
How to Comply with India’s New Data Privacy Law: The Digital Personal Data Protection Act (DPDPA)

  • March 18, 2025
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

India’s Digital Personal Data Protection Act (DPDPA) is set to take effect soon, bringing with it new responsibilities for businesses that collect, process, or store the personal data of Indian residents. Whether your company operates in India or simply handles data from Indian customers, you’ll need to understand what’s required to comply with this new data privacy legislation.

Below, we’ll provide a comprehensive guide to the DPDPA, explaining what the law entails, who needs to comply, and the key requirements businesses need to meet. You’ll learn everything you need to know to ensure your organization is aligned with India’s evolving data privacy landscape.

What is the Digital Personal Data Protection Act (DPDPA)?

India is rapidly becoming a global leader in digital innovation and technology. With more people and businesses relying on digital services than ever before, protecting personal data is crucial for maintaining public trust, ensuring business transparency, and aligning India’s practices with international privacy standards.

The Digital Personal Data Protection Act (DPDPA) is India’s response to global privacy trends, giving individuals greater control over their personal data while setting clear rules for the businesses that handle it.

It’s similar to other influential global privacy laws, like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), but with some unique provisions specifically tailored to India's data ecosystem.

Scope & applicability
  • DPDPA (India): Applies to all businesses globally that handle personal data of Indian residents.
  • GDPR (EU): Similarly broad, but explicitly emphasizes data processing within the EU and for EU residents.
  • CCPA/CPRA (California): Primarily targets larger businesses based on specific revenue and data-processing thresholds related to California residents.

Data classification
  • DPDPA (India): Adopts simpler definitions, intentionally avoiding excessive categorization of personal data types.
  • GDPR (EU): Detailed classifications of data types, each with specific compliance requirements.
  • CCPA/CPRA (California): Distinguishes between personal information and sensitive personal information, with separate obligations for each.

Consent requirements
  • DPDPA (India): Requires explicit, informed, and clear consent from data principals.
  • GDPR (EU): Stresses explicit consent, with stringent documentation and management obligations around withdrawing consent and data subject rights.
  • CCPA/CPRA (California): Broader options for implied consent, requiring clear options for consumers to opt out of data selling and sharing rather than explicit opt-ins.

Individual rights
  • DPDPA (India): Grants rights similar to GDPR, such as access, correction, and withdrawal of consent, but without the right to data portability.
  • GDPR (EU): Comprehensive rights, including data portability, access, rectification, erasure, and objection to processing.
  • CCPA/CPRA (California): Emphasizes the right to know, delete, correct, and opt out of data sales.

Data localization requirements
  • DPDPA (India): Does not enforce strict data localization, providing greater flexibility for businesses in how they manage cross-border data transfers.
  • GDPR (EU): Permits cross-border data transfers with strict conditions, requiring adequate safeguards.
  • CCPA/CPRA (California): Does not include explicit data localization or cross-border transfer restrictions.

Enforcement & penalties
  • DPDPA (India): Establishes India's Data Protection Board to oversee compliance, with potential fines reaching up to INR 250 crore (approximately $30 million).
  • GDPR (EU): Administered by national Data Protection Authorities (DPAs) across EU states, with penalties up to 4% of annual global turnover or €20 million, whichever is higher.
  • CCPA/CPRA (California): Establishes the California Privacy Protection Agency (CPPA) for enforcement, expands the private right of action, and introduces administrative fines up to $7,500 per violation.

Who needs to comply with the DPDPA and when will it be enforced?

If your business collects, stores, or processes personal data from Indian citizens and residents, you must comply with the DPDPA — even if you don’t have a physical presence in India. This applies to companies across all sizes and sectors, from local startups to global enterprises.

While the DPDPA was passed in August 2023, the new law is expected to come into force through a government notification sometime in 2025. Compliance can be complex, and organizations have limited time to ensure they meet the law’s requirements. Businesses should begin preparing immediately to avoid last-minute scrambles and potential compliance gaps.

Rights of Data Principals under the DPDPA

Under the DPDPA, individuals such as customers, end users, and employees (referred to as Data Principals) have clear rights over their personal data, similar to data subject rights under GDPR. Businesses that collect or process personal data (known as Data Fiduciaries) are legally required to honor these rights.

