Personal data used to be a checkbox on compliance audits. Today, it governs how businesses collect leads, personalise content, handle user requests, and respond to breaches. It’s also squarely in the spotlight of regulatory scrutiny.
With the Digital Personal Data Protection (DPDP) Act, 2023, India formalises its stance on digital privacy. But this isn’t a carbon copy of GDPR. The law reflects local digital infrastructure, platform-first service delivery, and the government’s active role in regulating how data flows within and beyond borders.
A Quick Timeline: How We Got Here
The DPDP Act was the result of six years of legislative evolution—beginning with a landmark Supreme Court ruling and shaped by committee reports, industry feedback, and intense parliamentary debate.
Date | What Happened |
---|---|
24 Aug 2017 | Supreme Court declares the Right to Privacy a fundamental right (Justice K.S. Puttaswamy vs Union of India) |
22 Dec 2018 | Justice B.N. Srikrishna Committee initiates public consultations on a draft data law |
Jul 2018 | Committee submits the first draft of the Personal Data Protection Bill |
11 Dec 2019 | The revised PDP Bill, 2019 is introduced in Lok Sabha, sent to JPC |
Aug 2022 | PDP Bill is withdrawn following heavy criticism |
18 Nov 2022 | Ministry releases DPDP Bill, 2022 for public feedback |
5 Jul 2023 | Cabinet clears the DPDP Bill, 2023 |
3–9 Aug 2023 | Introduced and passed in both Houses of Parliament |
11 Aug 2023 | Assented by President; becomes the DPDP Act, 2023 |
What Does the DPDP Act Cover?
The DPDP Act regulates digital personal data – that is, any data that can identify an individual, either directly (e.g., name, phone number) or indirectly (e.g., cookies, device ID).
It applies to:
- Data collected or processed in India
- Any organisation (Indian or foreign) offering goods/services to individuals in India
- Any data that is processed digitally, even if it was collected offline
This includes everything from signup forms and mobile analytics to cookies and support tickets. If your business handles such data, you’re now required to justify how and why it’s being processed.
Consent is Now a Proper Conversation
Consent under DPDP must be:
- Informed: Users must know what data is being collected and for what purpose
- Specific: No more one-size-fits-all permissions
- Easy to Withdraw: Users should be able to say no at any point without friction
Privacy notices must be provided in plain language, and available in 22 Indian languages listed in the Constitution’s 8th Schedule.
What Rights Do Users Have?
The Act gives data principals (i.e., users) control over how their information is collected, stored, and used. Their rights include:
- Access: See what personal data is held and how it’s used
- Correction: Fix inaccurate or outdated information
- Erasure: Request deletion once data is no longer needed
- Grievance Redressal: Raise complaints and receive timely responses
- Nomination: Appoint a person to manage rights in case of death/incapacity
These rights apply to all data fiduciaries.
Larger ones or those handling sensitive data must have systems in place to process such requests at scale.
Who is Responsible?
The Act distinguishes between:
- Data Fiduciaries: The primary organisations that determine how and why data is processed
- Data Processors: External parties handling data on behalf of a fiduciary (such as analytics firms or cloud providers)
Both are responsible for following privacy practices. That includes:
- Strong encryption and access controls
- Clear retention and deletion policies
- Internal audits and breach protocols
Some fiduciaries, especially those dealing with sensitive data or children’s information, may also need to appoint a Data Protection Officer and maintain more detailed records.
What About Cross-Border Transfers?
Personal data can only be transferred to countries that are officially approved by the Indian government. This provision is aimed at protecting data sovereignty and preventing unrestricted flow of data to unvetted jurisdictions.
For businesses, this means:
- Understanding where your data is currently hosted
- Re-evaluating vendor contracts and processing locations
- Avoiding transfers to countries that are not on the approved list
If your cloud infrastructure or SaaS tools operate globally, this may require significant adjustments.
What Happens When There's a Breach?
If personal data is compromised, the DPDP Act requires companies to:
- Notify the Data Protection Board of India
- Inform the affected individuals without unreasonable delay
This means organisations need a full incident response plan, including breach detection, escalation protocols, and public communication strategies.
Encryption is your first line of defence when devices are lost or compromised.
How Long Can You Store Data?
The DPDP Act enforces data minimisation. You cannot retain data longer than necessary for the original purpose.
Organisations are expected to:
- Define category-wise retention policies
- Build systems for automated deletion
- Explain why certain data is retained for longer durations (e.g., legal holds, financial compliance)
DPDP vs GDPR: What’s Similar, What’s Not?
Feature | DPDP Act (India) | GDPR (EU) |
---|---|---|
Scope | Only digital personal data | All personal data (digital + physical) |
Consent | Allows “deemed” consent in some cases | Requires explicit consent |
Cross-border transfer | Allowed only to approved countries | Based on adequacy or safeguards |
Penalties | Up to ₹2,500 crore | Up to 4% of global turnover |
Sensitive data | No formal distinction | Clear categories with added restrictions |
While both laws aim to protect privacy, their definitions, frameworks, and enforcement styles differ. India’s approach allows for greater government involvement in setting conditions for data transfer and enforcement.
Exemptions to the Act
Certain types of data processing are exempt from some or all provisions:
- Legal obligations: Courts, tribunals, and law enforcement bodies
- Contractual processing: For individuals outside India under international contracts
- Mergers or restructuring: Corporate actions approved by relevant authorities
- Loan recovery: Processing to trace defaulters, subject to existing laws
However, even exempt entities are expected to handle data responsibly, especially where harm or discrimination may occur.
What the Data Protection Board Does
The Data Protection Board of India is the enforcement and adjudicating body under this Act. It will:
- Investigate non-compliance
- Hear user complaints
- Impose financial penalties (minimum ₹50 crore in some cases)
- Direct corrective actions
It is not a regulator like the EU’s data protection authorities, but a quasi-judicial body focused on enforcement.
What This Means for Businesses
If You’re a Large Enterprise
You will need to revisit everything — from how you collect consent to how you store backups. Systems must be updated, internal processes documented, and privacy built into the architecture. For most enterprises, this will involve legal reviews, technology upgrades, and ongoing monitoring.
If You’re a Startup or SME
Smaller companies may not have a compliance team, but they still need to comply. Affordable tools for consent management, breach alerts, and access controls can help bridge the gap. Some may also benefit from outsourcing DPO responsibilities or using plug-and-play privacy solutions.
If You’re in Finance or Healthcare
Handling sensitive data comes with additional scrutiny. Explicit consent, documented privacy impact assessments, and secure data flows are no longer optional. These sectors may need to over-prepare, especially when dealing with external partners and vendors.
Your 6-Step DPDP Compliance Plan
1. Run a Privacy Audit
Start by building a detailed view of your organisation’s personal data lifecycle. This includes identifying every system where personal data is collected, stored, processed, or shared.
- Create a central inventory of personal data types, such as names, email addresses, device information, and payment details.
- Map each data type to its collection source, storage location, access permissions, and retention period.
- List all third parties, vendors, and platforms that handle personal data on your behalf.
- Classify data based on risk levels, especially in cases involving children or financial information.
This process is the foundation for compliance and risk mitigation. Without full visibility, it is difficult to manage obligations or respond to incidents.
2. Fix Consent Mechanisms
DPDP requires that consent be specific, informed, and easy to withdraw. Most generic or bundled consent methods will not meet this standard.
- Update all consent notices with clear, purpose-linked explanations.
- Avoid vague language and pre-checked boxes. Users must know exactly what data is being collected and why.
- Display opt-in and opt-out options with equal visibility.
- Support consent notices in multiple languages, including those listed in the Eighth Schedule where relevant.
- Maintain detailed logs of consent events, withdrawals, and the associated purposes.
Consent is no longer a legal formality. It must be built into both the user experience and your backend records.
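The backend half of step 2 is a consent record that is specific to one purpose, scoped to declared data categories, logged with the notice language and version, and never overwritten when a user withdraws. The following Python is an added illustration written for this article, not code from the article or from any product it mentions; the purpose registry, category names and the sample principal id are constructed values, and the append-only ledger design is an assumption about how a team might implement the logging the text calls for.

```python
"""Purpose-specific consent ledger (illustrative example, not the article's code).

Assumptions made here:
- every purpose is pre-registered together with the data categories it may use,
- one consent event covers exactly one purpose (no bundled "accept all"),
- the ledger is append-only, so a withdrawal adds an event instead of
  deleting the earlier grant, leaving a full audit trail.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Purpose registry: purpose -> data categories that purpose is allowed to touch.
# Constructed sample values for this example.
PURPOSES: Dict[str, set] = {
    "order_fulfilment": {"name", "email", "shipping_address"},
    "marketing_email": {"email"},
    "product_analytics": {"device_id"},
}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str            # the data principal (user)
    purpose: str                 # exactly one registered purpose
    kind: str                    # "grant" or "withdraw"
    at: datetime                 # timezone-aware timestamp of the event
    notice_language: Optional[str] = None  # language the notice was shown in (grant only)
    notice_version: Optional[str] = None   # which wording the user actually saw


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, notice_language: str,
              notice_version: str, at: datetime) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unregistered purpose: {purpose!r}")
        self._events.append(ConsentEvent(principal_id, purpose, "grant", at,
                                         notice_language, notice_version))

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> None:
        # Withdrawal is recorded, not applied by deleting history.
        if purpose not in PURPOSES:
            raise ValueError(f"unregistered purpose: {purpose!r}")
        self._events.append(ConsentEvent(principal_id, purpose, "withdraw", at))

    def is_permitted(self, principal_id: str, purpose: str, category: str,
                     at: Optional[datetime] = None) -> bool:
        """True only if the category is within the purpose's declared scope and the
        latest event for (principal, purpose) at time `at` is a grant."""
        if category not in PURPOSES.get(purpose, set()):
            return False
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.principal_id != principal_id or ev.purpose != purpose:
                continue
            if at is not None and ev.at > at:
                continue
            if latest is None or ev.at >= latest.at:   # later event wins; ties go to the later append
                latest = ev
        return latest is not None and latest.kind == "grant"

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """Everything the organisation can show for one principal, in order."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


def demo() -> Dict[str, object]:
    """Walk one constructed principal through grant and withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger.grant("principal-001", "order_fulfilment", "hi", "notice-v1", at=t0)
    before = {
        "email_for_fulfilment": ledger.is_permitted("principal-001", "order_fulfilment", "email"),
        "email_for_marketing": ledger.is_permitted("principal-001", "marketing_email", "email"),
        "device_id_for_fulfilment": ledger.is_permitted("principal-001", "order_fulfilment", "device_id"),
    }
    ledger.withdraw("principal-001", "order_fulfilment", at=t0 + timedelta(days=1))
    after = {
        "email_for_fulfilment_now": ledger.is_permitted("principal-001", "order_fulfilment", "email"),
        "email_for_fulfilment_at_t0": ledger.is_permitted("principal-001", "order_fulfilment", "email", at=t0),
        "events_logged": len(ledger.history("principal-001")),
    }
    return {**before, **after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks worth noting are that consent for order fulfilment does not leak into marketing (no bundling) and that a withdrawal leaves the original grant visible at its own point in time, which is what an auditor or the Board would ask to see.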
3. Define Data Retention Rules
DPDP requires organisations to retain personal data only as long as it is necessary for a defined purpose. Holding on to data without justification increases both regulatory and security risks.
- Assign retention periods based on data category and legal or business requirements.
- Automate deletion or archiving when the retention period ends.
- Maintain clear documentation explaining each retention policy.
- Create a workflow for processing user-initiated deletion requests, including logs and confirmations.
- Regularly audit internal systems for data that exceeds retention timelines.
Clear retention rules not only support compliance but also reduce the volume of data exposed in the event of a breach.
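Steps 3's bullets (category-wise periods, automated deletion, documented justification, and audits for over-retained data) can be checked by one evaluator that decides, for each record, whether it is due for deletion, still within its period, frozen by a legal hold, or missing a rule entirely. The Python below is an added example for this article, not code from the article or from any vendor it mentions; the retention periods, category names, record ids and the legal-hold reason are constructed placeholders, and counting retention from the date the purpose was fulfilled is an assumption about how a team would define "no longer necessary".

```python
"""Category-wise retention evaluator (illustrative example, not the article's code).

Assumptions made here:
- each record carries a data category and the date its purpose was fulfilled,
- the retention period is counted from that date,
- longer periods (for example statutory financial records) and legal holds
  must each carry a written reason, so the decision log explains itself.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention in days after the purpose is fulfilled. Constructed sample values.
RETENTION_DAYS: Dict[str, int] = {
    "support_ticket": 180,
    "marketing_lead": 365,
    "invoice": 8 * 365,   # longer statutory period; reason documented below
}

# Every category must state why it is kept; a missing reason is a policy defect.
RETENTION_REASON: Dict[str, str] = {
    "support_ticket": "resolve follow-ups on the same issue",
    "marketing_lead": "lead nurturing for the consented campaign",
    "invoice": "statutory financial record-keeping",
}


@dataclass
class Record:
    record_id: str
    category: str
    purpose_fulfilled_on: date
    legal_hold: Optional[str] = None   # reason text if a hold applies


@dataclass
class Decision:
    record_id: str
    action: str     # "delete", "retain", "hold" or "review"
    reason: str     # human-readable justification kept for the audit log


def check_policy() -> List[str]:
    """Return categories that have a period but no documented reason (should be empty)."""
    return sorted(c for c in RETENTION_DAYS if c not in RETENTION_REASON)


def evaluate(records: List[Record], today: date) -> List[Decision]:
    """Decide what to do with each record as of `today`, with a reason for every outcome."""
    decisions: List[Decision] = []
    for r in records:
        if r.category not in RETENTION_DAYS:
            # Unknown category: never silently keep or delete, flag for review.
            decisions.append(Decision(r.record_id, "review",
                                      f"no retention rule for category {r.category!r}"))
            continue
        if r.legal_hold:
            # A hold overrides expiry but must be justified in writing.
            decisions.append(Decision(r.record_id, "hold", f"legal hold: {r.legal_hold}"))
            continue
        days = RETENTION_DAYS[r.category]
        expires = r.purpose_fulfilled_on + timedelta(days=days)
        if today >= expires:
            decisions.append(Decision(r.record_id, "delete",
                                      f"{days}-day retention expired on {expires.isoformat()}"))
        else:
            decisions.append(Decision(r.record_id, "retain",
                                      f"{RETENTION_REASON[r.category]}; expires {expires.isoformat()}"))
    return decisions


def to_delete(records: List[Record], today: date) -> List[str]:
    """Ids the deletion job should act on, sorted for stable logging."""
    return sorted(d.record_id for d in evaluate(records, today) if d.action == "delete")


# Constructed sample inventory evaluated as of a fixed date.
SAMPLE_TODAY = date(2025, 7, 1)
SAMPLE_RECORDS = [
    Record("r1", "support_ticket", date(2024, 12, 1)),                       # 180 days passed
    Record("r2", "support_ticket", date(2025, 3, 1)),                        # still inside 180 days
    Record("r3", "invoice", date(2017, 1, 1)),                               # statutory period now over
    Record("r4", "marketing_lead", date(2024, 1, 1), legal_hold="matter ref PLACEHOLDER-001"),
    Record("r5", "unknown_export", date(2020, 1, 1)),                        # no rule defined
]

if __name__ == "__main__":
    print("policy gaps:", check_policy())
    for d in evaluate(SAMPLE_RECORDS, SAMPLE_TODAY):
        print(d.record_id, d.action, "-", d.reason)
    print("delete:", to_delete(SAMPLE_RECORDS, SAMPLE_TODAY))
```

Running this over the whole inventory on a schedule gives you the periodic audit from the last bullet for free: anything that comes back as "review" is a category that slipped past the policy, and anything that comes back as "delete" is data that is still sitting in a system after its justification ran out.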
4. Review and Update Vendor Contracts
If a vendor processes personal data on your behalf, you are accountable for their compliance posture. Every agreement must be reviewed through the lens of DPDP.
- Ensure contracts include specific clauses around data protection obligations, breach notification timelines, and cross-border transfer policies.
- Require vendors to disclose where data is stored and processed.
- Avoid working with vendors located in jurisdictions not approved by the Indian government.
- Include audit rights and termination clauses tied to privacy violations.
- Where necessary, request documentation or certifications that prove alignment with Indian data protection standards.
Your data security is only as strong as your vendor ecosystem. Contracts need to reflect that responsibility.
5. Train Teams Across Departments
Data protection is not limited to legal or IT departments. Everyone who touches personal data must understand their role in upholding privacy standards.
- Train developers and product teams on principles such as data minimisation and purpose limitation.
- Help marketing and sales teams understand what kind of data they can collect, how consent must be obtained, and what records must be maintained.
- Prepare customer service teams to handle access requests, corrections, and grievances.
- Document procedures for handling complaints and escalate unresolved cases to a designated point of contact.
- Conduct periodic refreshers and simulate real-world scenarios such as breach drills or user complaints.
Effective compliance depends on consistent execution. Training should focus on practical scenarios, not just theory.
6. Create a Breach Response Plan
When a data breach occurs, your response is scrutinised as much as the breach itself. The DPDP Act requires timely disclosure to both the regulator and affected individuals.
- Set up monitoring and detection systems that can identify unusual behaviour or unauthorised access.
- Define roles and escalation steps in case of an incident.
- Document communication templates for notifying the Data Protection Board and impacted users.
- Include a timeline for investigation, reporting, and remediation.
- Test your plan periodically to identify bottlenecks or weak points.
Preparation is critical. A well-documented, well-rehearsed breach plan helps minimise damage and demonstrate accountability.
India’s DPDP Act doesn’t just add another layer of compliance. It forces a cultural shift where data is seen not as a business asset to exploit, but as something entrusted to you, with conditions.
In 2025, privacy risk is business risk. The businesses that internalise this early and seriously will avoid penalties, defend their reputation, and earn trust where it’s now the hardest to win.
The DPDP Act is not just another regulatory update. It marks a clear shift in how India views privacy: not as a formality, but as a right.
Businesses that treat compliance as an afterthought will find it difficult to keep up. But those who build privacy into their operations now can stay ahead of enforcement, avoid steep penalties, and build lasting trust with their customers.
Need clarity on your compliance roadmap?
Our privacy consultants can help you assess gaps, plan next steps, and implement solutions tailored to your business size and sector.