DPDP Act 2023 Compliance for Indian Businesses — A Practical Roadmap
What the Digital Personal Data Protection Act 2023 actually requires from Indian businesses. Consent architecture, Data Principal rights, breach notification, penalties, and a practical compliance roadmap.
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's first comprehensive data-protection statute. Passed by Parliament in August 2023 and operationalised gradually through subordinate rules and notifications, the Act represents the most significant change to Indian commercial-legal compliance in recent years for any business that processes personal data — which, in practice, means almost every business operating in India.
This article explains what the DPDP Act actually requires, how it differs from the earlier Information Technology Rules framework, and what a practical compliance roadmap looks like for Indian businesses today.
The Architecture in Brief
The DPDP Act establishes a consent-based framework for processing personal data, with specific obligations on entities that process personal data and specific rights for individuals whose data is processed.
Key concepts:
- **Data Principal:** The individual to whom personal data relates. The DPDP Act's protections are for Data Principals.
- **Data Fiduciary:** The entity that determines the purposes and means of processing personal data. Most businesses are Data Fiduciaries.
- **Data Processor:** An entity that processes personal data on behalf of a Data Fiduciary. Cloud providers, SaaS tools, and outsourced service providers often function as Data Processors.
- **Significant Data Fiduciary:** A category to be designated by the government based on volume of data, sensitivity, risk, or impact. Significant Data Fiduciaries face enhanced obligations.
The Data Protection Board of India (DPBI) is constituted as the enforcement body. Penalties for contraventions are substantial — up to INR two hundred and fifty crore for specific failures.
What Has Changed from the Earlier Framework
Before the DPDP Act, Indian data-protection law was governed primarily by Section 43A of the Information Technology Act 2000 (which the DPDP Act repeals) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. That framework was limited in scope:
- It applied only to "sensitive personal data or information" (a narrower category)
- It focused on "reasonable security practices" without prescriptive requirements
- It provided limited rights to individuals
- Penalties were capped at INR five crore
The DPDP Act expands the framework substantively:
- It covers **all personal data**, not just sensitive personal data
- It prescribes **specific obligations** including consent, purpose specification, use limitation, and security
- It creates **enforceable rights** for Data Principals (access, correction, erasure, grievance redressal)
- It significantly **expands penalties** to up to INR two hundred and fifty crore
The Consent Architecture
Consent is the primary lawful basis for processing personal data under the DPDP Act. The Act prescribes specific consent requirements:
1. Consent must be free, specific, informed, unconditional, and unambiguous. Bundled consent (where the user agrees to multiple unrelated processing activities through a single click) does not satisfy this standard.
2. Consent must be given through a clear affirmative action. Pre-ticked checkboxes, silence, or inactivity do not constitute consent.
3. Notice must accompany the consent request. The notice must identify the processing purpose and the categories of personal data being processed, explain how the Data Principal can exercise their rights and withdraw consent, and explain how to make a complaint to the Data Protection Board.
4. Consent must be revocable. Data Principals can withdraw consent as easily as they gave it. Following withdrawal, processing must cease unless another lawful basis exists.
5. Consent for children's data requires parental consent. Verifiable parental consent is required for processing personal data of children below eighteen years.
For most Indian businesses, the practical compliance work is to redesign consent flows on websites, mobile apps, and other touchpoints to satisfy these requirements. Existing terms-of-service-based "consent" architecture frequently does not satisfy the DPDP Act standard.
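The requirements above translate into a fairly specific data model: consent is recorded per purpose, each grant is tied to the notice the Data Principal actually saw and to one affirmative action, withdrawal is a single unconditional step, and any processing path asks the ledger before it runs. The following purpose-scoped consent ledger is an added example written for this article; it is not code from the original page or from Unified Chambers And Associates, and every name in it (ConsentLedger, record_consent, action_id, the purpose strings, the "dp-1" principal) is an illustrative assumption rather than anything the Act prescribes. It rejects pre-ticked or default "consent", rejects a single click being reused to cover a second purpose (bundled consent), and produces the per-purpose summary that an access request would need.

```python
"""Purpose-scoped consent ledger (added example; not the article's or the firm's code).

All identifiers are illustrative assumptions. The DPDP Act sets the requirements
(free, specific, informed, unconditional, unambiguous, revocable); this is one
way to make a system enforce them at the point of processing.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class ConsentError(ValueError):
    """Raised when an attempt to record consent does not meet the standard."""


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool         # True = consent given, False = consent withdrawn
    notice_version: str   # notice the Data Principal was shown ("" on withdrawal)
    action: str           # how consent was expressed, e.g. "checkbox_click"
    action_id: str        # identifies the single UI interaction ("" on withdrawal)
    at: datetime


class ConsentLedger:
    """Append-only ledger: one purpose per affirmative action; withdrawal always allowed."""

    # Mechanisms that are not a clear affirmative action and therefore never count.
    NON_AFFIRMATIVE = frozenset({"pre_ticked", "default", "inactivity", "silence", "tos_accept"})

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._notices: Dict[str, Dict[str, List[str]]] = {}   # version -> purpose -> categories
        self._actions: Dict[Tuple[str, str], str] = {}        # (principal, action_id) -> purpose

    def register_notice(self, version: str, purposes: Dict[str, List[str]]) -> None:
        """A notice must name each purpose and the data categories processed for it."""
        for purpose, categories in purposes.items():
            if not categories:
                raise ConsentError(f"notice {version!r} lists no data categories for {purpose!r}")
        self._notices[version] = dict(purposes)

    def record_consent(self, principal_id: str, purpose: str, notice_version: str,
                       action: str, action_id: str, at: Optional[datetime] = None) -> None:
        if action in self.NON_AFFIRMATIVE:
            raise ConsentError(f"{action!r} is not a clear affirmative action")
        if purpose not in self._notices.get(notice_version, {}):
            raise ConsentError(f"notice {notice_version!r} does not cover purpose {purpose!r}")
        key = (principal_id, action_id)
        prior = self._actions.get(key)
        if prior is not None and prior != purpose:
            # The same click already granted a different purpose: that is bundled consent.
            raise ConsentError(f"action {action_id!r} already covers {prior!r}; bundled consent rejected")
        self._actions[key] = purpose
        self._events.append(ConsentEvent(principal_id, purpose, True, notice_version,
                                         action, action_id, at or datetime.now(timezone.utc)))

    def withdraw(self, principal_id: str, purpose: str, at: Optional[datetime] = None) -> None:
        """One call, no preconditions: withdrawing is at least as easy as giving consent."""
        self._events.append(ConsentEvent(principal_id, purpose, False, "", "withdrawal", "",
                                         at or datetime.now(timezone.utc)))

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """Processing may proceed only if the latest event for this purpose is a grant."""
        latest = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def summary(self, principal_id: str) -> Dict[str, dict]:
        """Per-purpose state, suitable for answering a Data Principal's access request."""
        out: Dict[str, dict] = {}
        for ev in self._events:
            if ev.principal_id != principal_id:
                continue
            prev = out.get(ev.purpose, {})
            out[ev.purpose] = {
                "active": ev.granted,
                # On withdrawal keep the notice/categories from the grant being withdrawn.
                "notice_version": ev.notice_version if ev.granted else prev.get("notice_version", ""),
                "categories": self._notices[ev.notice_version][ev.purpose] if ev.granted
                              else prev.get("categories", []),
                "as_of": ev.at.isoformat(),
            }
        return out


def demo() -> dict:
    """Constructed scenario (sample data, not real records); returns the outcomes."""
    ledger = ConsentLedger()
    ledger.register_notice("v1", {"order_fulfilment": ["name", "address", "phone"],
                                  "marketing_email": ["email"], "analytics": ["device_id"]})
    # Separate affirmative actions for separate purposes: accepted.
    ledger.record_consent("dp-1", "order_fulfilment", "v1", "checkbox_click", "click-1")
    ledger.record_consent("dp-1", "marketing_email", "v1", "checkbox_click", "click-2")
    results = {"marketing_before": ledger.is_permitted("dp-1", "marketing_email")}
    try:  # the first click reused to cover an unrelated purpose: bundled, rejected
        ledger.record_consent("dp-1", "analytics", "v1", "checkbox_click", "click-1")
    except ConsentError as e:
        results["bundled"] = str(e)
    try:  # a pre-ticked box is not an affirmative action
        ledger.record_consent("dp-1", "analytics", "v1", "pre_ticked", "click-3")
    except ConsentError as e:
        results["pre_ticked"] = str(e)
    ledger.withdraw("dp-1", "marketing_email")
    results["marketing_after"] = ledger.is_permitted("dp-1", "marketing_email")
    results["order_after"] = ledger.is_permitted("dp-1", "order_fulfilment")
    results["summary"] = ledger.summary("dp-1")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The design choice worth noting is that `is_permitted` is the only thing a processing job consults, so withdrawal is effective immediately without anyone having to find and flip flags scattered across systems, and the append-only event list doubles as the record of requests and responses that the grievance process will ask for.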
Data Principal Rights
The DPDP Act creates specific enforceable rights for Data Principals:
Right to access information: A Data Principal can ask a Data Fiduciary for a summary of the personal data being processed, the processing activities undertaken, and the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared.
Right to correction and erasure: A Data Principal can seek correction of inaccurate personal data and erasure where there is no continuing lawful basis for retention.
Right to nominate: A Data Principal can nominate another individual to exercise their rights in the event of the Data Principal's death or incapacity.
Right to grievance redressal: A Data Principal can lodge a grievance with the Data Fiduciary's grievance officer; if unresolved, the matter can be escalated to the Data Protection Board.
For Data Fiduciaries, the practical compliance work is to establish documented procedures for handling Data Principal requests within statutory timelines (typically thirty days for most requests). This includes designating a grievance officer, training customer-service teams, and maintaining records of requests and responses.
Breach Notification
The DPDP Act requires a Data Fiduciary to intimate the Data Protection Board and each affected Data Principal in the event of a personal-data breach. The Act itself sets no risk threshold below which affected Data Principals need not be told; the form, content and timelines of notification are prescribed through subordinate rules. The broad framework is:
- Notification to the Data Protection Board within the prescribed timelines
- Notification to each affected Data Principal, in the prescribed form
- Documentation of breach response and remediation
Failure to comply with breach notification requirements is one of the categories carrying the highest statutory penalties under the Act.
Cross-Border Data Transfers
The DPDP Act permits cross-border transfer of personal data to any jurisdiction except those that the Central Government specifically restricts by notification. This is a substantially more permissive framework than the earlier draft bills had proposed (which would have required data localisation in many cases).
For Indian businesses using global SaaS tools, cloud services, and analytics platforms — which is virtually all businesses — the practical implication is that current architectures generally remain compliant, subject to specific compliance with consent and notice requirements at the point of data collection.
The framework includes anti-circumvention provisions. Cross-border transfers cannot be used to evade DPDP Act obligations applicable in India.
The Penalty Framework
The Schedule to the DPDP Act prescribes a maximum penalty for each category of contravention:
- **Up to INR 250 crore** for failing to take reasonable security safeguards to prevent a personal-data breach
- **Up to INR 200 crore** for failing to notify the Board and affected Data Principals of a breach
- **Up to INR 200 crore** for contraventions of children's data obligations
- **Up to INR 150 crore** for a Significant Data Fiduciary's failure to fulfil its additional obligations
- **Up to INR 10,000** for a Data Principal's breach of their own duties under the Act
- **Up to INR 50 crore** for any other contravention of the Act or the rules
The Data Protection Board has discretion in determining the actual penalty within the maximum. Factors it must consider include the nature, gravity and duration of the contravention, the type and nature of the personal data affected, whether the contravention is repetitive, any gain or loss avoided as a result of it, the mitigation action taken, and the proportionality and likely impact of the penalty.
A Practical Compliance Roadmap
For Indian businesses navigating DPDP Act compliance, a practical roadmap typically follows this sequence:
Step 1 — Data inventory. Document all personal data being processed: what categories, for what purposes, from what sources, shared with which third parties, retained for how long, and stored where.
Step 2 — Lawful-basis analysis. For each processing activity, identify the lawful basis. Most processing will require Data Principal consent; some may rely on the "certain legitimate uses" the Act recognises without consent, such as data a Data Principal voluntarily provided for a specified purpose, processing for employment-related purposes, or compliance with a legal obligation or court order.
Step 3 — Consent architecture redesign. Redesign consent flows on websites, mobile apps, employee onboarding, customer interactions, and all other touchpoints to satisfy the DPDP Act requirements.
Step 4 — Privacy notice update. Draft or update privacy notices to clearly identify processing purposes, data categories, retention periods, sharing arrangements, Data Principal rights, and grievance contact information.
Step 5 — Data Principal request procedures. Establish documented procedures for handling access, correction, and erasure requests within statutory timelines. Train customer-service and other relevant teams.
Step 6 — Vendor and third-party arrangements. Review contracts with vendors, SaaS providers, and other Data Processors. Update agreements to include DPDP Act-compliant processing obligations.
Step 7 — Breach response plan. Develop a documented breach response plan covering identification, containment, notification, and remediation. Test the plan periodically.
Step 8 — Grievance officer designation. Designate a grievance officer (or function) responsible for handling Data Principal grievances. Ensure contact information is publicly accessible.
Step 9 — Periodic compliance review. Establish a periodic review cycle to audit compliance, identify gaps, and update procedures as the regulatory framework evolves.
Specific Sector Considerations
Several sectors face DPDP Act compliance considerations that go beyond the generic framework:
Financial services. Banks, NBFCs, and fintech companies process substantial personal data and are likely to be designated as Significant Data Fiduciaries. Enhanced obligations including Data Protection Officer appointment and Data Protection Impact Assessments will apply.
Healthcare. Medical and health data is among the most sensitive categories. Hospitals, clinics, diagnostic centres, and digital-health platforms face heightened compliance requirements.
E-commerce and marketplaces. Customer data, transaction histories, behavioural analytics, and recommendation algorithms all involve personal data processing. Consent architecture is particularly important.
Educational institutions. Children's data is processed extensively. Verifiable parental consent and enhanced safeguards apply.
Employers. Employee personal data is processed throughout the employment lifecycle. Processing for employment purposes, or to safeguard the employer from loss or liability, can rely on the Act's legitimate-use ground rather than consent; processing outside that ground (for example, wellness or marketing programmes) needs consent and notice in the ordinary way, alongside the broader employment-relationship framework.
What Happens When Enforcement Begins
The Data Protection Board is being established and full enforcement is expected to develop over the next two to three years. Early enforcement activity is likely to focus on:
- Egregious breach cases with significant Data Principal impact
- Large Data Fiduciaries with public visibility
- Complaints filed by Data Principals through the grievance redressal framework
- Sector-specific compliance reviews coordinated with sectoral regulators
For Indian businesses, the practical question is whether to move on compliance proactively or wait for enforcement pressure. The prudent position is proactive compliance: the cost of getting compliance right is materially less than the cost of remediation under regulatory pressure, and the penalty framework creates real downside exposure.
How the Chambers Engage with This Practice
Unified Chambers And Associates handles DPDP Act compliance and disputes as part of the Media, Defamation and IT Law practice area. The work covers:
- Consent architecture review and drafting
- Privacy notice preparation
- Data Principal request response procedure design
- Breach response plan development
- Vendor agreement review for DPDP Act compliance
- Disputes arising from alleged non-compliance
- Representation in proceedings before the Data Protection Board
The framework is new and the jurisprudence is still developing. Conservative compliance with documented decision-making creates a materially stronger defensive position than reactive compliance under regulatory pressure.
For specific DPDP Act compliance questions or disputes, contact the chambers through subodhbajpai.in/contact. Related reading includes Digital Marketing for Law Firms on the related advertising-compliance framework, the legal glossary on key terms (DPDP Act, IT Act 2000, Section 79), and recent insights on Indian commercial-law developments.
Speak with Advocate Subodh Bajpai
For matters relating to this article, consult Unified Chambers And Associates — debt recovery, SARFAESI, DRT, IBC, Section 138, and commercial litigation.
Articles like this one are written by Advocate Subodh Bajpai. For legal counsel on the topics discussed, the chambers handle matters across these practice areas.