India's Digital Personal Data Protection Act, 2023 (DPDP Act) received Presidential assent in August 2023. It is now law, though most of the operational rules (how exactly you comply, what the penalties look like in practice) are still being notified by the government.
That's not a reason to wait. The framework is clear enough to act on, and businesses that start now will be ahead when enforcement begins.
Who Does It Apply To?
The DPDP Act applies to any entity that processes the digital personal data of individuals in India, regardless of where that entity is located. So this applies to:
- Indian companies collecting data from Indian users
- Foreign companies targeting Indian users
- B2B software companies whose clients collect Indian user data
If you run an app, website, or software product with Indian users, this applies to you.
Key Concepts to Understand
Data Principal: the individual whose data is being processed (your user or customer).
Data Fiduciary: the company that determines the purpose and means of processing (you).
Data Processor: a third party that processes data on behalf of the Data Fiduciary (your cloud host, analytics provider, etc.).
Significant Data Fiduciary (SDF): a category the government will notify for companies with high data volumes or sensitivity. SDFs face stricter requirements, including appointing a Data Protection Officer and undergoing an annual audit.
What You Must Actually Do
1. Obtain Valid Consent
You must have a valid lawful basis for processing data. For most businesses, this means explicit consent. The consent request must be:
- Written in clear, plain language (not legalese)
- Specific to each purpose; bundled consent doesn't cut it
- Easily withdrawable; users must be able to withdraw consent as easily as they gave it
Pre-ticked boxes, buried consent in terms and conditions, and "by using this service you agree" clauses are not valid.
2. Honour Data Principal Rights
Under the DPDP Act, every Indian user has the right to:
- Access information about what data you hold about them
- Correct inaccurate data
- Erase their data (right to be forgotten, with exceptions)
- Nominate someone to exercise rights on their behalf after death
- Raise a grievance with your company and with the Data Protection Board
You need a working mechanism to receive and respond to these requests: not a policy document, but an actual process.
3. Notify Breaches
The DPDP Act requires you to notify both the Data Protection Board and affected individuals in the event of a personal data breach. "Without delay" is the standard; specific timelines will be set in the rules, but treat 72 hours as your target (in line with GDPR practice).
4. Manage Your Data Processors
If you share Indian user data with third parties (cloud providers, analytics, email services), those processors must handle the data in compliance with the Act. You remain responsible, so verify that your vendors have adequate protections.
5. Children's Data
Processing the data of children under 18 requires verifiable parental consent. You cannot target advertising at children. This is a high-risk area: if your product can be used by minors, take this seriously now.
What the Penalties Look Like
The DPDP Act provides for penalties of up to ₹250 crore per violation. The actual penalty schedule will be notified by the government, but the maximum figures are:
- Failure to implement reasonable security safeguards: up to ₹250 crore
- Failure to notify a breach: up to ₹200 crore
- Violation of children's data obligations: up to ₹200 crore
- Non-compliance with Data Protection Board orders: up to ₹150 crore
Where to Start
- Data audit: map every type of personal data you collect, where it's stored, who has access, and how long you keep it
- Consent mechanism review: audit every data collection touchpoint (forms, app permissions, cookies)
- Privacy notice rewrite: your privacy policy needs to clearly state what you collect, why, and users' rights under the DPDP Act
- Grievance mechanism: designate a point of contact and build a response workflow
- Vendor review: check your data processors
iSocialize offers DPDP compliance assessments for Indian businesses: gap analysis, consent mechanism review, privacy notice drafting, and a remediation roadmap. See our compliance services.