Digital Personal Data Protection Act (DPDPA), India

India’s Digital Personal Data Protection Act, 2023 (DPDPA) is the nation’s first comprehensive privacy law, intended to address the problems of data privacy. It sets up a legal framework for safeguarding personal data in the digital world and holds both private and government entities accountable for violations.

What is DPDPA Compliance?

The DPDPA gives people legal rights over their personal data online, for instance the right to know how their personal data is used, to withdraw consent for its use, and to raise a complaint when the law is violated. The legislation treats companies that process individuals’ data as Data Fiduciaries, responsible for ensuring that the data is used in a transparent and lawful way. The law also establishes a new Data Protection Board of India to settle disputes and impose penalties.

The DPDPA, which adapts global best practices to India’s digital context, is a crucial milestone towards empowering individuals and holding organizations accountable in the field of data governance.

A PrivacyTru Consulting FAQ: Your Guide to India's DPDPA

Navigating India’s new data privacy landscape is the single most important compliance challenge for businesses today. The Digital Personal Data Protection Act (DPDPA), 2023, has fundamentally rewritten the rules for how you collect, use, and protect data.

At PrivacyTru Consulting, we know that compliance is not just a legal hurdle; it’s a business imperative. Achieving “in toto” (total) compliance goes far beyond a website banner; it requires a deep, operational transformation of your data governance practices.

We’ve prepared this guide to answer your most pressing questions and provide a clear path forward.

Section 1: The Basics (What Is It and Do We Need to Comply?)

The DPDPA is India’s first comprehensive, cross-sectoral law for the protection of digital personal data. It replaces the older, patchwork IT (SPDI) Rules, 2011 and establishes a new, trust-based framework. The SPDI Rules still apply for now; the DPDPA will replace them once it is fully implemented. It grants new rights to individuals (Data Principals) and imposes significant, high-stakes obligations on organizations (Data Fiduciaries) that process individuals’ data.

Q: Is the DPDPA in effect now?

This is the most critical question for businesses. The Act was passed in August 2023, but it is not yet in full effect.

Here’s the current status:

  • The Draft DPDPA Rules, 2025, which outline the specific “how-to” for compliance, were released for public consultation.
  • The government is now finalizing these rules.
  • The Act will be implemented in a phased manner. We expect the Data Protection Board (the enforcer) to be established first, followed by a transition period for businesses to come into compliance.

PrivacyTru Insight: The time to start is now. The rules are being finalized, and the penalties for non-compliance are severe. Building a total compliance program takes months, not weeks. Waiting for the final “go-live” date is a high-risk strategy.

Our team offers continuous support through services such as risk assessments, privacy impact reviews, Records of Processing Activities (ROPAs) and Data Protection Officer (DPO) representation, with an emphasis on responding promptly to regulatory requests and upholding the confidentiality and security of personal data. We also help get your company ready for changing legal requirements by preparing you for responsible AI use and governance.

By working with PrivacyTru, your organisation can demonstrate compliance, respond confidently to regulators, and build customer trust while reducing legal and reputational risks.

The DPDPA applies to any organization (a “Data Fiduciary”) that processes digital personal data in India. It also has extraterritorial reach, meaning it applies to your business even if you are not physically located in India if you process the data of individuals in India in connection with offering them goods or services.

Q: What data is covered? Is it only digital data?

The Act applies to “digital personal data.” This includes:

  • Data you collect in digital form (e.g., via a website form, app, or email).
  • Data you collect in non-digital (physical) form and then digitize (e.g., scanning a paper feedback form, digitizing a visitor logbook).

It does not apply to purely physical, non-digitized records.

Customers and organisations are more likely to engage with companies that value and protect their personal data, which increases trust and strengthens relationships. In addition to building trust, a robust privacy framework can make your company more attractive to international clients and consumers who expect you to follow stringent compliance guidelines. It improves your company’s standing in the marketplace by demonstrating that security and accountability are essential to you.

Q: Are there any exemptions?

Yes, there are several key exemptions. The Act does not apply to:

  • Data processed by an individual for any personal or domestic purpose.
  • Publicly available personal data (e.g., data a user posts on their public social media profile).
  • Data processing for research, archiving, or statistical purposes.

PrivacyTru Insight: The Act provides a “legitimate use” for processing employee data for employment purposes or to safeguard the employer. However, this is a legally ambiguous area. We strongly advise our clients against using this as a blank check for broad or intrusive employee monitoring, as it carries a high risk of being challenged.

We are a constantly evolving company, active in both regional and global forums. We aim to help you comply with your legal requirements, whatever your sector. You can reach out to us for further queries.

