India’s Digital Personal Data Protection Act (DPDPA) – What You Need to Know!


The Digital Personal Data Protection Act, 2023 is a comprehensive legislation enacted to regulate the processing of digital personal data. The Act aims to protect individuals’ privacy while acknowledging the need to process personal data for lawful purposes. It establishes a robust legal framework governing the collection, storage, processing, and sharing of personal data, ensuring a balance between safeguarding citizens’ data rights and addressing the data processing requirements of businesses and government entities.
Background – With the rapid digitalization of services, concerns over the misuse of personal data have intensified. The Supreme Court of India, in its 2017 judgment, recognized privacy as a fundamental right, prompting the need for robust data protection laws. The DPDP Act 2023 is India’s response to these evolving privacy challenges, aligning with global standards like the GDPR.

Examples of Personal Data:

  • Names, addresses, phone numbers
  • Email addresses, IP addresses
  • Financial information (bank details, credit card numbers)
  • Health records and biometric data
  • Location and online identifiers

Definitions –

  • Child – an individual who has not completed the age of eighteen years.
  • Consent Manager – a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
  • Data Fiduciary – any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
  • Data Principal – the individual to whom the personal data relates and where such individual is
    • a child, includes the parents or lawful guardian of such a child;
    • a person with disability, includes her lawful guardian, acting on her behalf.
  • Data Protection Officer – an individual appointed by a Significant Data Fiduciary.

Key Provisions of the DPDP Act 2023

Scope & Applicability – The Digital Personal Data Protection (DPDP) Act covers processing of digital personal data of Indian residents in India, whether the data is gathered in electronic form or converted into electronic form later. It also covers processing outside India if it involves providing goods or services to individuals (Data Principals) who are in India.
Not applicable to: (i) personal data processed by an individual for personal or domestic purposes, or (ii) personal data that has been intentionally made publicly available, either by the Data Principal to whom it pertains or by any other person or entity required under law to make such personal data available to the public.

Exemptions under the DPDP Act

The DPDP Act offers a few exemptions under which its provisions do not apply.

  • This includes processing of personal data for enforcing legal rights, and processing by regulatory authorities or the courts.
  • Processing is also exempt when carried out under contracts with persons outside India, or in corporate restructuring or mergers sanctioned by the authorities.
  • The Act exempts data processing by state government-notified agencies for national security, public order, or foreign relations.
  • Personal data processed for research, archiving, or statistics is exempt if it does not affect decisions about individuals and adheres to prescribed standards.
  • Certain data fiduciaries, such as startups, may also be exempt from certain provisions depending on the quantity and nature of data processed.
  • The government can grant exemptions to specific fiduciaries for a period of up to five years from the commencement of the Act.

Consent and Notice

The DPDP Act requires Data Fiduciaries to give notice clearly and to receive informed consent of Data Principals prior to processing personal data. The notice shall contain:

  • Personal data to be processed and for what purpose.
  • How Data Principals may enforce their rights.
  • Procedure for filing a complaint to the Data Protection Board.
  • Details of the Data Protection Officer or person in charge.

Requirements of Consent: Consent shall be free, specific, informed, unconditional, and unambiguous, given through clear affirmative conduct. It is limited to the personal data required for the specified purpose.

Rights and Duties of Data Principals

Rights of a Data Principal – Under the DPDP Act, Data Principals are given certain rights, which include:

  • Right to access information about personal data
  • Right to correction and erasure of personal data
  • Right to withdraw consent
  • Right of grievance redressal
  • Right to nominate

Duties of a Data Principal – A Data Principal shall:

  • Comply with all applicable laws while exercising rights under this Act.
  • Not impersonate another individual when sharing personal data.
  • Give full and correct information when presenting personal data for official documents, identifiers, or proofs released by the State or its agencies.
  • Not file false or unfounded complaints with a Data Fiduciary or the Board.
  • Provide verifiable information when requesting correction of personal data.

Obligations of Data Fiduciaries

The data fiduciary is required to:
(i) maintain accuracy of data,
(ii) have security measures,
(iii) inform the Data Protection Board and concerned persons in case of breaches, and
(iv) delete data upon achievement of purpose unless required otherwise by law.

Storage limitation and erasure rights do not apply to government authorities.

