Frequently asked questions

All your questions about digital consent under DPDP answered in one convenient place

What is the DPDP Act?

The Digital Personal Data Protection (DPDP) Act is India’s first comprehensive data protection law, enacted in 2023. It aims to regulate the processing of personal data, empower individuals (Data Principals) with rights over their data, and impose accountability on organizations (Data Fiduciaries) handling this data.

Key highlights include:

  1. Consent-Based Processing: Personal data can only be processed based on free, informed, and specific consent, with a few exceptions.
  2. Data Principal Rights: Individuals are granted rights such as data access, correction, erasure, and grievance redressal.
  3. Data Security Obligations: Fiduciaries must ensure robust data protection and report breaches promptly.
  4. Penalties: Non-compliance can attract penalties of up to ₹250 crores per instance.
  5. Applicability: The law applies to Indian entities and foreign entities processing data of individuals in India.

The DPDP Act is a step toward strengthening data privacy in India, aligning with global standards like the GDPR.

Is the DPDP Act in force?

The DPDP Act, 2023, has been enacted but is not fully in force yet. The government is expected to notify its provisions in phases and has released the Draft DPDP Rules to guide implementation. The Draft Rules are out for public consultation, but the final version of these rules is yet to be notified.

Additionally, the Act establishes the Data Protection Board (DPB), which will oversee enforcement, handle grievances, and impose penalties for non-compliance. Organizations are advised to proactively prepare by understanding the Act, updating data protection practices, and monitoring notifications for the DPDP Rules and operationalization of the DPB.

What is the difference between GDPR and DPDP?

The DPDP Act and GDPR are both robust data protection frameworks, but they differ in key areas:

  1. Scope: GDPR applies to both online and offline personal data, while the DPDP Act focuses only on digital personal data.
  2. Legal Basis: GDPR allows multiple grounds for data processing, such as legitimate interests and contractual necessity. The DPDP Act primarily relies on consent, with limited exceptions for specific legitimate uses.
  3. Children’s Data: DPDP sets 18 years as the age for requiring parental consent, while GDPR allows member states to lower the age to 13-16 years.
  4. Data Processor Obligations: GDPR imposes direct compliance obligations on data processors, but under DPDP, the responsibility lies solely with data fiduciaries (controllers).
  5. Consent Management: DPDP introduces "Consent Managers," a unique concept for centralized and verifiable consent management, which is not present in GDPR.
  6. Breach Notifications: DPDP mandates reporting all breaches to the Data Protection Board and affected individuals, whereas GDPR requires notification only for breaches posing significant risks.
  7. Cross-Border Transfers: GDPR restricts transfers to countries with adequate protection or specific agreements, while DPDP leaves this to government discretion.

While both laws aim to protect personal data, the DPDP Act is tailored to India's digital landscape, emphasizing consent and accessibility, particularly in local languages.

When do I need to take user consent?

Under the DPDP Act, you must take user consent when processing personal data in digital form unless the processing falls under specific exemptions provided by the Act. Key scenarios requiring user consent include:

  1. Collecting Personal Data: When collecting personal data for any purpose.
  2. Sharing Data with Third Parties: Before sharing user data with external entities.
  3. Using Data for New Purposes: If the purpose of processing changes from what was initially communicated.
  4. Retention Beyond Purpose: If data needs to be retained for reasons other than the original purpose of collection.

Exceptions to consent include processing for state functions, legal obligations, health emergencies, or employment-related purposes. However, even in these cases, compliance with other provisions of the Act, such as data security and grievance redressal, remains mandatory.

Do I need consent for processing employee personal data?

Under the DPDP Act, consent is not required for processing employee personal data if the processing is necessary for employment-related purposes. Examples include:

  1. Background Verification: Conducting pre-employment checks.
  2. Payroll and Benefits Administration: Managing salaries, insurance, and other employee benefits.
  3. Compliance with Legal Obligations: Maintaining records as required by labor or tax laws.
  4. Workplace Security: Monitoring access to sensitive areas or systems.

However, businesses must ensure compliance with data protection obligations such as providing secure data storage, notifying employees of their rights, and processing data only to the extent necessary for legitimate employment purposes.

Are blanket consent notices, broad privacy policies or terms and conditions sufficient for legally using personal data?

