Digital Personal Data Protection Act, 2023 — Comprehensive Guide
From consent to cross-border: defensible controls, records, and governance that stand scrutiny.
Lawful Processing & Rights Enablement
Security, Breach Response & Evidence
Cross-Border, SDF Duties & Audits
What the Law Expects
Scope & Applicability
Digital personal data processed in India (including data collected offline and later digitised), and processing outside India when goods or services are offered to individuals in India.
Consent & Legitimate Uses
Free, specific, informed, unconditional and unambiguous consent given by clear affirmative action; legitimate uses include data the individual volunteers for a specified purpose, State functions, legal obligations, medical emergencies and employment.
Data Principal Rights
Access to information, correction and erasure, grievance redressal, and nomination of a person to exercise these rights on death or incapacity.
Security & Breach Duties
Reasonable security safeguards to prevent a personal data breach; on breach, notice to the Board and each affected individual in the prescribed form and manner, with the evidence preserved.
Cross-Border Transfers
Permitted to any country or territory the Central Government has not restricted by notification; document destinations, recipients, and safeguards.
Significant Data Fiduciary
Notified by the Central Government on factors such as data volume, sensitivity and risk; adds a DPO based in India, an independent data auditor, periodic DPIAs and audits, and board-level accountability.
Penalties & Enforcement
Up to ₹250 crore per instance, graded by the nature, gravity and impact of the contravention; the Board may issue directions, and the Central Government may order blocking of access after repeated penalties.
Sector Playbooks
Healthcare, BFSI, e-commerce, IT/tech, telecom — role-based guidance and templates.
Detailed Compliance Topics
Scope & Applicability
- Applies to digital personal data processed in India (collected digitally, or collected offline and later digitised) and to processing outside India connected with offering goods or services to individuals in India.
- Extraterritorial reach; calibrated exemptions (security of the State, enforcement of legal claims, courts and offence investigation, research and statistics); purely personal or domestic processing by an individual is out of scope.
- Roles: Data Fiduciary (purpose/means), Data Processor (on instructions), Data Principal (individual).
Consent & Legitimate Uses
- Consent: free, specific, informed, unconditional and unambiguous, given by clear affirmative action and limited to the stated purpose; withdrawal must be as easy as the grant.
- Notice (in English or any Eighth Schedule language): the personal data collected and its purpose, how to exercise rights and withdraw consent, the grievance channel, and how to complain to the Board.
- Legitimate uses (processing without consent): data the individual volunteers for a specified purpose, State subsidies, benefits and functions, legal obligations and court orders, medical emergencies and public-health measures, disaster response, and employment purposes including safeguarding the employer from loss.
- Children (under 18): verifiable consent of a parent or lawful guardian; no tracking, behavioural monitoring or targeted advertising directed at children.
Data Principal Rights
- Access & information: a summary of the personal data held and the processing activities, and the identities of the fiduciaries and processors it has been shared with.
- Correction, completion and updating; erasure on withdrawal of consent or once the purpose is served, unless retention is required by law.
- Grievance redressal within the prescribed timelines before any complaint to the Board; nomination of a person to exercise rights on death or incapacity.
- Data quality: completeness, accuracy and consistency where the data is used to make a decision affecting the individual or is disclosed to another fiduciary.
Security & Breach Duties
- Risk-commensurate technical/organisational measures; privacy-by-design.
- Notify the Board and each affected Data Principal in the prescribed form and manner; keep the notification artefacts and delivery proofs.
- Retention schedules and verifiable deletion; processors hold equivalent safeguards.
- Maintain IR playbooks; preserve logs/evidence; support audits and legal holds.
Cross-Border Transfers
- Transfers are permitted except to countries or territories the Central Government restricts by notification; stricter sectoral rules (for example on payment data) continue to apply.
- Document recipients, destinations, legal basis, and safeguards; constrain onward transfers.
- Use contractual clauses: security obligations, sub-processor governance, audit rights.
Significant Data Fiduciary (SDF)
- Notified by the Central Government on factors such as volume and sensitivity of data, risk to individuals' rights, and public interest; obligations add a DPO based in India who is responsible to the board of directors, an independent data auditor, and periodic DPIAs and audits.
- Publish the DPO's (or another authorised person's) business contact details for data-protection queries, as every fiduciary must; set a board-level reporting cadence.
Penalties & Enforcement
- Financial penalties up to ₹250 crore per instance (the ceiling for failing to take reasonable security safeguards), with lower ceilings for other contraventions and quantum set by nature, gravity, duration, repetition and mitigation.
- The Board may inquire, direct urgent remedial or mitigation measures and impose penalties; after two or more penalties the Central Government may, on the Board's reference, direct blocking of public access to the fiduciary's platform.
Sector Playbooks
- Healthcare: health-data consent, secure EHRs, confidentiality, clinical-sharing controls.
- BFSI: RBI-aligned controls, secure KYC, marketing consent, payment data security.
- E-commerce: opt-in marketing, secure payments, deletion portals, transparent recommendations.
- Technology/IT: privacy-by-design, DPIA, algorithmic transparency, cross-border governance.
- Telecom: subscriber privacy, consented promotions, lawful-interception safeguards.
Step-by-Step Implementation
- Inventory & Gap Analysis: map data flows, lawful bases, gaps vs. DPDPA.
- Notice & Consent: publish clear notices; capture/withdraw consent with logs.
- Rights Engine: portal or tracked workflow with SLAs and audit trail.
- Security Controls: RBAC, encryption, monitoring, breach response.
- Vendors: refresh DPAs; govern sub-processors; audit/onward-transfer limits.
- Cross-Border: record destinations & safeguards; monitor restrictions.
- SDF Toolkit: DPO, DPIA, independent audits, training cadence.
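The steps above state outcomes, not mechanics. As an added illustration (not from the Act, the Rules or this page), the Python below sketches a consent ledger that serves three of the steps at once: consent capture and withdrawal through the same single call with the notice version attached, a purpose-bound erasure deadline that honours a legal retention duty, and a hash-chained audit trail that detects after-the-fact edits to earlier records. The principal IDs, purposes, timestamps and the LEGAL_RETENTION_DAYS table are constructed values for the demo, not periods set by the Act or Rules.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value for the first ledger entry

# Hypothetical statutory retention periods per purpose, in days (constructed
# for this example, not taken from the Act or Rules). 0 means no legal
# retention duty survives withdrawal, so erasure is due immediately.
LEGAL_RETENTION_DAYS = {"marketing": 0, "kyc": 365 * 5}


class ConsentLedger:
    """Append-only, hash-chained record of consent grants and withdrawals."""

    def __init__(self):
        self.entries = []

    def _append(self, event):
        # Each record commits to the previous record's hash, so editing or
        # deleting any earlier entry breaks verification of every later one.
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256((prev + body).encode("utf-8")).hexdigest()
        record = dict(event, prev=prev, hash=digest)
        self.entries.append(record)
        return record

    def grant(self, principal, purpose, notice_version, at):
        # Record which version of the notice the consent was given against.
        return self._append({"type": "grant", "principal": principal,
                             "purpose": purpose, "notice": notice_version,
                             "at": at.isoformat()})

    def withdraw(self, principal, purpose, at):
        # Same one-call path as grant: withdrawal must be as easy as consent.
        return self._append({"type": "withdraw", "principal": principal,
                             "purpose": purpose, "at": at.isoformat()})

    def _latest(self, principal, purpose, at):
        hits = [e for e in self.entries
                if e["principal"] == principal and e["purpose"] == purpose
                and datetime.fromisoformat(e["at"]) <= at]
        return hits[-1] if hits else None

    def permitted(self, principal, purpose, at):
        """True only if the most recent event for this purpose is a grant."""
        latest = self._latest(principal, purpose, at)
        return latest is not None and latest["type"] == "grant"

    def erasure_due(self, principal, purpose, at):
        """Erasure deadline after withdrawal, shifted by any legal retention duty."""
        latest = self._latest(principal, purpose, at)
        if latest is None or latest["type"] != "withdraw":
            return None
        hold = timedelta(days=LEGAL_RETENTION_DAYS.get(purpose, 0))
        return datetime.fromisoformat(latest["at"]) + hold

    def verify(self):
        """Recompute the chain; any edited, reordered or dropped record fails."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            serialized = json.dumps(body, sort_keys=True, separators=(",", ":"))
            expected = hashlib.sha256((prev + serialized).encode("utf-8")).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def demo():
    """Constructed scenario: one principal, two purposes, both later withdrawn."""
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("dp-001", "marketing", "notice-v3", t0)
    ledger.grant("dp-001", "kyc", "notice-v3", t0)
    ledger.withdraw("dp-001", "marketing", t0 + timedelta(days=30))
    ledger.withdraw("dp-001", "kyc", t0 + timedelta(days=30))
    now = t0 + timedelta(days=45)
    result = {
        "marketing_permitted_day10": ledger.permitted("dp-001", "marketing", t0 + timedelta(days=10)),
        "marketing_permitted": ledger.permitted("dp-001", "marketing", now),
        "kyc_permitted": ledger.permitted("dp-001", "kyc", now),
        "marketing_erase_by": ledger.erasure_due("dp-001", "marketing", now),
        "kyc_erase_by": ledger.erasure_due("dp-001", "kyc", now),
        "chain_ok": ledger.verify(),
    }
    # Simulate someone rewriting the marketing withdrawal into a grant after the fact.
    ledger.entries[2]["type"] = "grant"
    result["chain_ok_after_tamper"] = ledger.verify()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment the chain head would be anchored externally (signed and written to a separate store or a notary) so a party that controls the database cannot recompute the whole chain; the ledger above shows the record shape and the checks, not that anchoring.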