The Digital Personal Data Protection Act, 2023 — Overview & Compliance

Overview

  • The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted to safeguard personal data in the digital era while enabling lawful use for innovation and governance.
  • It regulates the collection, processing, and transfer of digital personal data, ensuring transparency, accountability, and individual rights.
  • Applicability extends to Indian entities and foreign organizations dealing with data of individuals located in India.

Scope & Applicability

  • Covers processing of digital personal data within India.
  • Extends to processing outside India if linked to offering goods/services in India.
  • Excludes purely domestic/personal use and data already made public by the individual or mandated by law.

Rights of Individuals (Data Principals)

  • Right to access data held.
  • Right to correct, update, or erase data.
  • Right to grievance redressal.
  • Right to nominate someone to exercise rights on their behalf.

Obligations of Organizations (Data Fiduciaries)

  • Obtain free, informed, and specific consent with withdrawal options.
  • Provide clear notices on data usage and rights.
  • Implement security safeguards and retention/erasure policies.
  • Notify the Data Protection Board and individuals in case of breaches.
  • For children’s data, obtain verifiable guardian consent; ban targeted ads and tracking.

Significant Data Fiduciaries (SDF)

  • Appoint a Data Protection Officer (DPO).
  • Conduct Data Protection Impact Assessments (DPIA).
  • Undergo independent audits.

Cross-Border Data Transfers

  • Allowed unless restricted by government notification.
  • Stricter sector-specific localization laws (e.g., financial data) prevail over the Act.

Penalties for Non-Compliance

  • Failure to adopt safeguards: up to ₹ 250 crore.
  • Breach of children’s data rules: up to ₹ 200 crore.
  • Non-compliance by SDF: up to ₹ 150 crore.
  • Breach of notice/notification duties: up to ₹ 200 crore.
  • Other violations: up to ₹ 50 crore.
  • Data principal violating duties: up to ₹ 10,000.

Compliance Roadmap for Organizations

  • Step 1: Map personal data flows, third-party processors, and risks.
  • Step 2: Deploy consent systems, update privacy policies, enable grievance and rights management.
  • Step 3: Set retention periods, breach protocols, and advanced privacy tools.
  • Step 4: Monitor government notifications and prepare for stricter cross-border transfer restrictions.

Key Takeaways

  • The DPDP Act balances privacy rights and business needs.
  • Heavy penalties make proactive compliance essential.
  • Organizations must embrace privacy by design and transparency to build digital trust.
  • Foreign companies handling Indian data also fall under its scope.