India has waited a long time for a comprehensive data protection law. For years, the country relied on a patchwork of provisions under the Information Technology Act 2000 and its amendments, supplemented by sector-specific guidelines from regulators like RBI and SEBI, to govern how personal data was collected, processed, and stored. That patchwork was always inadequate for the scale and complexity of India's digital economy. The Digital Personal Data Protection Act 2023 is the legislation that finally changes that.
Passed by Parliament in August 2023, the DPDPA represents the most significant shift in India's data governance landscape in over two decades. It creates a structured legal framework for the protection of digital personal data, establishes clear obligations for organizations that process such data, introduces meaningful penalties for non-compliance, and sets up an institutional enforcement mechanism in the form of the Data Protection Board of India.
For organizations operating in or serving India, the Act is not a distant regulatory concern. It is an active compliance obligation that is moving toward full enforcement as its implementing rules are finalized and the Data Protection Board becomes operational. The organizations that treat it seriously and build genuine compliance programs will be in a fundamentally stronger position than those waiting to see how enforcement develops before taking action.
This guide breaks down what the DPDPA actually requires, who it applies to, what the penalties look like, and what a credible compliance program needs to include.
The DPDPA applies to the processing of digital personal data in two scenarios. The first is where personal data is collected within India, whether online or digitized after being collected offline. The second is where personal data is processed outside India but relates to the profiling of individuals within India or the offering of goods and services to individuals in India.
This extraterritorial reach is significant. A foreign e-commerce platform selling to Indian consumers, a global SaaS company serving Indian enterprise customers, or an international employer with Indian employees all fall within the Act's scope if they process the digital personal data of individuals in India. The Act does not limit itself to Indian organizations. It follows the data.
The Act distinguishes between two primary categories of entities. A Data Fiduciary is any person, company, or organization that determines the purpose and means of processing personal data. A Data Processor is any entity that processes personal data on behalf of a Data Fiduciary. The primary compliance obligations under the Act fall on Data Fiduciaries, but Data Processors are not without obligation. They must process data only in accordance with the Data Fiduciary's instructions and must implement appropriate security measures.
The Act defines personal data as any data about an individual who is identifiable by or in relation to such data. This is a broad definition that covers names, contact details, financial information, health data, location data, device identifiers, behavioral data, and any other information that can be linked to a specific individual.
The Act does not create a separate category of sensitive personal data with heightened protections, as some earlier draft versions did. Instead, it applies a uniform set of obligations to all personal data, with the expectation that organizations will apply appropriate safeguards calibrated to the nature and sensitivity of the data they process.
The Act creates a special category called Significant Data Fiduciaries, which the central government can designate based on factors including the volume and sensitivity of data processed, the potential risk to data principals, the potential impact on national security and public order, and the risk to electoral democracy. Organizations designated as Significant Data Fiduciaries face additional obligations including the appointment of a Data Protection Officer based in India, the engagement of an independent data auditor, and the conduct of periodic Data Protection Impact Assessments.
The criteria for designation have not yet been fully specified in the implementing rules, but organizations processing large volumes of personal data or operating in sensitive sectors should assume that designation is a realistic possibility and prepare accordingly.
The DPDPA requires that personal data be processed only for a lawful purpose. The primary lawful basis under the Act is consent. A Data Fiduciary must obtain the consent of the Data Principal, the individual whose data is being processed, before processing their personal data. That consent must be free, specific, informed, unconditional, and unambiguous. It must be given through a clear affirmative action.
The Act also recognizes certain legitimate uses where consent is not required. These include processing necessary for the performance of a contract to which the Data Principal is a party, processing required for compliance with a legal obligation, processing necessary to respond to a medical emergency, processing for employment-related purposes, and processing for certain state functions. These legitimate uses are defined relatively narrowly, and organizations should not assume that business convenience qualifies as a legitimate use in the absence of consent.
The consent requirement has significant operational implications. Organizations must be able to demonstrate that valid consent was obtained for each processing purpose, that consent was as granular as the processing requires, and that records of consent are maintained and accessible. For organizations with large customer databases built over years without robust consent management infrastructure, this is a substantial implementation challenge.
Before seeking consent, a Data Fiduciary must provide the Data Principal with a notice in clear and plain language. That notice must describe the personal data to be collected, the purpose for which it will be processed, the manner in which the Data Principal can exercise their rights, and the procedure for making a complaint to the Data Protection Board.
The notice must be available in English and in any of the languages specified in the Eighth Schedule to the Constitution, effectively requiring organizations to provide notices in the regional languages relevant to their user base. For organizations with pan-India consumer footprints, this multilingual notice requirement is a non-trivial operational obligation.
The Act grants Data Principals a meaningful set of rights that Data Fiduciaries must be operationally prepared to honor. These include the right to access information about the personal data being processed and the processing activities, the right to correction and erasure of inaccurate or outdated personal data, the right to grievance redressal through a clear and accessible mechanism, and the right to nominate another individual to exercise their rights in the event of death or incapacity.
Critically, the Act requires Data Fiduciaries to respond to Data Principal rights requests in a timely manner. The implementing rules are expected to specify response timelines, but organizations should be designing their rights management processes now rather than waiting for the rules to prescribe the exact parameters.
The erasure right is particularly operationally complex for organizations whose data is distributed across multiple systems, some of which may be legacy platforms with limited data management capabilities. Building the technical infrastructure to locate, retrieve, correct, and delete personal data across all systems is a significant undertaking that requires early planning.
The Act requires that personal data be used only for the purpose for which consent was given or for which a legitimate use exists. Using data collected for one purpose to serve a different purpose without fresh consent is a violation of the Act. This purpose limitation requirement has direct implications for organizations that have historically used customer data collected for one service to cross-sell other products or to inform targeted advertising.
Data minimization, the principle that only the data necessary for the stated purpose should be collected, is embedded in the Act's framework. Organizations that collect broad categories of personal data on the basis that it might be useful in the future are not aligned with the Act's requirements. Data collection practices need to be reviewed against the purpose for which data is being collected and pruned accordingly.
The Act requires that personal data be retained only for as long as necessary to serve the purpose for which it was collected. Once that purpose is fulfilled and there is no legal obligation requiring retention, the data must be erased. This storage limitation requirement conflicts with the practices of many organizations that retain customer data indefinitely as a matter of course.
Building compliant data retention practices requires clear retention schedules that specify how long different categories of data are kept and why, automated or at least systematic erasure processes that implement those schedules consistently, and documentation that demonstrates compliance with retention obligations.
For organizations working through the operational complexity of DPDPA compliance, specialist support can significantly reduce the time and risk involved in building a credible program. Redfox Cybersecurity's GRC team works with organizations across sectors to navigate the DPDPA's requirements and build compliance programs that are both substantive and sustainable.
One of the areas where the DPDPA differs most significantly from frameworks like the GDPR is its approach to cross-border data transfers. Rather than establishing a detailed adequacy and transfer mechanism framework, the Act takes a principles-based approach. The central government has the authority to specify countries or territories to which personal data may not be transferred. Transfers to all other countries are permissible.
This approach gives the government significant flexibility to restrict transfers to specific jurisdictions on national security or public interest grounds while permitting the broad global data flows that India's technology sector depends on. The list of restricted countries has not yet been published, but organizations should monitor regulatory developments closely and build the flexibility to adapt their transfer practices if restrictions are imposed.
For multinational organizations with global data infrastructure, the DPDPA's transfer framework requires careful attention to where data relating to Indian individuals is stored and processed. Cloud infrastructure decisions, data replication arrangements, and offshore processing relationships all need to be reviewed against the Act's requirements and the government's evolving list of permitted and restricted destinations.
The Data Protection Board of India is the institutional centerpiece of the DPDPA's enforcement framework. It is an independent body with the power to receive and adjudicate complaints from Data Principals, inquire into alleged violations of the Act, and impose financial penalties on Data Fiduciaries and Data Processors found to be in breach.
The Board operates as a digital office, with proceedings conducted online and decisions published publicly. Appeals against the Board's decisions go to the Telecom Disputes Settlement and Appellate Tribunal, and further appeals from there to the High Court.
The DPDPA's penalty structure is significant enough to warrant careful attention from organizational leadership, not just compliance teams. The Act specifies penalties for different categories of violation, with the most serious violations attracting penalties of up to two hundred and fifty crore rupees, which is approximately thirty million US dollars at current exchange rates.
Specific penalty levels include up to two hundred and fifty crore rupees for failure to implement adequate security safeguards resulting in a personal data breach, up to two hundred crore rupees for failure to notify the Data Protection Board and affected Data Principals of a personal data breach, up to ten thousand rupees for violation of the obligations applicable to children's data, and varying amounts for other specific violations.
These are not administrative inconveniences. For mid-sized organizations, a penalty at the upper end of the scale represents a material financial event. For any organization, the reputational damage associated with a public Board determination of non-compliance is a significant additional consequence beyond the financial penalty.
The DPDPA creates specific obligations around the processing of personal data of children, defined as individuals below the age of eighteen. Data Fiduciaries must obtain verifiable parental consent before processing a child's personal data. They must not process children's data in a manner that is detrimental to the wellbeing of the child. And they must not conduct behavioral monitoring or targeted advertising directed at children.
The requirement for verifiable parental consent is operationally demanding. Organizations that operate consumer platforms accessible to minors need to implement age verification mechanisms and consent management processes that can reliably identify child users and obtain and record parental consent before processing their data.
The prohibition on behavioral monitoring and targeted advertising directed at children has direct implications for digital platforms, gaming companies, educational technology providers, and any other organization whose services are used by or marketed to individuals under eighteen.
While the Act does not prescribe specific age-appropriate design standards in the detail of some international frameworks, its prohibition on processing detrimental to child wellbeing and its restrictions on tracking and targeting create implicit design obligations for platforms used by children. Organizations in this space should be reviewing their product design, data collection practices, and advertising systems against the Act's child protection provisions as a matter of priority.
The foundation of any credible DPDPA compliance program is a comprehensive understanding of what personal data the organization holds, where it sits, how it flows, who has access to it, and for what purposes it is processed. This data mapping exercise is often the most time-consuming part of compliance preparation, particularly for organizations with complex data architectures, legacy systems, and data spread across multiple cloud environments and geographic locations.
The data map should capture the categories of personal data collected, the sources from which it is obtained, the purposes for which it is processed, the legal basis for each processing activity, the systems in which it is stored, the third parties with whom it is shared, and the countries to which it is transferred. This inventory becomes the foundation for all subsequent compliance work, including consent management design, retention schedule development, and rights management process design.
For most consumer-facing organizations, building compliant consent management infrastructure is the most operationally complex element of DPDPA compliance. This means designing consent mechanisms that meet the Act's requirements for specificity, clarity, and affirmative action, building the technical capability to record and timestamp consent, creating processes for managing consent withdrawal and its downstream consequences, and developing the multilingual notice capability required to reach India's diverse user base.
Organizations with existing consent management platforms should review their current configurations against the DPDPA's requirements and identify gaps. Organizations without such platforms need to evaluate whether to build or buy, and should factor the timeline for implementation into their compliance roadmap.
Data Principal rights requests need a defined operational response process. This means designating who receives and triages rights requests, establishing the technical capability to locate, retrieve, correct, and delete personal data across all relevant systems, defining response timelines and escalation paths, and maintaining records of requests and responses.
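The consent recording and withdrawal described above, the retention schedules with systematic erasure, and the erasure side of rights handling can all be reduced to a small ledger. The following Python block is an added example, not code from the original article or from Redfox Cybersecurity; the data categories, purposes, retention periods and record formats are illustrative assumptions, and the audit trail is a design choice for producing compliance evidence rather than anything the Act prescribes.

```python
# Added example (not from the original article or Redfox Cybersecurity): a minimal
# consent, retention and erasure ledger showing how purpose-bound consent with
# timestamps, consent withdrawal, storage limitation and erasure requests can be
# enforced in code. Categories, purposes and retention periods are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ConsentRecord:
    purpose: str                      # consent is recorded per purpose, not blanket
    given_at: datetime                # timestamp of the affirmative action
    withdrawn_at: Optional[datetime] = None


@dataclass
class PersonalRecord:
    principal_id: str
    category: str                     # assumed categories: "contact", "payment"
    purpose: str                      # the purpose the data was collected for
    collected_at: datetime


# Assumed retention schedule: how long each category is kept after collection.
RETENTION: Dict[str, timedelta] = {
    "contact": timedelta(days=365),
    "payment": timedelta(days=30),
}


class Ledger:
    def __init__(self) -> None:
        self.consents: Dict[str, List[ConsentRecord]] = {}
        self.records: List[PersonalRecord] = []
        # Audit trail kept as compliance evidence; holds only the principal id.
        self.audit: List[Tuple[datetime, str]] = []

    def record_consent(self, principal_id: str, purpose: str, at: datetime) -> None:
        self.consents.setdefault(principal_id, []).append(ConsentRecord(purpose, at))
        self.audit.append((at, f"consent given: {principal_id} / {purpose}"))

    def withdraw_consent(self, principal_id: str, purpose: str, at: datetime) -> None:
        for c in self.consents.get(principal_id, []):
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = at
        self.audit.append((at, f"consent withdrawn: {principal_id} / {purpose}"))

    def may_process(self, principal_id: str, purpose: str, at: datetime) -> bool:
        # Purpose limitation: only consent for this exact purpose, live at `at`, counts.
        return any(
            c.purpose == purpose and c.given_at <= at
            and (c.withdrawn_at is None or at < c.withdrawn_at)
            for c in self.consents.get(principal_id, [])
        )

    def store(self, record: PersonalRecord) -> None:
        # Refuse to hold data for a purpose the principal has not consented to.
        if not self.may_process(record.principal_id, record.purpose, record.collected_at):
            raise PermissionError(f"no consent for purpose {record.purpose!r}")
        self.records.append(record)

    def apply_retention(self, now: datetime) -> List[PersonalRecord]:
        # Storage limitation: erase records whose retention period has elapsed.
        expired = [r for r in self.records if r.collected_at + RETENTION[r.category] <= now]
        self.records = [r for r in self.records if r not in expired]
        for r in expired:
            self.audit.append((now, f"retention erasure: {r.principal_id} / {r.category}"))
        return expired

    def erase_principal(self, principal_id: str, now: datetime) -> int:
        # Erasure request: remove all of a principal's records and log the action.
        before = len(self.records)
        self.records = [r for r in self.records if r.principal_id != principal_id]
        erased = before - len(self.records)
        self.audit.append((now, f"erasure request: {principal_id} ({erased} records)"))
        return erased


def demo_scenario() -> dict:
    # Constructed scenario: one principal through consent, retention and erasure.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ledger = Ledger()
    ledger.record_consent("p1", "order_fulfilment", t0)
    ledger.store(PersonalRecord("p1", "payment", "order_fulfilment", t0))
    ledger.store(PersonalRecord("p1", "contact", "order_fulfilment", t0))
    try:
        ledger.store(PersonalRecord("p1", "contact", "marketing", t0))
        refused = False
    except PermissionError:
        refused = True
    out = {
        "fulfilment_ok": ledger.may_process("p1", "order_fulfilment", t0 + day),
        "marketing_ok": ledger.may_process("p1", "marketing", t0 + day),
        "marketing_store_refused": refused,
        "expired_after_31d": [r.category for r in ledger.apply_retention(t0 + 31 * day)],
    }
    ledger.withdraw_consent("p1", "order_fulfilment", t0 + 40 * day)
    out["ok_before_withdrawal"] = ledger.may_process("p1", "order_fulfilment", t0 + 39 * day)
    out["ok_after_withdrawal"] = ledger.may_process("p1", "order_fulfilment", t0 + 41 * day)
    out["erased"] = ledger.erase_principal("p1", t0 + 50 * day)
    out["remaining"] = len(ledger.records)
    out["audit_entries"] = len(ledger.audit)
    return out


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```

Two design points carry over to a real system: consent is keyed by purpose and checked at the moment of processing, so data collected for order fulfilment cannot silently be reused for marketing, and withdrawal is recorded as a timestamp rather than by deleting the consent entry, so the organization can later show what was permitted at any given time. The audit trail survives erasure on purpose: it records that the data existed and was removed, which is the evidence a regulator asks for, without retaining the personal data itself.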
The grievance redressal mechanism required by the Act needs to be accessible, well-publicized, and genuinely responsive. A mechanism that exists on paper but is practically difficult to use does not satisfy the Act's requirements and will generate complaints to the Data Protection Board from frustrated Data Principals.
The Act requires Data Fiduciaries to implement appropriate technical and organizational security measures to protect personal data. While the Act does not prescribe specific technical standards, the penalty structure for security failures resulting in breaches makes clear that the expectation is genuine, substantive security rather than minimal compliance.
Organizations should review their current security posture against recognized frameworks such as ISO 27001 and identify gaps that represent material risk under the DPDPA's breach notification and penalty provisions. Particular attention should be paid to access controls, encryption, vulnerability management, and the security of third-party access to personal data.
Breach response processes need to be designed specifically for DPDPA compliance, with defined notification timelines to the Data Protection Board and affected Data Principals, clear roles and responsibilities for breach response, and documentation practices that generate the evidence needed to demonstrate timely and appropriate response.
Every third party that processes personal data on behalf of the organization is a Data Processor under the Act, and the Data Fiduciary bears responsibility for ensuring that Data Processors meet the Act's requirements. This means reviewing data processing agreements with all relevant vendors, adding DPDPA-specific obligations including security requirements, breach notification timelines, and processing restrictions, and building the oversight mechanisms to monitor vendor compliance on an ongoing basis.
For organizations with large and complex vendor ecosystems, this is a substantial undertaking. A risk-based approach, focusing initial attention on vendors with access to the most sensitive or voluminous personal data, is a practical way to manage the scope.
DPDPA compliance needs to be embedded in organizational policy and practice, not just documented in legal agreements. This means updating privacy policies, data handling procedures, employee acceptable use policies, and HR data management practices to reflect the Act's requirements. It means training employees who handle personal data on their obligations and on the organization's specific compliance procedures. And it means building the governance structures that ensure ongoing compliance rather than a one-time implementation exercise.
Building a privacy-aware organizational culture takes time and sustained effort. Organizations that start early, before enforcement pressure peaks, have the opportunity to develop genuine capability rather than scrambling to demonstrate surface compliance under regulatory scrutiny.
For organizations at any stage of this journey, from initial gap assessment to full program implementation, Redfox Cybersecurity's GRC practice provides the expertise to accelerate progress and build compliance programs that are genuinely fit for the DPDPA's requirements.
The implementing rules under the DPDPA are still being finalized, and some organizations have interpreted this as permission to delay compliance preparation. This is a significant mistake. The Act's core obligations, including consent requirements, Data Principal rights, security safeguards, and breach notification, are established in the legislation itself. The rules will specify procedural details, but they will not change the fundamental compliance obligations that organizations need to build toward now.
Organizations that wait for the final rules before beginning compliance preparation will find themselves with inadequate time to implement the necessary changes before enforcement begins. Building compliance infrastructure takes time, particularly when it involves technical changes to data systems, redesign of consent mechanisms, and organizational change management.
The DPDPA applies to any organization that processes the digital personal data of individuals in India, regardless of size. There are provisions allowing the government to exempt certain classes of Data Fiduciaries from specific obligations, and startups may benefit from some operational flexibility in the rules. But the core framework applies broadly, and smaller organizations that handle personal data cannot assume they are outside its scope.
Many organizations have privacy policies that were drafted to satisfy earlier IT Act requirements or to meet GDPR standards for international users. These policies are unlikely to satisfy the DPDPA's specific requirements for notice content, language accessibility, and rights information. Existing policies should be reviewed against the Act's requirements and updated accordingly, rather than assumed to be adequate.
The Digital Personal Data Protection Act 2023 is not another regulatory framework to be managed at the margins of organizational attention. It is a fundamental shift in the legal landscape governing how personal data is handled in India, with enforcement mechanisms and penalty levels that make non-compliance a serious organizational risk.
The organizations that approach DPDPA compliance seriously, that invest in building genuine data governance infrastructure rather than superficial compliance theater, will emerge from this transition in a stronger position. They will have cleaner data practices, more trust from their customers, fewer vulnerabilities to breach-related liability, and the regulatory standing that a maturing enforcement environment rewards.
The ones that wait, that treat DPDPA as a legal technicality to be managed by updating a privacy policy and hoping for the best, are building exposure that will become increasingly difficult and expensive to address as enforcement matures.
India's data protection era has arrived. The compliance work that organizations do now will define their position in it for years to come.