📚 Understanding India's DPDP Act — A Beginner's Guide
🎓 What Is It?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's principal law governing how digital personal data may be collected, stored, processed, and shared. Think of it as India's answer to the EU's GDPR, but tailored to the Indian legal and business context. It applies only to digital personal data (or non-digital data that is later digitised). The Act creates a new regulatory body — the Data Protection Board of India (DPBI) — to adjudicate complaints and impose penalties. The law is principles-based rather than prescriptive, meaning many operational details will be specified later through Rules notified by the Central Government.
👥 Who It Applies To
The DPDP Act applies to every person or entity (Data Fiduciary) that processes digital personal data of individuals located in India, regardless of where the processing happens. This includes: (1) Indian companies of any size — from startups to large conglomerates; (2) Foreign companies that offer goods or services to people in India or process their data; (3) Government bodies and agencies that process citizen data; (4) Non-profits and other organisations that handle personal data digitally. If your client's database contains personal data of anyone in India — a name, phone number, email, Aadhaar number, PAN, or bank details — the DPDP Act almost certainly applies.
🌐 Geographic Scope
The DPDP Act has extra-territorial application similar to GDPR. It applies to: (a) processing of digital personal data within India, whether the data was collected online or offline and later digitised; and (b) processing of digital personal data outside India if it relates to offering goods or services to Data Principals in India. However, it does NOT apply to personal data processed by an individual for personal or domestic purposes, or to data that has been made publicly available by the Data Principal or under any other law.
📅 Key Dates
The DPDP Act received Presidential Assent on 11 August 2023. However, the Act's provisions will come into force on dates notified by the Central Government, and the detailed Rules under the Act are still being drafted as of early 2025. The government has released draft Rules for public consultation. Companies should use this interim period to prepare — once Rules are notified and enforcement dates announced, there may be limited time for compliance. Industry experts expect phased enforcement beginning in 2025-2026.
🔄 Comparison with GDPR
The DPDP Act draws inspiration from GDPR but is a distinct law. Key similarities include: consent as a primary basis for processing, data principal rights (access, correction, erasure), data breach notification requirements, and significant financial penalties. Key differences include: DPDP is narrower in scope (only digital personal data), has fewer lawful bases for processing (consent and 'certain legitimate uses' vs GDPR's six), introduces Data Principal Duties (no equivalent in GDPR), creates the Consent Manager concept, sets the age of a child at 18 (vs 16 in GDPR), does NOT include a right to data portability, and uses a government-appointed Board rather than independent supervisory authorities. The penalty structure is also simpler — fixed maximum amounts per violation type rather than GDPR's percentage-of-turnover approach.
⚠ Penalties
📖 Key Terms Glossary
Data Principal
The individual to whom the personal data relates — the human being whose data is being processed. Equivalent to GDPR's 'Data Subject'. In the case of a child, the parent or lawful guardian acts as the Data Principal.
Example: A customer whose name, phone number, and delivery address are stored in your e-commerce database.
Data Fiduciary
Any person or entity (company, government body, individual) that alone or jointly determines the purpose and means of processing personal data. Equivalent to GDPR's 'Data Controller'. The term 'fiduciary' emphasises the trust-based relationship — the entity holds data in trust for the individual.
Example: An online food delivery company like Swiggy or Zomato that decides what customer data to collect and how to use it.
Significant Data Fiduciary (SDF)
A Data Fiduciary designated by the Central Government based on factors like volume of data processed, sensitivity of data, risk to Data Principal rights, potential impact on sovereignty, and risk to electoral democracy. SDFs have additional compliance obligations including appointing a DPO and conducting DPIAs.
Example: Large telecom operators, major banks, or social media platforms operating in India with millions of users.
Data Processor
Any person or entity that processes personal data on behalf of a Data Fiduciary. Unlike GDPR, the DPDP Act places primary obligations on the Data Fiduciary, who remains responsible for the Processor's actions. The Processor must act only on the Fiduciary's instructions.
Example: A cloud hosting provider like AWS India or a payroll processing company that handles employee data on behalf of the employer.
Consent Manager
A new concept unique to the DPDP Act — a registered entity (registered with the Data Protection Board) that acts as a single point of contact for Data Principals to give, manage, review, and withdraw consent. Think of it as a consent dashboard service provider. Must be an Indian company with specific technical and financial requirements.
Example: A consent management platform registered with the DPBI that lets users see which companies have their consent and revoke it with one click.
Data Protection Board of India (DPBI)
The adjudicatory body established under the DPDP Act to handle complaints, investigate breaches, and impose penalties. Unlike GDPR's Data Protection Authorities, the DPBI is not a regulator that issues guidance — it functions more like a tribunal. It operates as a digital office and proceedings are conducted virtually.
Example: When a Data Principal files a complaint that a company refused their erasure request, the DPBI adjudicates the dispute.
Personal Data
Any data about an individual who is identifiable by or in relation to such data. The DPDP Act applies only to digital personal data — data in digital form, or data collected in non-digital form and subsequently digitised.
Example: Name, email, phone number, Aadhaar number, PAN number, bank account details, medical records, location data stored digitally.
Processing
Any operation or set of operations performed on digital personal data. This includes collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction.
Example: Running a SQL query to pull customer records, storing user data in a data warehouse, or sending customer lists to a marketing vendor.
Consent
Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action. It must relate to a specific purpose stated in a notice. Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent.
Example: A user explicitly checking a checkbox saying 'I agree to share my name and email for order delivery purposes' after reading a clear notice.
