The Complete Guide to DPDP Act Compliance in India
Understanding India’s New Data Protection Landscape
The Digital Personal Data Protection Act, 2023 represents India’s most significant regulatory shift in data governance. For compliance leaders at regulated enterprises, this DPDP Act compliance guide provides the operational clarity needed to navigate these new requirements alongside existing sectoral regulations from RBI, SEBI, IRDAI, and CERT-In.
Unlike the principle-based frameworks that preceded it, the DPDP Act introduces specific, enforceable obligations with substantial penalties. The challenge for regulated industries is not merely understanding the law, but integrating its requirements into existing compliance infrastructure without creating parallel governance structures.
This guide breaks down what the Act requires, who it applies to, the penalties at stake, and how enterprises should structure their preparation. The rules under the Act are still awaited, but the core framework is clear enough to begin operational planning.
What the DPDP Act Requires: Core Framework
The DPDP Act establishes a consent-centric framework for processing personal data of Indian residents. Its scope extends to both data collected within India and data processed outside India in connection with offering goods or services to individuals in India.
The Act introduces two key entity classifications that determine compliance obligations. Data Fiduciaries are entities that determine the purpose and means of processing personal data. Data Processors are entities that process data on behalf of fiduciaries. Most regulated enterprises will operate as data fiduciaries, with their vendors and service providers functioning as processors.
Lawful Grounds for Processing
The Act permits processing of personal data only on two grounds. The first is consent, which must be free, specific, informed, unconditional, and unambiguous. The second comprises certain legitimate uses, including voluntary data provision, government subsidies and benefits, compliance with legal obligations, medical emergencies, employment purposes, and public interest scenarios.
For BFSI entities, this creates an interesting intersection with existing RBI guidelines on customer data. A bank processing customer data for KYC purposes under RBI’s Master Direction on KYC operates under a legitimate use ground. The same bank processing the same customer’s data for marketing requires explicit consent under DPDP.
Rights of Data Principals
Data principals, the individuals whose data is being processed, receive several enforceable rights under the Act. These include the right to access information about processing, the right to correction and erasure of data, the right to grievance redressal, and the right to nominate another person to exercise these rights in case of death or incapacity.
Enterprises must establish mechanisms to receive and respond to these requests within timelines that will be specified in the rules. For organizations already handling customer complaints under RBI’s Integrated Ombudsman Scheme or SEBI’s SCORES platform, this adds another grievance channel requiring dedicated workflows.
Who the DPDP Act Applies To
The Act applies to the processing of digital personal data within India, whether collected online or collected offline and subsequently digitized. It also applies to processing outside India if connected to offering goods or services to individuals in India.
Data Fiduciaries and Their Obligations
As a data fiduciary, an enterprise bears primary responsibility for compliance. This includes ensuring processing occurs only for lawful purposes, implementing reasonable security safeguards, maintaining accuracy of data, deleting data once the purpose is fulfilled, and establishing grievance redressal mechanisms.
Consider a mid-sized NBFC with operations across twelve states. Under DPDP, this entity must ensure that every branch, every digital touchpoint, and every vendor processing customer data operates within the Act’s framework. The compliance surface area extends well beyond the organization’s direct control.
Significant Data Fiduciaries
The Act creates a higher tier of obligations for entities designated as Significant Data Fiduciaries by the Central Government. This designation will be based on factors including volume and sensitivity of data processed, risk to data principals, potential impact on sovereignty and integrity of India, and risk to electoral democracy.
Large banks, insurance companies, and capital market intermediaries should anticipate this designation. Significant Data Fiduciaries face additional requirements including appointing a Data Protection Officer based in India, appointing an independent data auditor, conducting Data Protection Impact Assessments, and undergoing periodic audits.
Data Processors: The Vendor Dimension
Data processors do not face direct obligations under the Act, but data fiduciaries remain accountable for their processors’ compliance. This means vendor contracts must be revisited to include DPDP-compliant data processing agreements, security requirements, breach notification obligations, and audit rights.
For IT services companies that process data on behalf of clients, this creates dual exposure. They must ensure their own compliance as fiduciaries for employee and business data, while also meeting the contractual obligations imposed by clients seeking to manage their own DPDP compliance.
Key Obligations Under the DPDP Act
The Act establishes several specific obligations that require operational implementation. Understanding these obligations as a complete system, rather than isolated requirements, is essential for effective compliance.
Purpose Limitation
Personal data can only be processed for the specific purpose for which consent was obtained or the legitimate use that applies. Secondary uses require fresh consent. This sounds straightforward until you consider the complexity of data flows in a typical regulated enterprise.
A health insurer collects customer data during policy issuance, processes it for underwriting, shares it with TPAs for claims processing, and may wish to use it for product development or cross-selling. Each of these purposes requires either explicit consent or must fall within a legitimate use category. Purpose creep, where data collected for one purpose gradually gets used for others, becomes a compliance risk.
Data Minimization and Storage Limitation
The Act requires collection of only such data as is necessary for the specified purpose. Once the purpose is fulfilled, data must be erased unless retention is required by law.
For regulated enterprises, this creates tension with existing regulatory retention requirements. RBI mandates retention of customer records for specified periods. SEBI requires brokers to maintain transaction records. IRDAI has its own retention requirements. The DPDP Act’s erasure obligation operates subject to these legal retention requirements, but once those periods expire, the DPDP obligation to erase kicks in.
This requires enterprises to map data retention schedules across all applicable regulations, something few organizations have done comprehensively.
Data Accuracy
Data fiduciaries must ensure the completeness, accuracy, and consistency of personal data, particularly when it is likely to be used for decisions affecting the data principal or disclosed to another fiduciary.
For financial services entities making credit decisions, this obligation aligns with existing practices. For others, it may require new data quality processes and periodic verification mechanisms.
Security Safeguards
The Act requires reasonable security safeguards to prevent personal data breaches. The specific standards will be detailed in rules, but the expectation is clear. Enterprises must implement technical and organizational measures appropriate to the risk.
For entities already complying with RBI’s cybersecurity framework, SEBI’s cyber resilience guidelines, or CERT-In’s directives, existing security investments provide a foundation. The DPDP Act adds a data-specific lens to these broader security requirements.
Breach Notification
Personal data breaches must be notified to the Data Protection Board and affected data principals. The timeline and format will be specified in rules.
This creates a third notification regime for many regulated enterprises. CERT-In already requires incident reporting within six hours. Sectoral regulators like RBI require breach notifications under their specific guidelines. DPDP adds the Data Protection Board and individual notification requirements.
Coordinating these notifications, which may have different triggers, timelines, and formats, requires careful incident response planning. Platforms like eQomply that unify compliance tracking across multiple regulatory regimes become particularly valuable when managing these overlapping obligations.
Consent Requirements: The Operational Challenge
Consent under DPDP must be free, specific, informed, unconditional, and unambiguous. It must be given through a clear affirmative action. Pre-ticked boxes, bundled consent, or consent inferred from silence do not meet the standard.
Consent Managers
The Act introduces the concept of Consent Managers, entities registered with the Data Protection Board that serve as single points of contact for data principals to manage consent across multiple fiduciaries. Enterprises will need to integrate with these consent managers once the framework is operationalized.
Withdrawal of Consent
Data principals can withdraw consent at any time, with the same ease as giving consent. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal, but processing must cease going forward.
For regulated enterprises, this creates operational complexity. A mutual fund investor who withdraws consent for processing cannot have their data deleted entirely because SEBI requires retention of transaction records. The enterprise must distinguish between processing that must cease and data that must be retained for regulatory compliance.
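The distinction above, and the retention-schedule mapping described under Data Minimization and Storage Limitation, can be encoded as a single rule: consent withdrawal stops processing immediately, but erasure is only due once every legal retention period attached to the data has lapsed. The following Python sketch is an added illustration, not code from eQomply or from the Act or its rules; the retention periods, purpose names and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed placeholder retention periods keyed by legal source. These are
# NOT the real RBI/SEBI/IRDAI figures; substitute the periods from your own
# cross-regulation retention schedule mapping.
RETENTION_RULES: Dict[str, timedelta] = {
    "sebi_transaction_records": timedelta(days=5 * 365),
    "rbi_kyc_records": timedelta(days=5 * 365),
}


@dataclass
class Purpose:
    name: str
    basis: str                    # "consent" or "legitimate_use"
    last_activity: date           # last processing event under this purpose
    consent_active: bool = True   # meaningful only when basis == "consent"
    fulfilled: bool = False       # meaningful only for legitimate_use
    legal_retention: Optional[str] = None   # key into RETENTION_RULES


@dataclass
class DataRecord:
    principal_id: str
    purposes: List[Purpose]


def withdraw_consent(record: DataRecord, purpose_name: str) -> None:
    """Withdrawal stops future processing; past lawful processing stands."""
    for p in record.purposes:
        if p.name == purpose_name and p.basis == "consent":
            p.consent_active = False


def processing_allowed(p: Purpose) -> bool:
    return p.consent_active if p.basis == "consent" else not p.fulfilled


def evaluate(record: DataRecord, today: date) -> dict:
    """Separate 'cease processing' from 'erase': a retention law blocks erasure."""
    cease = [p.name for p in record.purposes if not processing_allowed(p)]
    holds = [p.last_activity + RETENTION_RULES[p.legal_retention]
             for p in record.purposes if p.legal_retention]
    retain_until = max(holds) if holds else None
    no_active_purpose = all(not processing_allowed(p) for p in record.purposes)
    erase_now = no_active_purpose and (retain_until is None or today > retain_until)
    return {"cease_processing": cease, "retain_until": retain_until,
            "erase_now": erase_now}


def demo() -> dict:
    """Constructed scenario: a mutual fund investor withdraws all consent."""
    rec = DataRecord("P-001", [
        Purpose("transaction_processing", "consent", date(2024, 1, 15),
                legal_retention="sebi_transaction_records"),
        Purpose("marketing", "consent", date(2024, 3, 1)),
    ])
    withdraw_consent(rec, "transaction_processing")
    withdraw_consent(rec, "marketing")
    # Shortly after withdrawal: both purposes cease, record held for SEBI.
    # Years later: hold has lapsed, DPDP erasure obligation now applies.
    return {"soon": evaluate(rec, date(2024, 6, 1)),
            "after_hold": evaluate(rec, date(2029, 6, 1))}
```

Processing stops on withdrawal for both purposes, but the record is held until the placeholder SEBI period ends and only then flagged for erasure.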
Children’s Data
Processing of children’s data (individuals below eighteen years of age) requires verifiable consent from a parent or lawful guardian. Tracking, behavioral monitoring, and targeted advertising directed at children are prohibited.
For insurance companies offering child plans, banks with minor account products, or healthcare providers treating pediatric patients, this requires specific consent workflows and verification mechanisms.
Penalties and Enforcement Under DPDP
The Act establishes substantial penalties that place data protection firmly in the board-level risk category.
| Violation | Maximum Penalty |
|---|---|
| Non-fulfillment of obligations for children’s data | ₹200 crore |
| Failure to take security safeguards resulting in breach | ₹250 crore |
| Failure to notify the Board and data principals of breach | ₹200 crore |
| Non-compliance with additional Significant Data Fiduciary obligations | ₹150 crore |
| Other violations of the Act | ₹50 crore |
These penalties are per instance and can be cumulative. For a large data breach affecting multiple data principals where the enterprise failed to maintain adequate security, failed to notify the Board, and failed to notify affected individuals, exposure could reach ₹450 crore or more.
The penalty amounts are designed to be material even for large enterprises. A mid-sized NBFC with a ₹500 crore net worth faces existential risk from a major violation. This changes the compliance calculus significantly.
The Data Protection Board: Structure and Powers
The Data Protection Board of India serves as the adjudicatory body under the Act. It is not a regulator in the traditional sense but rather a tribunal focused on determining non-compliance and imposing penalties.
The Board will receive complaints from data principals, references from the government, and intimations of breaches from fiduciaries. It can conduct inquiries, impose penalties, and direct remedial measures. Appeals from Board decisions go to the Appellate Tribunal and then to the Supreme Court.
The Board’s composition, procedures, and operational frameworks are still being established. Regulated enterprises should monitor these developments as they will determine the practical enforcement landscape.
How Regulated Enterprises Should Prepare: A DPDP Act Compliance Guide for Implementation
Preparation for DPDP compliance should proceed in parallel with existing compliance programs rather than as a separate initiative. The most effective approach treats DPDP as an overlay on existing governance structures.
Phase 1: Data Mapping and Gap Assessment
Begin with a comprehensive inventory of personal data processing activities. This includes what data is collected, from whom, for what purpose, where it is stored, who has access, what vendors process it, and how long it is retained.
Many regulated enterprises have conducted similar exercises for sectoral regulations. An RBI-regulated entity likely has a data classification in place under RBI’s Information Technology framework. A SEBI-regulated broker maintains records to demonstrate compliance with cyber audit requirements. These existing inventories provide a starting point but must be expanded to cover DPDP’s broader scope.
Phase 2: Consent Architecture Review
Audit existing consent mechanisms against DPDP requirements. Most organizations will find gaps. Legacy consent obtained through terms buried in lengthy documents may not meet the “specific, informed, unconditional” standard.
This does not necessarily require re-consenting your entire customer base, as existing legitimate use grounds may cover ongoing processing. But new data collection and new processing purposes will require DPDP-compliant consent mechanisms.
Phase 3: Process and Policy Updates
Update privacy policies to meet DPDP’s disclosure requirements. Establish or strengthen grievance redressal mechanisms. Document lawful grounds for each processing activity. Update data retention schedules to incorporate DPDP erasure obligations alongside regulatory retention requirements.
For organizations managing compliance across multiple frameworks, maintaining a unified policy repository becomes essential. Having DPDP policies managed separately from RBI compliance documentation creates inconsistency risk and audit challenges. Enterprise GRC platforms like eQomply that consolidate policy management across regulatory domains help maintain coherence.
Phase 4: Vendor Contract Updates
Review contracts with every vendor that processes personal data on your behalf. Contracts must specify the purpose of processing, security requirements, breach notification obligations, and restrictions on sub-processing.
For large enterprises with hundreds of vendor relationships, this is a substantial undertaking. Prioritize based on sensitivity and volume of data processed, starting with core technology vendors, cloud providers, and outsourced processing partners.
Phase 5: Technical Controls
Implement or strengthen technical controls to support DPDP requirements. This includes access controls ensuring only authorized personnel access personal data, encryption for data at rest and in transit, audit logging to demonstrate compliance, and mechanisms to respond to data principal requests for access, correction, and erasure.
Phase 6: Incident Response Updates
Update breach response procedures to incorporate DPDP notification requirements alongside existing CERT-In and sectoral regulator notifications. Define clear escalation paths, notification templates, and coordination protocols.
Test these procedures. A data breach creates time pressure that does not allow for figuring out processes on the fly. Tabletop exercises that simulate breach scenarios across multiple notification regimes can identify coordination gaps before they become compliance failures.
Phase 7: Training and Awareness
DPDP compliance requires behavior change across the organization, not just policy changes in the compliance function. Training programs should reach everyone who handles personal data, with role-specific content for customer-facing teams, IT staff, and leadership.
Phase 8: Governance Structure
Establish clear accountability for DPDP compliance. If your organization anticipates designation as a Significant Data Fiduciary, begin planning for the DPO appointment and audit requirements. For others, ensure the existing compliance function has clear ownership and adequate resources.
Building Sustainable Compliance
The DPDP Act represents one layer in India’s increasingly complex regulatory environment. For regulated enterprises already managing compliance with multiple sectoral regulators, the challenge is integration rather than isolation.
Treating DPDP as a separate compliance track creates duplication, inconsistency, and gaps. The more sustainable approach builds DPDP requirements into existing governance structures, leveraging current investments in risk management, policy frameworks, and compliance monitoring.
This requires technology infrastructure that can handle multi-regulatory compliance coherently. Spreadsheet-based tracking that worked for single-regulator compliance breaks down when managing overlapping obligations from RBI, SEBI, IRDAI, CERT-In, and now the Data Protection Board.
The organizations that navigate DPDP most effectively will be those that treat it as an opportunity to strengthen their overall governance capabilities rather than a burden to be minimized. The Act’s requirements around data mapping, consent management, and breach response align with good data governance practices that create value beyond compliance.
Whether you are beginning your DPDP preparation or refining an existing program, the time to act is now. The rules are still awaited, but the core framework is clear. Organizations that build their compliance foundations today will be better positioned to adapt as implementation details emerge.
For a detailed assessment of how your current compliance infrastructure maps to DPDP requirements and how eQomply can help unify your regulatory compliance across DPDP and sectoral regulations, schedule a conversation with our team.
