Compliance · 10 min read

DPDP Act 2023: What Every Indian Business Needs to Do Now

The Digital Personal Data Protection Act 2023 is India's landmark data privacy law. Businesses that collect, process, or store personal data of Indian citizens must act now — penalties for non-compliance can reach ₹250 crore.

What Is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection legislation. Passed in August 2023 and progressively notified by the Ministry of Electronics and Information Technology (MeitY), the DPDP Act establishes a legal framework for the processing of digital personal data of individuals in India.

The Act applies to any entity — Indian or foreign — that processes the personal data of Indian residents, whether the processing occurs within India or outside it. If your business collects an email address, phone number, name, or any other piece of information that can identify an individual, you are subject to this law.

Key Definitions You Must Understand

The Act introduces precise definitions that determine your obligations:

  • Personal Data: Any data that can identify an individual — directly or indirectly. This includes names, phone numbers, email addresses, IP addresses, location data, financial records, health information, and much more.
  • Data Fiduciary: Any person or entity that determines the purpose and means of processing personal data. If you decide why and how you process customer data, you are a Data Fiduciary. Most businesses will fall into this category.
  • Data Principal: The individual whose personal data is being processed — your customers, employees, website visitors, and so on.
  • Data Processor: An entity that processes personal data on behalf of a Data Fiduciary — for example, a cloud hosting provider or a third-party analytics firm.
  • Consent Manager: A government-registered entity through which Data Principals can give, manage, review, and withdraw consent.

Who Qualifies as a Significant Data Fiduciary?

The Government of India has the authority to designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on factors including the volume and sensitivity of data processed, risk to data principals, potential impact on national security, and so on. SDFs face a higher level of obligation — including mandatory appointment of a Data Protection Officer (DPO), independent data audits, and Data Protection Impact Assessments (DPIAs). Businesses should assess whether their scale and data handling practices might attract SDF designation.

Core Obligations for Data Fiduciaries

Every Data Fiduciary — regardless of size — has a set of fundamental obligations under the DPDP Act.

1. Lawful Basis for Processing: Consent

The DPDP Act places consent at the heart of personal data processing. Before collecting or processing personal data, you must obtain clear, free, specific, informed, and unambiguous consent from the Data Principal. The consent request must be presented in plain language (and, upon request, in English or any of the 22 languages listed in the Eighth Schedule to the Constitution). You cannot bundle consent for multiple purposes — each purpose must be separately consented to.

There are limited exceptions to the consent requirement — called Legitimate Uses — such as processing for the performance of a contract, legal obligations, public interest, and medical emergencies. However, these must be applied narrowly and cannot be used as a workaround to avoid obtaining consent in ordinary commercial contexts.

2. Notice Requirements

At the time of obtaining consent (or, where data was collected before the Act's commencement, as soon as practicable), you must provide the Data Principal with a clear and accessible notice that includes:

  • The categories of personal data being collected
  • The purposes for which the data will be processed
  • How the Data Principal can exercise their rights (access, correction, erasure, grievance)
  • How to withdraw consent and the consequences of withdrawal
  • Contact details for the Data Fiduciary's grievance officer

3. Purpose Limitation and Data Minimisation

Personal data may only be used for the specific purpose for which consent was obtained. You cannot later repurpose the data for a different objective without obtaining fresh consent. Similarly, you must collect only the minimum data necessary for the stated purpose — collecting data "just in case" is no longer permissible.

4. Data Retention and Erasure

Data Fiduciaries must not retain personal data beyond the period necessary for the stated purpose. Once the purpose is fulfilled or the Data Principal withdraws consent, the data must be erased — unless retention is required by law. You must establish and document retention periods for each category of personal data you process.

5. Rights of Data Principals

The DPDP Act grants Data Principals several enforceable rights:

  • Right of Access: The right to obtain confirmation of whether their data is being processed and a summary of the processing.
  • Right to Correction and Erasure: The right to have inaccurate data corrected and, in appropriate circumstances, to have data erased.
  • Right to Grievance Redressal: The right to raise a complaint with the Data Fiduciary and, if unsatisfied, to escalate to the Data Protection Board of India.
  • Right to Nominate: The right to nominate another person to exercise rights on their behalf in the event of their death or incapacity.