1. Right to access personal data

Data Principals can request a summary of the personal data a Data Fiduciary holds about them. They can also request information about how their data is being processed. Unlike GDPR, however, the DPDPA does not include a data portability requirement, meaning individuals can’t demand their data in a structured format to transfer to another service.

2. Right to correction and erasure

If a Data Principal notices errors in their personal data, they have the right to request corrections or updates. They can also request deletion of their data if it’s no longer needed or if they withdraw their consent, and Fiduciaries must act on these requests unless retention is required by law.

3. Right to withdraw consent

Consent isn’t a one-time agreement under the DPDPA. Individuals can withdraw consent at any time, and Data Fiduciaries must make this process just as easy as it was to give consent initially. Once withdrawn, data processing must stop immediately, unless legally required otherwise.

4. Right to grievance redressal

If an individual feels their rights have been violated, they can file a complaint directly with the Data Fiduciary. If they’re unsatisfied with the response, they can escalate the issue to the Data Protection Board of India for further action.

5. Right to be informed

Businesses must clearly inform individuals about why their data is being collected, how it will be used, and what rights they have before asking for consent. This information should be provided in plain language — no legal jargon.

What qualifies as personal data under the DPDPA?

To comply with the DPDPA, businesses need to understand what’s considered personal data under the law. Similar to GDPR, India's DPDPA defines personal information as any data about an individual that can directly or indirectly identify that person.

Personal information includes:

  • Identifiers: Names, addresses, email addresses, phone numbers, and government-issued identification numbers (such as Aadhaar, PAN card, and passport numbers).
  • Financial information: Bank account details, payment card numbers, and income details.
  • Health data: Medical history, treatment details, health conditions, and biometric data.
  • Biometric and genetic information: Fingerprints, facial recognition data, iris scans, and other genetic information.
  • Online identifiers: IP addresses, device IDs, cookies, and browsing data that could identify or profile an individual.
  • Location data: GPS coordinates and geographical tracking data.
  • Employment data: Employment history, professional qualifications, and employee performance data.

Essentially, if data can be connected to an individual in any meaningful way, either directly or when combined with other available information, it falls under DPDPA protections.

However, there are several explicit exemptions where certain types of data processing activities fall outside the scope of DPDPA requirements. These exemptions are designed to balance privacy protections with practical needs related to security, governance, personal use, and public interest:

  • Government functions: Data processed for state security, national sovereignty, public order, or law enforcement purposes may be exempt, subject to government-defined conditions.
  • Legal and judicial proceedings: Personal data processed specifically for judicial, legislative, or regulatory proceedings is typically exempt from DPDPA compliance requirements.
  • Personal or domestic use: Data processed exclusively for personal, household, or domestic purposes by individuals, not involving any commercial or professional activity, is exempt.
  • Research and statistical purposes: Data anonymized and processed solely for statistical, archival, or research purposes may be exempt if appropriate safeguards are in place.
  • Publicly available data: Information publicly available or officially published by individuals themselves is generally not subject to DPDPA consent and processing restrictions.
  • Emergency and disaster response: Processing of data to respond to medical emergencies, disasters, or humanitarian crises can be exempted if necessary to protect life or safety.

DPDPA requirements for Data Fiduciaries

Under the DPDPA, Data Fiduciaries have a legal obligation to safeguard the personal data they collect or process. But what exactly does that mean, and who qualifies as a Data Fiduciary?

A Data Fiduciary is any entity that determines the purpose and means of processing digital personal data, whether it’s customer or employee information — essentially, a data controller. This means they decide what data to collect, why it’s being collected, and how it will be processed. For example, a financial services company that collects and processes customer data for banking transactions would be considered a Data Fiduciary.

