
Digital Personal Data Protection Act, 2023

Rahul Surve
Rahul is a technical expert with 6+ years of experience leading software support teams. He currently heads the Technical Support Department at RankSecure, securing digital infrastructure for organizational and client environments.

Executive Summary

Introduction to the DPDP Act

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s comprehensive data protection legislation that establishes a framework for processing digital personal data while respecting individuals’ privacy rights. The Act was passed by the Parliament of India in August 2023 and received Presidential assent shortly thereafter.

This landmark legislation aims to:

  • Protect the privacy of individuals with respect to their personal data
  • Establish a framework for processing digital personal data
  • Create a Data Protection Board to enforce compliance
  • Establish penalties for non-compliance
  • Promote data processing that respects individual privacy

The DPDP Act applies to:

  • Processing of digital personal data within India
  • Processing of digital personal data outside India, if it is in connection with any profiling of, or offering goods or services to, data principals within India

This executive summary provides an overview of the key provisions of the DPDP Act to help organizations understand their compliance obligations.


Key Definitions

Understanding the terminology used in the DPDP Act is essential for compliance.

  • Personal Data: Any data about an individual who is identifiable by or in relation to such data.
  • Data Principal: The individual to whom the personal data relates; where such individual is a child, this includes the parents or lawful guardian of the child, and where such individual is a person with disability, this includes their lawful guardian.
  • Data Fiduciary: Any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
  • Data Processor: Any person who processes personal data on behalf of a data fiduciary.
  • Consent: The explicit, informed, specific and freely given agreement of the data principal, signified through clear affirmative action, to the processing of their personal data for a specified purpose.
  • Significant Data Fiduciary: A data fiduciary notified as such by the Central Government based on factors such as the volume and sensitivity of personal data processed, the risk of harm, and the impact on the sovereignty and integrity of India.


Core Principles

The DPDP Act is built on several core principles that guide the processing of personal data:

  • Lawful Processing: Personal data must be processed in accordance with the provisions of the Act.
  • Purpose Limitation: Personal data must be processed only for the specific, explicit, and legitimate purpose for which it was collected.
  • Data Minimization: Only necessary personal data should be collected, limited to what is required for the specified purpose.
  • Accuracy: Reasonable efforts must be made to ensure that personal data is accurate and kept up to date.
  • Storage Limitation: Personal data should not be retained for longer than necessary for the purpose for which it was processed.
  • Reasonable Security Safeguards: Appropriate technical and organizational measures must be implemented to prevent data breaches.
  • Accountability: Data fiduciaries are responsible for complying with the Act and must be able to demonstrate compliance.

Rights of Data Principals

The DPDP Act grants several rights to data principals regarding their personal data:

  • Right to Information: Data principals have the right to receive information about the processing of their personal data in a clear and concise manner.
  • Right to Access: Data principals can request confirmation of whether their personal data is being processed and access to such data.
  • Right to Correction and Erasure: Data principals can request correction of inaccurate or incomplete personal data, as well as erasure of personal data that is no longer necessary for the purpose for which it was collected.
  • Right to Grievance Redressal: Data principals have the right to register complaints with the data fiduciary and, if not satisfied, with the Data Protection Board.
  • Right to Nominate: In case of death or incapacity, data principals can nominate another person to exercise their rights.
  • Right to be Forgotten: Data principals can restrict or prevent the continued disclosure of their personal data under certain circumstances.

Obligations of Data Fiduciaries

Data fiduciaries have several obligations under the DPDP Act:

  • Notice Obligation: Provide clear and concise notice to data principals about the purpose of data collection, the manner of processing, and their rights.
  • Consent Management: Obtain valid consent from data principals before processing their personal data and provide an effective mechanism to withdraw consent.
  • Data Security: Implement appropriate technical and organizational measures to ensure the security of personal data.
  • Data Breach Notification: Notify the Data Protection Board and affected data principals of personal data breaches that are likely to result in significant harm.
  • Data Protection Impact Assessment: Conduct assessments for high-risk processing activities.
  • Record-Keeping: Maintain records of processing activities.
  • Data Protection Officer: Appoint a qualified individual to oversee compliance (for Significant Data Fiduciaries).
  • Children’s Data: Implement additional safeguards when processing personal data of children.
  • Cross-Border Data Transfers: Comply with restrictions on transferring personal data outside India.

