Overview
India finally has a dedicated data protection law. The DPDP Act 2023 sets the rules for how you collect, store, process, and share digital personal data. It applies to data processing inside India, and also covers processing done outside India if you're offering goods or services to people here.
Penalties go up to INR 250 crore per violation. The government is still finalizing the detailed rules, but waiting isn't a strategy. You need to start your compliance work now.
What Is the DPDP Act 2023?
The DPDP Act 2023 is India's first standalone law governing digital personal data. It tells you how to get valid consent, what rights individuals have over their data, and what happens if you get it wrong.
The Act uses a principles-based approach. That gives you some flexibility in how you comply, but the accountability is strict. The Data Protection Board of India will handle complaints, run inquiries, and impose penalties. Unlike earlier drafts from 2019 and 2021, this version is lighter on prescription but heavier on consequences.
Key Definitions Under the DPDP Act
| Term | DPDP Act Definition |
|---|---|
| Data Principal | The person whose data you are processing |
| Data Fiduciary | You. The organization or person deciding why and how to process personal data |
| Significant Data Fiduciary | A data fiduciary designated by the government based on data volume, sensitivity, and risk to national interests |
| Data Processor | Someone who processes data on your behalf under a contract |
| Consent Manager | A registered platform that lets individuals manage their consent preferences |
| Personal Data | Any data about an identifiable individual in digital form |
| Data Protection Board of India | The body that hears complaints, investigates breaches, and fines organizations |
Lawful Bases for Processing Under the DPDP Act
- Consent: Must be free, specific, informed, unconditional, and unambiguous. You need a clear notice in plain language before or at the time of collection. Individuals can withdraw consent anytime, and you must make withdrawal as easy as giving it.
- Legitimate Uses (without consent): You can process without consent for voluntary data provision, state functions, legal obligations, medical emergencies, employment purposes, and publicly available data.
- Note: Unlike GDPR, the DPDP Act does not recognize "legitimate interest" as a standalone basis for commercial processing. Plan your lawful basis carefully.
Data Principal Rights Under the DPDP Act
Individuals get enforceable rights under the DPDP Act. They can ask what data you hold and why you're processing it. They can demand corrections or deletion of inaccurate or outdated data. They can file grievances and expect a response within set timelines. They can even nominate someone else to exercise these rights if they die or become incapacitated.
The Act also places duties on individuals. They can't file false complaints or give misleading information when exercising their rights. This two-way street is a hallmark of the Indian approach.
DPDP Compliance Checklist
- Map every collection point, storage location, processing activity, and data sharing arrangement across your business
- Deploy a consent management platform that records verifiable, granular consent with easy withdrawal
- Write privacy notices in plain language and in Eighth Schedule languages
- Set up channels for individuals to request access, correction, erasure, and nomination
- Build an internal grievance process with documented timelines and escalation steps
- Update all data processor contracts to reflect DPDP Act obligations
- Run data protection impact assessments for high-risk processing activities
- Appoint a Data Protection Officer if you're tagged as a Significant Data Fiduciary, and schedule periodic audits
- Prepare cross-border transfer mechanisms now, before the government publishes its approved country list
- Put in place reasonable security controls like encryption, access restrictions, and monitoring that match your data risk
- Create breach notification workflows to alert the Data Protection Board and affected individuals without delay
- Lock down access to personal data with role-based controls and least-privilege enforcement
- Train your staff annually on DPDP Act requirements, especially anyone who touches personal data
- Document everything. Regulators will ask for proof.
DPDP India IAM Checklist
Access controls are the backbone of DPDP compliance. You need to restrict personal data access to authorized people on a strict need-to-know basis, and you must review those permissions regularly.
Start with the following controls and extend them as your environment grows:
- Role-based access control across every system holding personal data
- Multi-factor authentication for anyone accessing sensitive repositories
- Detailed access logs with proper retention
- Quarterly access reviews to strip stale or excessive permissions
- Privileged access management for database admins and IT staff who can reach personal data stores
- Automated user provisioning and deprovisioning so departing employees don't retain access
If your environment is complex, use identity governance tools to automate access reviews and spot anomalous patterns. This cuts the manual work and keeps you audit-ready year-round.
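As an added illustration (not part of the original article or any Hunto AI product), the following script runs a minimal quarterly access review over constructed account data, flagging the three conditions the checklist targets: offboarded users who still hold access, permissions beyond what the user's role entitles, and accounts with no recent login. The store names, roles, sample users and the 90-day staleness threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed role model: which personal-data stores each role may reach (hypothetical).
ROLE_ENTITLEMENTS = {
    "support_agent": {"crm_customers"},
    "payroll": {"hr_employees"},
    "dba": {"crm_customers", "hr_employees"},
}

@dataclass
class Grant:
    user: str
    role: str
    stores: set              # stores the account actually has access to
    last_login: Optional[date]
    active_in_hr: bool       # still on the HR roster, i.e. not offboarded

def review_access(grants, today, stale_days=90):
    """Return one (user, issue, detail) finding per problem found.

    Orphaned accounts are reported once and not analysed further, since the
    whole account should be removed rather than trimmed.
    """
    findings = []
    for g in grants:
        if not g.active_in_hr:
            findings.append((g.user, "orphaned_account", "offboarded but still holds access"))
            continue
        excess = g.stores - ROLE_ENTITLEMENTS.get(g.role, set())
        if excess:
            findings.append((g.user, "excess_privilege", f"beyond role {g.role}: {sorted(excess)}"))
        if g.last_login is None or (today - g.last_login).days > stale_days:
            findings.append((g.user, "stale_access", f"no login in the last {stale_days} days"))
    return findings

# Constructed sample accounts for a review dated 2024-06-30 (not real data).
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_GRANTS = [
    Grant("asha", "support_agent", {"crm_customers"}, date(2024, 6, 20), True),               # clean
    Grant("ravi", "support_agent", {"crm_customers", "hr_employees"}, date(2024, 6, 25), True),  # excess
    Grant("meera", "payroll", {"hr_employees"}, date(2024, 1, 10), True),                     # stale
    Grant("karan", "dba", {"crm_customers", "hr_employees"}, date(2024, 6, 29), False),       # orphaned
]

if __name__ == "__main__":
    for user, issue, detail in review_access(SAMPLE_GRANTS, REVIEW_DATE):
        print(f"{user:8} {issue:18} {detail}")
```

Each finding is the evidence line you would attach to the review record; keeping the output alongside the remediation ticket is what turns the control into documentation the Board can be shown.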
Penalties Under the DPDP Act 2023
The fines are steep. Breaches caused by weak security safeguards can cost you up to INR 250 crore. Failing to notify the Data Protection Board and affected individuals can hit INR 200 crore. Mishandling children's data without proper parental consent or tracking kids for ads can also reach INR 200 crore. Other violations cap at INR 50 crore.
The Board sets the actual penalty based on how bad the breach was, how long it lasted, what data was involved, and what you did to fix it. Repeat offenders get hammered harder. If you invest in solid access controls, monitoring, and regular security assessments, you'll have a much stronger defense when the Board comes knocking.
Automating DPDP Act Compliance
Manual spreadsheets won't cut it. The DPDP Act spans consent, security, rights fulfillment, breach notification, and auditing. At scale, you need automation.
Focus on the high-value areas first. Automate consent capture, storage, and preference enforcement across all touchpoints. Set up continuous security monitoring to catch potential breaches before they escalate. Use automated access reviews to maintain least-privilege access across your data stores. Generate compliance reports that map your controls directly to DPDP Act requirements so you're never scrambling before an inspection.
Hunto AI helps organizations automate security monitoring, vulnerability assessment, and compliance evidence collection. That means you're always ready, not just at audit time.
Frequently asked questions
DPDP Act stands for the Digital Personal Data Protection Act. It is India's data protection law that governs how organizations process digital personal data. It received presidential assent on August 11, 2023.
The Act got presidential assent on August 11, 2023. The government will notify different provisions in stages, and the detailed rules are still being drafted. Don't wait for the final rules. Start your compliance work now so you aren't caught off guard when enforcement begins.
Several key differences. The DPDP Act has no standalone "legitimate interest" basis for commercial processing. It only covers digital personal data. It doesn't split roles into controllers and processors the same way. There's no right to data portability. It imposes duties on individuals alongside their rights. And penalties use fixed caps up to INR 250 crore rather than revenue-based calculations.
The Central Government decides based on how much data you process, how sensitive it is, the risk to individual rights, potential impact on national sovereignty, risks to electoral democracy, and state security. If you're designated, you need an India-based DPO, regular impact assessments, and independent data audits.
You can transfer personal data to countries the Central Government approves. Transfers to non-approved countries will be restricted. The approved list isn't out yet, so prepare transfer impact assessments now and figure out fallback arrangements for restricted destinations.
You need verifiable parental consent before processing any data belonging to someone under 18. You cannot track kids, monitor their behavior, or target ads at them. The government may lower the age threshold for specific purposes or exempt certain organizations through future rules.
A DPDP tool automates compliance tasks like consent management, data mapping, access governance, breach detection, and audit reporting. Because the Act creates obligations across multiple domains at once, organizations with serious data processing operations need centralized tools that provide visibility and automate workflows. Spreadsheets break under that load.
The framework rests on three pillars. First, the rights of data principals: access, correction, erasure, grievance redressal, and nomination. Second, the obligations of data fiduciaries: lawful processing, security safeguards, breach notification, and transparency. Third, enforcement by the Data Protection Board: complaints, inquiries, and penalties. Build your compliance program around all three.
Ready to use this resource?
Download it now or schedule a demo to see how Hunto AI can automate your security workflows.
