DPDP Act 2023: Complete Compliance Guide for Indian Enterprises

Introduction

India’s Digital Personal Data Protection Act 2023 (DPDP Act) is the country’s most significant data privacy legislation, fundamentally changing how businesses collect, process, store, and share personal data. Passed by Parliament in August 2023, it creates a unified legal framework governing digital personal data with substantial penalties for non-compliance.

If your organisation handles personal data of individuals in India, whether you are a startup, an enterprise or a multinational operating in India, this law applies to you; the test is where the Data Principals are, not their citizenship. This guide covers what the DPDP Act requires, who it applies to, your obligations, and the steps to achieve compliance.

What is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 governs the processing of digital personal data in India. It applies to data processed within India and to data processed outside India if it involves offering goods or services to individuals in India.

The Act is built around a core principle: individuals (Data Principals) have enforceable statutory rights over their personal data, and organisations (Data Fiduciaries) that decide why and how that data is used carry the legal obligations to protect it, including for processing done on their behalf by Data Processors.

Key Definitions

  • Personal Data — Any data about an identifiable individual including names, phone numbers, emails, financial information, health records, and biometric data.
  • Data Principal — The individual to whom the personal data relates. Has enforceable rights over their own data.
  • Data Fiduciary — Any organisation that determines the purpose and means of processing personal data. If you collect customer, employee, or user data, you are a Data Fiduciary.
  • Data Processor — Any entity that processes data on behalf of a Data Fiduciary. Cloud providers, payroll processors, and analytics vendors may qualify.
  • Significant Data Fiduciary (SDF) — A Data Fiduciary, or class of them, notified as such by the Central Government on factors including the volume and sensitivity of personal data processed and the risk to Data Principals, public order, security of the State and electoral democracy. SDFs must appoint a Data Protection Officer based in India who reports to the board, appoint an independent data auditor, and carry out periodic Data Protection Impact Assessments and audits.

Who Does the DPDP Act Apply To?

The DPDP Act applies to any organisation that processes digital personal data in these contexts:

  • Processing personal data within India — regardless of whether the organisation is Indian or foreign
  • Processing personal data outside India in connection with offering goods or services to Indian individuals

This means the Act applies to: Indian enterprises of all sizes, multinational companies with Indian operations or customers, SaaS companies with Indian users, e-commerce platforms, healthcare providers, banks, educational institutions, and government bodies (with certain exceptions).

Core Obligations of Data Fiduciaries

1. Lawful Basis — Consent or Legitimate Use

You may process personal data only on one of two bases. The first is consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the data necessary for the specified purpose. The second is a legitimate use listed in the Act: data the individual voluntarily provided for a specified purpose without objecting to its use, State subsidies, benefits, services, licences and permits, compliance with law or court orders, medical emergencies, epidemics and public health, disaster response, and employment-related purposes. A consent that bundles several purposes into one tick box, or is made a condition of service, fails the "specific" and "unconditional" tests.

2. Notice Requirements

At or before the point of seeking consent, you must give a notice stating what personal data is being collected and for what purpose, how the individual can exercise their rights, how they can withdraw consent, and how they can complain to the Data Protection Board. Where consent was obtained before the Act commenced, the notice must still be issued as soon as reasonably practicable. The individual must be given the option to read the notice in English or in any of the 22 languages of the Eighth Schedule to the Constitution.

3. Purpose Limitation & Data Minimisation

Data may be processed only for the specified purpose for which consent was obtained, and only the data necessary for that purpose may be collected. Unless a law requires you to keep it, the data must be erased, by you and by your Data Processors, once consent is withdrawn or as soon as it is reasonable to assume the purpose is no longer being served. Retention periods therefore have to be defined per purpose, not per system.

4. Security Safeguards

You must take reasonable security safeguards to prevent personal data breaches, and the duty covers data processed on your behalf by Data Processors, so it has to flow into processor contracts. The Act does not name specific controls; the building blocks practitioners rely on are encryption of data at rest and in transit, least-privilege access control, audit logging of access to personal data, patching and vulnerability management, and a tested incident response process. A certified ISO 27001 management system is a common way to evidence these, but certification alone does not discharge the duty.

5. Breach Notification

On a personal data breach you must notify the Data Protection Board and every affected Data Principal in the form, manner and timelines prescribed under the Rules. The Act's definition of a breach is broad: any unauthorised processing, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of personal data, not only exfiltration. The duty sits with the Data Fiduciary, so processor contracts need to oblige the processor to tell you about incidents quickly enough for you to meet your own deadline.

6. Children's Data

Before processing the personal data of a child (anyone under 18) or of a person with a disability who has a lawful guardian, you must obtain verifiable consent from the parent or guardian. You must not carry out tracking, behavioural monitoring or targeted advertising directed at children, or any processing likely to cause a detrimental effect on a child's well-being.

Rights of Data Principals

  • Right to Access (Section 11): request a summary of the personal data being processed and of the processing activities, and the identities of the other Data Fiduciaries and Data Processors the data has been shared with, together with a description of what was shared.
  • Right to Correction & Erasure (Section 12): request correction, completion or updating of inaccurate or incomplete data, and erasure of data no longer necessary for the specified purpose, unless retention is required by law.
  • Right to Grievance Redressal (Section 13): raise a grievance through the readily available means the Data Fiduciary must provide; the Data Protection Board can be approached only after that route has been exhausted.
  • Right to Nominate (Section 14): nominate another individual to exercise these rights in the event of death or incapacity.
  • Right to Withdraw Consent (Section 6): withdraw consent at any time; the ease of withdrawal must be comparable to the ease with which consent was given, and you and your processors must stop the consent-based processing within a reasonable time unless another legal basis applies.

Penalties for Non-Compliance

The Schedule to the Act sets the following maximum penalties per instance. The Board fixes the actual amount after considering the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, any gain realised or loss avoided, and the mitigating action taken (Section 33).

  • Failure to take reasonable security safeguards to prevent a personal data breach: up to ₹250 crore
  • Failure to notify the Board or affected Data Principals of a breach: up to ₹200 crore
  • Breach of the additional obligations relating to children's data: up to ₹200 crore
  • Breach of the additional obligations of a Significant Data Fiduciary: up to ₹150 crore
  • Breach of any other provision of the Act or the Rules, including failure to honour Data Principal rights: up to ₹50 crore

Step-by-Step DPDP Compliance Roadmap

  1. Data Mapping & Inventory (Weeks 1–3) — Identify all personal data, where it is stored, how it flows, who has access, and retention periods. Create a Record of Processing Activities (ROPA).
  2. Gap Assessment (Weeks 3–5) — Compare current practices against DPDP Act requirements. Identify gaps in consent, notices, security, retention, and breach response.
  3. Consent Mechanism Review (Weeks 5–7) — Audit all consent mechanisms. Replace bundled or pre-ticked consent with specific, granular consent requests.
  4. Privacy Notice Update (Weeks 6–8) — Rewrite privacy policies and all data collection notices. Ensure regional language availability on request.
  5. Data Retention Policy (Weeks 8–10) — Define retention periods for each data category. Implement automated deletion workflows.
  6. Security Controls Implementation (Weeks 8–14) — Deploy encryption, access controls, audit logging, vulnerability management, and incident response procedures.
  7. Data Principal Rights Mechanism (Weeks 10–12) — Build processes to handle access, correction, and erasure requests with defined timelines.
  8. Breach Response Plan (Weeks 12–14) — Develop and test a breach response plan covering detection, containment, notification, and communication.
  9. Vendor & Processor Agreements (Weeks 12–16) — Review all third-party contracts. The Act lets you engage a Data Processor only under a valid contract, so each Data Processing Agreement (DPA) must cover purpose limitation, security safeguards, prompt breach reporting to you, erasure on withdrawal or purpose completion, and your right to audit.
  10. Training & Awareness (Ongoing) — Train all employees handling personal data. Publish the contact details of a Data Protection Officer or another person able to answer questions about your processing, as every Data Fiduciary must; if you are notified as a Significant Data Fiduciary, the DPO must be based in India and report to the board.
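As an added example (it is not Vedtam's code, and the Act prescribes no particular implementation), the following Python models what roadmap steps 3, 5, 6 and 7 mean in code: per-purpose consent with a one-call withdrawal, a write path that refuses fields the purpose does not need, a read path that refuses processing without an active consent, an audit trail of every consent and data event, and a retention sweep that erases data once consent is withdrawn or its retention period lapses unless the record is on a legal hold. The purpose names, field sets, retention periods, principal IDs and the scenario in demo() are hypothetical and constructed for the example.

```python
"""Consent register enforcing purpose limitation, data minimisation, withdrawal
and retention-driven erasure. Added example for this guide, not Vedtam's code and
not prescribed by the Act; purposes, fields, retention and IDs are hypothetical."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Hypothetical purpose register: the minimum fields each purpose needs
# (data minimisation) and how long data for it may be kept (retention).
PURPOSES: Dict[str, Tuple[Set[str], timedelta]] = {
    "order_fulfilment": ({"name", "address", "phone"}, timedelta(days=180)),
    "marketing": ({"email"}, timedelta(days=365)),
}


class ConsentRegister:
    def __init__(self) -> None:
        self.consents: Dict[str, Dict[str, dict]] = {}   # principal -> purpose -> record
        self.data: Dict[str, Dict[str, dict]] = {}       # principal -> purpose -> fields
        self.audit: List[Tuple[datetime, str, str, str]] = []  # (when, event, who, purpose)

    def grant(self, principal: str, purpose: str, now: datetime) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        self.consents.setdefault(principal, {})[purpose] = {"granted": now, "withdrawn": None}
        self.audit.append((now, "consent_granted", principal, purpose))

    def withdraw(self, principal: str, purpose: str, now: datetime) -> bool:
        # One call at the same granularity as grant(): withdrawing is as easy as giving.
        rec = self.consents.get(principal, {}).get(purpose)
        if rec is None or rec["withdrawn"] is not None:
            return False
        rec["withdrawn"] = now
        self.audit.append((now, "consent_withdrawn", principal, purpose))
        return True

    def has_consent(self, principal: str, purpose: str, now: datetime) -> bool:
        rec = self.consents.get(principal, {}).get(purpose)
        if rec is None or rec["withdrawn"] is not None:
            return False
        return now < rec["granted"] + PURPOSES[purpose][1]   # consent lapses with retention

    def _require(self, principal: str, purpose: str, now: datetime) -> None:
        if not self.has_consent(principal, purpose, now):
            raise PermissionError(f"no active consent for {purpose!r}")

    def store(self, principal: str, purpose: str, record: dict, now: datetime) -> None:
        self._require(principal, purpose, now)
        extra = set(record) - PURPOSES[purpose][0]
        if extra:  # reject over-collection instead of silently dropping fields
            raise ValueError(f"fields not needed for {purpose!r}: {sorted(extra)}")
        self.data.setdefault(principal, {})[purpose] = dict(record)
        self.audit.append((now, "data_stored", principal, purpose))

    def process(self, principal: str, purpose: str, now: datetime) -> dict:
        # Purpose limitation: data held for one purpose is not readable under another.
        self._require(principal, purpose, now)
        self.audit.append((now, "data_processed", principal, purpose))
        return dict(self.data.get(principal, {}).get(purpose, {}))

    def enforce_retention(self, now: datetime, legal_holds=frozenset()) -> List[Tuple[str, str]]:
        # Erase records with no active consent (withdrawn or retention lapsed) unless a law
        # requires keeping them; held records remain unreadable via process() regardless.
        erased = []
        for principal, purposes in self.data.items():
            for purpose in list(purposes):
                if (principal, purpose) in legal_holds or self.has_consent(principal, purpose, now):
                    continue
                del purposes[purpose]
                self.audit.append((now, "data_erased", principal, purpose))
                erased.append((principal, purpose))
        return erased


def _raises(exc: type, fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except exc:
        return True


def demo() -> dict:
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed scenario
    reg = ConsentRegister()
    reg.grant("dp-1", "order_fulfilment", t0)
    reg.store("dp-1", "order_fulfilment", {"name": "A", "address": "X", "phone": "1"}, t0)
    out = {
        "cross_purpose_blocked": _raises(PermissionError, reg.process, "dp-1", "marketing", t0),
        "over_collection_blocked": _raises(ValueError, reg.store, "dp-1", "order_fulfilment",
                                           {"name": "A", "email": "a@x"}, t0),
    }
    reg.grant("dp-1", "marketing", t0)
    reg.store("dp-1", "marketing", {"email": "a@x"}, t0)
    t1 = t0 + timedelta(days=1)
    out["withdrawn"] = reg.withdraw("dp-1", "marketing", t1)
    out["erased_after_withdrawal"] = reg.enforce_retention(t1)
    t2 = t0 + timedelta(days=181)  # order_fulfilment retention has lapsed by now
    out["erased_under_hold"] = reg.enforce_retention(t2, {("dp-1", "order_fulfilment")})
    out["erased_after_hold"] = reg.enforce_retention(t2)
    out["fields_still_held"] = {p: sorted(r) for p, r in reg.data["dp-1"].items()}
    return out
```

demo() walks the constructed scenario: a read for a purpose never consented to and a write containing a field the purpose does not need are both refused, a withdrawal followed by the retention sweep erases the marketing record, and the order record survives the sweep only while it is on legal hold (and is unreadable through process() in the meantime). In a real deployment the register would sit in front of the data store rather than beside it, the audit list would be an append-only log, and enforce_retention() would run on a schedule.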

Common Mistakes to Avoid

Treating DPDP compliance as a one-time project — Data protection is an ongoing operational commitment. Your data landscape changes as your business grows.

Assuming IT security alone is sufficient — Technical controls are necessary but not enough. Organisational measures, documented policies, and accountability mechanisms are also required.

Ignoring third-party processors — Your liability does not end at your own systems. Ensure all vendors with whom you share personal data have appropriate DPAs in place.

Waiting for the Rules to be notified — The Act's provisions come into force on the dates the Central Government notifies, and the Rules fill in the detail (notice formats, breach timelines, consent managers, verification of parental consent), but they do not change the obligations themselves. Data mapping, consent redesign, retention enforcement and vendor contracts take months, so build the foundation now rather than starting when the compliance window opens.

How Vedtam Can Help

Vedtam’s DPDP Act Consulting Services (vedtam.com/consulting/dpdp-act-consulting-services/) cover the full compliance lifecycle — from data mapping and gap assessment to security controls implementation, privacy notice design, breach response planning, and ongoing advisory support.

Our team combines deep knowledge of Indian regulatory frameworks with international standards including ISO 27001, GDPR, and PCI DSS, giving you a compliance programme that is locally compliant and globally aligned.

Ready to start your DPDP Act compliance journey? Contact Vedtam at vedtam.com/contact/ | info@vedtam.com | +91 98915 55588

Published by Vedtam Cybersecurity Team | Vedtam Tech Solutions, Ghaziabad, Uttar Pradesh, India