Consent Management

Consent is a cornerstone of the DPDP Act. For consent to be valid, it must be:

  • Free: Given without coercion or undue influence
  • Informed: Based on clear information about the purpose of processing
  • Specific: Related to a particular purpose
  • Clear and Affirmative: Indicated through an explicit action
  • Withdrawable: Can be withdrawn at any time

Data fiduciaries must:

  • Provide a notice before collecting personal data
  • Obtain consent before processing personal data
  • Provide an accessible mechanism to withdraw consent
  • Not make the provision of goods or services conditional on consent for unrelated purposes
  • Implement additional safeguards for obtaining consent from children

Certain exemptions from the consent requirement exist, such as:

  • Compliance with law or court orders
  • Medical emergencies
  • Employment-related purposes
  • Public interest purposes as specified by the Central Government

Data Protection Board of India

The DPDP Act establishes the Data Protection Board of India (DPB) as the primary regulatory authority. The DPB’s functions include:

  • Determining non-compliance with the provisions of the Act
  • Imposing penalties for non-compliance
  • Directing data fiduciaries to take specific actions to ensure compliance
  • Issuing codes of practice and guidelines
  • Promoting awareness about data protection
  • Handling complaints from data principals

To carry out these functions, the DPB is empowered to:

  • Conduct inquiries
  • Summon and enforce the attendance of persons
  • Examine witnesses under oath
  • Receive evidence on affidavits
  • Issue directions to data fiduciaries
  • Impose penalties for non-compliance

Penalties and Enforcement

The DPDP Act prescribes significant penalties for non-compliance:

  • Failure to take reasonable security safeguards: Up to ₹250 crore
  • Failure to notify personal data breach: Up to ₹200 crore
  • Non-fulfillment of additional obligations in relation to children: Up to ₹200 crore
  • Non-fulfillment of additional obligations of Significant Data Fiduciary: Up to ₹150 crore
  • Non-compliance with provisions relating to transfer of personal data outside India: Up to ₹200 crore
  • Non-compliance with other provisions of the Act: Up to ₹50 crore

The Data Protection Board will consider factors such as the nature, gravity, and duration of the violation, the type of personal data affected, and whether the violation was intentional or negligent when determining the amount of the penalty.

In addition to penalties, the Board may direct data fiduciaries to:

  • Take specific remedial actions
  • Cease and desist from certain processing activities
  • Modify their data processing practices

Compliance Timeline

The expected implementation timeline for the DPDP Act is as follows:

  • August 2023: DPDP Act received Presidential assent
  • Q1 2024: Draft Rules published for public consultation
  • Q2-Q3 2024: Final Rules notified
  • Q3-Q4 2024: Establishment of the Data Protection Board
  • Q4 2024 – Q1 2025: Notification of Significant Data Fiduciaries
  • 2025: Full enforcement of the Act expected

Organizations should begin preparing for compliance immediately, as the implementation timeline is expected to be relatively short compared to other global data protection regulations.


Next Steps for Organizations

To prepare for DPDP Act compliance, organizations should:

  • Data Mapping and Inventory: Identify all personal data being processed, its sources, purposes, and recipients.
  • Gap Analysis: Compare current practices with DPDP Act requirements to identify compliance gaps.
  • Privacy Policies and Notices: Update privacy policies and notices to comply with the transparency requirements.
  • Consent Mechanisms: Implement or update consent collection mechanisms to ensure they meet the Act’s requirements.
  • Data Subject Rights Procedures: Establish processes to handle data principal requests (access, correction, erasure).
  • Data Breach Response Plan: Develop procedures for detecting, reporting, and responding to data breaches.
  • Security Measures: Implement appropriate technical and organizational measures to protect personal data.
  • Vendor Management: Review and update contracts with data processors to ensure they comply with the Act.
  • Training and Awareness: Educate employees about the DPDP Act and their role in ensuring compliance.
  • Documentation: Maintain records of processing activities and compliance measures.
  • Monitoring and Auditing: Regularly review and audit data protection practices to ensure ongoing compliance.
  • DPO Appointment: For Significant Data Fiduciaries, appoint a qualified Data Protection Officer.


Conclusion

The DPDP Act represents a significant shift in India’s data protection landscape. Organizations that process personal data of Indian residents must understand their obligations under the Act and take proactive steps to ensure compliance.

While the Act presents compliance challenges, it also offers an opportunity for organizations to strengthen their data governance practices, build trust with customers, and differentiate themselves in the market.

By implementing a comprehensive DPDP compliance program, organizations can not only avoid penalties but also realize business benefits such as improved data quality, enhanced customer trust, and more efficient data management practices.

This executive summary provides a high-level overview of the DPDP Act. For detailed guidance on compliance, organizations should consult with legal and privacy professionals.