Cross-Border Data Transfers

The Bill allows cross-border transfer of personal data to countries or territories notified by the Central Government, having regard to issues such as national security, strategic considerations, and effective standards of data protection. Government entities are exempt for reasons such as national security or public interest. Data Fiduciaries have to provide sufficient safeguards, including contractual terms and security measures, to protect the transferred data.

Moderation of Data Localization Requirements

Although the DPDP Act 2023 does not impose data localization as a requirement, it recognizes that sector-specific regulations can impose storage requirements on some classes of data. The Draft Rules mandate that Significant Data Fiduciaries keep certain personal and traffic data within India, although the data types covered by these requirements are yet to be finalized. Different regulators impose localization: the Reserve Bank of India (RBI) has required all payment system data to be stored in India since October 2018, with only the foreign leg of cross-border transaction data permitted to be stored overseas.

Moderation of Data Localization Requirements under Indian Regulations:

The DPDP Act 2023 adopts a moderate approach to data localization, not imposing blanket requirements but recognizing sector-specific mandates. While the Act itself lacks direct localization provisions, the Draft Rules propose that Significant Data Fiduciaries keep certain government-specified data within India.

Various regulators enforce targeted localization:

  • The RBI mandates local storage of payment system data since 2018, with limited exceptions for cross-border transactions.
  • SEBI requires financial institutions to store critical governance, risk, and compliance data in India, with foreign entities allowed to retain copies abroad.
  • The IRDAI enforces local storage of insurance policy and claim data.
  • Under the Companies Act 2013, financial records must remain accessible in India.
  • CERT-In mandates local retention of financial transaction logs for service providers.

This approach balances data sovereignty and global operations, allowing limited cross-border storage while securing critical data domestically.

Reporting of data breaches

Under the DPDP Act, Data Fiduciaries must notify both affected Data Principals and the Data Protection Board of India (DPBI) of any personal data breach. The Draft Rules specify the notification format, required details, and timelines. The DPDP Act broadly defines a personal data breach as any case of unauthorized processing, inadvertent disclosure, acquisition, forwarding, use, alteration, destruction, or loss of access to personal data which violates the confidentiality, integrity, or availability thereof.

Data Fiduciaries are required to notify all personal data breaches irrespective of the sensitivity of the breach or impact on the data principals. Importantly, the Act does not provide materiality thresholds or designate specific reporting timelines for breach reports.

DPDPA and Its Role in Addressing Data Breaches

One of the most critical aspects of the DPDPA is its approach to data breaches. Under the Act, data fiduciaries are obligated to report data breaches within a specific time frame (usually 72 hours), ensuring that affected individuals are notified promptly. This rapid notification enables citizens to take immediate action to protect themselves from potential harm.
Moreover, the DPDPA introduces heavy penalties for non-compliance, ensuring that organizations take the necessary steps to safeguard data. This includes implementing strong cybersecurity measures to prevent breaches and taking prompt corrective actions when violations occur.

Penalties for Failure to Comply

  1. Breach of the requirement of Data Fiduciary to implement reasonable security measures to avoid breach of personal data under sub-section (5) of section 8 – Can go up to two hundred and fifty crore rupees.
  2. Breach of the requirement to provide the Board or concerned Data Principal with notice of a personal data breach under sub-section (6) of section 8 – Can go up to two hundred crore rupees.
  3. Breach of the compliance of further obligations in relation to children under section 9 – Can be up to two hundred crore rupees.
  4. Breach of the further obligations of a Significant Data Fiduciary under section 10 – Can be up to one hundred and fifty crore rupees.
  5. Breach of the duties under section 15 – Can be up to ten thousand rupees.
  6. Breach of any term of a voluntary undertaking accepted by the Board under section 32 – Up to the extent applicable to the breach in respect of which the proceedings under section 28 were initiated.
  7. Breach of any other provision of this Act or the rules made thereunder – May extend to fifty crore rupees.

Contact Us:

At SandBox Security, a reliable PCI QSA-certified organization, we make it our business to assist organizations in not just attaining but also sustaining PCI DSS compliance—enabling them to adapt and flourish in today’s constantly changing digital risk environment. Don’t allow compliance issues to get in your way. Reach out to us today at contactus@sandboxsecurity.ai, and let us lead you to secure, sustainable success.
