What is the Digital Personal Data Protection Act (DPDPA)?

India’s DPDPA governs processing of digital personal data, sets out duties of Data Fiduciaries, and grants rights to Data Principals including access, correction, erasure, grievance redressal, and nomination.

Who is a Significant Data Fiduciary (SDF)?

An entity designated based on factors like volume and sensitivity of data and risk to Data Principals; SDFs must appoint a DPO in India and undertake periodic DPIA and independent audits.

Are cross‑border personal data transfers allowed under DPDPA?

Transfers are permitted to jurisdictions notified by the Central Government, subject to any prohibitions for security or foreign policy reasons and contractual safeguards with processors.

What is valid consent under DPDPA?

Consent must be free, specific, informed, unconditional, and unambiguous, and withdrawal must be as easy as giving consent.

Decoding the Digital Personal Data Protection Act (DPDPA)

Comprehensive insights and readiness guidance for India’s new era of data governance.

Compliance starts with Valid Consent

Key DPDPA Provisions at a Glance

Scope & Definition

Applicability to digital personal data within India and extra‑territorially; core definitions of Personal Data, Data Principal, and Data Fiduciary.

Penalties for Non‑Compliance

Tiered financial penalties for breaches, failure to protect data, and non‑adherence to Data Principal rights.

Cross‑Border Transfer

Rules for transferring personal data outside India, subject to Central Government notifications.

Significant Data Fiduciary (SDF)

Criteria for SDF designation and heightened obligations, including DPO appointment and independent audits.

Detailed Compliance Topics

Exercising Rights Under DPDPA

Right to Access Information: Request confirmation of processing and a summary of personal data held.
Right to Correction and Erasure: Correct inaccuracies, complete incomplete data, and request erasure.
Right to Grievance Redressal: Escalation to the DPBI after exhausting internal grievance mechanisms.
Right to Nominate: Nominate another individual to exercise rights upon death or incapacity.

The Mandate for Clear and Affirmative Consent

Consent must be free, specific, informed, unconditional, and unambiguous, clearly signifying acceptance by the Data Principal.

Notice Requirement: Provide itemised, plain‑language notice detailing purposes before collecting consent.
Withdrawal: Enable withdrawal that is as easy as giving consent.
Deemed Consent: Limited circumstances such as compliance with law or medical emergencies.

Steps to Achieve DPDPA Readiness

Data Mapping & Audit: Catalogue collection, storage, processing, and sharing of personal data.
Revise Privacy Policy: Align transparency and notice elements with DPDPA requirements.
Implement Consent Mechanisms: Granular, explicit, auditable consent flows.
Strengthen Security Measures: Reasonable security safeguards to prevent breaches.
Training & Awareness: Organisation‑wide education on DPDPA principles and SOPs.
Appoint Personnel: For SDFs, appoint DPO in India and conduct independent audits/DPIA.