No, blanket consent notices, broad privacy policies, or generalized terms and conditions are not sufficient under the DPDP Act. The Act requires that user consent must be:

  1. Specific: Consent must be for a clearly defined purpose and cannot be vague or open-ended.
  2. Informed: Users must be fully aware of the type of data collected, the purpose of processing, and any third-party sharing.
  3. Explicit: Consent must be given through a clear affirmative action, such as clicking a button or ticking a checkbox.
  4. Unconditional: Users cannot be forced to provide consent as a condition for accessing a service unless the data is essential for providing that service.

Broad terms and conditions or privacy policies often fail to meet these criteria, risking non-compliance and penalties under the Act. It’s essential to design consent notices that are clear, purpose-specific, and in compliance with the DPDP Act.

Am I a data fiduciary or processor?

The distinction between a Data Fiduciary and a Data Processor lies in who decides the purpose and means of processing personal data:

  • Data Fiduciary:
    You determine why and how personal data is processed.

    • Example: An e-commerce platform collecting customer data for targeted marketing or order processing.
    • Obligations: Full compliance with DPDP Act, including managing user consents, providing data rights, ensuring security, and addressing grievances.
  • Data Processor:
    You process personal data on behalf of a Data Fiduciary without deciding the purpose or method.

    • Example: A payment gateway facilitating transactions for an online retailer.
    • Obligations: Follow contractual terms from the fiduciary, implement security measures, and delete data promptly when instructed.

Aggregators and Dual Roles
Aggregator businesses often act as both fiduciaries and processors in different contexts:

As a Fiduciary:

  • Collecting customer data for user accounts, marketing, or analytics.
  • Example: A food delivery platform using customer preferences to suggest restaurants.

As a Processor:

  • Facilitating services based on a partner’s instructions.
  • Example: A logistics platform managing deliveries for retailers without deciding how data is used.

How to Assess Your Role:

  1. Map Data Processing Activities: Identify who controls the purpose of data use at each stage.
  2. Clarify Contractual Terms: Ensure your role is explicitly defined in agreements.
  3. Monitor Data Usage: Avoid overstepping into fiduciary responsibilities if you’re a processor.
  4. Implement Best Practices:

    • Collect and manage consents where required.
    • Automate data deletion processes upon withdrawal of consent or fulfillment of purpose.
    • Regularly audit and verify compliance across data flows.

By understanding your role and obligations under the DPDP Act, you can streamline compliance, minimize risks, and build trust with customers and partners.

Which sectors are affected by the DPDP law?

The Digital Personal Data Protection (DPDP) Act affects all sectors handling digital personal data. Some of the key sectors impacted include:

1. Banking, Financial Services, and Insurance (BFSI)
Handles large volumes of sensitive customer data, requiring strict compliance with consent management, secure data storage, and breach notifications.

2. E-commerce
Relies heavily on personal data for account creation, order management, and personalized marketing, necessitating robust consent mechanisms and secure payment processing.

3. Healthcare
Processes sensitive health data such as patient records and diagnostics, requiring heightened security measures and minimal data usage.

4. Technology and IT Services
Processes vast amounts of data for analytics, software services, and cloud storage, with obligations for managing consents and third-party vendor compliance.

5. Telecom and Internet Service Providers
Collects data for connectivity and billing, with a focus on obtaining clear user consent and implementing strict data retention policies.

6. Education
Manages sensitive data about students and parents, with requirements for parental consent when processing children’s data and securing academic records.

7. Retail and Consumer Goods
Uses personal data for loyalty programs and marketing, emphasizing the need for clear consent and data security.

8. Media and Advertising
Relies on user data for targeted ads and content personalization, requiring explicit consent for tracking and cookie usage.

9. Public Sector and Government Agencies
Collects large-scale citizen data for public services and schemes, with exemptions for specific state functions but a need for robust security measures.

10. Startups and Aggregators
Operate as both data processors and fiduciaries, requiring clear agreements, consent management, and adherence to compliance obligations across data flows.

The DPDP Act’s broad scope makes it relevant across industries, with the degree of compliance tailored to the nature and volume of data processed.

What are the penalties for non-compliance with the DPDP Act?

