When India’s Supreme Court declared privacy a fundamental right in 2017, it set the stage for a sweeping new data protection law. After years of drafting, the Digital Personal Data Protection (DPDP) Act was finally enacted in August 2023. From a consultant’s chair, I see this as a landmark shift – India is moving from the old, security-focused regime under the IT Act to a rights-based framework more in line with global norms. In practice, the DPDP Act is like a digital caution sign: it tells businesses to proceed carefully with users’ personal data. It codifies key principles (lawful, fair and transparent processing; purpose limitation; data minimization; accuracy; limited retention; security; and fiduciary accountability) much as GDPR does. However, the DPDP Act also brings its own twists. Let’s unpack its key features from the viewpoint of someone who’s built compliance programs and advises clients on privacy strategy.
The DPDP Act is focused squarely on digital personal data – that is, any information about an identifiable person that is collected in digital form, or collected in non-digital form and later digitised. Importantly, it excludes personal data that the individual has themselves made publicly available, or that a law obliges to be made public, unlike GDPR, which treats all personal data as covered. The Act applies to the processing of data of “Data Principals” (essentially what GDPR calls data subjects) within India, and to processing outside India if it is connected with offering goods or services to people in India. In other words, a U.S. or European company targeting Indian customers must heed DPDP just as it heeds GDPR. Personal data processed by an individual for personal or domestic purposes, and anonymised or otherwise non-identifiable data, fall outside its scope.
At the heart of the law are some renamed roles. A Data Principal is simply the individual whose data is processed. A Data Fiduciary is the entity deciding why and how data is processed (analogous to a “controller” under GDPR). A Data Processor works on behalf of a fiduciary. Importantly, the Act allows the Central Government to designate certain players as “Significant Data Fiduciaries”, having regard to factors such as the volume and sensitivity of the data they process, the risk to Data Principals’ rights, and the potential impact on India’s sovereignty, security, public order and electoral democracy. These significant fiduciaries face extra duties: they must appoint a Data Protection Officer based in India, appoint an independent data auditor, and conduct periodic data protection impact assessments and audits.
One novel concept is the Consent Manager. Think of this as an independent registry or platform where individuals (Data Principals) can centrally give, track, and withdraw consent. A Consent Manager (once rules are finalized) would be registered with the Data Protection Board and accountable to the user. In practice, this is India’s attempt to streamline the consent process. As a privacy founder, I’m intrigued: no other law (even GDPR) has a built-in consent-clearinghouse like this. It remains to be seen how Consent Managers integrate into real-world systems, but they underline the Act’s focus on user control.
Consent-Driven, with a Pinch of ‘Legitimate Use’
The DPDP Act enshrines a consent-oriented approach: Data Fiduciaries generally need the Data Principal’s permission to process data. Explicitly, one can process data only with free, specific, informed, unconditional and unambiguous consent, given through a clear affirmative action (no buried pre-ticked boxes), and withdrawing consent must be as easy as giving it. At or before the moment of consent, the fiduciary must give a notice explaining what personal data is collected and for what purpose, how the individual can exercise their rights (including withdrawing consent), and how to complain to the Data Protection Board; separately, every fiduciary must publish the contact details of a DPO or another person able to answer questions about its processing. This is GDPR-level detail: essentially a privacy notice on steroids. As we advise clients, this means reviewing all forms and data collection points now, to craft notices and consent flows that are crystal clear and multilingual (the Act specifically requires that the notice be available, at the individual’s option, in English or any of the languages listed in the Eighth Schedule of the Constitution).
There are limited exceptions: the Act permits processing for certain “legitimate uses” even without fresh consent. These include cases like data a person has voluntarily provided for a specified purpose (so long as they haven’t indicated that they don’t consent), the State providing subsidies, benefits or services, complying with a legal obligation or court order, employment-related processing, and responding to medical emergencies, epidemics or disasters. Notably, routine employment data processing can fall under legitimate use. However, unlike GDPR, there is no broad carve-out for contract necessity and no all-purpose “legitimate interests” basis. In practice, most businesses will still want solid consent records. The draft rules are expected to flesh out details (e.g. what counts as “voluntary sharing”), but fundamentally DPDP positions India as a consent-first regime.
Rights of Data Principals: Summary Access and More
Data Principals under DPDP do have rights, but they’re somewhat narrower than in GDPR. Key rights include:
- Access: Data Principals can obtain a summary of their personal data held by the fiduciary. This includes types of data collected, a description of processing activities, the identities of third parties with whom data was shared, and other relevant details. (Notably, they do not automatically get copies of raw data values – just summaries and descriptions.)
