India’s first comprehensive privacy law, the Digital Personal Data Protection Act, 2023, is landmark legislation that aims to give individuals greater control over their personal data and to ensure that businesses and organizations handle this data responsibly.
In this article, we will explore the key provisions of the DPDP Act, 2023 and its potential impact on data privacy in the digital landscape.
Digital Personal Data Protection Act
A significant change in data privacy management in India has been made with the introduction of the “Digital Personal Data Protection Bill 2023”. The two major changes that stand out are the idea of deemed consent and the strengthened right to withdraw consent. These changes are prompting discussions about corporate data collection practices and how employees view their data rights.
“Deemed consent” is a concept introduced in the Digital Personal Data Protection Bill (2022), which suggests that individuals’ silence or inaction could be deemed consent.
Section 7 of the Digital Personal Data Protection Bill (2023) marks a significant shift away from the deemed consent concept. It now focuses on “certain legitimate uses”, including the processing of personal data for specified purposes and processing by the State and its instrumentalities.
Under section 7 of the DPDP, data principals may allow their personal data to be processed for the specified purpose for which they voluntarily provided it, unless they explicitly withheld their consent. For instance, in the context of new employment, data collected about an employee’s immediate employment could fall under legitimate use, as long as it aligns with the purpose for which the data principal provided the information. Consent is not required unless the company intends to process the data for a purpose other than the data principal’s employment.
While the earlier drafts of the Indian data protection framework introduced the idea of deemed consent, the DPDP Act, 2023 replaced it with a more structured list of “Legitimate Uses” under Section 7. These scenarios permit personal data processing without explicit consent only for narrowly defined purposes such as legal compliance, employment-related operations, medical emergencies, disaster response, and delivery of government services.
The interpretation of legitimate uses is expected to evolve through regulatory guidance from the Data Protection Board of India (DPBI) and sector-specific implementation practices. Many organizations have already begun preparing internal frameworks to operationalize legitimate use, with industry bodies such as Nasscom-DSCI and legal experts issuing practical guidance as the Act moves toward full enforcement.
Highlights of the DPDPA
Some of the major highlights of DPDPA are as follows:
- The scope of the legislation only covers digital personal data, including data digitised from non-digital form, and excludes personal data that is made publicly available by the Data Principal.
- Situations which were earlier named as deemed consent have been categorically permitted as “certain legitimate uses”.
- Now, cross border transfers are allowed to all countries except those explicitly restricted by the government.
- Data Processors must sign a valid contract and comply with all obligations, including data deletion, when onboarded.
- Personal data must be erased when consent is withdrawn, the service has concluded, or the retention period expires, unless retention is legally required.
- For five years from the commencement of the DPDPA, the central government has the power to exempt a Data Fiduciary or a class of Data Fiduciaries.
- Consent managers are required to be registered with the Data Protection Board and are liable to Data Principals for enforcement of Data Principal rights.
Key Stakeholders Defined in the DPDPA
The key stakeholders defined in the DPDPA are:
- Data Principals: Individuals within the territory of India whose personal data is being processed.
- Data Fiduciary: Organisations that decide what kinds of data to collect, how to collect them, and for what purposes they should be used.
- Significant Data Fiduciary: An organization notified by the government as one that processes a large volume of data, or sensitive data that may pose a risk to individual rights or national security.
- Data Processors: Organizations that process data solely on behalf of Data Fiduciaries, based on their instructions and under a binding contract.
- Consent Manager: Independent, government-registered entities that assist Data Principals and Data Fiduciaries to give, manage, review, and withdraw consent.
Penalties
The DPDPA imposes a penalty for non-compliance on Data Principals, Data Fiduciaries, Significant Data Fiduciaries, and Consent Managers.
The legislation has adopted a layered penalty mechanism. Penalties may extend up to ₹250 crore for failure to implement reasonable security safeguards, ₹200 crore for breach notification failures or violations of children’s data obligations, and ₹150 crore for non-compliance by Significant Data Fiduciaries. General violations may incur penalties up to ₹50 crore, while Data Principals may face fines up to ₹10,000 for wilful misuse.
How to Prepare for DPDPA Privacy Compliance?
Let’s take a look at the five steps that privacy professionals can undertake to construct a proactive compliance roadmap, emphasizing the operational aspects that are both resource-intensive and reliant on technology.
Determine Applicability
The act is limited to digital personal data, covering information collected in digital form or digitized from offline sources. Privacy professionals must determine applicability by addressing whether the organization processes digital personal data within or outside India for goods or services to Indian data principals.
Exemptions exclude personal or domestic data processing by individuals and situations where data is publicly disclosed or legally obligated to be disclosed. If the organization handles digital personal data under specified conditions, compliance with the Act is mandatory.
Notably, understanding exemptions requires careful analysis, given broad exclusions for government entities and potential additions by the central government for specific data fiduciaries, like startups.
Build a Data Inventory and Data Map
In order to achieve effective privacy compliance, robust data governance must be established. There is no explicit requirement for data inventory and mapping in the Act, but privacy professionals should know what data is processed, where it is stored, how it is processed, and how data processors interact with one another.
Key obligations, such as ensuring data accuracy, facilitating data principal rights, enforcing data erasure, and providing transparent processing notices, rely on a comprehensive data inventory.
Crafting a tailored data inventory involves various approaches, from manual interviews to automated solutions like code scanning or machine learning. Choosing the most suitable method should be guided by factors such as data complexity, volume, resources, executive backing, and scalability.
Set Up a Consent Mechanism
To comply with consent requirements under the Act, organizations must follow these steps:
- Examine data maps to identify consent-dependent processing activities.
- Define when and where consent is necessary.
- Publish data protection officer contact details and an explanation of the consent process.
- Develop processes for obtaining verifiable consent from parents of minors and guardians of individuals with disabilities.
- Set up a privacy preference center or dedicated email address for consent withdrawal.
- Track and synchronize consent across systems for timely cessation of in-scope data processing post-revocation.
- For proof of compliance, keep consent logs, including data principal identifiers, consent timestamps, methods, and versions of consent notices.
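As an added illustration of the consent-logging and withdrawal steps above (this is example code, not from the original article or from any DPDPA rule text), the following constructed consent ledger keeps an append-only log with the fields the list names (principal identifier, purpose, timestamp, method, notice version), answers whether processing is currently permitted, and flags erasure when consent is withdrawn, the service concludes, or retention expires unless a legal hold applies. The purpose labels, record layout and sample dates are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Assumed labels for the Section 7 "certain legitimate uses" the article lists;
# the exact purpose vocabulary is a choice made for this example only.
LEGITIMATE_USES = {"employment", "legal_compliance", "medical_emergency"}

@dataclass
class ConsentEvent:
    principal_id: str    # data principal identifier
    purpose: str         # specified purpose the consent covers
    action: str          # "grant" or "withdraw"
    timestamp: datetime  # when the grant or withdrawal was recorded
    method: str          # channel, e.g. "web_form", "preference_center", "email"
    notice_version: str  # version of the consent notice shown at that time

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)
    legal_hold: set = field(default_factory=set)  # (principal, purpose) pairs law requires be kept

    def record(self, event: ConsentEvent) -> None:
        self.events.append(event)  # append-only: the log itself is the proof of compliance

    def latest(self, principal_id: str, purpose: str, at: datetime):
        hits = [e for e in self.events
                if e.principal_id == principal_id and e.purpose == purpose and e.timestamp <= at]
        return max(hits, key=lambda e: e.timestamp) if hits else None

    def may_process(self, principal_id: str, purpose: str, at: datetime) -> bool:
        if purpose in LEGITIMATE_USES:
            return True  # Section 7 basis: consent is not the ground for processing
        last = self.latest(principal_id, purpose, at)
        return last is not None and last.action == "grant"

    def erasure_due(self, principal_id: str, purpose: str, at: datetime,
                    service_concluded: bool = False, retention_expiry: datetime = None) -> bool:
        if (principal_id, purpose) in self.legal_hold:
            return False  # retention legally required: do not erase
        last = self.latest(principal_id, purpose, at)
        withdrawn = last is not None and last.action == "withdraw"
        expired = retention_expiry is not None and at >= retention_expiry
        return withdrawn or service_concluded or expired

def demo():
    """Constructed walk-through: grant, check, withdraw, check again, erase."""
    led = ConsentLedger()
    led.record(ConsentEvent("dp-001", "marketing", "grant", datetime(2026, 1, 10, 9), "web_form", "notice-v1"))
    before = led.may_process("dp-001", "marketing", datetime(2026, 2, 1))
    led.record(ConsentEvent("dp-001", "marketing", "withdraw", datetime(2026, 3, 1), "preference_center", "notice-v1"))
    after = led.may_process("dp-001", "marketing", datetime(2026, 3, 2))
    erase = led.erasure_due("dp-001", "marketing", datetime(2026, 3, 2))
    return before, after, erase  # → (True, False, True)
```

Each downstream system that processes the purpose would query `may_process` before acting and `erasure_due` in its retention job, which is what keeps consent synchronized across systems after a withdrawal.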
Enable Data Principal Rights
According to the Act, organizations must develop procedures for preserving the rights of data principals to access, correct, and erase their data, to raise grievances, and to nominate another person to exercise these rights. Privacy professionals can initiate this by:
- Utilizing data maps to discern in-scope data.
- Formulating a privacy rights intake system, logging requests via web forms, in-app preference centers, or dedicated email addresses.
- Enforcing identity-verification for requesters, considering minors, guardians, and nominees.
- Deciding on manual, automated, or hybrid rights fulfillment methods.
- Establishing procedures to transmit correction and erasure requests to data processors.
Implement Technical and Organizational Measures
Organizational Measures:
- Initiate a comprehensive security and privacy training program for employees and contractors managing personal information.
- Develop standard operating procedures outlining precise requirements for handling personal data.
- Disseminate internal policies on security and privacy, integrating acknowledgment into employee onboarding or periodic training sessions by human resources.
Technical Measures:
- Utilize anonymization techniques to de-identify personal data effectively.
- Enforce robust access controls for personal data.
- Ensure secure configurations of devices and software handling personal data are established and maintained.
Positive Aspects of the DPDPA
Some of the major positive aspects of DPDPA are:
- Boosts growth and innovation: In the business sector, DPDPA has a significant effect and was inevitable considering the speed of digitization in India.
- Distributed liability for organizations: The DPDPA allows both the Data Fiduciary and Consent Managers to be held liable before the Board when they fail to carry out their respective responsibilities.
- Effective data processor governance: It requires Data Fiduciaries to engage Data Processors only under an agreement. This can help Data Fiduciaries plan their risk appetite and offset risk through obligations that are shared responsibilities with the data processor.
- Ease in implementation: The DPDPA suggests a gradual implementation, allowing organizations to strategically plan and minimize resources needed to comply with its provisions.
Some other positive aspects include empowering data principals, increased accountability, and relaxed cross-border transfer.
Potential Challenges in Implementation of DPDPA
Like any Act, the DPDPA too has its own set of implementation challenges. Here are some of the more critical ones:
Data processing under contractual obligations:
Moving away from deemed consent, the law now requires Data Fiduciaries to process personal data only on the basis of consent or certain legitimate uses.
Limitations on data principal rights:
The rights of data principals with respect to access, correction, and erasure do not apply when data is processed for legitimate uses, except when the data principal voluntarily provided their personal data.
Exemption on classes of data fiduciary:
The central government can exempt a data fiduciary or a class of data fiduciaries from certain obligations under the DPDPA. However, the rationale behind such exemption is unclear.
Conclusion
The notification of the Digital Personal Data Protection Act, 2023, along with the DPDP Rules 2025, marks a major transformation in India’s data privacy landscape. As organizations prepare for phased compliance through 2026-2027, proactive planning becomes essential. Building strong governance frameworks, implementing transparent consent and rights management, preparing robust breach-response capabilities, and adopting secure technical controls are critical for readiness.
With the establishment of the Data Protection Board of India and enhanced obligations around children’s data, cross-border processing, and accountability, the Act lays the foundation for a trusted and responsible digital ecosystem. As businesses modernize, privacy-by-design will become a strategic requirement, not an option.
DPDPA Compliance with DoveRunner Mobile App Security
Mobile apps have become the first touchpoint for digital services; therefore, securing personal data at this level is essential for compliance with the DPDP Act. DoveRunner helps organizations build privacy-focused and robust security frameworks that safeguard sensitive information. It employs advanced mobile app security capabilities such as data encryption, secure key lifecycle management, runtime application self-protection (RASP), device binding, and threat analytics. These solutions detect and prevent unauthorized access, tampering, and breaches in real time.
DoveRunner also provides content protection for industries that manage premium or licensed digital content. DoveRunner’s primary content security solutions include multi-DRM, Forensic Watermarking, and Anti-Piracy controls. These capabilities support secure digital delivery and enable businesses to comply confidently with evolving data protection requirements.
Frequently Asked Questions
When did the DPDP Rules become effective?
14 November 2025 is the official date when the Digital Personal Data Protection Rules became effective.
What is the implementation timeline for full compliance under the DPDP Act?
From November 2026 to May 2027, compliance obligations under the DPDP Act will be phased in. Significant Data Fiduciaries are expected to meet their full obligations by the end of this 18-month period.
What is the role and structure of the Data Protection Board of India (DPBI)?
The DPBI is a digital-first enforcement authority composed of four members, empowered to conduct inquiries, resolve complaints, and impose penalties. Appeals go to TDSAT.
What are the new rules for inactive user data?
Data Fiduciaries must delete personal data of users after a specific time period of inactivity depending upon the category of the organizations. However, there are many caveats and limitations to this rule.
Are there record-keeping requirements under the Rules?
Yes. Data Fiduciaries must maintain audit trails and access logs for at least one year, and document purposes, consent status, and security measures for verification readiness.
What are the breach notification obligations under the Act?
If organizations discover any breaches, they must inform the DPBI within 72 hours of discovering the breach. Any failure to do so may incur penalties up to ₹200 crore.
What changed regarding the Right to Information Act (RTI)?
Under the RTI Act, 2005, government agencies had to disclose some personal information if it was critical for public interest. With the new DPDP Act, personal information cannot be disclosed even if there is a strong public interest.
When will the Consent Manager framework become active?
Consent Manager systems are expected to go live by the third quarter of 2026.