Section 2: Core Concepts (Understanding the Lingo)

This is the most important distinction in the Act.

  • Data Fiduciary: This is your organization. You are the “Data Fiduciary” if you, alone or with others, determine the “purpose and means” of processing. You hold the primary legal accountability for all compliance, even for breaches caused by your vendors.
  • Data Processor: This is any entity that processes data on behalf of a Fiduciary (e.g., your cloud provider, marketing platform, or payroll vendor). The Act places very few direct obligations on them, which is why your contract with them is so critical.

“Personal Data” is broadly defined as “any data about an individual who is identifiable by or in relation to such data.” This includes everything from names and phone numbers to IP addresses, cookie IDs, and location data.

Unlike the old rules or GDPR, the DPDPA does not create a separate, formal category for “Sensitive Personal Data.” However, the sensitivity of the data is a key factor the government will use to designate a “Significant Data Fiduciary.”

The government will designate certain Data Fiduciaries as “Significant” (SDFs) based on a risk-based assessment of factors such as:

  • The volume and sensitivity of the data you process.
  • The risk of harm to individuals.
  • Your potential impact on the sovereignty and integrity of India.
  • Risk to electoral democracy.
  • Threats to the security of the State.
  • Risk to public order.

If you are a large social media platform, e-commerce site, or process high volumes of financial or health data, you are at high risk of being designated as an SDF.

PrivacyTru Insight: This designation is not a fine; it’s a promotion to a higher class of compliance. SDFs have significant, costly extra obligations, which we detail in Section 5.

Section 3: Your "In Toto" Compliance Obligations

At PrivacyTru, we build your “in toto” compliance program around the DPDPA’s core principles. This is not just a “consent” issue; it’s a “governance” issue. You are responsible for:

  • Lawfulness, Consent & Transparency: Processing personal data only on a lawful basis (valid consent or a listed legitimate use) and after giving the individual a clear notice, so that individual rights are respected while necessary data use is allowed.
  • Purpose Limitation: Collecting data only for a specific, declared purpose and not using it for anything else without new consent.
  • Data Minimization: Collecting only the data that is necessary for that purpose.
  • Accuracy: Making reasonable efforts to ensure the data you use for decisions is accurate and complete.
  • Storage Limitation: Erasing data once the purpose is fulfilled or consent is withdrawn. You must have a data retention policy.
  • Integrity and Confidentiality (Security): Implementing “reasonable security safeguards” to prevent a data breach.
  • Accountability: This is the key principle. You are accountable for everything, including the actions of your Data Processors (vendors).

Consent is the primary legal basis. But the DPDPA provides a dual-ground model:

  1. Valid Consent: This is the default.
  2. Certain Legitimate Uses: A narrow, exhaustive list of situations where you can process data without consent (e.g., for employment, legal obligations, or when a user voluntarily provides data for a specific purpose like a home delivery).

PrivacyTru Insight: This is a major difference from GDPR. The DPDPA does not have a “Legitimate Interest” or “Performance of a Contract” basis. This lack of flexibility makes your consent-gathering process even more critical.

Q: Can we use pre-ticked consent boxes?

No, pre-ticked boxes are explicitly banned. To be valid, consent must be:

  • Free, specific, and informed.
  • Unambiguous with a “clear affirmative action” (e.g., the user must actively tick a box or click “I Agree”).
  • Given only after you provide a clear, plain-language notice.
  • As easy to withdraw as it was to give.

You are required to implement reasonable security safeguards to prevent a data breach. The draft rules provide clarity, pointing to measures such as:

  • Data Encryption
  • Access Controls
  • Monitoring and logging
  • De-identification (pseudonymization)

PrivacyTru Insight: “Reasonable” is not a fixed standard; it’s relative to the volume and sensitivity of your data. A breach that could have been prevented by standard security measures (like multi-factor authentication) will almost certainly be penalized. We help you conduct a risk assessment to define and implement the “reasonable” safeguards for your specific business.

The DPDPA mandates a dual-notification duty. You must notify:

  1. The Data Protection Board of India (DPB).
  2. Each affected Data Principal.

The draft rules suggest a 72-hour timeline for notifying the Board. Failure to notify carries a staggering penalty of up to ₹200 crore. A core service of PrivacyTru Consulting is developing your Incident Response Plan, so you are prepared to meet this tight deadline.

You (the Fiduciary) are 100% liable for any breach or violation committed by your Processor. The only way to manage this risk is through an iron-clad contract (a Data Processing Agreement or DPA). We help our clients conduct vendor due diligence and remediate their contracts to ensure their entire data supply chain is compliant.

