
Digital Personal Data Protection Act

India’s DPDPA is a comprehensive data protection law that governs the processing of the digital personal data of Indian citizens. The DPDPA is expected to come into effect in 2024.

Does India’s DPDPA Apply to My Organization?

The DPDPA applies to the processing of digital personal data in India in the course of offering goods and services, and outside of India if the processing is connected with an activity relating to offering goods or services to Indian citizens.

Obligations under DPDPA

Appoint a DPO

The DPDPA requires organizations classified as significant data fiduciaries (e.g., controllers) to appoint a Data Protection Officer (DPO) who is located in India to represent the organization and address inquiries made by individuals about the processing of their personal data. The contact information of the DPO needs to be publicly available.

Conduct data protection impact assessments (DPIA) and compliance audits

Significant data fiduciaries must periodically conduct DPIAs to assess and manage the risk of personal data processing activities. Organizations must appoint an independent auditor to evaluate their compliance with the DPDPA.

Individual rights

Individuals have the following rights under the DPDPA with regard to their personal data: access; correction; and erasure.

Consent & transparency

Individuals must consent to processing in a way that clearly demonstrates their intent, and be able to easily revoke that consent at any time. Organizations must inform individuals about the processing of their personal data and how to exercise their rights before requesting their consent.

Security and incident response

The DPDPA requires all data fiduciaries to implement appropriate technical and organizational measures to protect personal data under their control, including data processed on their behalf by a data processor, and to notify the Data Protection Board and each affected individual in the event of a breach.

Grievance redressal

There must be an effective mechanism for individuals to raise concerns about the processing of their personal data and exercise their rights, including escalation to the Data Protection Board.




  • When does the DPDPA go into effect?

    Although the DPDPA has been enacted, it is not yet operational. No effective date or timeline for implementation has been established; however, it is expected to go into effect in 2024.

  • Does the DPDPA require personal data to be retained in India?

    The DPDPA does not provide specific data localization requirements. Data Fiduciaries can still be subject to sector-specific laws with requirements to localize certain categories of personal data.

  • What is the difference between a Data Fiduciary and a Significant Data Fiduciary?

    A Data Fiduciary is similar to a Data Controller under the GDPR – it refers to an organization that determines the purposes and means of processing personal data. The Indian Government may classify a Data Fiduciary as a Significant Data Fiduciary based on certain factors, such as the sensitivity and volume of data processed, and the impact of the processing on the sovereignty, security, and integrity of India. Significant Data Fiduciaries will have additional obligations under the DPDPA.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
