Digital Personal Data Protection Act 2023
India's comprehensive personal data protection law establishing rights for data principals and obligations for data fiduciaries processing digital personal data.
Overview
India's Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent on August 11, 2023, making India one of the world's largest economies to enact a standalone comprehensive personal data protection law. The Act establishes a framework governing the processing of digital personal data in India and the processing of digital personal data outside India in connection with activities related to offering goods or services to individuals in India.
The DPDP Act is notable for several distinctive features compared to global peers. It recognises only consent and 'legitimate uses' (broadly defined statutory purposes) as grounds for processing — there is no equivalent to GDPR's legitimate interests balancing test. The consent mechanism requires a clear, affirmative action and mandates that the consent notice be provided in all 22 scheduled Indian languages. Data fiduciaries are required to respond to data principal requests within strict timeframes, and the Act introduces significant penalties for breaches of children's data obligations.
The Data Protection Board of India (DPBI), the adjudicatory body established by the Act, operates as a digital office to adjudicate on complaints and breaches. The Central Government will notify rules covering a wide range of operational matters — including the list of countries to which data can be transferred, the obligations of Significant Data Fiduciaries, and the consent manager framework — making the full compliance picture contingent on rules expected to be notified in 2025.
Scope & Applicability
The DPDP Act applies to the processing of digital personal data within India (collected online or digitised offline) and to the processing of digital personal data outside India if such processing relates to offering goods or services to data principals within India. It applies to data fiduciaries (entities determining the purpose and means of processing) and data processors (entities processing data on behalf of fiduciaries). Certain exemptions apply to processing for personal or domestic purposes, research and journalism (subject to standards), national security, and law enforcement.
Key Principles
- Lawful Processing — personal data may only be processed for a lawful purpose: with consent or for a specified 'legitimate use'
- Purpose Limitation — personal data must be processed only for the specific purpose for which consent was given or the legitimate use applies
- Data Minimisation — only personal data necessary for the specified purpose may be processed
- Data Accuracy — data fiduciaries must make reasonable efforts to ensure accuracy and completeness
- Storage Limitation — personal data must be erased once the purpose is fulfilled and retention is no longer necessary
- Security Safeguards — reasonable security safeguards must be implemented to prevent personal data breaches
- Accountability — data fiduciaries are responsible for compliance and must be able to demonstrate it
Data Subject Rights
- Data principals can request a summary of the personal data processed, the processing activities, and the identities of all data fiduciaries and processors to whom their data has been disclosed.
- Data principals can request correction of inaccurate or misleading personal data, and erasure of data that is no longer necessary for the purpose or where consent has been withdrawn.
- Data principals can raise grievances with the data fiduciary, which must be acknowledged and resolved within the prescribed period (expected to be set in rules).
- A unique feature of the DPDP Act: data principals can nominate another individual to exercise their rights on their behalf in the event of death or incapacity.
- Data principals can withdraw consent at any time, as easily as it was given. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Business Obligations
Obtain Free, Informed, and Specific Consent
Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. The notice preceding consent must be in plain language and available in all 22 scheduled Indian languages.
Appoint a Data Protection Officer (for Significant Data Fiduciaries)
Entities notified by the Central Government as Significant Data Fiduciaries (based on volume, sensitivity of data, national security risk, or other factors) must appoint a DPO based in India.
Conduct Data Protection Impact Assessments (for Significant Data Fiduciaries)
Significant Data Fiduciaries must conduct periodic DPIAs as prescribed in the rules and submit them to the DPBI on request.
Implement Reasonable Security Safeguards
All data fiduciaries must implement reasonable security safeguards to prevent personal data breaches. The rules will specify the nature of such safeguards.
Notify the DPBI and Data Principals of Breaches
Personal data breaches must be notified to the DPBI 'in such manner as may be prescribed' and to affected data principals. The rules will specify the timeline, but the DPDP Act signals urgency.
Erase Data Upon Purpose Fulfilment
Personal data must be erased upon the data principal withdrawing consent or once the purpose is served, unless retention is required by law. Data processors must also erase data when instructed by the fiduciary.
Children's Data Obligations
Processing personal data of children (under 18) requires verifiable parental consent. Significant Data Fiduciaries must not track, behaviourally monitor, or target advertising at children.
Cross-Border Transfer Rules
The DPDP Act permits cross-border transfer of personal data only to countries or territories notified by the Central Government as permissible destinations. The list of permitted countries has not yet been notified as of early 2025, pending rulemaking. Unlike GDPR, the Act does not contemplate Standard Contractual Clauses or Binding Corporate Rules as transfer mechanisms — the primary mechanism is the Central Government's notified list. Significant Data Fiduciaries and certain sensitive data categories may face additional restrictions once rules are notified.
Breach Notification Requirements
- Timeline: as soon as reasonably practicable — the rules will specify the exact timeline; industry expectation is 72 hours based on international norms
- Regulator: Data Protection Board of India (DPBI) — notification via the DPBI's digital portal (portal details to be specified in rules)
- Data principals: affected data principals must also be notified of the breach in the prescribed manner under rules yet to be finalised
How TruePrivacy Helps
Purpose-built tools for every DPDP Act obligation.
TruePrivacy's consent platform delivers DPDP-compliant consent notices in all 22 scheduled Indian languages, with granular purpose-specific consent collection and a complete audit trail.
Automated workflows handle access, correction, erasure, and grievance requests within the DPDP Act's prescribed timelines, with identity verification and multi-language response templates.
TruePrivacy's SDF readiness assessment identifies obligations likely to apply to your organisation as a Significant Data Fiduciary and prepares you for DPO appointment and DPIA requirements.
Automated scanning across structured and unstructured data repositories identifies all digital personal data, building the processing inventory required for DPDP compliance.
Pre-built breach notification workflows generate DPBI-ready reports and data principal notification templates, tracking the notification timeline from discovery to resolution.
Automated controls detect processing of minors' data, trigger parental consent workflows, and flag behavioural monitoring or targeted advertising activities for Significant Data Fiduciaries.
Ready to achieve DPDP Act compliance?
TruePrivacy automates your compliance workflows so your team can focus on what matters.