What is DPDPA?

India’s Digital Personal Data Protection Act, 2023 (DPDPA) provides a comprehensive legal framework for processing digital personal data. It balances individuals’ rights to privacy with the need for lawful data processing. This document summarizes the Act from compliance and implementation perspectives for developers and organizations building open-source solutions.

1. Scope & Applicability

Covers:
- Digital personal data collected in India or digitized subsequently.
- Data processed outside India if related to offering goods or services to Data Principals in India.
Exemptions:
- Personal or domestic use of data.
- Data made publicly available by the Data Principal or under legal obligation.

2. Key Entities Defined in the Act

Data Principal – The individual to whom the personal data relates.
Data Fiduciary – Determines purpose and means of processing.
Data Processor – Processes data on behalf of the Data Fiduciary.
Consent Manager – Registered intermediary to manage, review, and withdraw consent.
Significant Data Fiduciary (SDF) – Notified based on volume/sensitivity of data; has additional compliance obligations.
Data Protection Board of India (DPBI) – Supervisory body for enforcement and penalties.

3. Compliance Requirements for Data Fiduciaries

3.1 Lawful Processing Grounds

Consent of Data Principal.
“Certain legitimate uses” – e.g., government services, legal obligations, emergencies, employment-related uses.

Must be free, specific, informed, unambiguous and obtained via clear affirmative action.
Notices must specify purpose, data collected, rights of the Data Principal, grievance process, and language options (English or any Eighth Schedule language).
Right to withdraw consent with comparable ease to giving consent.

3.3 Data Quality & Security

Ensure accuracy, completeness, and consistency when data affects decisions or is shared.
Security safeguards to prevent data breaches.
Data breach notifications to the Board and affected individuals.

3.4 Data Retention

Erase data when purpose is no longer served or consent withdrawn unless retention required by law.
Ensure Data Processors also erase data.

3.5 Additional Requirements for Children

Verifiable parental consent for processing data of individuals under 18.
No tracking, behavioral monitoring, or targeted advertising directed at children.

3.6 Significant Data Fiduciary Obligations

Appoint Data Protection Officer (DPO) based in India.
Conduct periodic Data Protection Impact Assessments (DPIAs).
Appoint an independent data auditor.
Implement additional prescribed measures for risk management.

4. Rights & Duties of Data Principals

Access rights – Information about data being processed, recipients, and purposes.
Right to correction and erasure.
Right to grievance redressal via Data Fiduciary or Consent Manager.
Right to nominate a person to exercise rights upon death/incapacity.
Duties – Provide authentic data, avoid impersonation, no frivolous complaints.

5. Special Provisions & Cross-Border Data Flow

Central Government may restrict transfer of personal data to certain countries.
Research, archiving, and statistical uses allowed with safeguards.
Exemptions for courts, legal proceedings, mergers, or national security.

6. Data Protection Board of India (DPBI)

Independent regulatory body with investigative and adjudicatory powers.
Handles complaints, breach notifications, and penalties.
Functions digitally “by design” for complaints and hearings.

7. Penalties

Security safeguard failures – up to ₹250 crore.
Breach notification failures – up to ₹200 crore.
Child data obligations – up to ₹200 crore.
SDF obligations – up to ₹150 crore.
False complaints – up to ₹10,000.

8. Compliance Perspective – Key Action Items

Data Mapping – Identify what personal data is collected, processed, stored, and shared.
Gap Analysis – Compare current practices to DPDPA requirements.
Policy Development – Draft/update privacy notices, consent forms, data retention policies.
Training – Train staff and developers on DPDPA principles.
Governance – Appoint DPO if Significant Data Fiduciary.
Incident Management – Build breach notification protocols.
Vendor Management – Include DPDPA clauses in Data Processor contracts.

Disclaimer: This summary is provided for informational purposes only and does not constitute legal advice. Always consult legal professionals for compliance strategy.

1. Scope & Applicability​

2. Key Entities Defined in the Act​

3. Compliance Requirements for Data Fiduciaries​

3.1 Lawful Processing Grounds​

3.2 Consent & Notice​

3.3 Data Quality & Security​

3.4 Data Retention​

3.5 Additional Requirements for Children​

3.6 Significant Data Fiduciary Obligations​

4. Rights & Duties of Data Principals​

5. Special Provisions & Cross-Border Data Flow​

6. Data Protection Board of India (DPBI)​

7. Penalties​

8. Compliance Perspective – Key Action Items​