What is the DPDPA 2023? India's Data Protection Law Explained

Crewtec Security Team · 12 August 2024

India’s Digital Personal Data Protection Act 2023 (DPDPA) came into force on 11 August 2023 when it received Presidential assent. It is the country’s first comprehensive data privacy law — replacing the patchwork of IT Act provisions that governed data handling since 2000.

If your organisation collects, processes, or stores personal data of Indian residents, DPDPA applies to you. This guide explains what the law requires, which organisations are most at risk, and what compliance looks like in practice.

What is the DPDPA 2023?

The Digital Personal Data Protection Act 2023 (Act No. 22 of 2023) establishes legal obligations for any entity that processes the personal data of individuals in India — whether you are an Indian company or a foreign company targeting Indian users.

The Act is built around a simple principle: individuals have a right to know how their personal data is used, and organisations must obtain meaningful consent before using it.

Key definitions:

  • Personal data: Any data that can identify an individual — name, email, phone number, Aadhaar number, location, IP address, and more
  • Data Fiduciary: The organisation that determines the purpose and means of processing personal data (equivalent to “data controller” under GDPR)
  • Data Principal: The individual whose personal data is being processed (the “data subject”)
  • Significant Data Fiduciary (SDF): A category of higher-risk organisations subject to additional obligations, to be notified by the government

Who Does DPDPA Apply To?

The Act applies to:

  1. Any entity in India that processes personal data of individuals in India
  2. Foreign entities that process personal data of individuals in India in connection with offering goods or services to them

Exemptions include:

  • Personal or domestic use
  • Journalistic, research, archival, or statistical purposes (subject to conditions)
  • Certain government processing for national security and law enforcement

In practice, DPDPA applies to virtually every B2C and B2B company operating in India — banks, hospitals, e-commerce platforms, SaaS companies, HR software providers, and more.

Key Obligations Under DPDPA

1. Consent

You must obtain free, specific, informed, unconditional, and unambiguous consent before processing personal data. Consent must be obtained through a clear notice that explains:

  • What data is being collected
  • The purpose of processing
  • The individual’s rights
  • How to withdraw consent

Pre-ticked checkboxes, bundled consent, or vague “by using our service you agree” clauses are not valid under DPDPA.

2. Notice

Before or at the time of collecting personal data, you must provide a notice to the Data Principal in clear, plain language (and in all 22 scheduled languages if requested).

The notice must describe:

  • The personal data to be processed
  • The purpose of processing
  • The manner in which the Data Principal may exercise their rights
  • How to make a complaint to the Data Protection Board

3. Purpose Limitation

Personal data may only be processed for the purpose specified in the consent notice. You cannot collect data “just in case” or repurpose it for secondary uses without fresh consent.

4. Data Principal Rights

The Act grants individuals the following rights:

Right                        | What it means
Right to Information         | Know what personal data you hold about them
Right to Correction          | Request correction of inaccurate data
Right to Erasure             | Request deletion of personal data when the purpose is served
Right to Grievance Redressal | Make complaints to the Data Fiduciary
Right to Nominate            | Nominate someone to exercise rights on death or incapacity

5. Data Fiduciary Obligations

As a Data Fiduciary, you must:

  • Implement reasonable security safeguards to prevent personal data breaches
  • Notify the Data Protection Board and affected individuals of any personal data breach as soon as possible
  • Erase personal data when the purpose is served and retention is no longer necessary
  • Ensure accuracy of personal data you hold
  • Not retain personal data beyond the specified purpose

6. Significant Data Fiduciaries (SDFs)

The government will notify certain organisations as Significant Data Fiduciaries based on the volume and sensitivity of personal data processed, potential risk to Data Principals, and national security implications.