The DPDPA is designed to uphold individuals' fundamental right to control their personal data. To ensure this, the data protection law sets clear responsibilities for Data Fiduciaries, outlining how they must handle and protect sensitive personal data:

  • Consent management: Data Fiduciaries must obtain explicit, informed consent from Data Principals before processing any personal data. They must use clear opt-in checkboxes or prompts for data collection, and make it easy for users to withdraw consent at any time.
  • Data minimization and accuracy: Only the personal data necessary for the stated purpose can be collected, and reasonable efforts must be made to ensure the accuracy of personal data.
  • Data security: Organizations must implement strong information security safeguards, including encrypting personal data, maintaining access logs, regularly monitoring for security threats, and taking appropriate remediation steps in the event of data breaches.
  • Data breach notifications: Upon becoming aware of any personal data breach, Data Fiduciaries must notify affected individuals immediately and report the breach to the Data Protection Board of India within 72 hours.
  • Retention and erasure of data: Data Fiduciaries must set up an easy way for users to request changes or deletions to their data. They must erase personal data after a specified time period or once the purpose of data processing has been fulfilled, unless retention is mandated by Indian law. They must also inform Data Principals at least 48 hours before erasure.
  • Transparency and communication: Data Fiduciaries must provide clear information on their websites or apps about how Data Principals can exercise their rights, including contact details of a Data Protection Officer or designated representative. They must also clearly disclose information about data-sharing practices with any third-party processors or vendors.
  • Children’s data: Special rules apply for processing children's data, requiring verifiable legal guardian or parental consent, with strict due diligence obligations to confirm the guardian's identity and authority.
  • Data localization and transfer restrictions: Data Fiduciaries must comply with data localization rules as mandated by the Indian government. Transfers of personal data outside of the territory of India are subject to government-specified restrictions.

Additional requirements for Significant Data Fiduciaries

Certain types of Data Fiduciaries may be classified as Significant Data Fiduciaries (SDFs), based on the scale, sensitivity, and risk associated with their data processing activities. If your organization processes a large amount of personal data, processes high-risk or sensitive data, or generates a significant amount of revenue from data processing activities, you may be considered an SDF and be required to take extra steps to protect personal information.

  • Volume of personal data processed: Organizations processing large amounts of personal data may be designated as SDFs, even if they are not based in India.
  • Risk to Data Principals: If the processing of data poses a significant risk to individual rights, such as profiling or automated decision-making with legal consequences, the entity may be classified as an SDF.
  • Impact on public order or national security: Companies handling critical infrastructure data, public interest data, or data related to government functions may be subject to SDF regulations.
  • Processing of children’s or sensitive personal data: Businesses that process children’s data or sensitive personal data (such as health, biometrics, or financial data) at a large scale may fall under this classification.
  • Use of emerging technologies for data processing: If an organization uses AI, machine learning, or large-scale automated processing that could impact individuals' privacy rights, it may be classified as an SDF.
  • Turnover and business size: Large corporations, particularly those generating significant revenue from data processing, may be designated as SDFs.

SDFs must meet additional obligations beyond those required of standard Data Fiduciaries. One of the key requirements is the appointment of a Data Protection Officer (DPO), who must be based in India. The DPO is responsible for ensuring compliance with the DPDPA, responding to Data Principal queries, and serving as the primary point of contact for regulatory authorities.

SDFs are also required to conduct annual Data Protection Impact Assessments (DPIAs) to evaluate the risks associated with their data processing activities. These assessments must document potential risks, outline mitigation strategies, and be submitted to the Data Protection Board for review as needed. In addition to DPIAs, SDFs must undergo regular independent audits to verify compliance, and audit reports must be submitted to the Data Protection Board for oversight.

SDFs are also expected to meet higher accountability standards, which means keeping a close eye on how they handle personal data. This includes making sure AI and automated decision-making systems are used responsibly, avoiding unfair bias, and being transparent about how these systems process data. These extra requirements help ensure that large-scale or high-risk data processing is done in a way that protects individuals’ rights and maintains trust.

Compliance requirements for Data Processors

While the DPDPA mainly defines the rights of Data Principals and the responsibilities of Data Fiduciaries, it also establishes clear requirements for Data Processors, the entities that handle personal data on behalf of a Data Fiduciary. Unlike Fiduciaries, Data Processors don’t decide why data is collected or how it will be used; they simply process it based on the Fiduciary’s instructions.

