
DPDPA (India Data Protection) Checklist

Digital Personal Data Protection Act Compliance

Overview

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive data protection law, receiving presidential assent in August 2023. It establishes clear rules for processing digital personal data, grants data principals (individuals) meaningful rights over their data, and imposes significant obligations on data fiduciaries (organizations). While the government is still finalizing the implementing rules, organizations operating in India should start compliance preparations now. The penalties are substantial, reaching up to INR 250 crore (approximately $30 million) per violation.

Key Definitions

Term                         DPDPA Definition
Data Principal               The individual whose personal data is being processed
Data Fiduciary               Organization that determines the purpose and means of processing personal data
Significant Data Fiduciary   Data fiduciary designated by the government based on volume, sensitivity, or risk of data processed
Data Processor               Entity that processes data on behalf of a data fiduciary
Consent Manager              Registered entity that enables data principals to manage consent through an accessible platform
Personal Data                Any data about an individual who is identifiable by or in relation to such data
Data Protection Board        The adjudicatory body that handles complaints and imposes penalties

Lawful Bases for Processing

  • Consent: Freely given, specific, informed, unconditional, and unambiguous. Must be obtained through a clear notice in plain language before or at the time of data collection.
  • Legitimate Uses (without consent): Voluntary provision of data for a specified purpose, state functions and services, medical emergencies, employment purposes, and publicly available personal data.
  • Note: Unlike GDPR, DPDPA does not include "legitimate interest" as a standalone lawful basis for commercial purposes.

Data Principal Rights

Under DPDPA, data principals have several enforceable rights:

  • The right to information about what personal data is being processed
  • The right to correction and erasure of inaccurate or outdated personal data
  • The right to grievance redressal, where organizations must respond within a prescribed timeframe
  • The right to nominate another individual who can exercise these rights in case of death or incapacity

Data principals also have corresponding duties, including not filing false or frivolous complaints and not providing false information when exercising their rights.

Implementation Checklist

  • Conduct a comprehensive data inventory mapping all personal data collection, storage, processing, and sharing activities
  • Implement a consent management platform that captures and records verifiable, granular consent
  • Draft clear privacy notices in plain language (and in languages specified in the Eighth Schedule of the Constitution)
  • Establish mechanisms for data principals to exercise their rights including correction, erasure, and information requests
  • Build internal grievance redressal processes with documented response timelines
  • Review and update data processing agreements with all data processors
  • Implement data protection impact assessments for high-risk processing activities
  • Appoint a Data Protection Officer if designated as a Significant Data Fiduciary
  • Ensure cross-border data transfer mechanisms comply with government-approved country lists
  • Implement reasonable security safeguards proportionate to the personal data being processed
  • Establish breach notification processes to inform the Data Protection Board and affected data principals

Penalties

DPDPA prescribes significant financial penalties for non-compliance. Failure to take reasonable security safeguards resulting in a data breach can attract penalties of up to INR 250 crore (approximately $30 million). Failure to notify the Board and data principals of a breach can result in penalties up to INR 200 crore. Non-fulfillment of obligations relating to children's data can attract up to INR 200 crore. Violation of any other DPDPA provision can result in penalties up to INR 50 crore. The Data Protection Board determines penalty amounts based on the nature, gravity, and duration of the breach.

Frequently Asked Questions

When does DPDPA come into full effect?
DPDPA received presidential assent on August 11, 2023. The government will bring different provisions into effect through notification, and the detailed rules are being finalized. Organizations should begin compliance preparations now, since the enforcement timeline may be notified at any time.

How does DPDPA differ from GDPR?
Key differences include: DPDPA does not have a standalone "legitimate interest" basis for commercial processing, it applies only to digital personal data, it does not distinguish between data controllers and processors in the same way, it does not include a right to data portability, and it has a simpler penalty structure with fixed caps rather than revenue-based calculations.

What qualifies as a Significant Data Fiduciary?
The government will designate Significant Data Fiduciaries based on factors including volume and sensitivity of data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, risk to electoral democracy, and security of the state. These entities face additional obligations including appointing a DPO and conducting data audits.

How are cross-border data transfers handled?
DPDPA allows cross-border transfer of personal data to countries or territories notified by the Central Government. Transfers to countries not on the approved list will be restricted. The government has not yet published the approved country list, so organizations should prepare for restrictions.

What are the requirements for children's data?
Processing personal data of children (under 18) requires verifiable parental consent. Data fiduciaries cannot undertake tracking, behavioral monitoring, or targeted advertising directed at children. The government may lower the age threshold for certain purposes and exempt specific data fiduciaries from the verifiable consent requirement.

Download it now or schedule a demo to see how Hunto AI can automate your security workflows.