The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive data protection legislation. It received Presidential assent in August 2023. The Act establishes rights for individuals whose personal data is processed, obligations for businesses that process that data, and a regulatory authority — the Data Protection Board of India — with significant penalty powers. Businesses that collect, store, process or share personal data of Indian residents — which covers virtually every business that has customers, employees or vendors — must understand their obligations under the DPDPA before its operational provisions are notified and enforcement begins.
Key DPDPA 2023 Compliance Steps
- Data mapping — identify what personal data you collect, from whom, for what purpose
- Consent mechanism — valid, free, informed, specific, unconditional consent required
- Privacy notice — clear, plain language notice before or at the time of data collection
- Data retention — personal data retained only as long as necessary for stated purpose
- Data principal rights — right to access, correction, erasure and grievance redressal
- Data breach — notification to the Board and data principals on breach
- Data processors — written agreements with processors handling your data
- Cross-border transfers — permitted only to notified countries
The Consent Framework
Section 6 of the DPDPA requires that personal data may be processed only for a lawful purpose, with the consent of the data principal (the individual whose data is being processed). Consent must be free — not conditional on providing data beyond what is necessary. It must be specific — for a clearly defined purpose, not omnibus consent covering undefined future uses. It must be informed — given after the data principal has received a clear privacy notice. It must be unconditional — the data principal cannot be compelled to consent as a precondition to receiving a service unless the data is necessary for that service. Consent can be withdrawn at any time and withdrawal must be as easy as giving consent. On withdrawal, processing must cease and data must be erased unless retention is required by law. Businesses must redesign consent flows to meet these standards — pre-ticked boxes, bundled consent and consent buried in terms and conditions do not satisfy the Act.
Legitimate Uses Without Consent
The Act recognises that certain processing activities do not require consent. These include: processing necessary for the State for providing subsidies, benefits and services; processing required under Indian law; processing necessary for responding to medical emergencies; processing for safety measures during disasters; and processing for employment-related purposes where the data principal is a job applicant or employee. These legitimate uses must be interpreted strictly — they do not provide a general escape from the consent requirement. Businesses must determine for each data processing activity whether consent is required or whether a legitimate use exception applies, and document this determination.
Data Principal Rights
Chapter III of the DPDPA creates rights for data principals. The right to access information: a data principal can request a summary of personal data being processed and information about Data Fiduciaries who have received that data. The right to correction and erasure: a data principal can request correction of inaccurate or misleading data, completion of incomplete data, and erasure of data no longer necessary for the purpose for which consent was given. The right to grievance redressal: every Data Fiduciary must establish a mechanism through which data principals can register grievances and receive responses within a defined period. The right to nominate: data principals can nominate another person to exercise their rights on their death or incapacity. Businesses must build these rights into their data management systems — not as an afterthought but as an operational capability.
Obligations of Data Fiduciaries
A Data Fiduciary — any entity that determines the purpose and means of processing personal data — must: ensure the accuracy of data collected; implement reasonable security safeguards to protect personal data from breach; notify the Data Protection Board of India and affected data principals in the event of a breach (the form, manner and timeline to be prescribed); retain data only as long as necessary for the stated purpose; establish a grievance redressal mechanism with a designated point of contact; and not process children's personal data without verifiable parental consent. Data Fiduciaries must appoint a Data Protection Officer if designated as a Significant Data Fiduciary by the Central Government. Data Fiduciaries must enter written agreements with Data Processors who process data on their behalf, ensuring the Processor processes data only as instructed.
Penalties
The Data Protection Board of India has the power to impose financial penalties after inquiry. The DPDPA prescribes specific penalties for specific defaults: failure to implement security safeguards — up to Rs. 250 crore; failure to notify the Board and data principals of a breach — up to Rs. 200 crore; failure to comply with Significant Data Fiduciary (SDF) obligations — up to Rs. 150 crore; failure to comply with obligations regarding children's data — up to Rs. 200 crore; and breach of any other provision — up to Rs. 50 crore. The Board must follow the principles of natural justice and respect the right to be heard before imposing penalties. Appeals from Board orders lie to the Telecom Disputes Settlement and Appellate Tribunal and thereafter to the Supreme Court of India.
Frequently Asked Questions
What is the maximum penalty under the DPDPA 2023?
The maximum penalty under the DPDPA 2023 is Rs. 250 crore for failure to take reasonable security safeguards to prevent personal data breaches. Rs. 200 crore applies for failure to notify the Board and affected data principals of a breach and for violations relating to children's data. Other penalties range from Rs. 10 crore to Rs. 150 crore depending on the nature of the default.
What is a Significant Data Fiduciary?
A Significant Data Fiduciary (SDF) is designated by the Central Government based on the volume and sensitivity of data processed, the risk to data principals' rights, and the impact on the sovereignty and integrity of India. SDFs face additional obligations: appointment of a DPO (based in India, reporting to the Board of Directors), an independent data auditor, and periodic data protection impact assessments. The categories of SDFs had not been notified at the time of publication.
Does the DPDPA apply to small businesses?
The DPDPA applies to all Data Fiduciaries who process digital personal data within India, regardless of size. There is no blanket small business exemption. The Central Government may exempt certain categories of Data Fiduciaries or personal data from specific provisions. Any business collecting personal data from customers, employees or vendors should assess its DPDPA compliance obligations.
