India’s Digital Personal Data Protection Act (DPDPA)

Key principles, consent rules, and organizational readiness

India’s landmark Digital Personal Data Protection Act, 2023 (DPDPA) received presidential assent and was published in the Official Gazette on August 11, 2023. It regulates the processing of digital personal data (data collected in digital form, or collected offline and later digitized) within India, and it applies to any entity (a data fiduciary) that determines the purpose and means of processing such data.

Its extraterritorial scope is broad, and covers processing within India and processing abroad connected with offering goods or services to individuals in India. The Act introduces consent-based processing, individual rights, and regulatory mechanisms, elements familiar in global privacy laws, tailored to India’s context.

The DPDPA has been published in the Official Gazette, but its provisions come into force only on dates notified by the Central Government, and different provisions may be notified on different dates, so it will be operationalized in phases. At the time of writing no commencement date has been set, pending the appointment of the Data Protection Board and the issuance of detailed rules (expected within 6-12 months) that flesh out obligations and procedures.

Stakeholders are advised to start preparing now. The law carries substantial penalties (up to INR 500 million to 2.5 billion per instance depending on the obligation breached, approximately US$6-30 million) for noncompliance and represents an urgent mandate to integrate privacy into business operations.

Who’s covered under India’s DPDPA? Scope, key terms, and processing principles explained

While the DPDPA introduces foundational data protection principles, it lacks the concept of “special categories of data” like the GDPR’s sensitive personal data (e.g., health, biometric, sexual orientation). All personal data is treated uniformly; notably, any data made publicly available by the individual or required to be made public by law is wholly outside the law’s scope. This is broader than exemptions in many laws and means scraped social-media or directory data may escape the law if already “public,” though legal questions remain if such data ceases to be public after collection.

A data fiduciary, analogous to a GDPR controller, “determines the purposes and means” of processing, and bears the burden of compliance. By contrast, data processors (acting under a fiduciary’s instructions) have no direct obligations under the DPDPA; instead, fiduciaries must contractually bind processors to protect data.

Thus, unlike GDPR or CCPA, which impose some duties on processors, DPDPA focuses enforcement on the fiduciaries, who must, in turn, hold their vendors accountable.

The DPDPA codifies the standard fair-information principles. All processing must be lawful, fair, transparent, purpose-specific, and minimally invasive. Personal data must be collected only for clear purposes and not retained longer than needed. Data fiduciaries must implement reasonable security safeguards (technical and organizational) to prevent breaches and remain accountable for compliance, including for processing carried out on their behalf by processors.

DPDPA consent requirements: Lawful basis for processing personal data in India

A consent-oriented regime is at the core of the DPDPA, as it demands “free, specific, informed, unconditional and unambiguous” consent from individuals (data principals) before processing their personal data. Consent must be an affirmative act; pre-checked boxes or implied agreements are prohibited.

The rules (being finalized) are expected to require detailed consent “artefacts” so that every consent is granular, revocable, auditable, and logged. The Act also envisions “consent managers,” interoperable platforms or services that help individuals grant, manage, and withdraw consent across providers. This concept is unique to India’s law and emphasizes user control.

Additionally, consent is the primary lawful basis for processing. The DPDPA does not recognize many of the non-consent bases familiar to European law.

Aside from consent, the Act allows only a narrow list of “legitimate uses” (specific statutory or emergency purposes) without consent. These include situations where data is voluntarily shared and not objected to by the individual, compliance with court orders or law, employment necessities, and responses to natural disasters or epidemics.

No general legitimate interest or contract necessity grounds exist as in the GDPR. This consent-centric approach will challenge many organizations: in contexts like AI model training or large-scale analytics, it may be impractical to obtain individualized consent.

Data principal rights under India’s DPDPA: Access, correction, deletion, and redress

The DPDPA grants individuals rights largely similar to those in GDPR, but with some country-specific enhancements. Data principals can access, correct, or erase their data held by a fiduciary, and they may receive a copy of their information. The law also mandates notice; organizations must provide clear privacy policies and notices about how data is processed and protected.

Importantly, the law adds some distinctive rights: every data fiduciary must provide “readily available and effective means” of grievance redressal and publish the contact details of a person who can answer data principals’ questions, so that individuals have a practical route to complain. Individuals also gain the right to nominate a representative to exercise their rights after death or incapacity. These procedural rights reflect India’s emphasis on accessible redress.

Notably, there is no private right of action under the DPDPA; only the Data Protection Board can enforce penalties. However, data principals can register complaints with the Board or seek other prescribed remedies.

The rules will elaborate on how individuals can exercise rights (likely via online portals or forms) and what proof of identity is required. The expectation is that companies must be prepared to respond promptly to access, deletion, and consent-withdrawal requests under a tight timeline, a significant operational requirement.

DPDPA exemptions and special cases

The DPDPA provides several exemptions and carve-outs balancing privacy with other interests. Personal data processed by natural persons for purely personal or household purposes is out of scope. Personal data already made public by the individual or under a legal obligation is exempt.

Critically for innovation, Section 17(2)(b) explicitly exempts research, archiving, and statistical processing from the Act’s obligations, provided such processing meets government-prescribed standards and is not used for decisions about a specific individual. If rulemaking clarifies the standards, this could permit AI/ML research using large datasets, a boon for innovation.

But questions remain: who qualifies (academic institutions only or also private labs), and what technical/ethical guidelines will apply? Clear guidelines here will determine how “clean” personally identifiable data can be repurposed for research.

Children’s data is another focus. The Act defines a child as anyone under 18 and requires verifiable parental consent before a child’s data is processed; the government may prescribe the form that consent mechanism must take. Limited exemptions are possible for child protection or safety (e.g., blocking harmful content), but these are to be narrowly drawn. Detailed rules will specify how parents are verified and whether a lower age threshold applies for particular purposes or classes of fiduciary.

Importantly, the DPDPA grants broad government exemptions. The government can exempt its own instrumentalities from the Act on grounds of law enforcement, national security, and sovereign interests, and it can also exempt certain classes of data fiduciaries (e.g., startups) based on the volume and nature of the personal data they process. These open-ended powers have drawn criticism.

DPDPA security obligations explained: Data minimization, breach notifications, and governance standards

Security

The DPDPA restates and extends existing security obligations. Data fiduciaries must implement “reasonable security safeguards” to prevent personal data breaches, echoing Section 43A of the IT Act and its 2011 SPDI Rules (which pointed to ISO/IEC 27001 as a reference standard). The DPDPA provides a far more comprehensive framework than the IT Act’s patchwork approach, and once in force it omits Section 43A entirely, so the older security provision is superseded rather than merely redundant.

The new law also imposes data minimization. Businesses must delete personal data once its collection purpose has been served. This means organizations must inventory and classify data categories and set retention schedules, a nontrivial task for businesses with vast legacy data holdings.

Breach notification

On breaches, the Act requires mandatory notification to both the Data Protection Board and affected individuals whenever a personal data breach occurs, irrespective of scale.

The DPDPA does not specify a fixed timeline or harm threshold; these details await rulemaking. The expectation (per media reports) is a 72-hour-like timeline, but until the rules are out, fiduciaries should prepare for prompt notification in every case. Breach reports will need to follow the form and manner prescribed, covering the nature and impact of the breach.

Importantly, organizations should align DPDPA breach procedures with their other obligations so that one incident does not trigger conflicting processes. In particular, CERT-In’s April 2022 directions already require specified cyber incidents to be reported within six hours of noticing them, and sector regulators (telecom, financial) have their own timelines; DPDPA notification should be one more track run from the same incident-response playbook, with a single source of truth for the facts of the incident.

Accountability

Beyond breach reports, the DPDPA embeds accountability measures. Every fiduciary is responsible for compliance with the Act, including for processing done by its processors, and should maintain the documentation needed to demonstrate that compliance. Those designated as “Significant Data Fiduciaries” (SDFs), based on factors like volume and sensitivity of data, risk to data principals’ rights, and potential impact on India’s sovereignty, electoral democracy, security, or public order, face extra duties.

To see how these SDF obligations apply to AI and high-volume data platforms, read our breakdown of the DPDPA’s global and sector-specific implications.

SDFs must appoint a Data Protection Officer based in India who is answerable to the board or equivalent governing body, engage an independent data auditor, and conduct periodic Data Protection Impact Assessments (DPIAs) and audits.

These measures are aimed at high-volume tech firms, social platforms, and critical infrastructure providers, forcing them into a formal data governance posture.

The government can also ease or tighten obligations (even exempt whole classes like startups), so companies should watch for objective criteria in the rules.

When will DPDPA be enforced? Understanding the Board’s powers and what comes next

The Data Protection Board of India will be the DPDPA’s enforcement authority. It is empowered to investigate complaints, conduct inquiries, impose monetary penalties (up to INR 2.5 billion per instance), and direct urgent remedial or mitigation measures in the event of a personal data breach. After repeated penalties against the same fiduciary, the Board may advise the Central Government to block public access to that fiduciary’s service.

Until the Board is constituted, actual enforcement is on hold, a gap that firms should still close through proactive compliance. The forthcoming rules will set the precise procedures for registration, breach reporting, grievance redress, and penalties, so privacy teams should track them closely rather than wait for them.

Regulators have signaled a progressive but firm stance. Indian policymakers aim to align the DPDPA with global best practices while accommodating local needs. For example, a Finance Ministry advisory sees robust data protection as central to economic and national security interests.

At the same time, privacy must be balanced against transparency (the Right to Information Act) and state access to data (under the IT Act). The DPDPA amends Section 8(1)(j) of the RTI Act so that personal information is exempt from disclosure without the earlier public-interest balancing test, a change that has sparked debate.

DPDPA implementation: Compliance challenges and business readiness

Operationalizing the DPDPA will be a complex undertaking. Compliance must permeate the entire organization, from top leadership to frontline staff.

Companies should start by mapping all personal data flows to identify what data is collected, why, where it is stored, and to whom it is disclosed. Only with a complete inventory can firms apply the DPDPA’s rules to each data set (e.g., requiring new consents or erasing old data).

Existing policies and practices will need revision. Privacy notices will have to explicitly track India’s consent and data subject rights requirements. Global companies must check “policy deltas”: while the GDPR allows processing on legitimate interest or contracts, India’s law will often demand fresh consent instead, which means consent mechanisms may need redesign in India-specific ways. Firms should also implement or upgrade systems to record and log consent transactions, evidence that valid consent was obtained for every processing activity.
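The consent artefacts described earlier (granular, revocable, auditable, logged) and the consent-recording systems this paragraph calls for can be built as an append-only, hash-chained ledger. The following is an added example written for this page, not code from the article’s author or from any consent-manager product; the record layout, the `ConsentLedger` class, the pseudonymous `principal_id` values and the sample timestamps are all assumptions. It shows three things the text only states: consent is recorded per purpose (a wildcard purpose is rejected), a withdrawal takes effect from its own timestamp without retroactively invalidating earlier processing, and any later edit to a stored record is detectable.

```python
# Added example (not from the page or any product): purpose-specific,
# hash-chained consent ledger. Names and record layout are assumptions.
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import List

GENESIS_HASH = "0" * 64


@dataclass
class ConsentEvent:
    seq: int
    principal_id: str   # pseudonymous identifier of the data principal (assumed format)
    purpose: str        # one specific processing purpose, never a wildcard
    action: str         # "grant" or "withdraw"
    ts: int             # Unix time at which the principal acted
    prev_hash: str      # hash of the preceding event; chains the log
    hash: str = ""      # SHA-256 over every other field, filled in on append


def is_specific_purpose(purpose: str) -> bool:
    """Consent must be specific: reject empty or catch-all purposes."""
    p = purpose.strip().lower()
    return bool(p) and p not in ("*", "all", "any")


def event_hash(ev: ConsentEvent) -> str:
    """Canonical JSON of every field except the hash itself, then SHA-256."""
    body = asdict(ev)
    body.pop("hash")
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class ConsentLedger:
    """Append-only log of consent grants and withdrawals for a fiduciary."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    def _append(self, principal_id: str, purpose: str, action: str, ts: int) -> ConsentEvent:
        if not is_specific_purpose(purpose):
            raise ValueError("consent must be specific to a purpose")
        if self.events and ts < self.events[-1].ts:
            raise ValueError("events must be appended in time order")
        prev = self.events[-1].hash if self.events else GENESIS_HASH
        ev = ConsentEvent(len(self.events), principal_id, purpose, action, ts, prev)
        ev.hash = event_hash(ev)
        self.events.append(ev)
        return ev

    def grant(self, principal_id: str, purpose: str, ts: int) -> ConsentEvent:
        return self._append(principal_id, purpose, "grant", ts)

    def withdraw(self, principal_id: str, purpose: str, ts: int) -> ConsentEvent:
        return self._append(principal_id, purpose, "withdraw", ts)

    def is_permitted(self, principal_id: str, purpose: str, at_ts: int) -> bool:
        """Was processing for this purpose covered by consent at time at_ts?
        The latest grant/withdraw at or before at_ts decides; processing done
        before a withdrawal stays lawful."""
        state = False
        for ev in self.events:
            if ev.ts > at_ts:
                break  # events are in time order
            if ev.principal_id == principal_id and ev.purpose == purpose:
                state = ev.action == "grant"
        return state

    def evidence(self, principal_id: str, purpose: str) -> List[ConsentEvent]:
        """Auditable trail for one principal and purpose."""
        return [ev for ev in self.events
                if ev.principal_id == principal_id and ev.purpose == purpose]

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered record fails."""
        prev = GENESIS_HASH
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_hash != prev or event_hash(ev) != ev.hash:
                return False
            prev = ev.hash
        return True


if __name__ == "__main__":
    # Constructed sample: one principal grants two purposes, later withdraws one.
    ledger = ConsentLedger()
    ledger.grant("dp-001", "marketing", 1_700_000_000)
    ledger.grant("dp-001", "analytics", 1_700_000_100)
    ledger.withdraw("dp-001", "marketing", 1_700_000_500)
    print("marketing ok before withdrawal:", ledger.is_permitted("dp-001", "marketing", 1_700_000_200))
    print("marketing ok after withdrawal:", ledger.is_permitted("dp-001", "marketing", 1_700_000_600))
    print("chain intact:", ledger.verify())
```

In a real deployment the ledger would be persisted to write-once storage and its head hash periodically anchored somewhere the application cannot rewrite (a signed timestamp, a separate audit system), since the chain only proves consistency with its own head. The `is_permitted` check is what every processing path should consult before using the data, and `evidence` is what you hand to the Board or to the data principal when asked to show that valid consent existed.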

Contractual agreements will also require review. Data processing agreements must be amended so that fiduciaries can enforce DPDPA obligations on their vendors, even though the law only directly binds fiduciaries. For example, cloud or analytics providers may need new clauses on security standards, audit rights, breach notification, and data return or deletion. Aligning such contracts across the supply chain is crucial since fiduciaries remain liable for breaches by their processors.

Finally, organizations should invest in training and culture change. Given the DPDPA’s novel features (consent managers, no general legitimate-interest basis, nomination rights, etc.), employees will need education to handle data correctly. Companies may run simulation exercises for data breaches or rights requests, and ensure that even non-technical staff understand basic privacy tenets. Building privacy into day-to-day operations is not just legal risk mitigation; it is becoming a strategic imperative in India’s digital economy.

Turning privacy principles into business practice

The Digital Personal Data Protection Act signals India’s intent to build a modern privacy regime rooted in consent, transparency, and accountability. From redefining lawful data processing to mandating strong governance and breach preparedness, the DPDPA requires organizations to move beyond checkbox compliance and embrace a privacy-by-design mindset.

But foundational understanding is only the first step. Implementation will require organizations to rework contracts, overhaul consent flows, inventory their data, and instill a culture of privacy across teams and tools. With enforcement timelines still unfolding, now is the time to build the infrastructure—technical, procedural, and cultural—that ensures long-term compliance.

Next, explore the global dimensions of the DPDPA from its approach to cross-border data transfers and international applicability, to how it compares with GDPR and CCPA, and the critical role it plays in shaping India’s AI and cybersecurity future.
