Personal data used to be a footnote in compliance checklists. Today, it’s at the centre of every digital interaction, every customer relationship, and increasingly, every regulatory headline.
With the Digital Personal Data Protection (DPDP) Act, 2023, India joins a growing list of countries putting legal weight behind how data is collected, stored, and shared. But this isn’t a carbon copy of the GDPR. It’s a uniquely Indian approach, shaped by local priorities, digital public infrastructure, and an urgent need for accountability.
For businesses, the DPDP Act is both a signal and a shift. The signal: privacy is now serious policy. The shift: consent, access, breach reporting, and data transfers are no longer just IT or legal concerns. They sit at the heart of how organisations operate and communicate.
So what exactly does the law say? And how should companies prepare?
What Does the DPDP Act Cover?
At its core, the DPDP Act governs digital personal data — information about individuals that can be used to identify them, whether directly or indirectly. It applies to:
- Data collected in India, regardless of where it’s processed
- Any organisation offering goods or services in India
- Data processed digitally, even if the original collection was physical
This means everything from online forms to mobile app behaviour is within scope. If your business uses this data, you’re now expected to justify it, secure it, and be ready to answer questions about it.
Consent is Now a Proper Conversation
The Act puts consent back into the hands of individuals. That means no more vague checkboxes, catch-all terms, or hard-to-find opt-outs.
Consent must be:
- Informed: Users need to know what they’re agreeing to and why
- Specific: Blanket permissions won’t work
- Easy to withdraw: Saying no should be just as simple as saying yes
Organisations are expected to explain, in clear language, what data they’re collecting and how it will be used. That applies across channels – from apps and websites to customer support and third-party tools.

What Rights Do Users Have?
The DPDP Act gives individuals several rights that shape how their data is used across its entire lifecycle.
Here’s what users can do:
- Access their data: Ask for a summary of what’s been collected and how it’s used
- Request corrections or deletions: Fix outdated or wrong information, or request complete removal
- Transfer their data: Move their information to another provider or platform
- File complaints: If they feel their data was misused or mishandled
These rights aren’t theoretical. Companies will need real systems to process, track, and fulfil such requests, on time and without friction.
Who is Responsible?
The Act distinguishes between:
- Data Fiduciaries: The primary organisations that determine how and why data is processed
- Data Processors: External parties handling data on behalf of a fiduciary (such as analytics firms or cloud providers)
Both are responsible for following privacy practices. That includes:
- Strong encryption and access controls
- Clear retention and deletion policies
- Internal audits and breach protocols
Some fiduciaries, especially those dealing with sensitive data or children’s information, may also need to appoint a Data Protection Officer and maintain more detailed records.
What About Cross-Border Transfers?
Personal data can only be transferred to countries that are officially approved by the Indian government. This provision is aimed at protecting data sovereignty and preventing unrestricted flow of data to unvetted jurisdictions.
For businesses, this means:
- Understanding where your data is currently hosted
- Re-evaluating vendor contracts and processing locations
- Avoiding transfers to countries that are not on the approved list
If your cloud infrastructure or SaaS tools operate globally, this may require significant adjustments.
What Happens When There's a Breach?
If personal data is compromised, the DPDP Act requires companies to:
- Notify the Data Protection Board of India
- Inform the affected individuals without unreasonable delay
This means organisations need a full incident response plan, including breach detection, escalation protocols, and public communication strategies.
How Long Can You Store Data?
The DPDP Act promotes data minimisation. Personal data should only be kept for as long as it’s needed for the stated purpose. After that, it must be deleted securely.
Businesses must define retention policies, automate deletion where possible, and document how long data will be kept and why.
DPDP vs GDPR: What’s Similar, What’s Not?
| Aspect | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Consent | Allows “deemed” consent in certain cases | Requires clear opt-in consent |
| Data Transfers | Allowed only to approved countries | Permitted to adequate jurisdictions |
| Penalties | Fines up to ₹2,500 crore | Up to 4% of global annual turnover |
| Scope | Digital personal data only | Both digital and physical data |
While both laws aim to protect privacy, their definitions, frameworks, and enforcement styles differ. India’s approach allows for greater government involvement in setting conditions for data transfer and enforcement.
What This Means for Businesses
If You’re a Large Enterprise
You will need to revisit everything — from how you collect consent to how you store backups. Systems must be updated, internal processes documented, and privacy built into the architecture. For most enterprises, this will involve legal reviews, technology upgrades, and ongoing monitoring.
If You’re a Startup or SME
Smaller companies may not have a compliance team, but they still need to comply. Affordable tools for consent management, breach alerts, and access controls can help bridge the gap. Some may also benefit from outsourcing DPO responsibilities or using plug-and-play privacy solutions.
If You’re in Finance or Healthcare
Handling sensitive data comes with additional scrutiny. Explicit consent, documented privacy impact assessments, and secure data flows are no longer optional. These sectors may need to over-prepare, especially when dealing with external partners and vendors.
Your 6-Step DPDP Compliance Plan
1. Run a Compliance Check: Start with a structured audit of where personal data is collected, stored, and shared.
2. Rework Consent Notices: Make sure all privacy notices are clear, specific, and easy to understand.
3. Set Retention Rules: Define how long different types of data should be kept and when to delete them.
4. Review Vendor Contracts: Especially those involving overseas data transfers or shared data responsibilities.
5. Train Your Teams: Help employees understand what’s changing, what to watch for, and what not to overlook.
6. Build a Response Plan: Create a documented process for handling breaches, user complaints, and audit requests.
The DPDP Act is not just another regulatory update. It marks a clear shift in how India views privacy: not as a formality, but as a right.
Businesses that treat compliance as an afterthought will find it difficult to keep up. But those who build privacy into their operations now can stay ahead of enforcement, avoid steep penalties, and build lasting trust with their customers.
Need clarity on your compliance roadmap?
Our privacy consultants can help you assess gaps, plan next steps, and implement solutions tailored to your business size and sector.