- Correction and Erasure: Principals can request that inaccurate or incomplete data be corrected, completed or updated, and can request deletion of their data. The fiduciary must erase data on request unless retaining it is necessary for the specified purpose or required by law.
- Grievance Redressal: Individuals have the right to a timely grievance process – they can get resolutions from either the Data Fiduciary or the Consent Manager.
- Nomination: Unusually, one can nominate someone (like a family member) to exercise these rights on their behalf if the person dies or becomes incapacitated.
In other words, DPDP grants access, correction, erasure, grievance redressal and nomination rights, plus the right to withdraw consent at any time, but no explicit portability or right to object. (GDPR’s data portability and objection rights are absent here.) As a privacy practitioner, I see this as India striking a balance: giving individuals clear minimum rights while keeping the regime streamlined.
Data Fiduciary Obligations and Accountability
On the organizational side, the DPDP Act imposes several obligations on any Data Fiduciary:
- Valid Consent: Ensure any consent collected meets the Act’s strict standard (free, specific, informed, unconditional and unambiguous), and make withdrawal as easy as giving it. For children under 18, and for persons with disabilities who have a lawful guardian, obtain verifiable consent from the parent or guardian; the Act also bars tracking, behavioural monitoring and targeted advertising directed at children.
- Privacy Notice: Provide the mandatory pre-consent notice detailing data categories, purposes, rights, and complaint mechanisms.
- Consent Management: If using Consent Managers, integrate your systems to allow opt-in/withdrawal via those platforms.
- Data Protection Officer: Significant Data Fiduciaries must appoint a DPO based in India who is accountable to the board of directors and serves as the contact point for grievance redressal. Every other fiduciary must at least publish the contact details of a DPO or another person who can answer Data Principals’ questions.
- Security & Breach Response: Implement reasonable security measures to prevent breaches. In case of a personal data breach, notify the Data Protection Board and all affected principals without undue delay. (Draft rules hint this may be within 72 hours, in line with GDPR-style practice.)
- Assessments for Significant Fiduciaries: If classified as significant, conduct periodic privacy impact assessments and audits.
Although DPDP itself doesn’t mandate a DPIA for every processing activity, the Significant category effectively forces compliance reviews for high-risk players. In many ways, these duties mirror GDPR’s pillars – consent, notice, purpose limitation – but there are twists. For example, the Act allows the Central Government to exempt notified classes of Data Fiduciaries (startups are named explicitly) from parts of these obligations based on the volume and nature of the data they handle. Those carve-outs can cover the detailed notice, the accuracy and erasure duties, the Significant Data Fiduciary obligations and the access right; a separate provision lets the government relax certain children’s-data rules for notified classes or purposes. My advice to lean startups is simple: even if the law might spare you initially, adopt these practices anyway. It’s both good policy and great marketing to be able to say “we treat your data with care, with transparent notices and real rights”.
Enforcement, Penalties, and the Data Protection Board
Who polices all this? The DPDP Act establishes a Data Protection Board of India – a centralized authority (still to be set up) that will hear complaints and enforce the law. The Board functions as a digital office: it conducts inquiries online, directs remedial measures, and imposes penalties for non-compliance. Appeals from the Board go first to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and from there to the Supreme Court of India. This contrasts with GDPR’s many national Data Protection Authorities – India’s approach is a single, digital-first regulator with one appeal path.
Penalties are significant: violations can incur fines up to ₹250 crore (about $30 million). The exact amount will depend on factors like the severity and duration of the breach, how quickly it was fixed, and whether the offender profited from it. (Even Data Principals themselves face small penalties for flouting certain duties – up to ₹10,000.) In practice, I encourage organizations to align breach response with global best practice: for example, begin breach containment and notification as soon as possible, aiming for the same 72-hour target used in GDPR. Early transparency and remediation can be favorable factors if the Board examines a case.
How DPDP Stacks Up Globally
From abroad, the DPDP Act will look familiar yet distinct. It draws heavily on GDPR language – the consent standard is near-identical (DPDP adds “unconditional” to GDPR’s free, specific, informed and unambiguous), and many rights overlap (access, correction, erasure). But there are some notable differences:
- Sensitive Data: GDPR has a special category with extra rules for sensitive data (race, health, etc.). DPDP has no such separate category; all personal data is treated equally, although certain processing (e.g. children’s data) triggers stricter care.
