The Digital Personal Data Protection Act (DPDP Act), enacted by India's Parliament in August 2023, is the country's first comprehensive legislation governing personal data. It applies to any entity — Indian or foreign — that processes the personal data of individuals in India, regardless of where the processing takes place. The Act replaces the earlier IT Act provisions on data handling and brings India broadly in line with global frameworks like the GDPR, while reflecting the realities of India's digital economy and its large population of internet users.
Key Obligations
The DPDP Act establishes a consent-first framework. Data Fiduciaries (organisations that determine the purpose and means of processing) must obtain clear, informed, and specific consent before collecting personal data. Consent must be sought separately for each distinct purpose and cannot be bundled in lengthy terms and conditions that users are unlikely to read. Individuals — called Data Principals under the Act — have the right to access their data, correct inaccuracies, and withdraw consent at any time. Upon withdrawal, the fiduciary must stop processing and erase the data unless a legal obligation requires retention.
Significant Data Fiduciaries
The government may designate certain large or sensitive-data processors as Significant Data Fiduciaries (SDFs). SDFs face additional obligations including appointment of a Data Protection Officer, mandatory data impact assessments, and periodic audits. The threshold criteria (likely based on user volume and data sensitivity) are yet to be finalised in the implementing rules, but organisations processing health, financial, or children's data should plan for SDF status.
Penalties
The Act provides for a Data Protection Board with powers to investigate complaints and impose financial penalties. Breaches of consent obligations or data security requirements can attract penalties of up to ₹250 crore (approximately USD 30 million) per instance, with the highest penalties reserved for catastrophic data breaches affecting large numbers of Data Principals.
Common Compliance Steps
- Audit data flows to map all personal data collected, where it is stored, and how it is used.
- Update consent collection to be specific, granular, and revocable.
- Build mechanisms for Data Principals to access, correct, and delete their data.
- Implement data breach detection, response, and reporting procedures.
- Review contracts with data processors (vendors, cloud providers) to ensure sub-processing obligations are passed through.
How Dictode Can Help
Dictode works with Indian businesses and international companies processing Indian resident data to assess DPDP readiness, update data architecture, and implement the technical controls required for compliance. If you are uncertain about your obligations under the Act, contact our team for an initial review.