India’s Data Protection Revolution: Guide to the Digital Personal Data Protection Act (DPDPA)

Aimed at safeguarding the personal data of individuals in the digital age, the Indian government's Digital Personal Data Protection Act (DPDPA) marks a significant milestone. The Act provides a comprehensive framework for processing personal data in a secure and trustworthy digital environment.

The Act covers personal data collected online, as well as data collected offline and subsequently digitised. It applies to any organisation or person (Data Fiduciary in the Act’s terminology) that handles personal data of individuals in India. It also extends to organisations based outside of India if they are processing data in connection with offering goods or services to individuals in India.

Understanding the Key Terms under Digital Personal Data Protection Act (DPDPA)

To understand the Act better, it’s important to be familiar with some key terms:

Data Principal: This is you – the individual whose personal data is being processed.

Data Fiduciary: Any person or organisation that decides the purpose and means of processing your personal data. This could be a company, government agency, or any other entity handling your data.

Data Processor: Any person or organisation that processes personal data on behalf of a Data Fiduciary.

Significant Data Fiduciary: A Data Fiduciary notified by the Central Government based on factors like the volume and sensitivity of data processed. These entities have additional obligations under the Act.

Consent: Your clear, informed, and freely given agreement for a Data Fiduciary to process your data for a specific purpose.

What are Your Rights as a Data Principal?

The DPDPA empowers individuals with strong data rights, enabling them to take control of their digital footprint:

Right to Information: You have the right to know what information a Data Fiduciary holds about you and how they are using it.

Right to Correction and Erasure: You can request the correction, completion, updating, or erasure of your personal data.

Right to Withdraw Consent: You can withdraw your consent for data processing at any time. The Data Fiduciary must then stop processing your data unless it’s legally required.

Right to Grievance Redressal: If you have a complaint about how your data is being handled, you have the right to seek redressal from the Data Fiduciary or the Data Protection Board.

Right to Nominate: You can nominate someone to exercise your data rights in case of your death or incapacity.

What are the Obligations of Data Fiduciaries?

Data Fiduciaries have various responsibilities to ensure the protection of your personal data:

Obtain Consent: Data Fiduciaries can process your data only for purposes you’ve consented to or for specific, legitimate uses outlined in the Act.

Provide Clear Notice: Data Fiduciaries must inform you about the data being collected, the purpose of processing, and your rights. This notice should be available in English or any language listed in the Eighth Schedule to the Constitution.

Ensure Data Security: Data Fiduciaries are responsible for implementing appropriate technical and organisational measures to protect your data from breaches.

Data Retention Limits: Data Fiduciaries must erase your data when it’s no longer needed for the specified purpose, you withdraw your consent, or it’s reasonable to assume the purpose is no longer being served, unless retention is required by law.

Appoint a Data Protection Officer: Significant Data Fiduciaries must appoint a Data Protection Officer to oversee data protection compliance within the organisation. They must also undertake data audits and impact assessments.

For a detailed understanding of how to prepare your business for compliance, check out our DPDPA Implementation Guide.

Important Provisions of DPDPA

The DPDPA outlines specific legal provisions that govern how personal data should be processed, stored, and protected. These include rules for children’s data, cross-border transfers, exemptions, and penalties for non-compliance.

Processing of Children’s Data: Data Fiduciaries need verifiable parental consent before processing the data of children (individuals under 18 years old). They cannot engage in activities like tracking, behavioural monitoring, or targeted advertising directed at children.

Data Transfers Outside India: The Central Government can restrict data transfers to certain countries or territories.

Exemptions: The Act outlines specific exemptions from certain provisions, for example, for legal proceedings, research, archiving, or in the interest of national security.

Penalties for Non-Compliance: Organisations that violate the provisions of this Act can face significant penalties. These can reach up to 250 crore rupees depending on the nature and severity of the violation.

What’s New in 2025? Latest Updates to DPDPA

As of May 2025, the Indian government released a draft of the Digital Personal Data Protection Bill for public consultation, further detailing how the Act will be operationalised. These rules cover:

Detailed Consent Management Guidelines: Including language clarity, consent revocation mechanisms, and user dashboards.

Data Breach Notification Timeline: Fiduciaries must report breaches to the Data Protection Board within 72 hours.

Children’s Data Mechanism: The draft rules propose age verification tools and dynamic consent formats for parental controls.

Third-Party Processor Obligations: Data processors will now be directly accountable for specific compliance mandates under contract.

How Can CyberNX Help?

Navigating the requirements of the Digital Personal Data Protection Act (DPDPA) can be complex. CyberNX can guide your organisation towards compliance:

Data Mapping and Gap Analysis: Identifying and analysing your data processing activities to ensure compliance with the Act.

Privacy Policy Development: Crafting a comprehensive privacy policy that clearly communicates your data practices to users.

Consent Management Systems: Implementing processes for obtaining, managing, and documenting user consent in a transparent and user-friendly manner.

Security Assessments and Implementation: Evaluating your organisation’s security posture and implementing robust measures to protect personal data.

Data Protection Officer Services: Providing expert Data Protection Officer services to oversee your data protection program.

Training and Awareness Programs: Educating your staff on the Act’s requirements and best practices for data protection.

Conclusion

The Digital Personal Data Protection Act (DPDPA) is a landmark legislation that significantly strengthens data protection in India. By understanding your rights as a Data Principal and ensuring your organisation complies with the Act’s requirements, you contribute to creating a safer and more responsible digital ecosystem. Reach out to our experts today for a free consultation on DPDPA compliance.

Digital Personal Data Protection Act FAQs

What are the key highlights of the DPDPA Draft Rules released in January 2025?

The Digital Personal Data Protection Act draft rules released in January 2025 clarify how organisations should operationalise the Act. Key highlights include a 72-hour breach notification deadline, mandatory formats for obtaining consent, requirements for age verification when processing children’s data, and a framework for the registration and functioning of Consent Managers. The draft also outlines administrative procedures for compliance monitoring and appeals.

How will startups and small businesses be impacted by the Digital Personal Data Protection Act?

Startups and small businesses may be granted limited exemptions by the government based on the volume and nature of data they process. However, core obligations like lawful consent, user rights, and breach notifications still apply to all entities. Those handling sensitive data or operating in high-risk sectors will need to comply fully, regardless of size.

Does the Digital Personal Data Protection Act (DPDPA) require companies to localize or store data within India?

The DPDPA does not enforce mandatory data localization. However, it empowers the Central Government to restrict the transfer of personal data to specific countries via official notification. In the absence of such restrictions, cross-border data transfers are permitted, giving companies flexibility while maintaining regulatory control.

How does the Digital Personal Data Protection Act (DPDPA) interact with existing sectoral regulations like RBI or IRDAI guidelines?

The Digital Personal Data Protection Act (DPDPA) complements rather than overrides existing sector-specific data regulations. Where sectoral regulators like RBI or IRDAI impose stricter data protection norms, those standards continue to apply. In cases of conflict, the law or regulation offering stronger protection to the individual typically prevails, ensuring regulatory harmony and data security.

Copyright © 2025 CyberNX | All Rights Reserved | Terms and Conditions | Privacy Policy