The Digital Personal Data Protection (DPDP) Act imposes significant penalties for non-compliance, emphasizing the importance of adhering to its provisions. Key penalties include:

  1. Processing Personal Data Without Consent

    • Up to ₹50 crore per instance for failing to obtain valid user consent or not maintaining records of consent.
  2. Failure to Prevent Data Breaches

    • Up to ₹250 crore per instance for not implementing adequate security measures to protect personal data or failing to notify breaches promptly.
  3. Non-Compliance with Children’s Data Provisions

    • Penalties up to ₹200 crore for mishandling children’s personal data, such as not obtaining verifiable parental consent or processing data that could harm children.
  4. Violation of User Rights

    • Fines for not fulfilling user rights such as access, correction, or erasure of data, ranging up to ₹50 crore per violation.
  5. Cross-Border Data Transfer Breaches

    • Substantial penalties for transferring data to restricted jurisdictions without government approval.
  6. Failure to Respond to Grievances

    • Heavy fines for not providing grievance redressal mechanisms or addressing user complaints in a timely manner.

The penalties are adjudicated by the Data Protection Board (DPB), which considers factors such as the severity of the violation, duration, recurrence, and mitigation efforts when determining fines. Non-compliance can lead to severe financial and reputational damage, making adherence to the DPDP Act critical for all businesses.

How can I comply with the DPDP Act?

Complying with the Digital Personal Data Protection Act (DPDP) involves a structured approach to ensure personal data is handled securely and lawfully. Here’s a concise guide:

  1. Understand and Assess

    • Determine how the DPDP Act applies to your business.
    • Appoint a Data Protection Officer (DPO) to oversee compliance.
  2. Audit and Map Data

    • Identify all personal data you collect, its source, storage, access, purpose, and retention period.
    • Develop a data inventory to track data flows and ensure compliance.
  3. Implement Consent Management

    • Collect explicit, informed, and unconditional consent with detailed notices in local languages.
    • Enable users to view, manage, and withdraw consent easily.
    • Send a one-time notice for previously collected data.
  4. Enable User Rights

    • Provide mechanisms for users to access, correct, or erase their data.
    • Establish grievance redressal and allow users to nominate someone to manage their data in case of incapacity.
  5. Manage Third Parties

    • Conduct due diligence on vendors’ data practices and include data protection clauses in contracts.
    • Ensure third parties comply with withdrawal of consent or erasure requests.
  6. Enhance Data Security

    • Implement encryption, firewalls, and access controls.
    • Regularly audit and update security measures.
    • Prepare an incident response plan for data breaches.
  7. Monitor Regulatory Updates

    • Stay informed about the establishment of the Data Protection Board and DPDP Rules for evolving compliance requirements.

Taking these steps ensures legal compliance, builds user trust, and safeguards your business from penalties of up to ₹250 crores.

What is the law on preventing and addressing breaches of personal data under the DPDP Act?

The Digital Personal Data Protection (DPDP) Act mandates robust measures to prevent, manage, and respond to personal data breaches. Here’s a concise overview:

Breach Prevention Obligations

  1. Reasonable Security Safeguards:

    • Encryption, access control, and secure backups are mandatory to protect personal data.
    • Logs must be retained for at least one year to enable breach detection and investigation.
    • Data processors must comply with the same security standards as data fiduciaries through contractual obligations.
  2. Additional Safeguards for Significant Data Fiduciaries:

    • Conduct regular risk assessments and audits to identify vulnerabilities.
    • Implement technical and organizational measures such as regular training, penetration testing, and updated security protocols.

Breach Notification Obligations

  1. Immediate Notification:

    • Notify the DPB and affected individuals without delay.
    • Include breach details, consequences, mitigation measures, and steps individuals can take to protect themselves.
  2. Content and Timing:

    • Notifications must be clear, concise, and follow the DPDP Rules' format.
    • Timely reporting (within 72 hours) is critical to avoid penalties.

Penalties for Non-Compliance

  • Failure to implement adequate safeguards: ₹250 Crores per breach.
  • Failure to notify the DPB or users: ₹200 Crores per instance.

Compliance with the DPDP Act ensures data security, user trust, and protection from severe penalties. Implementing robust preventive measures and having a clear breach response plan are key to managing personal data responsibly.

How long can I retain personal data with me? When do I need to delete personal data?

Under the Digital Personal Data Protection (DPDP) Act, personal data must only be retained for as long as necessary to fulfill the purpose for which it was collected. Here's how retention and deletion are governed:

Retention Period

  1. Purpose Limitation:

    • Retain personal data only for the time necessary to achieve the specific purpose for which it was collected.
    • Data must not be retained indefinitely without a valid reason.
  2. Legal Requirements:

    • Retention may be extended if required by other laws or regulations (e.g., tax records, compliance obligations).

