The Digital Personal Data Protection Act (DPDP Act) is India’s first comprehensive data protection legislation. It puts power in the hands of the users, imposing obligations on businesses on how to collect, store and use personal data.
Why was the DPDP Act needed?
With growing technological developments, businesses rapidly scaled. However, this growth came at a great risk. A lot of personal data was being processed without any strict regulations in place. With the introduction of the DPDP Act and regulators mandating compliance, this changes. All businesses that process personal data are now required to take explicit consent from the data principal (the person whose data is being processed) stating the purposes for which they will use the data, and non-compliance will have financial, reputational and business repercussions.
What are the new DPDP Rules 2025?
The Final DPDP Rules were published in November this year. The final DPDP Rules provide clear guidance for businesses on how to handle personal data.
The rules give extensive rights to the users to access, erase, and control their data, set out clear processes for businesses to follow and clarify the roles and responsibilities of the Data Protection Board. The rules also mandate verifiable parental consent for use of children’s data.
You can read in detail about DPDP Rules 2025 here
What are the 7 principles of the Data Protection Act?
The government has released the final DPDP Rules, which bring certain parts of the Act into force. The Rules also introduce a hard deadline for full compliance, which ends in May 2027.
Here are the 7 key pillars of the DPDP Act in India:
A. Consent as Primary Ground of Processing: Consent is the main requirement for processing personal data under the DPDP Act, with other grounds being rare exceptions. To process data, there must either be a legitimate use or lawful consent. You can read more on the grounds for processing personal data here.
B. Data Fiduciaries' Responsibility: The DPDP Act holds Data Fiduciaries accountable for all data processing, including that done by third-party vendors. There are higher obligations for Significant Data Fiduciaries.
C. Data Security and Breach Notification: Data fiduciaries must ensure strong data security and promptly report breaches to the Data Protection Board and affected individuals.
D. Data Protection Board (DPB): The Data Protection Board shall oversee the enforcement of the Act, impose penalties, and handle complaints, with considerable discretion in levying monetary penalties.
E. Rights of Data Principals: Data Principals or Users now have the right to access, review and delete consent, request data erasure, as well as raise complaints. Data fiduciaries are mandated to respond to a request within 90 days.
F. Cross-Border Data Transfers: Data can be transferred to any jurisdiction unless specifically prohibited by the government. Read more about restrictions on cross-border data transfers and data localization.
G. Protecting Children's Data: The Act gives special consideration to children's data, requiring verified parental consent for processing and banning certain practices like targeted advertising. Read more about DPDP law on children's data on our consent blog.
You can read in detail about the key principles of the Data Protection Act in our blog.
What type of personal data is covered under the DPDP Act?
Any data that can be used to identify a person is personal data.
Some examples of personal data are:
- person’s name
- mobile number
- bank account
- photograph
- signature
- Aadhaar details, etc.
You can read more about personal data in our blog on the applicability of the DPDP Act.

Who must comply with the DPDP Act?
The DPDP Act impacts everyone, but the key stakeholders defined in the Act are:
- Data Principals: Individuals to whom the data belongs, such as customers opening bank accounts or users registering on websites.
- Data Fiduciaries: Anyone who determines the purpose of processing personal data, i.e. entities like banks, telecom providers, and social media platforms. They face the highest level of compliance obligations under the DPDP Act.
- Data Processors: A person who processes personal data on behalf of a Data Fiduciary.
The critical difference between Data Processors and Data Fiduciaries is that only the Fiduciaries determine the means and purpose of processing data.

Data Fiduciaries collect and process data of multiple Data Principals.
Data Processors process data on behalf of a Data Fiduciary.
What are the penalties for non-compliance under the DPDP Act?
The Digital Personal Data Protection Act imposes significant fines for breaches, which will be determined by the Data Protection Board based on:
a) nature
b) duration, and
c) severity of the breach.
The Board has considerable discretion in levying monetary penalties. Penalties can go up to 250 crores per violation. But the result of non-compliance is not just monetary. It can also cause a lot of reputational damage and even result in the halting of specific business operations.
Read our blog on DPDP Penalties for more details.

What are the exemptions under the DPDP Rules?
The government has the power to exempt businesses from certain obligations. There are exemptions to the DPDP Act's provisions in certain cases like investigation of offences, enforcement of legal rights or claims, and processing outside Indian territory.
We have detailed the exemptions in our DPDP Act Exemption blog.
What to do with data collected before the DPDP Act?
Even for consents collected prior to the enactment of the DPDP Act, the Data Fiduciary must send a one-time notice to the Data Principal. If the Data Principal withdraws their consent after this notice, the data processing will have to stop.
This is a significant obligation on many industries, especially data-heavy industries such as BFSI, telemarketing, e-commerce and healthcare. A customized notice must be sent to all existing customers detailing:
- their data
- purpose of use
- right to withdraw consent and
- method of grievance redressal.
What is the difference between DPDP and GDPR?
The General Data Protection Regulation (GDPR) of the European Union and India's DPDP Act are both landmark pieces of legislation for data protection and privacy in their respective regions. Here are some key differences between the GDPR and the DPDP Act.
Conclusion/Next Steps
The DPDP Act is changing the data privacy landscape in India. Companies need to adapt quickly and reimagine how they collect and process personal data. Failure to do so will invite penalties up to 250 crores, legal consequences and reputational damage.
With a hard deadline in place for compliance, it is more important than ever to start fixing internal policies, training employees, updating third-party agreements and setting up DPDP-compliant systems for processing personal data.
Wondering where to start? Get in touch with us for more information.