India's Digital Personal Data Protection Act 2023
India's Digital Personal Data Protection Act 2023 establishes a statutory framework for collecting, processing, and storing personal data, creating rights for data principals and enforceable obligations for data fiduciaries. This topic situates the Act within the global data-protection context alongside the EU GDPR, the UK GDPR, and the US sectoral regime, and examines its direct implications for information security audits and compliance programmes.
India's Digital Personal Data Protection Act 2023 (DPDP Act) is the country's first comprehensive data-protection statute. It establishes a consent-centred framework in which data fiduciaries must obtain free, specific, informed, and unconditional consent from data principals before processing their personal data, or rely on a narrow set of defined legitimate uses. The Act creates enforceable individual rights, specifies obligations for data fiduciaries including mandatory breach notification and security safeguards, empowers the central government to designate Significant Data Fiduciaries for heightened oversight, and establishes the Data Protection Board of India as the adjudicatory body. Penalties for non-compliance can reach INR 250 crore per breach instance.
The DPDP Act sits in a global context. The European Union's General Data Protection Regulation (GDPR), in force since 2018, is the most cited benchmark and shares the Act's architecture of controller obligations and individual rights. The United Kingdom retained the GDPR in domestic law after Brexit, creating the UK GDPR, while the United States continues to rely on a sectoral model, with the California Consumer Privacy Act (CCPA) and Health Insurance Portability and Accountability Act (HIPAA) covering discrete segments. Brazil's Lei Geral de Proteção de Dados (LGPD) and Japan's Act on the Protection of Personal Information (APPI) round out the major regimes. All these statutes address the same fundamental tension between commercial and governmental data processing and the individual's interest in controlling information about themselves.
For information security practitioners, the DPDP Act is not a legal abstraction. It translates directly into audit requirements: organisations must demonstrate that they have valid consent or legitimate use grounds for every processing activity, that they maintain accurate records, that they have implemented technical and organisational security safeguards, that they can respond to data principal rights requests within prescribed timescales, and that they can notify the Data Protection Board within the required window following a personal data breach. Each of these obligations corresponds to a set of controls that an auditor will test.
By the end of this topic you will be able to:
- Describe the structure of the DPDP Act 2023 including its core concepts: data principal, data fiduciary, data processor, consent, and legitimate uses.
- Explain the rights granted to data principals and the corresponding procedural obligations those rights create for data fiduciaries.
- Identify the criteria for Significant Data Fiduciary designation and the additional obligations that designation triggers.
- Explain the role and powers of the Data Protection Board of India and the penalty regime for non-compliance.
- Map DPDP Act obligations to auditable controls and position the Act within the broader global data-protection regulatory environment.
- Data principal: The individual to whom the personal data relates. Equivalent to the data subject under GDPR. The DPDP Act grants data principals rights of access, correction, erasure, withdrawal of consent, nomination, and grievance redressal.
- Data fiduciary: Any person or entity that determines the purpose and means of processing personal data. Equivalent to the data controller under GDPR. Data fiduciaries bear the primary compliance obligations under the DPDP Act.
- Data processor: An entity that processes personal data on behalf of a data fiduciary, under the fiduciary's instructions. Equivalent to the data processor under GDPR. Processors are bound by contractual obligations from the fiduciary; direct statutory obligations fall on the fiduciary.
- Consent notice: A notice that must be provided to the data principal before or at the time of requesting consent. It must be clear, in plain language, and specify the personal data to be processed and the purpose of processing. Consent must be free, specific, informed, unconditional, and unambiguous.
- Significant Data Fiduciary (SDF): A data fiduciary designated by the central government as carrying elevated risk based on data volume, sensitivity, national security considerations, or impact on public order. SDFs face additional obligations including Data Protection Officer appointment, independent audits, and data protection impact assessments.
- Data Protection Board of India (DPBI): The adjudicatory body established by the DPDP Act to receive complaints, investigate breaches of the Act, and impose penalties. The Board operates as an independent body and can direct remediation as well as impose financial penalties up to INR 250 crore per instance.
Structure of the DPDP Act: scope, definitions, and lawful bases
The DPDP Act applies to the processing of digital personal data within India and, crucially, to processing outside India when it involves offering goods or services to data principals in India. This extraterritorial reach mirrors the approach of the EU GDPR's Article 3 and the UK GDPR, which apply based on where the data subject is located, not where the processor is incorporated. Brazilian LGPD adopts the same principle. The US approach differs: CCPA applies based on the residency of the consumer and the revenue of the business, while HIPAA applies based on the type of entity and type of data, regardless of geography.
Processing under the DPDP Act is lawful only if the data principal has given valid consent or if the processing falls within one of the defined "deemed consent" categories, which the Act terms legitimate uses. Legitimate uses include processing necessary for the performance of a legal obligation by the state, medical emergencies, employment-related processing, and processing for public interest functions. This is narrower than the GDPR's six lawful bases, which include performance of a contract, compliance with a legal obligation, vital interests, public task, legitimate interests, and consent as separate and interchangeable grounds. The DPDP Act's consent-centred approach means that most commercial data processing by private entities requires valid consent unless it fits a legitimate use category.
Personal data is defined as any data about an identifiable individual. The Act does not create separate categories for sensitive personal data in the main statute, instead granting the central government power to specify additional obligations for certain classes of data through rules. This regulatory flexibility parallels the approach used in Singapore's Personal Data Protection Act, where many operational details are set by subsidiary legislation rather than fixed in statute.
Obligations of data fiduciaries
A data fiduciary under the DPDP Act must: provide a consent notice in clear, plain language before collecting personal data; process data only for the specified purpose; implement reasonable security safeguards to prevent personal data breaches; notify the Data Protection Board and affected data principals of a breach in the prescribed manner; erase personal data when the purpose is fulfilled or consent is withdrawn; ensure the accuracy of personal data; and respond to data principal rights requests. These obligations create a compliance programme structure that maps directly to ISO/IEC 27001 controls and NIST Cybersecurity Framework functions.
| DPDP Act obligation | Audit control domain | Comparable GDPR article |
|---|---|---|
| Consent notice in plain language | Records management; notice design | Art. 13/14 (transparency) |
| Reasonable security safeguards | Information security controls | Art. 32 (security of processing) |
| Breach notification to DPBI | Incident response; notification procedures | Art. 33 (notification to supervisory authority) |
| Breach notification to data principals | Communications; breach response | Art. 34 (notification to data subjects) |
| Purpose limitation; data erasure | Data lifecycle management | Art. 5(1)(b), (e) (purpose limitation; storage limitation) |
| Rights request fulfilment | Rights management workflows | Art. 12-22 (data subject rights) |
The Act requires fiduciaries to appoint a Grievance Officer accessible to data principals. This officer handles complaints before they escalate to the Data Protection Board. The Grievance Officer role does not require specific professional qualifications under the Act but must be reachable via the fiduciary's contact details published on its platform. Larger organisations typically assign this function to a dedicated privacy or compliance team rather than creating a standalone role.
The Act explicitly addresses data processors: a fiduciary remains responsible for ensuring its processors comply with the Act and must execute a valid contract with each processor specifying the processing instructions and security requirements. This mirrors GDPR Article 28, which mandates written data processing agreements. In an audit context, third-party processor management becomes a testable control: auditors will check that contracts exist, that they contain the required clauses, and that the fiduciary has assessed the security posture of its processors. For deeper treatment of third-party risk in security audits, the Risk Identification and Asset Classification topic covers how to scope vendor risk within an asset inventory.
Rights of data principals
The DPDP Act grants data principals five categories of rights. First, the right to access a summary of personal data being processed and the processing activities. Second, the right to correct inaccurate or misleading personal data and to erase data that is no longer necessary for the purpose for which consent was given. Third, the right to withdraw consent, with the consequence that the fiduciary must cease processing and instruct processors to do so, though prior lawful processing is not invalidated. Fourth, the right to nominate another individual to exercise rights in the event of the data principal's death or incapacity. Fifth, the right to file a grievance with the fiduciary's Grievance Officer, and if unsatisfied, to appeal to the Data Protection Board.
Compared with the GDPR, the DPDP Act's rights framework is somewhat narrower. GDPR grants data subjects the right to data portability (receiving data in a machine-readable format for transfer to another controller) and in some circumstances the right to object to processing. The DPDP Act does not establish a general portability right in the statute, though the government may introduce portability requirements through rules. The right to erasure under both Acts is not absolute: it does not apply where retention is required by law or where the data is needed for ongoing legitimate purposes.
Significant Data Fiduciaries and heightened obligations
The central government may designate a data fiduciary as a Significant Data Fiduciary (SDF) by notification. The criteria for designation include the volume of personal data processed, the sensitivity of the data, the risk to data principals, the potential impact on national security or sovereignty, and the impact on public order or the rights of children. The designation mechanism is similar in intent to the GDPR's concept of high-risk processing requiring a Data Protection Impact Assessment, but differs structurally: under GDPR, the controller itself must assess whether its processing is high-risk and conduct a DPIA; under the DPDP Act, the government makes the SDF designation and then specifies what additional obligations apply.
Once designated, an SDF must appoint a Data Protection Officer (DPO) based in India who reports to the Board of Directors or equivalent governing body. The DPO role under the DPDP Act parallels the GDPR's DPO requirement under Article 37, which applies to public authorities and to organisations engaged in large-scale systematic monitoring or processing of special categories of data. An SDF must also have its processing activities audited by an independent data auditor, must conduct periodic Data Protection Impact Assessments (DPIAs), and must ensure that its algorithms and technology do not pose risks to the rights of data principals.
For audit teams, SDF designation changes the compliance scope materially. An SDF audit must verify DPO appointment and reporting lines, DPIA completion for specified processing activities, independent audit arrangements, and the algorithmic impact review process. Organisations processing data at scale in the financial services, telecommunications, or health sectors are most likely to receive SDF designations when the government publishes the criteria through rules.
The Data Protection Board and enforcement
The Data Protection Board of India (DPBI) is the Act's adjudicatory authority. It is constituted by the central government and has the powers of a civil court for the purposes of receiving complaints, summoning documents, and directing remediation. The Board can impose financial penalties after conducting an inquiry and giving the data fiduciary an opportunity to be heard. This procedural due process requirement mirrors the enforcement structure under GDPR, where supervisory authorities must give the controller the opportunity to respond before imposing a fine, and under HIPAA, where the US Department of Health and Human Services follows a corrective action process before imposing civil monetary penalties.
The penalty schedule is tiered by the nature of the violation. Failure to implement adequate security safeguards leading to a personal data breach attracts a penalty of up to INR 250 crore. Failure to notify the Board of a breach carries a penalty of up to INR 200 crore. Failure to safeguard children's data is penalised up to INR 200 crore. Breach of any other obligation under the Act or the rules attracts a penalty up to INR 50 crore. The Board may also direct the data fiduciary to take specific remedial action.
| Violation | DPDP Act maximum penalty | GDPR equivalent maximum |
|---|---|---|
| Failure to implement adequate security safeguards (breach results) | INR 250 crore (~USD 30M) | EUR 10M or 2% global turnover (Art. 32) |
| Failure to notify DPBI of a breach | INR 200 crore (~USD 24M) | EUR 10M or 2% global turnover (Art. 33) |
| Breach of children's data obligations | INR 200 crore (~USD 24M) | EUR 20M or 4% global turnover (Art. 8) |
| Other Act/rules violations | INR 50 crore (~USD 6M) | EUR 10M or 2% global turnover |
Appeals against Board orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and from there to the Supreme Court of India. The multi-tier appeals structure is designed to ensure that significant penalties can be reviewed on both facts and law before they become final.
Audit implications and building a DPDP compliance programme
An organisation subject to the DPDP Act needs a compliance programme that covers five workstreams. First, data mapping: identifying every category of personal data collected, the purpose, the lawful basis (consent or legitimate use), the retention period, and the processors involved. Second, consent management: implementing notice-and-consent flows for each data collection point, maintaining records of consent, and building the technical capability to honour withdrawals. Third, security controls: aligning the organisation's information security programme to the Act's requirement for reasonable safeguards, which in practice means mapping to a recognised framework such as ISO 27001 or the NIST Cybersecurity Framework. Fourth, breach response: maintaining a tested incident response plan with defined notification timelines for both the DPBI and affected data principals. Fifth, rights fulfilment: building workflows to receive, verify, and respond to access, correction, erasure, and withdrawal requests within the prescribed period.
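The consent-management and rights-fulfilment workstreams above come down to one engineering property: the data access layer must refuse processing for any (principal, purpose) pair that lacks a live lawful basis, and a withdrawal must both stop further processing and trigger erasure. The following Python sketch is an added example, not code from the page or from any DPDP implementation; the `ConsentLedger` class, the purpose names, the sample principal id and the `LEGITIMATE_USES` allow-list (seeded only with "medical_emergency", which the page lists as a legitimate use) are all constructed assumptions. It shows purpose limitation (consent for order fulfilment does not unlock marketing), withdrawal with erasure, and the audit trail an auditor testing this control would expect to inspect.

```python
"""Consent ledger that gates processing on a per-purpose lawful basis.

Added illustration: ConsentLedger, ConsentRecord, the purpose names and the
LEGITIMATE_USES set are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative allow-list of purposes treated as legitimate uses
# (processing permitted without a consent record).
LEGITIMATE_USES = {"medical_emergency"}


class ConsentDenied(Exception):
    """Raised when processing is attempted without a valid lawful basis."""


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice_version: str            # which consent notice the principal saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def is_active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentLedger:
    # One record per (principal, purpose): consent for one purpose says
    # nothing about another, which is how purpose limitation is enforced.
    records: Dict[Tuple[str, str], ConsentRecord] = field(default_factory=dict)
    # Personal data held under each (principal, purpose) consent.
    data_store: Dict[Tuple[str, str], dict] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def record_consent(self, principal_id: str, purpose: str, notice_version: str) -> None:
        key = (principal_id, purpose)
        self.records[key] = ConsentRecord(principal_id, purpose, notice_version,
                                          datetime.now(timezone.utc))
        self.audit_log.append(f"consent granted {key} notice={notice_version}")

    def lawful_basis(self, principal_id: str, purpose: str) -> Optional[str]:
        """Return 'legitimate_use', 'consent', or None when no basis exists."""
        if purpose in LEGITIMATE_USES:
            return "legitimate_use"
        rec = self.records.get((principal_id, purpose))
        if rec is not None and rec.is_active:
            return "consent"
        return None

    def store(self, principal_id: str, purpose: str, personal_data: dict) -> None:
        self._require_basis(principal_id, purpose)
        self.data_store[(principal_id, purpose)] = dict(personal_data)

    def process(self, principal_id: str, purpose: str) -> dict:
        """Fetch data for a purpose; fails closed once the basis is gone."""
        self._require_basis(principal_id, purpose)
        return self.data_store.get((principal_id, purpose), {})

    def withdraw(self, principal_id: str, purpose: str) -> int:
        """Withdraw consent: block further processing and erase the data held
        under it. Returns the number of data records erased. Processing done
        before withdrawal is not undone."""
        key = (principal_id, purpose)
        rec = self.records.get(key)
        if rec is None or not rec.is_active:
            return 0
        rec.withdrawn_at = datetime.now(timezone.utc)
        erased = 1 if self.data_store.pop(key, None) is not None else 0
        self.audit_log.append(f"consent withdrawn {key} erased={erased}")
        return erased

    def _require_basis(self, principal_id: str, purpose: str) -> None:
        basis = self.lawful_basis(principal_id, purpose)
        if basis is None:
            self.audit_log.append(f"denied ({principal_id}, {purpose}): no lawful basis")
            raise ConsentDenied(f"no lawful basis for {purpose}")
        self.audit_log.append(f"processed ({principal_id}, {purpose}) basis={basis}")


def demo() -> dict:
    """Grant, purpose-limited denial, withdrawal with erasure, legitimate use."""
    ledger = ConsentLedger()
    ledger.record_consent("p-1001", "order_fulfilment", notice_version="v3")
    ledger.store("p-1001", "order_fulfilment", {"address": "constructed sample"})
    results = {"fulfilment_ok": bool(ledger.process("p-1001", "order_fulfilment"))}
    try:  # consent covered fulfilment only, so marketing must be refused
        ledger.process("p-1001", "marketing")
        results["marketing_denied"] = False
    except ConsentDenied:
        results["marketing_denied"] = True
    results["erased"] = ledger.withdraw("p-1001", "order_fulfilment")
    try:
        ledger.process("p-1001", "order_fulfilment")
        results["post_withdrawal_denied"] = False
    except ConsentDenied:
        results["post_withdrawal_denied"] = True
    results["emergency_basis"] = ledger.lawful_basis("p-1001", "medical_emergency")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of keying the ledger on (principal, purpose) rather than on the principal alone is that it makes purpose limitation a property the code cannot silently skip, and the audit log gives the auditor the evidence trail (grant, denial, withdrawal, erasure) that the "test controls in operation" step described above looks for.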
Auditors testing DPDP compliance will typically structure their work around these five workstreams. For each workstream they will review documentation (policies, process flowcharts, consent records, processor contracts, incident logs), test controls in operation (attempt a rights request and observe the response, review breach-notification test results, inspect consent withdrawal processing), and interview responsible staff to verify that documented procedures are understood and followed. The audit report will express findings as compliance gaps against the statutory obligations and recommend remediation in priority order.
Organisations operating across multiple jurisdictions face the additional challenge of harmonising DPDP Act requirements with GDPR, UK GDPR, LGPD, APPI, and CCPA where applicable. A common approach is to treat the most stringent applicable requirement as the baseline and verify that it satisfies the others. For consent requirements, this usually means adopting GDPR standards (which are higher than the DPDP Act in some respects, particularly regarding the right to object and data portability) as the floor. For security safeguards, ISO 27001 certification provides a defensible demonstration of reasonable safeguards under multiple regimes simultaneously.
Key Takeaways
- The DPDP Act 2023 is India's first comprehensive data-protection statute. It centres on valid consent as the primary lawful basis for processing, with a narrow set of legitimate uses as alternatives, making it stricter than GDPR in one key respect: there is no general legitimate-interests basis for commercial processing.
- Data fiduciaries must provide plain-language consent notices, implement reasonable security safeguards, notify the Data Protection Board of India of breaches, honour data principal rights requests, and maintain valid contracts with every data processor. Each obligation maps to testable audit controls.
- Significant Data Fiduciary designation, imposed by the central government based on data volume, sensitivity, or national security risk, triggers additional requirements including appointment of an in-India Data Protection Officer, independent data audits, and Data Protection Impact Assessments.
- The Data Protection Board of India adjudicates complaints and can impose penalties up to INR 250 crore per instance for failures to implement adequate security safeguards. The penalty regime is tiered by violation type and includes due process protections before any penalty is imposed.
- A DPDP compliance programme should cover five workstreams: data mapping, consent management, security controls (aligned to ISO 27001 or NIST CSF), breach response with tested DPBI notification procedures, and rights-fulfilment workflows. Organisations subject to both DPDP and GDPR should treat the most stringent applicable requirement as the baseline.