Businesses must establish internal processes — and sufficient staff or automated systems — to handle these requests within the timeframes prescribed by the rules (which are currently being finalised).

Data Breach Notification Requirements

One of the most operationally significant obligations under the DPDP Act is the requirement to notify the Data Protection Board of India and affected Data Principals in the event of a personal data breach. The Act does not (in its current form) specify an exact number of hours within which notification must occur — but it requires notification "in such form and manner as may be prescribed," implying that the rules will set the timeline. Based on comparable global frameworks and the CERT-In incident reporting guidelines, organisations should plan for a notification capability within 72 hours of becoming aware of a breach.

Notification to affected Data Principals must include details of the nature of the breach, the types of data affected, the likely consequences, and the steps the organisation is taking in response. Failure to notify can attract significant penalties.

Children's Data: Special Obligations

The DPDP Act imposes heightened obligations when processing the personal data of children (defined as individuals under 18 years of age). Data Fiduciaries must obtain verifiable parental consent before processing a child's data. Additionally, Data Fiduciaries must not undertake behavioural monitoring, targeted advertising, or tracking of children. The Government may — through rules — exempt certain categories of Data Fiduciaries from the parental consent requirement based on specific safeguards, but until such exemptions are notified, the full obligation applies.

Cross-Border Data Transfers

Unlike some earlier Indian data protection proposals, the DPDP Act 2023 takes a permissive approach to cross-border data transfers as a starting point — personal data may be transferred to countries notified by the Central Government. The Government retains the power to restrict transfers to specific countries or territories on public interest or national security grounds. Businesses involved in international data flows should monitor the Government's notifications closely and ensure contractual safeguards are in place with overseas processors.

Penalties Under the DPDP Act

The financial penalties under the DPDP Act are significant and designed to be a genuine deterrent:

  • Failure to take reasonable security safeguards to prevent a data breach: up to ₹250 crore
  • Failure to notify the Data Protection Board and affected Data Principals in the event of a breach: up to ₹200 crore
  • Non-compliance with obligations related to children's data: up to ₹200 crore
  • Non-fulfilment of additional obligations for Significant Data Fiduciaries: up to ₹150 crore
  • Non-compliance with other provisions: up to ₹50 crore

These penalties are cumulative and can be imposed for each instance of breach. For a business that has suffered a data breach and failed to notify, the combined penalty exposure can be substantial.

What Indian Businesses Must Do Now

The DPDP Act is being implemented in phases, and the detailed rules are being finalised. However, businesses cannot afford to wait. Here are the practical steps you should take immediately:

Step 1: Data Mapping

Conduct a thorough inventory of all personal data your organisation collects, processes, stores, and shares. Document the source, purpose, retention period, and any third parties with whom data is shared. This is the foundation of your compliance programme.

Step 2: Audit and Update Your Privacy Notices and Consent Mechanisms

Review all points of data collection — website forms, mobile apps, CRM systems, HR systems — and ensure that the consent obtained meets the Act's standards. Update privacy notices to include all required disclosures in plain language.

Step 3: Establish Data Breach Response Procedures

Put in place a documented data breach response plan that covers detection, containment, assessment, notification, and post-incident review. Invest in the technical controls needed to detect breaches promptly — you cannot notify a breach you have not detected.

Step 4: Train Your Team

Employees who handle personal data must understand the DPDP Act's requirements. Provide targeted training for HR, marketing, customer service, and IT teams. Data protection must be embedded in your operational culture, not treated as a legal technicality.

Step 5: Appoint a Grievance Officer

All Data Fiduciaries must designate a grievance officer and publish their contact details. Establish a process for handling Data Principal requests within the prescribed timeframes.

How InfraDefend Can Help

InfraDefend offers end-to-end DPDP Act compliance support — from data mapping and gap assessments to privacy notice drafting, consent management architecture, incident response planning, and employee training. We work with businesses of all sizes across India to build sustainable, pragmatic data protection programmes. Reach out to discuss your compliance needs.
