Digital Personal Data Protection Act (DPDPA), India
India’s Digital Personal Data Protection Act, 2023 (DPDPA) is the nation’s first all-encompassing privacy law and is intended to address the problems of personal data privacy. It sets up a legal structure for safeguarding personal data in the online world and holds both private and government entities accountable for violations.
What is DPDPA Compliance?
The DPDPA gives people legal rights over their personal information online: for instance, the right to know how their personal data is used, to withdraw consent for its use, and to raise a complaint when the law is violated. The legislation requires the companies that handle individuals’ data to act as Data Fiduciaries, responsible for ensuring that the data is used in a clear and lawful way. The law also establishes a new Data Protection Board of India to settle disputes and oversee penalties.
The DPDPA, which incorporates global best practices customised to India’s digital situation, is a crucial milestone towards empowering individuals and enforcing accountability in the field of data governance.
A PrivacyTru Consulting FAQ: Your Guide to India's DPDPA
Navigating India’s new data privacy landscape is the single most important compliance challenge for businesses today. The Digital Personal Data Protection Act (DPDPA), 2023, has fundamentally rewritten the rules for how you collect, use, and protect data.
At PrivacyTru Consulting, we know that compliance is not just a legal hurdle; it’s a business imperative. Achieving “in toto” (total) compliance goes far beyond a website banner; it requires a deep, operational transformation of your data governance practices.
We’ve prepared this guide to answer your most pressing questions and provide a clear path forward.
Section 1: The Basics (What Is It and Do We Need to Comply?)
What is the Digital Personal Data Protection Act (DPDPA), 2023?
The DPDPA is India’s first comprehensive, cross-sectoral law for the protection of digital personal data. It replaces the older, patchwork SPDI Rules issued under the IT Rules (2011) and establishes a new, trust-based framework. The SPDI Rules still apply for now; the DPDPA will replace them once it is fully implemented. It grants new rights to individuals (Data Principals) and imposes significant, high-stakes obligations on organizations (Data Fiduciaries) that process individuals’ data.
Has the DPDPA taken effect? When is the enforcement deadline?
This is the most critical question for businesses. The Act was passed in August 2023, but it is not yet in full effect.
Here’s the current status:
The Draft DPDPA Rules, 2025, which outline the specific “how-to” for compliance, were released for public consultation on 3rd January 2025 and have now been finalised and notified by MeitY on 13th November 2025. The Rules set a phase-wise enforcement timeline.
The Act itself will likewise be implemented in a phased manner. The Data Protection Board (the enforcer) is to be established first, followed by a transition period for businesses to come into compliance. Affected organisations have 18 months to comply with the DPDP Act & Rules.
PrivacyTru Insight: The time to start is now. The rules are being finalised, and the penalties for non-compliance are severe. Building a total compliance program takes months, not weeks. Waiting for the last day (of the 18-month period) is a high-risk strategy.
Who does the DPDPA apply to? How do I know if it applies to my business?
The DPDPA applies to any organization (a “Data Fiduciary”) that processes digital personal data in India. It also has extraterritorial reach: it applies to your business even if you are not physically located in India, provided you process the data of individuals in India in connection with offering them goods or services.
What data is covered? Is it only digital data?
The Act applies to “digital personal data.” This includes:
- Data you collect in digital form (e.g., via a website form, app, or email).
- Data you collect in non-digital (physical) form and then digitize (e.g., scanning a paper feedback form, digitizing a visitor logbook).
It does not apply to purely physical, non-digitized records.
Customers and organisations are more likely to engage with companies that value and protect their personal data, which increases trust and strengthens relationships. In addition to building trust, a robust privacy framework can make your company more attractive to international clients and consumers who expect you to follow stringent compliance guidelines. It improves your company’s standing in the marketplace by demonstrating that security and accountability matter to you.
Are there any major exemptions? What about our employee or B2B data?
Yes, there are several key exemptions. The Act does not apply to:
- Data processed by an individual for any personal or domestic purpose.
- Publicly available personal data (e.g., data a user posts on their public social media profile).
- Data processing for research, archiving, or statistical purposes.
- Exemptions for specific fiduciaries like healthcare providers, allied health professionals, educational institutions, childcare/crèche operators, and child-transport service providers: each only to the extent required for the child’s health, safety, or education.
PrivacyTru Insight: The Act provides a “legitimate use” for processing employee data for employment purposes or to safeguard the employer. However, this is a legally ambiguous area. We strongly advise our clients against using this as a blank check for broad or intrusive employee monitoring, as it carries a high risk of being challenged.
Section 2: Core Concepts (Understanding the Lingo)
What is a "Data Fiduciary," and what is a "Data Processor"?
This is the most important distinction in the Act.
- Data Fiduciary: This is your organization. You are the “Data Fiduciary” if you, alone or with others, determine the “purpose and means” of processing. You hold the primary legal accountability for all compliance, even for breaches caused by your vendors.
- Data Processor: This is any entity that processes data on behalf of a Fiduciary (e.g., your cloud provider, marketing platform, or payroll vendor). The Act places very few direct obligations on them, which is why your contract with them is so critical.
What is "Personal Data"? Is "Sensitive Personal Data" still a category?
“Personal Data” is broadly defined as “any data about an individual who is identifiable by or in relation to such data.” This includes everything from names and phone numbers to IP addresses, cookie IDs, and location data.
Unlike the old rules or GDPR, the DPDPA does not create a separate, formal category for “Sensitive Personal Data.” However, the sensitivity of the data is a key factor the government will use to designate a “Significant Data Fiduciary.”
What is a "Significant Data Fiduciary (SDF)," and how do I know if I am one?
The government will designate certain Data Fiduciaries as “Significant” based on a risk-based assessment of factors like:
- The volume and sensitivity of the data you process.
- The risk of harm to individuals.
- Potential impact on the sovereignty and integrity of India.
- Risk to electoral democracy.
- Threat to the security of the State.
- Risk to public order.
If you are a large social media platform, e-commerce site, or online gaming platform, or you process high volumes of financial or health data, you are at high risk of being designated as an SDF.
PrivacyTru Insight: This designation is not a fine; it’s a promotion to a higher class of compliance. SDFs have significant, costly extra obligations, which we detail in Section 5.
Section 3: Your "In Toto" Compliance Obligations
What are our main obligations as a "Data Fiduciary"?
At PrivacyTru, we build your “in toto” compliance program around the DPDPA’s core principles. This is not just a “consent” issue; it’s a “governance” issue. You are responsible for:
- Lawfulness, Consent & Transparency: Personal data processing is done in a manner that recognizes individual rights while allowing for necessary data use.
- Purpose Limitation: Collecting data only for a specific, declared purpose and not using it for anything else without new consent.
- Data Minimization: Collecting only the data that is necessary for that purpose.
- Accuracy: Making reasonable efforts to ensure the data you use for decisions is accurate and complete.
- Storage Limitation: Erasing data once the purpose is fulfilled or consent is withdrawn. You must have a data retention policy.
- Integrity and Confidentiality (Security): Implementing “reasonable security safeguards” to prevent a data breach.
- Accountability: This is the key principle. You are accountable for everything, including the actions of your Data Processors (vendors).
I thought the DPDPA was all about consent. Is that our only legal basis?
Consent is the primary legal basis. But the DPDPA provides a dual-ground model:
- Valid Consent: This is the default.
- Certain Legitimate Uses: A narrow, exhaustive list of situations where you can process data without consent (e.g., for employment, legal obligations, or when a user voluntarily provides data for a specific purpose like a home delivery).
PrivacyTru Insight: This is a major difference from GDPR. The DPDPA does not have a “Legitimate Interest” or “Performance of a Contract” basis. This lack of flexibility makes your consent-gathering process even more critical.
What counts as "valid consent"? Are pre-ticked boxes okay?
No, pre-ticked boxes are explicitly banned. To be valid, consent must be:
- Free, specific, and informed.
- Unambiguous with a “clear affirmative action” (e.g., the user must actively tick a box or click “I Agree”).
- Given only after you provide a clear, plain-language notice.
- As easy to withdraw as it was to give.
What are our responsibilities for data security? What does "reasonable" mean?
“Reasonable” does not mean the highest possible level of security.
It means appropriate, proportionate, and industry-aligned safeguards based on the risks involved.
You are required to implement reasonable security safeguards to prevent data breaches. The Rules give concrete direction: as a Data Fiduciary, you must protect all personal data you control or process (including data handled by a Data Processor) by implementing reasonable security safeguards that prevent personal data breaches. These safeguards include:
- Data Protection Measures: Encrypting, masking, obfuscating, or tokenising personal data.
- Access Control: Restricting access to computer systems and data to authorised users only.
- Monitoring & Logging:
  - Maintaining logs of access to personal data.
  - Monitoring and reviewing logs to detect unauthorised access.
  - Investigating breaches and taking remediation steps to prevent recurrence.
- Business Continuity & Backups: Ensuring processing can continue even if data is lost, destroyed, or compromised. Using backups or alternative processing mechanisms.
- Retention for Incident Detection: Keeping logs and related personal data for at least one year to support investigation and prevention of future incidents.
- Contractual Safeguards: Including security-related obligations in contracts with Data Processors.
- Technical & Organisational Measures: Maintaining policies, processes, and controls to ensure effective security.
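One way to operationalise three of the safeguards above (access restricted to authorised users, review of access logs to detect unauthorised access, and one-year log retention), as an added example that is not PrivacyTru’s code or text from the Rules; the log format, data-store names and allow-list are constructed assumptions:

```python
# Added example (not PrivacyTru's or the Rules' text): minimal access-log review
# for personal-data stores covering three safeguards listed above: access limited to
# authorised users, log review to detect unauthorised access, one-year log retention.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical access-control list (constructed): which accounts may use which
# store. A store missing from the map is closed to everyone.
AUTHORISED: dict[str, set[str]] = {
    "payroll_db": {"hr-admin", "payroll-svc"},
    "customer_pii": {"support-lead", "crm-svc"},
}
MIN_LOG_RETENTION = timedelta(days=365)  # "at least one year" per the Rules

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    store: str
    action: str
    record_id: str

def iso(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. 2025-11-20T09:00:00+00:00."""
    return datetime.fromisoformat(s)

def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line: '<timestamp> <user> <store> <action> <record>'."""
    ts, user, store, action, record_id = line.split()
    return AccessEvent(iso(ts), user, store, action, record_id)

def unauthorised_access(lines: list[str]) -> list[AccessEvent]:
    """Log review: every event whose user is not on the allow-list for that store."""
    return [e for e in map(parse_line, lines)
            if e.user not in AUTHORISED.get(e.store, set())]

def retention_covered(oldest_kept: datetime, now: datetime) -> bool:
    """True if retained logs reach back at least MIN_LOG_RETENTION from `now`."""
    return now - oldest_kept >= MIN_LOG_RETENTION

def purge_candidates(lines: list[str], now: datetime) -> list[AccessEvent]:
    """Events old enough to purge without breaching the one-year minimum."""
    return [e for e in map(parse_line, lines) if now - e.ts >= MIN_LOG_RETENTION]

# Constructed sample log lines; users, stores and record ids are invented.
SAMPLE_LOG = [
    "2025-11-20T09:00:00+00:00 hr-admin payroll_db READ emp-1042",
    "2025-11-20T09:05:00+00:00 crm-svc customer_pii UPDATE cust-7781",
    "2025-11-20T09:07:00+00:00 intern-3 customer_pii EXPORT cust-7781",
    "2025-11-20T09:10:00+00:00 payroll-svc payroll_db READ emp-1042",
    "2025-11-20T09:12:00+00:00 hr-admin customer_pii READ cust-0001",
]

if __name__ == "__main__":
    for e in unauthorised_access(SAMPLE_LOG):
        print(f"ALERT {e.ts.isoformat()} {e.user} {e.action} {e.store}/{e.record_id}")
```

Running the block flags the intern’s export and the HR admin’s read of the customer store, since neither account is on that store’s allow-list; a retention check before any log purge keeps the one-year window intact.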
PrivacyTru Insight: “Reasonable” is not a fixed standard; it’s relative to the volume and sensitivity of your data. Reasonable = adequate to prevent foreseeable threats, aligned with best practices, and proportionate to the data sensitivity and processing risks.
A breach that could have been prevented by standard security measures (like multi-factor authentication) will almost certainly be penalised. We help you conduct a risk assessment to define and implement the “reasonable” safeguards for your specific business.
What do we do if we have a data breach?
The DPDPA mandates a dual-notification duty. You must notify:
- The Data Protection Board of India (DPB)
- Each affected Data Principal
The notice of a data breach must contain:
- Description of the breach (nature, extent, timing).
- Consequences / broad facts regarding the breach.
- Measures implemented or being implemented to mitigate risk.
- Remedial actions/measures taken to prevent recurrence.
- Safety steps the Data Principal may take to protect themselves.
- Business contact information of the responsible person for queries.
- Findings on the person who caused the breach.
- Report on intimations/notifications sent to affected Data Principals.
The Rules suggest a 72-hour timeline for notifying the Board. Failure to notify carries a staggering penalty of up to ₹200 crore. A core service of PrivacyTru Consulting is developing your Incident Response Plan, so you are prepared to meet this tight deadline.
What are our obligations for our vendors (Data Processors)?
You (the Fiduciary) are 100% liable for any breach or violation committed by your Processor. The only way to manage this risk is through an iron-clad contract (a Data Processing Agreement or DPA). We help our clients conduct vendor due diligence and remediate their contracts to ensure their entire data supply chain is compliant.
Section 4: Managing Individual Rights
What rights do our customers ("Data Principals") have?
You must build operational workflows to fulfill these rights:
- Right to Access Information: To get a summary of their data and who it’s been shared with.
- Right to Correction and Erasure: To fix inaccurate data and have their data deleted.
- Right of Grievance Redressal: The right to file a complaint with you.
- Right to Nominate: A unique right to nominate someone to exercise their rights after their death or incapacity.
How do we handle customer complaints? What is "grievance redressal"?
This is a mandatory, two-tiered system.
- You must provide a readily accessible “Grievance Redressal” mechanism (e.g., a dedicated officer and contact). You must implement proper technical and organisational measures to ensure that grievances from Data Principals are handled effectively and within the prescribed timelines.
- Data Fiduciaries must publish their grievance-redressal mechanism on their website/app within 90 days, and a Data Principal must exhaust this option (i.e., complain to you) before they can escalate their complaint to the Data Protection Board.
PrivacyTru Insight: This is a huge opportunity. A robust, efficient, and fair grievance redressal system is your best defense. It enables you to resolve issues before they escalate into regulatory complaints. We help you design and implement this critical workflow.
Section 5: High-Risk Areas
What are the rules for processing children's data? This "under 18" rule seems strict.
It is. Both the DPDPA and the DPDP Rules define a “child” as any individual under the age of 18. Before processing a child’s personal data, a Data Fiduciary must:
- Obtain verifiable parental consent, using appropriate technical and organisational measures.
- Verify that the person giving consent is indeed the parent and is an identifiable adult, by checking reliable details of identity and age.
- This verification may be done using:
  - identity and age information already available with the Data Fiduciary, or
  - identity and age details voluntarily provided by the individual or through a virtual token issued by an authorised entity.
- The Data Fiduciary must also exercise due diligence to ensure the correctness of the parent’s identity.
If we are designated an SDF, what extra work do we have to do?
This is where “in toto” compliance becomes non-negotiable. As an SDF, you are required to:
- Appoint a Data Protection Officer (DPO) based in India.
- Appoint an independent Data Auditor to conduct a Data Protection Impact Assessment (DPIA) and audit every 12 months.
- Conduct periodic Data Protection Impact Assessments (DPIAs) and ensure the audit report is furnished to the Board.
- Ensure due diligence for all technical measures and algorithmic software used for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating, or sharing personal data so that they do not pose risks to Data Principals.
- Ensure that any personal data specified by the Central Government (based on committee recommendations) is processed only within India and that related traffic data is not transferred outside India.
PrivacyTru Consulting specialises in these high-level functions. We can act as your external DPO-as-a-Service, managing your independent audits and DPIAs from start to finish.
How does the DPDPA handle international data transfers? Is it easier than GDPR?
Yes, it’s a major change. Under the DPDP Act, personal data may be transferred outside India, but only in accordance with any requirements or restrictions specified by the Central Government through general or special orders. This follows a “default-allow, government-restricted” (blacklist) model: cross-border transfers are generally permitted unless the Central Government restricts transfer to a specific foreign State or to an entity controlled by such State. Data Fiduciaries must ensure full compliance with any government-issued conditions before making such data available outside India.
PrivacyTru Strategic Insight: This operational flexibility comes with a significant strategic risk. A country can be blacklisted at any time for political or security reasons, not just for data protection reasons. We advise our clients to build architectural redundancy and avoid over-reliance on a single foreign jurisdiction for critical data processing.
Section 6: Enforcement & Penalties
Who enforces the DPDPA, and what are the penalties?
The Data Protection Board of India (DPB), an independent adjudicatory body, will enforce the Act and impose penalties.
The penalties are severe and are designed to be a strong deterrent. They are tiered based on the specific violation:
| Breach / Non-Compliance | Maximum Monetary Penalty (INR) |
| --- | --- |
| Failure to take “reasonable security safeguards” | Up to ₹250 crore |
| Failure to notify the Board or users of a data breach | Up to ₹200 crore |
| Breach of obligations related to children | Up to ₹200 crore |
| Breach of SDF obligations | Up to ₹150 crore |
| Breach in duties of Data Fiduciary | Up to ₹10,000 |
| Breach of any voluntary undertaking made to the Board | In proportion to the seriousness of the breach |
| Breach of other general provisions (e.g., rights, notice) | Up to ₹50 crore |
Section 7: The PrivacyTru Solution
This is far more than a website banner. Where do we even start?
You are correct. This is not a task for your IT department alone. “In toto” DPDPA compliance is a business-wide program that touches legal, HR, marketing, and product development.
The best place to start is with a Data Privacy Audit (Data Mapping). You cannot protect what you don’t know you have.
How can PrivacyTru Consulting help us achieve "in toto" DPDPA compliance?
We provide a structured, end-to-end service to make and keep you compliant. Our methodology includes:
- (I) Data Privacy Audit & Gap Analysis: We map your entire data ecosystem to see what data you have, where it flows, and where your DPDPA gaps are.
- (II) Governance & Policy Development: We draft your public-facing privacy policies, internal data retention schedules, and security policies.
- (III) Consent & Rights Engineering: We work with your tech teams to design and implement compliant consent flows and the backend workflows to manage consumer rights (access, deletion, grievance).
- (IV) Vendor Risk Management: We conduct due diligence on your Data Processors and remediate your contracts to ensure you are legally protected.
- (V) Breach & Incident Response: We develop and test your mandatory Incident Response Plan so you’re ready to meet the 72-hour notification deadline.
- (VI) SDF & DPO Services: For high-risk clients, we provide DPO-as-a-Service, conduct formal DPIAs, and manage your independent audits.
- (VII) “In Toto” Training: We train your entire organization, from marketing to HR, to build a lasting culture of privacy.
Don’t wait for the enforcement date. Contact a PrivacyTru Consulting expert today to schedule your DPDPA readiness assessment and build a data privacy program that creates trust and protects your business.
Need a Custom Solution?
Schedule Your Free Strategic Consultation.
