India's Digital Personal Data Protection Act, 2023 is the country's first comprehensive privacy law. It applies to organizations that process digital personal data in India or in connection with offering goods or services to data principals in India. This article is a practitioner's walk through the Act — what it requires, who it applies to, and how it interacts with the sectoral regulations that already govern many of the organizations it touches.
What the DPDPA is, in one paragraph
The DPDPA regulates the processing of digital personal data. It establishes obligations for entities called data fiduciaries (similar to controllers under GDPR), distinguishes a category of significant data fiduciaries with additional obligations, grants rights to data principals (the people whose data is processed), creates a Data Protection Board of India to adjudicate complaints, and sets out penalties for non-compliance. The Act applies to processing in India and to processing outside India that relates to offering goods or services to people in India.
The principal, the fiduciary, the processor
Three parties matter. The data principal is the individual whose personal data is being processed — always a natural person, never an organization. The data fiduciary is the entity that decides the purpose and means of processing. If you decide why the data is collected and how, you are a fiduciary. The data processor is an entity that processes data on behalf of a fiduciary. Many organizations are both — a fiduciary for their own customers' data and a processor for data they handle on behalf of other fiduciaries. Mapping these roles precisely inside your organization is the foundational step of DPDPA compliance.
Consent and notice
Consent is the primary legal basis for processing under the DPDPA. It must be free, specific, informed, unconditional, unambiguous, given through a clear affirmative action, and limited to the specified purpose. Notice accompanies consent and must describe the personal data being processed, the purpose, how to exercise rights, and how to complain to the Data Protection Board. A handful of specific situations allow processing without consent (the Act calls these 'certain legitimate uses') — employment-related processing, specified public interest, legal obligations, medical emergencies, and a short list of others. No other basis exists; in particular, there is no general legitimate interest ground comparable to GDPR's Article 6(1)(f).
The significant data fiduciary designation
The central government can designate certain fiduciaries as 'Significant Data Fiduciaries' based on factors including the volume and sensitivity of data processed, risk to the rights of data principals, potential impact on sovereignty and integrity, and risk to electoral democracy. A significant fiduciary must appoint a Data Protection Officer based in India, conduct periodic Data Protection Impact Assessments, undergo periodic audits by an independent data auditor, and meet additional obligations specified in rules. Many large financial services firms, insurers, and large technology platforms expect to be designated. The designation adds structural commitments, not just paperwork — the DPO is an independent senior role.
Rights of the data principal
Principals have the right to access and correction, the right to grievance redressal, the right to nominate, and the right to erasure. These rights are exercised through the fiduciary. Fiduciaries must publish the contact details of a person to whom complaints can be made, and must respond to rights requests within a time that will be prescribed in rules. Consent managers — a new category of entity under the Act — provide an interoperable layer for principals to give, manage, and withdraw consent across multiple fiduciaries.
Breaches and the Data Protection Board
A fiduciary must notify the Data Protection Board and affected data principals about a personal data breach. Specific timelines will be prescribed in rules. The Data Protection Board is empowered to adjudicate complaints, impose penalties, and direct fiduciaries to take specific actions. Penalties under the Act can be substantial — the maximum penalty for failure to prevent a significant breach is 250 crore INR. Penalties are imposed per instance, and factors considered include the nature and gravity of the breach, the harm caused, and whether the fiduciary took reasonable steps to prevent it.
How the DPDPA interacts with sectoral rules
Many organizations subject to the DPDPA are also subject to sectoral regulations — RBI for banks and NBFCs, IRDAI for insurers, SEBI for capital markets participants, MeitY for IT intermediaries. The DPDPA is not a subtraction from these rules; it is an addition. Where the sectoral rule and the DPDPA conflict, the sectoral rule generally takes precedence for the matter it governs, but the DPDPA's principles still apply. In practice, organizations end up running one privacy program that satisfies both the DPDPA and the sectoral requirement, with a clear mapping that shows which control satisfies which obligation. Running these as two separate programs is the most common and most expensive mistake.
A 10-item implementation checklist
1. Map your fiduciary and processor roles across every data flow.
2. Document the legal basis for every processing activity.
3. Rewrite your consent flows to meet the DPDPA's specificity requirements and publish notices that match.
4. Establish a grievance redressal mechanism and publish the contact details.
5. Prepare for the possibility of significant fiduciary designation and draft your DPO role description and DPIA template in advance.
6. Inventory your cross-border data transfers and document the legal basis for each.
7. Establish a breach response runbook that meets the Act's notification requirements.
8. Run a Data Protection Impact Assessment on any processing that plausibly qualifies as high risk.
9. Audit your processor agreements to confirm the fiduciary-processor contract obligations are in place.
10. Train your people — the failure modes in privacy programs are almost always human, not technical.
Key takeaways
- The DPDPA applies to processing in India and to processing outside India connected to offering goods or services to people in India.
- Consent is the primary legal basis and must meet a specific standard. The 'legitimate interest' basis from GDPR does not exist.
- Significant Data Fiduciaries have additional obligations — DPO, DPIA, independent data auditor.
- Penalties can reach 250 crore INR per instance for significant breaches.
- The DPDPA runs alongside sectoral regulations (RBI, IRDAI, SEBI). Run one program that satisfies both; do not run two.