DPDP Act 2023: What Every Indian Organization Must Know

Compliance Data Privacy India

📅 May 2025 · 🕐 8 min read · By HackersFood Team

India's Digital Personal Data Protection (DPDP) Act 2023 is the country's first comprehensive data privacy law. Whether you're a startup or an enterprise, if you process personal data of Indian citizens, you are obligated to comply. Here's everything you need to know.

🔍 What Is the DPDP Act?

The Digital Personal Data Protection Act, 2023 was passed by the Indian Parliament in August 2023. It establishes a framework for processing "digital personal data" — any data about individuals that can identify them — in a lawful, fair, and transparent manner.

It applies to personal data collected digitally within India, and to data collected outside India if it involves offering goods/services to individuals in India.

📌 Key Definitions

Data Principal — The individual whose data is being processed.
Data Fiduciary — An entity that determines the purpose and means of data processing.
Data Processor — Any entity processing data on behalf of a Data Fiduciary.
Consent Manager — A registered entity enabling individuals to manage their consent.

🏢 Who Does It Apply To?

The DPDP Act applies to all organizations — Indian or foreign — that:

Process personal data of individuals in India in digital form
Process digitized personal data collected in non-digital form
Process personal data outside India in connection with offering goods/services to individuals in India

Small businesses and startups with limited data processing may receive simplified obligations under forthcoming rules, but should still prepare now.

✅ Core Obligations for Data Fiduciaries

1. Lawful Basis & Consent

Processing personal data requires a valid legal basis — primarily, free, specific, informed, and unambiguous consent from the Data Principal. Consent must be obtained before processing begins, and organizations must maintain records of consent.

2. Notice Requirements

Before or when seeking consent, organizations must provide a clear notice in English or any scheduled language, informing individuals about what personal data is being collected, the purpose of processing, and how to exercise their rights.

3. Purpose Limitation

Personal data may only be used for the specific purpose for which consent was obtained. Using data for additional purposes requires fresh consent from the Data Principal.

4. Data Minimization

Organizations must collect only such personal data that is necessary for the specified purpose — the principle of data minimization must be embedded into data collection processes.

5. Data Retention & Erasure

Personal data must be erased once the purpose for which it was collected is no longer being served, or upon withdrawal of consent by the Data Principal, unless legal obligations require retention.

6. Data Principal Rights

Individuals have significant rights under the Act:

Right to access information about their data
Right to correction and erasure of data
Right to grievance redressal
Right to nominate another individual to exercise rights in case of death or incapacity

7. Data Breach Notification

Data Fiduciaries must notify the Data Protection Board of India and affected Data Principals in the event of a personal data breach. The exact timelines will be specified in forthcoming rules, but organizations should establish breach detection and notification procedures now.

🏛️ Significant Data Fiduciaries

The government can designate certain entities as "Significant Data Fiduciaries" (SDFs) based on the volume of data processed, sensitivity, and potential impact on national security. SDFs face enhanced obligations including:

Appointment of a Data Protection Officer (DPO)
Periodic Data Protection Impact Assessments (DPIA)
Comprehensive audit requirements
Additional technical and organizational measures

💰 Penalties & Enforcement

⚠️ Significant Financial Penalties

Failure to implement adequate security safeguards: up to ₹250 crore
Failure to notify a personal data breach: up to ₹200 crore
Non-fulfilment of obligations for children's data: up to ₹200 crore
Non-compliance with provisions for SDFs: up to ₹150 crore
Breach of other obligations: up to ₹50 crore per instance

🗺️ How to Achieve DPDP Compliance — Step by Step

Data Discovery & Mapping: Identify what personal data you hold, where it is stored, how it flows, and who has access.
Lawful Basis Assessment: Determine the legal basis for each data processing activity — consent, legitimate use, or legal obligation.
Consent Framework Design: Implement a notice-and-consent mechanism that meets the Act's requirements — granular, revocable, and documented.
Rights Management: Build processes to respond to Data Principal requests within the prescribed timelines.
Vendor Review: Assess all third-party Data Processors and ensure they comply with your obligations through contractual agreements.
Security Controls: Implement appropriate technical and organizational measures to protect personal data.
Breach Response Plan: Develop and test an incident response plan with breach notification procedures.
Training: Train employees handling personal data on DPDP Act obligations and internal policies.

📅 Timeline & What to Do Now

While the Central Government has yet to notify the specific timelines for various provisions, organizations should treat this as urgent. The law is in force, and rules are expected shortly. Organizations that start their compliance journey now will be well ahead.

✅ Priority Actions for Indian Organizations

Conduct a DPDP readiness gap assessment, appoint a privacy lead, implement a consent management mechanism, review your privacy notices, and map all personal data flows — don't wait for rules to be finalized.