But that doesn’t mean they’re off the hook when it comes to compliance. The DPDPA lays out specific requirements that Data Processors must follow to ensure data security, transparency, and accountability. Here’s what Data Processors need to do:

  • Follow clear contractual obligations: Every processing activity must be explicitly defined in a contract with the Fiduciary, including what data is being processed, why, for how long, and who is responsible for what.
  • Implement strong security measures: Processors must use robust encryption, access controls, and continuous monitoring to protect personal data, as required by their agreements with Fiduciaries.
  • Report breaches immediately: If a Processor discovers a data breach, they must notify the Fiduciary right away with detailed information about what happened and how it impacts personal data.
  • Cooperate with compliance checks: Processors are required to support Fiduciaries and regulators during audits, data protection impact assessments, and compliance inspections by providing necessary documentation and evidence. This can include providing a SOC 2 Type 2 report, ISO 27001 certification, or other compliance reports for assurance purposes.
  • Follow cross-border transfer rules: If personal data is transferred outside India, Processors must strictly comply with any government-imposed restrictions and ensure they meet the required data protection standards.

These requirements help define clear roles and responsibilities for both Fiduciaries and Processors, strengthening overall data protection and accountability under the DPDPA.

Penalties for non-compliance with the DPDPA

The DPDPA will be enforced by the newly empowered Data Protection Board of India, which will have the authority to investigate violations and impose penalties. Non-compliance can lead to substantial fines up to INR 250 crore (approximately $30 million USD), and severe breaches or violations can lead to legal consequences beyond financial penalties.

Compared to other major global privacy regulations, the DPDPA penalty structure sits in the middle ground. The EU's GDPR allows penalties of up to €20 million or 4% of the global annual turnover (whichever is higher), which can significantly exceed India's fixed cap for larger corporations. California’s CCPA/CPRA, by contrast, caps fines at $7,500 per violation but can accumulate rapidly depending on the number of affected individuals, potentially totaling substantial amounts for widespread breaches.

The DPDPA penalty framework underscores a global trend toward stricter enforcement and higher accountability standards in data privacy laws. By adopting strict penalties, India aligns with global norms emphasizing data protection as a fundamental right and critical compliance area.

Automate compliance with the Digital Personal Data Protection Act

Whether your organization needs to comply with data privacy legislation like the DPDPA, GDPR, or CCPA; regulatory requirements like CMMC or FedRAMP; or industry security frameworks like SOC 2 and ISO 27001, Secureframe drastically reduces the effort and costs associated with managing your data privacy and security efforts.

With Secureframe, you can:

  • Quickly set up the necessary data privacy policies and procedures
  • Deliver, monitor, and track employee compliance and privacy training
  • Automate evidence collection for routine audits
  • Stay up-to-date with evolving privacy requirements
  • Map your DPDPA-required controls and compliance activities to other frameworks, reducing duplicated effort and accelerating compliance timelines
  • Connect seamlessly with hundreds of integrations that continuously monitor your tech stack for misconfigurations, vulnerabilities, and non-compliance issues
  • Simplify risk assessments, vulnerability management, and vendor security reviews in accordance with DPDPA requirements

Secureframe makes compliance faster and easier, with 97% of our users reporting a stronger security and compliance posture. Request a demo today to see how Secureframe can streamline your journey to DPDPA compliance.

FAQs

What is the DPDP rule in India?

The Digital Personal Data Protection (DPDP) Act is India's data privacy legislation governing how organizations handle personal data, focusing on consent, transparency, accountability, and individual data rights.

What is the data privacy act in India?

The Digital Personal Data Protection (DPDP) Act regulates how personal data of Indian residents is collected, processed, and protected, ensuring transparency and individual control.

Who must comply with the India Data Protection Act?

Any organization that processes personal data of individuals residing in India, regardless of its location, must comply with the DPDPA.

When is the DPDP Act enforceable?

The DPDPA is currently expected to come into force through a government notification. The Indian government is likely to announce a phased implementation plan, potentially with a transition period for companies to comply.

Who has the power to enforce the Data Protection Act?

The DPDPA is enforced by India's Data Protection Board, which has the authority to investigate violations, conduct audits, and impose penalties.

What is the maximum penalty under the DPDPA for noncompliance by data fiduciaries?

Under the DPDPA, the maximum penalty for noncompliance can reach up to INR 250 crore (approximately $30 million), with potential additional legal consequences for severe violations.