SDFs face additional obligations:

  • Appointment of a Data Protection Officer (DPO) based in India
  • Appointment of an independent Data Auditor
  • Conduct of periodic Data Protection Impact Assessments (DPIAs)
  • Prohibition on processing personal data of children for tracking or behavioural monitoring

Penalties Under DPDPA

The DPDPA introduces significant financial penalties enforced by the Data Protection Board of India:

Violation                                              | Maximum Penalty
Failure to implement adequate security safeguards      | ₹250 crore
Failure to notify breach to Data Protection Board      | ₹200 crore
Breach of obligations related to children’s data       | ₹200 crore
Non-compliance with Board’s orders                     | ₹150 crore
Other violations                                       | ₹50 crore

Unlike GDPR (which calculates fines as a percentage of global revenue), DPDPA sets fixed monetary caps. For many Indian SMEs, ₹50–250 crore penalties are existential.

How DPDPA Compares to GDPR

Aspect                      | DPDPA 2023                                            | GDPR
Applies to                  | Indian residents’ data                                | EU residents’ data
Legal bases for processing  | Consent + legitimate uses                             | Consent + 5 other lawful bases
Breach notification         | As soon as possible (no 72-hour window specified yet) | Within 72 hours
Right to data portability   | Not included                                          | Included
Cross-border transfers      | Whitelisted countries (to be notified)                | Adequacy decisions / SCCs
Penalty basis               | Fixed cap (up to ₹250 crore)                          | % of global revenue (up to 4%)

Steps to Comply with DPDPA

Compliance is not a one-time checkbox — it requires building data protection into your processes. Here is a practical starting point:

Step 1: Data Mapping

Identify all personal data your organisation collects, where it is stored, who processes it, and for what purpose. You cannot protect data you cannot locate.

Step 2: Consent Audit

Audit all consent mechanisms — registration forms, cookie banners, marketing opt-ins, HR onboarding documents. Replace bundled or vague consent with specific, granular consent notices.

Step 3: Privacy Notice Update

Rewrite your privacy policy and in-product notices to meet DPDPA standards — plain language, specific purposes, rights clearly stated.

Step 4: Data Principal Rights Process

Build a mechanism to receive and respond to requests for information, correction, and erasure. Document your response timelines.

Step 5: Breach Response Plan

Establish a data breach response procedure: how you detect a breach, how you assess its scope, and how you notify the Data Protection Board and affected individuals.

Step 6: Vendor Contracts

Review contracts with processors (cloud providers, payroll vendors, CRM platforms, analytics tools) to ensure they include appropriate data protection obligations.

Step 7: Security Controls

Implement reasonable security safeguards. The Act does not prescribe specific controls, but ISO 27001 provides a widely accepted framework that satisfies the “reasonable safeguards” standard.

DPDPA and ISO 27001

ISO 27001 certification does not make you automatically DPDPA compliant — but it provides a strong foundation. ISO 27001 Annex A controls cover:

  • A.8 — Asset management (aligns with data mapping)
  • A.6.4 / A.8.7 — Access control and data handling
  • A.5.34 — Privacy and protection of PII (ISO 27701 extension)
  • A.5.30 — Business continuity / breach response

For organisations pursuing DPDPA compliance, combining ISO 27001 with ISO 27701 (Privacy Information Management System) is the most comprehensive path.

How Crewtec Can Help

Crewtec’s DPDPA compliance practice covers:

  • Data mapping and gap assessment — identify what personal data you hold and where your obligations are not met
  • Consent and notice review — audit and rewrite consent flows, privacy notices, and HR data processing agreements
  • Security control implementation — deploy the technical safeguards the Act requires, including DLP, encryption, and access controls
  • ISO 27001 + ISO 27701 implementation — build a certified ISMS that satisfies DPDPA’s security safeguard requirements
  • Ongoing compliance management — vCISO support to maintain your DPDPA programme as rules and business processes evolve

DPDPA compliance is not optional — and the Data Protection Board will have enforcement powers once fully constituted. The time to build your compliance programme is before the breach, not after.

Book a free DPDPA gap assessment →
