Countdown to India’s Digital Personal Data Protection Act 2023

Karen Bollard, Senior Consultant


The countdown to enforcement of the Indian Digital Personal Data Protection (DPDPA) is underway. Following an act of parliament, the bill received presidential sign-off last August. The Indian government committed to have it in force within 10 months, so you’ve only two months left to prepare if you haven’t already started.

With the clock ticking, we’ve prepared a short list of countdown items for you to consider during your preparations.


Consent Manager: a person registered with the DPBI, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.

Data Protection Board of India (DPBI): A new regulator to be set up to enforce the DPDPA.

Data: a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.

Data Fiduciary: any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

Data Principal: the individual to whom the personal data relates.

Data Processor: any person who processes personal data on behalf of a Data Fiduciary.

Person: includes (i) an individual; (ii) a Hindu undivided family; (iii) a company; (iv) a firm; (v) an association of persons or a body of individuals, whether incorporated or not; (vi) the State; and (vii) every artificial juristic person, not falling within any of the preceding sub-clauses

Personal data: any data about an individual who is identifiable by or in relation to such data.

Significant Data Fiduciary (SDF): at the discretion of the State, any Data Fiduciary can be declared an SDF with additional responsibilities. The decision is based upon factors such as the scope and nature of processing, the volume of data processed, the rights of Data Principals or the security of the State.


9 … Applicability

The law applies to all digital personal data (data that is available in digital form in, or in non-digital form which has been subsequently digitised) processed in India.

It also applies to the processing of personal data outside India where the data is related to the offering of goods and services to individuals in India.

It specifically does not apply to data processed for household purposes or data that has been made public.

8 … Legal Basis

The primary legal basis for processing is explicit consent.

The idea of ‘legitimate interests’ as per the GDPR does not apply in India. Instead, the law provides a limited list of ‘legitimate uses’.

So, if you have many processes relying on ‘legitimate interests’, be prepared to implement consent management to continue processing in India.

7 … Consent Manager

The relevance of consent has led to the creation of a new privacy role – that of the Consent Manager (definition above). It is still unclear how the consent manager role will work in practice. You’ll need to watch for guidance from the DPBI when it’s up-and-running.

6 … Sensitive data

The DPDPA makes no distinction between personal and sensitive personal data, so no additional conditions for processing are required beyond the legal basis.

5 … Obligations

The DPDPA sets obligations upon Data Fiduciaries. These are broadly similar to those under the GDPR, but there are differences you need to be aware of including the following:

  • The need to have a ‘valid contract’ with all data processors. While this hasn’t been fleshed out, current thinking among privacy experts is that you need to include a DPA with relevant data protection clauses in all contracts with processors;
  • The need to report all data breaches to both the DPBI and the impacted individuals. This is likely to prove unfeasible in the long term, but until such time as formal guidance has been provided by the DPBI you’ll need to be ready to report everything;
  • Data must be deleted when the purpose of processing has concluded or when the data principal withdraws consent. The only exception being when you are obliged by another existing Indian law to retain it. The idea of retention for ‘business reasons’ does not apply.

Unusually, the DPDPA imparts obligations as well as data rights upon the data principal. These essentially boil down to the need to obey the law, to not impersonate others and to not make a false or frivolous complaint. These obligations should, to some extent, limit the amount of Data Subject Access Requests (DSARs) you’ll need to address.

4 ... Significant Data Fiduciary

The State Government reserves the right to determine who should be considered a Significant Data Fiduciary. If your company is informed that it has been deemed to be an SDF, then additional obligations apply. You’ll need to:

  • Appoint an Indian-based DPO;
  • Perform Data Protection Impact Assessments;.
  • Hire an independent third party to conduct data audits.

3 … Transparency

This is probably the most onerous of all the requirements. Privacy notices need to be available prior to consent detailing all the purposes of processing you are seeking consent for. The catch is that the notices need to be available in both English and in any of the official regional languages recognised in the Indian constitution (of which there are currently 22), upon request of the Data Principal. Be prepared to spend money on official translations.

2 … Outsourcing

The DPDPA specifically excludes from its territorial scope the processing of personal data belonging to offshore individuals, should such processing be undertaken in India under contract between any person located in India and a person located outside India. So, you do not need to worry about your offshore processing, but we recommend putting in a contract with relevant Data Protection clauses.

1 … Are you ready?

Now that you’ve got your house in order – there is one final thing you need to know – be prepared for change. The State has reserved the right to make changes as required including the ability to create different retention periods for different Data Fiduciary classes. This is a new law and it will require tweaking as certain items may prove less feasible than others (for example reporting all data breaches to the DPBI) when put into practice.

Official notifications will be via the Gazette of India website.

Watch this space: Website of Gazette of India| National Portal of India


Act now and speak to us about your privacy requirements

Start a conversation about how Privacy Made Practical® can benefit your business.

Click here to contact us.

Back to top