Section 4: Managing Individual Rights

You must build operational workflows to fulfill these rights:

  • Right to Access Information: To get a summary of their data and who it’s been shared with.
  • Right to Correction and Erasure: To fix inaccurate data and have their data deleted.
  • Right of Grievance Redressal: The right to file a complaint with you.
  • Right to Nominate: A unique right to nominate someone to exercise their rights after their death or incapacity.

Q: How does grievance redressal work?

This is a mandatory, two-tiered system.

  1. You must provide a readily accessible “Grievance Redressal” mechanism (e.g., a dedicated officer and contact).
  2. A Data Principal must exhaust this option (i.e., complain to you) before they can escalate their complaint to the Data Protection Board.

PrivacyTru Insight: This is a huge opportunity. A robust, efficient, and fair grievance redressal system is your best defense. It allows you to solve problems before they become regulatory complaints. We help you design and implement this critical workflow.

Section 5: High-Risk Areas

Q: Is children’s data a high-risk area?

It is. The DPDPA defines a “child” as any individual under the age of 18. When processing their data, you must:

  1. Obtain verifiable parental consent.
  2. NOT process data in any way “likely to cause any detrimental effect.”
  3. NOT conduct any tracking, behavioral monitoring, or targeted advertising aimed at children.

This is a near-total ban on ad-tech and profiling for anyone under 18, and it requires a robust age-verification mechanism.

Q: What extra obligations apply to Significant Data Fiduciaries?

This is where “in toto” compliance becomes non-negotiable. As an SDF, you are required to:

  • Appoint a Data Protection Officer (DPO) based in India.
  • Appoint an Independent Data Auditor to conduct regular audits.
  • Conduct periodic Data Protection Impact Assessments (DPIAs).

PrivacyTru Consulting specializes in these high-level functions. We can act as your external DPO-as-a-Service and manage your independent audits and DPIAs from start to finish.

Q: Does the DPDPA change the rules for cross-border data transfers?

Yes, it’s a major change. The DPDPA uses a “blacklist” model (default-allow). This means you can transfer personal data to any country in the world, unless that country has been explicitly restricted (or “blacklisted”) by the Central Government.

PrivacyTru Strategic Insight: This operational flexibility comes with a significant strategic risk. A country can be blacklisted at any time for political or security reasons, not just for data protection reasons. We advise our clients to build architectural redundancy and avoid over-reliance on a single foreign jurisdiction for critical data processing.

Section 6: Enforcement & Penalties

The Data Protection Board of India (DPB), an independent adjudicatory body, will enforce the Act and impose penalties.

The penalties are severe and are designed to be a strong deterrent. They are tiered based on the specific violation:

Breach / Non-Compliance                                      Maximum Monetary Penalty (INR)
Failure to take “reasonable security safeguards”             Up to ₹250 crore
Failure to notify the Board or users of a data breach        Up to ₹200 crore
Breach of obligations related to children                    Up to ₹200 crore
Breach of SDF obligations                                    Up to ₹150 crore
Breach in duties of Data Fiduciary                           Up to ₹10,000
Breach of any voluntary undertaking made to the Board        In proportion to the seriousness of the breach
Breach of other general provisions (e.g., rights, notice)    Up to ₹50 crore

Section 7: The PrivacyTru Solution

Q: This sounds like more than an IT project. Is that right?

You are correct. This is not a task for your IT department alone. “In toto” DPDPA compliance is a business-wide program that touches legal, HR, marketing, and product development.

Q: Where should we start?

The best place to start is with a Data Privacy Audit (Data Mapping). You cannot protect what you don’t know you have.

We provide a structured, end-to-end service to make and keep you compliant. Our methodology includes:

  1. Data Privacy Audit & Gap Analysis: We map your entire data ecosystem to see what data you have, where it flows, and where your DPDPA gaps are.
  2. Governance & Policy Development: We draft your public-facing privacy policies, internal data retention schedules, and security policies.
  3. Consent & Rights Engineering: We work with your tech teams to design and implement compliant consent flows and the backend workflows to manage consumer rights (access, deletion, grievance).
  4. Vendor Risk Management: We conduct due diligence on your Data Processors and remediate your contracts to ensure you are legally protected.
  5. Breach & Incident Response: We develop and test your mandatory Incident Response Plan so you’re ready to meet the 72-hour notification deadline.
  6. SDF & DPO Services: For high-risk clients, we provide DPO-as-a-Service, conduct formal DPIAs, and manage your independent audits.
  7. “In Toto” Training: We train your entire organization, from marketing to HR, to build a lasting culture of privacy.

Don’t wait for the enforcement date. Contact a PrivacyTru Consulting expert today to schedule your DPDPA readiness assessment and build a data privacy program that creates trust and protects your business.
