India’s data protection law has now moved from text on paper to a live compliance reality. With the Digital Personal Data Protection (DPDP) Act, 2023 and its Rules in force, any business that touches personal data in or from India is operating under a tighter, more clearly defined statutory regime. Data is no longer something that can be left to IT teams; it has become a core part of enterprise risk, reputation and strategy.
DPDP Act Overview
The basic design of the law is simple but far-reaching. Individuals termed “data principals”, are given explicit rights: to be told what is happening with their data, to give and withdraw consent, to access and correct their records, and in many cases to ask for their data to be erased. On the other side, organisations “data fiduciaries” must issue intelligible notices, record and retain consent, limit use to stated purposes, and respond to these rights within defined timelines. These are binding legal duties, not aspirational statements in privacy charters, and they will shape how products are built, how marketing is run and how customer journeys are designed.
The Rules convert the Act’s broad principles into operational requirements. They set out what a notice must cover, how consent should be logged and preserved, and the timeframes within which complaints and queries must be handled. They also harden expectations around children’s data: verifiable parental consent is required, and profiling or targeted advertising to minors is discouraged. For consumer-facing companies, this will mean reworking app flows and website journeys, aligning privacy language across brands and business units, and ensuring that back-end systems can produce evidence of compliance if a regulator or customer asks.
Rights and Responsibilities of Data Principals
On the regulatory side, the introduction of “Significant Data Fiduciaries” (SDFs) is likely to be a game-changer. An entity can be classified as an SDF based on the volume and sensitivity of data it handles, the nature of its operations and the potential impact on citizens and national interest. Once designated, it must appoint a senior Data Protection Officer located in India, conduct Data Protection Impact Assessments for higher-risk processing, undergo regular independent data audits and maintain more granular records of its activities. Large players in banking, insurance, telecom, e-commerce, health-tech, ad-tech and global capability centres (GCCs) should assume they are in the line of sight and start building SDF-level controls now rather than waiting for a formal notification.
The penalty regime under DPDP signals that this is not a soft-law framework. The Act allows for financial penalties that can run into several hundred crore rupees in serious cases. Exposure spans failure to implement “reasonable security safeguards”, delays or lapses in breach reporting, ignoring or mishandling data principal rights, and non-compliance with directions under the law.
Role of Significant Data Fiduciaries
A major practical implication is that oversight of personal data can no longer be episodic. To answer requests for access, correction, deletion or withdrawal of consent and to report breaches “as soon as possible” organisations need an almost real-time view of their data landscape: what they hold, where it resides (in-house, in the cloud or with vendors), who can access it, how long it is kept and on what legal basis it is processed. That requires a shift from one-off mapping exercises to a “living” inventory of personal data, supported by dashboards that track key flows, robust logging and alerting, and incident-response plans that are tested in drills, not discovered during a crisis.
Cross-border data flows under DPDP follow a “negative list” model, where data can move overseas except to countries specifically restricted by the government. Indian businesses with international footprints will now need compliance frameworks that work across regimes, aligning DPDP with GDPR-style controls in Europe and major US and Asian privacy rules.
Practical Implications for Businesses
In this environment, a few priorities stand out for corporate India:
* Elevate governance: DPDP should appear regularly on the agendas of boards, risk committees and audit committees. Larger organisations would be wise to move early on appointing a credible Data Protection Officer.
* Build a live data inventory: Static registers will not suffice. Companies need a dynamic, updated view of personal data and processing activities that can support timely rights responses, breach assessments and regulatory queries.
* Standardise core processes: Consent, privacy notices, complaint handling and breach management should follow common templates and playbooks across the group, with well-defined roles and escalation paths.
* Invest in security and resilience: Technical and organisational safeguards must track established good practice, and incident-response drills should be run periodically so teams know how to act when an incident occurs.
The DPDP Act and Rules give Indian businesses a chance to signal that they take data stewardship as seriously as they take growth. Treating personal data as a trust asset backed by clear accountability, continuous monitoring and user-centric design – will help companies manage regulatory risk and, at the same time, strengthen their licence to operate in an economy where privacy expectations are only going to rise.
(Ritika Loganey Gupta, Tax Partner, EY India.)
Views are personal and do not represent the stand of this publication.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