- Legal Bases: GDPR allows processing for contract, legal obligation, vital interests, public task, and legitimate interests beyond consent. DPDP does not: only consent or specified “legitimate uses” are allowed.
- Data Transfers: GDPR requires strict mechanisms (adequacy decisions, Standard Contractual Clauses) for cross-border transfers. The DPDP Act by contrast does not currently restrict international transfers by default. Instead, it empowers the Indian government to later block transfers to certain countries if it chooses. For now, data can freely flow out of India unless and until rules say otherwise.
- Scope of Processing: Interestingly, DPDP defines “processing” as wholly or partly automated operations. GDPR’s definition also covers certain non-automated handling. This means, technically, the DPDP Act only covers electronic/automated processing, reflecting its digital focus.
- Supervisory Structure: GDPR has multiple national authorities; DPDP has a single Board and appeal path. For companies, that means dealing with one Indian regulator instead of a patchwork.
- Penalties: Both regimes allow heavy fines, but GDPR ties penalties to a percentage of global turnover (up to 4%). DPDP sets absolute caps (up to ₹250 Cr). Depending on your business size, one regime might be “harder” than the other.
To give another perspective: compared to the U.S. approach (like California’s CCPA/CPRA), DPDP is more comprehensive (covering any sector) but less “consumer-empowering” in some ways (no private right to sue, no opt-out of profiling or sale, etc.). It’s India’s own blend of international best practices and local priorities.
Preparing for DPDP: Advice from Experience
So what should organizations do? For large enterprises and multinationals, the message is clear: get ready. DPDP’s core provisions become enforceable only once the government notifies dates and releases rules, but that’s coming. Start mapping all processing of Indian users’ data now. Update consent flows, notice templates, breach procedures and data inventory. Where you already follow GDPR, many tasks (like consent revocation, security audits, DPOs) are similar. But pay attention to the gaps: implement the new nomination or grievance processes, and plan how to integrate with any Consent Manager.
For startups and smaller firms, there is some temporary relief: the government may exempt notified classes of fiduciaries from certain obligations based on the volume and nature of the data they handle. However, my counsel is to use that breathing room to embed good habits. In privacy, building the right practices in early is far cheaper than fixing things after a breach or scandal. Even if you qualify for exemptions on notice or erasure duties, think twice about skipping them. For example, even if the law doesn’t force you to delete old data immediately, having a clear retention policy is just sound risk management. And remember, savvy customers will ask about data protection – often they use GDPR as a benchmark. If you’ve already told a user “we follow GDPR standards,” you’ll have to live up to it once DPDP is live.
Ultimately, the DPDP Act is an opportunity. It signals India’s commitment to privacy, and gives us a chance to build trust. As a founder, I see it as a competitive advantage to say “we were DPDP-ready before it was even enforced.” Human users value transparency; being proactive about privacy can set a company apart.
The bottom line: DPDP is serious business. It echoes global trends, especially GDPR, but also has unique Indian features. Our role as privacy professionals is to translate it into actionable strategy – for example, training teams on the new consent standard, overhauling legacy cookie banners, or flagging cross-border flows that might hit future restrictions. By treating DPDP’s principles (like data minimization and accountability) as organizational values, not just compliance checkboxes, businesses can both avoid penalties and earn goodwill. In today’s world, data protection is part of a company’s brand promise. As we decode the DPDP Act, we should do so not just with legal rigor but with a human touch – remembering that at its core, this law is about empowering real people (Data Principals) in the digital age.
Key Takeaways:
- The DPDP Act applies to all digital personal data and goes beyond borders – affecting any company offering goods/services to Indians.
- “Data Fiduciaries” must get explicit consent (free, informed, etc.) or fit a narrow legitimate-use exception for processing.
- Individuals (“Data Principals”) get rights like access (to data summaries), correction, erasure, grievance redressal, nomination, and withdrawal of consent.
- Unlike GDPR, DPDP has no sensitive data categories and no right to object or portability, but introduces unique elements (Consent Managers, a single Data Protection Board).
- Enforcement includes severe fines (up to ₹250 Cr) and an appeal path through India’s telecom tribunal. Draft rules (expected soon) will clarify obligations on issues like breach notifications and cross-border transfers.
- From a strategic standpoint, companies should treat DPDP as an extension of global privacy best practices. Start compliance now by mapping Indian data flows, updating notices/consents, and embedding privacy by design. In doing so, you’ll not only avoid penalties, but also build customer trust in India’s digital economy.