India's Digital Personal Data Protection Act, 2023 reshapes how every business handles personal data. Here are the core principles, your obligations as a data fiduciary, and how to prepare.
What the DPDP Act is
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data-protection law. It governs how organisations collect, store, use and share the personal data of individuals (called data principals), and it applies to any business processing such data digitally — including foreign businesses that offer goods or services to people in India.
It replaces the patchwork of earlier IT-Act rules with a single, consent-centric framework backed by significant financial penalties. Almost every modern business — anyone with a website, app, CRM or customer database — falls within its scope.
The core principles
The Act is built on a few clear ideas. Personal data may be processed only for a lawful purpose, with the individual's free, informed and specific consent (or under certain 'legitimate uses'). Consent requests must be in clear language and accompanied by a notice explaining what data is collected and why.
Data should be collected only as needed for the stated purpose (data minimisation), kept accurate, and not retained longer than necessary. Individuals have rights to access their data, correct it, erase it, and nominate someone to exercise their rights — and they can withdraw consent as easily as they gave it.
Your obligations as a data fiduciary
A business that decides why and how personal data is processed is a 'data fiduciary' and carries the main obligations. You must obtain valid consent, provide a clear privacy notice, implement reasonable security safeguards, and delete data once its purpose is served or consent is withdrawn.
If a data breach occurs, you must notify both the Data Protection Board and the affected individuals. Larger or higher-risk businesses may be designated 'Significant Data Fiduciaries' with extra duties such as appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and undergoing independent audits. Special care applies to children's data: processing that is detrimental to a child, and tracking or targeted advertising aimed at children, are restricted.
Penalties for getting it wrong
The Act gives real teeth to enforcement. Penalties are substantial — failure to take reasonable security safeguards to prevent a breach can attract a penalty of up to ₹250 crore, and other defaults carry their own steep figures. The Data Protection Board can investigate complaints and impose these penalties.
For a startup or SME, even a fraction of these maximums could be existential. That makes proactive compliance — rather than waiting for a complaint — the only sensible posture.
How to prepare now
Start with a data map: list what personal data you collect, where it lives, who can access it, and why. Then update your consent flows and privacy notice so they are specific, clearly worded and easy to withdraw, and put a data-retention and deletion policy in place.
Tighten access controls and security, define a breach-response plan, and review contracts with vendors who process data on your behalf (data processors) to ensure they are bound to the same standards. A lawyer-drafted, DPDP-aligned privacy policy and a set of data-processing agreements are the foundation most businesses should put in place first.