Discover India's New Data Era: Unveiling the Digital Personal Data Protection Act 2023. Your Data, Your Rights, Your Privacy.

The President of India gave assent to the Digital Personal Data Protection Act, 2023 (Act or DPDP Act) on August 11, 2023. The Act is brief, and its provisions are principle-based and high-level, with implementation specifics laid out in regulations.

The DPDP Act only applies to the processing of digital personal data in India, where the personal data is either

  1. collected in digital form or
  2. collected in a non-digitized manner and thereafter digitised.

 Personal data is defined as any data about an individual who may be identified by or in connection to such data.

The following are some of the important components of the DPDP Act:

  • The Legal Foundation: Only with the data subject's consent may digital personal data be handled (called the data principal). Companies will very certainly need to get fresh consent, even if they previously had approval from the data principal. Companies will be obligated to stop processing digital personal data within a reasonable time frame if consent is revoked. In certain circumstances, a data controller (also known as a data fiduciary) may rely on "legitimate use" rather than consent as an appropriate legal basis for processing, such as when data:
    • has been provided voluntarily by an individual; or
    • relates to a government benefit or service; a medical emergency; or employment.
  • Breach Of Personal InformationPersonal data breaches must be reported to impacted data principals and the Data Protection Board of India under the DPDP Act. According to the DPDP Act, a "personal data breach" is any unauthorised processing, disclosure, use, alteration, or loss of personal data that jeopardises the data's confidentiality, integrity, or availability. The reporting duty under the DPDP Act does not modify any current reporting responsibilities under India's existing Cert-In Rules.
  • Data Ownership: Individuals are allowed specific rights under the DPDP Act, including:
    • The right to access;
    • The right to seek rectification or deletion;
    • The right to file grievances with the data fiduciary; 
    • The right to choose another person to exercise rights on their behalf.
  • Important Data Fiduciaries: The DPDP Act allows an entity to be designated as a "Significant data fiduciary" based on parameters such as the volume of personal data handled, the kind and sensitivity of such data, and the danger to the data principal's rights. If a company achieves this classification, it will be required to meet extra standards such as engaging an independent data auditor and undertaking periodic data protection impact assessments in India.
  • Data Concerning ChildrenThe DPDP Act requires verified parental consent for any processing of data on minors under the age of 18. Certain processing of children's data is typically forbidden, even with consent, including processing that is likely to damage a child, tracking, behaviour monitoring, and targeted advertising.

The Importance of DPDP Act:

Data is critical in today's environment, but data protection is also important. The way society is exchanging data on multiple applications and social media platforms, data privacy is a major worry. If you install one programme on its mobile device, it requests access to all of our information, and we agree to the terms and conditions without reading them. The major goal of the Act is to regulate the processing of digital personal data and respect individuals' right to data protection while recognising the necessity of processing and using such data for authorised reasons. Breach of data is getting more common. Some of the most serious privacy violations happened when the personal data of users provided to the CoWIN portal was stolen and the personal data of vaccinated individuals was made public on Instagram. To avert such effects, the Digital Data Protection Act was enacted.


Noncompliance is punishable by hefty fines ranging from Rs 200-250 crore. However, such punishments are reserved under the DPDP Act for persistent and repetitive infractions involving the processing of children's data or major control failures.

The DPDP Act also enables the establishment of an independent organisation whose primary tasks will be to:

  1. Monitor compliance with the DPDP Act;
  2. Impose fines;
  3. Provide guidance for remediating or minimising data breaches;
  4. Investigate data breaches; 
  5. Hear grievances;


The DPDP Act represents India's specific approach to personal data protection, representing the culmination of extensive deliberations after its first development. This data protection law is an important step toward protecting personal data, addressing long-standing demands in the context of rising internet usage, data creation, and cross-border trade. The DPDP Act, in its whole, represents India's distinctive perspective on contemporary data protection, enriched by extensive post-draft consultations. While its requirements are less specific than those of standards such as GDPR, it requires a fundamental change in how Indian enterprises manage privacy and personal data.


For quick updates follow: click here

To check our Compliances service vist click here

Leave a Comment

Recent Insights

Maharashtra Factories (Safety Audit) (Amendment) Rules, 2024
Mandatory compliance for a Limited Liability Partnership (LLP)
Master Direction – Reserve Bank of India (Asset Reconstruction Companies) Directions, 2024