Certain Legitimate Uses
The DPDP Act's alternative to consent-based processing — specific situations where personal data can be processed without explicit consent. These are narrower than GDPR's legitimate interests. Includes: voluntary sharing by the Data Principal, State functions, legal obligations, medical emergencies, employment purposes, and public interest.
Example: Processing an employee's PAN number to comply with Income Tax Act requirements — no separate consent needed because it is a legal obligation.
Data Protection Officer (DPO)
A senior officer appointed by a Significant Data Fiduciary to serve as the point of contact for the Data Protection Board and Data Principals. Must be based in India and represent the SDF before the Board. Unlike GDPR, DPO appointment is mandatory only for SDFs, not all organisations.
Example: A Vice President of Privacy & Compliance at a large Indian bank designated as SDF, who liaises with the DPBI.
Data Protection Impact Assessment (DPIA)
A formal assessment that Significant Data Fiduciaries must conduct periodically to evaluate the impact of their data processing activities on Data Principals' rights. The specific format and frequency will be prescribed in the Rules.
Example: An SDF-designated insurance company assessing the privacy risks of a new AI-based claims processing system that analyses customer health data.
Data Breach / Personal Data Breach
Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability.
Example: A hacker gains access to a customer database and downloads 100,000 records containing names, emails, and phone numbers.
Notice
A clear, plain-language communication that a Data Fiduciary must provide to the Data Principal before or at the time of collecting consent. Must include: description of personal data sought, purpose of processing, how to exercise rights, and how to file complaints.
Example: A pop-up on a website that clearly states: 'We collect your name and email to process your order. You can withdraw consent anytime at privacy@company.com.'
Child
Under the DPDP Act, any individual who has not completed 18 years of age. This is higher than GDPR's default of 16 years. Processing children's data requires verifiable parental consent and prohibits tracking, behavioural monitoring, and targeted advertising directed at children.
Example: A 17-year-old signing up for a social media platform — the company must obtain verifiable consent from the parent/guardian.
Verifiable Parental Consent
Consent obtained from the parent or lawful guardian of a child before processing the child's personal data. The method of verification must be reliable — the Rules will prescribe specific mechanisms. Simply asking a child to check a box saying they are 18 is NOT sufficient.
Example: Requiring a parent to authenticate via Aadhaar-based e-KYC or DigiLocker to verify their identity before consenting to their child's data being processed.
Voluntary Provision
One of the 'Certain Legitimate Uses' — when a Data Principal voluntarily provides their personal data to the Data Fiduciary for a specified purpose and has not indicated they do not consent. The burden of proof that sharing was voluntary lies with the Fiduciary.
Example: A customer willingly filling in their details on a hotel registration form at check-in for the purpose of their stay.
Cross-Border Data Transfer
Transfer of personal data to a location outside India. The DPDP Act permits transfers to all countries EXCEPT those specifically restricted by the Central Government through notification. This is a 'blacklist' approach (block specific countries) as opposed to GDPR's 'whitelist' approach (allow only approved countries).
Example: An Indian IT services company sending employee data to its US headquarters — permitted unless the US is on the restricted list (currently no countries are restricted).
Right to Erasure (Right to be Forgotten)
A Data Principal's right to request erasure of their personal data. Under DPDP, once consent is withdrawn and the specified purpose is no longer being served, the Data Fiduciary must erase the data (unless retention is required by law). Unlike GDPR, there is no need to approach a court or adjudicatory body.
Example: A customer who closes their e-commerce account requesting that all their personal data be deleted from the company's systems.
Grievance Redressal
Every Data Fiduciary must have a grievance redressal mechanism. Data Principals must first approach the Data Fiduciary's grievance officer before escalating to the Data Protection Board. The Fiduciary must respond within the time period prescribed in the Rules.
Example: A company publishing a 'Privacy Grievance Officer' email address on their website and responding to complaints within 30 days.
Exemptions (Section 17)
The Central Government can exempt certain Data Fiduciaries or classes of Data Fiduciaries from provisions of the Act in the interest of sovereignty, security of the state, friendly relations with foreign states, public order, or for research/statistical purposes. Startups and specific categories may also receive exemptions.
Example: Intelligence agencies processing personal data for national security purposes may be exempt from consent and notice requirements.
Deemed Consent
The term 'deemed consent' comes from the earlier draft of the law; the enacted DPDP Act replaced it with Section 7, 'Certain Legitimate Uses'. In the scenarios listed there, the Data Fiduciary does not need explicit opt-in consent but must still process the data only for the stated purpose.
Example: An employer processing employee data for salary payment as required under labour laws — deemed a legitimate use not requiring separate consent.
She-box / DPBI Portal
The Data Protection Board will operate digitally. Complaints, responses, hearings, and orders will all be handled through an online portal. This is part of India's 'Digital India' push to make regulatory processes accessible nationwide.
Example: A Data Principal in a remote village filing a complaint against a data breach through the DPBI's online portal from their smartphone.
Algorithmic Transparency (expected in Rules)
While the DPDP Act text does not explicitly mandate algorithmic transparency, the Rules are expected to address automated decision-making, especially for Significant Data Fiduciaries. Consultants should watch for these provisions.
Example: A bank using AI for loan approvals may need to explain to applicants how the algorithm uses their personal data to make decisions.
Data Retention Limitation
Personal data must not be retained beyond the period necessary for the specified purpose. Once the purpose is fulfilled and retention is not required by any other law, the Data Fiduciary must erase the data. This is similar to GDPR's storage limitation principle.
Example: An e-commerce company must delete a customer's delivery address after the order is fulfilled and the return window has closed, unless the customer has an active account.