Deletion Obligations

  1. Upon Purpose Fulfillment:

    • Delete data when the original purpose for processing is fulfilled.
  2. Upon Consent Withdrawal:

    • If the user withdraws consent, the data must be erased unless another legal ground justifies retention.
  3. Retention Policy:

    • Fiduciaries are responsible for establishing clear policies to periodically review and delete unnecessary data.

Best Practices

  • Automated Deletion: Implement automated systems for data lifecycle management to ensure timely deletion.
  • Data Minimization: Collect only the necessary data to reduce the burden of retention and compliance risks.
  • Audits and Compliance Checks: Conduct regular audits to ensure that no data is retained longer than required.

By adhering to these retention and deletion rules, businesses can comply with the DPDP Act, minimize risks, and build trust with users. See the Guide to Data Retention for more details.

What is the Data Protection Board?

The Data Protection Board (DPB), established under the DPDP Act, is India’s central authority for enforcing data protection laws. It investigates breaches, adjudicates complaints, and imposes penalties of up to ₹250 Crore for non-compliance. The DPB requires businesses to report data breaches within 72 hours, resolve grievances, and maintain transparency in handling personal data. It also facilitates online complaint filing, hearings, and mediation, operating as a digital-first office.

To comply, businesses must align with DPDP obligations, such as securing personal data, managing consents, and preparing for DPB scrutiny. Establishing grievance mechanisms, conducting regular audits, and ensuring robust documentation are key steps to stay compliant and mitigate risks. With its enforcement set to begin soon, the DPB represents a significant shift in India’s data protection framework.

What are the exemptions to the compliance requirements under the DPDP Act?

The Digital Personal Data Protection (DPDP) Act provides certain exemptions from compliance requirements to ensure flexibility in specific scenarios:

  1. Government Agencies: Public authorities processing data for national security, public order, sovereignty, or maintaining friendly relations with foreign states are exempt. This includes intelligence and law enforcement operations.
  2. Legal and Regulatory Compliance: Data processing for court orders, regulatory obligations, or to comply with laws is exempt from consent and other compliance requirements.
  3. Employment-Related Data: Employers are exempt from obtaining consent for processing employee data necessary for hiring, employment contracts, or workplace administration.
  4. Personal or Domestic Use: Individuals processing data for personal or household purposes are exempt from the Act's requirements.
  5. Research and Archival Purposes: Data processing for research, statistical analysis, or archiving in the public interest, such as historical documentation or scientific research, may be exempt under specified conditions.

These exemptions aim to balance privacy rights with operational, legal, and societal needs while ensuring that misuse is minimized.

When, where and to whom is the DPDP Act applicable?

The Digital Personal Data Protection (DPDP) Act applies to digital personal data that can identify an individual. This includes data collected digitally or later digitized, such as names, contact information, financial details, and Aadhaar numbers. The Act defines two primary stakeholders: Data Principals (individuals whose data is processed) and Data Fiduciaries (entities determining the purpose and means of processing). It applies to personal data processed within India and to processing activities outside India if they pertain to business activities involving Indian individuals.

The DPDP Act was notified on August 12, 2023, but its enforcement depends on the release of DPDP Rules and the establishment of the Data Protection Board. Specific exemptions include personal/domestic use, publicly available data, state functions, and employment-related processing. Businesses are advised to start their compliance efforts now, as penalties for non-compliance can reach up to ₹250 crores.

How are Indian businesses affected by the DPDP Act?

The Digital Personal Data Protection (DPDP) Act is a transformative regulation for Indian businesses, requiring explicit consent for all personal data use and empowering users with rights to manage their data. Companies must now implement seamless consent mechanisms, enable easy withdrawal of consent, and ensure data deletion across their systems and third-party vendors. This mandates businesses to overhaul their data management processes to align with the principles of data minimization and accountability.

The Act also introduces enforceable user rights, such as access, correction, and erasure of personal data, compelling businesses to establish robust systems for compliance. With the formation of the Data Protection Board (DPB), enforcement mechanisms are now stronger, and violations can attract penalties of up to ₹250 crores. Indian businesses must act swiftly to adapt their practices and avoid stringent penalties while building trust in a more privacy-focused digital ecosystem.
