Data PrivacyThe Digital Personal Data Protection Act, 2023 in India : Decoded – I

October 10, 20230
The Digital Personal Data Protection Act, 2023 in India : Decoded – I

The Digital Personal Data Protection Act, 2023 (DPDPA, 2023) is a comprehensive legal framework that aims to regulate the collection, storage, and processing of personal data in India. As a corporate lawyer specializing in Data Protection, understanding the nuances of this Act is crucial for advising clients effectively.

Key Provisions and Their Implications
  1. Scope and Applicability: The Act applies to both public and private entities, irrespective of their size. This means that even small startups must comply, which can be a legal minefield for those unaware of their obligations.
  2. Data Subject Rights: The Act empowers individuals with several rights, including the right to access, correct, and delete their data. This places a significant burden on organizations to create mechanisms for data subjects to exercise these rights.
  3. Data Controllers and Processors: The Act clearly defines the roles and responsibilities of data controllers and processors. This distinction is crucial for legal contracts and compliance programs.
  4. Consent Mechanism: The Act mandates explicit consent for data collection and processing. The consent form should be easily understandable, devoid of legalese, and must clearly state the purpose of data collection.
  5. Data Localization: The Act requires that certain types of sensitive data must be stored within India. This has implications for cloud storage and data management strategies.
  6. Data Protection Board (DPB): An independent authority will oversee the enforcement of the Act. The DPB will have the power to impose penalties and conduct audits, making it a key player in the data protection ecosystem.
  7. Penalties and Liabilities: Non-compliance can result in severe penalties, including hefty Penalties. This makes it imperative for organizations to invest in robust data protection measures.
  8. Data Protection Officer (DPO): Organizations that process large volumes of sensitive personal data must appoint a DPO. The DPO will be responsible for ensuring compliance with the Act.
  9. Impact Assessment: A Data Protection Impact Assessment (DPIA) is mandatory for certain types of data processing activities. The DPIA must be submitted to the DPA for approval.
  10. Cross-Border Data Transfers: The Act has stringent requirements for transferring data outside India. This is particularly relevant for multinational corporations and those using overseas data centers.

For any query or feedback, please feel free to get in touch with or


© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.