
With 1.4 billion people now protected by data privacy rights they previously lacked, businesses interested in serving the Indian market will need to become familiar with the Digital Personal Data Protection Act (DPDPA). Here, we’ll break down all the basics of the DPDPA—what’s unique about the law, what rights it confers to individuals and responsibilities it gives businesses, and more. 

Osano’s Head of Privacy, Rachael Ormiston, discusses the act at a high level in the video below. For a more in-depth exploration of the DPDPA, read on. 


India's Data Privacy Law: What Is the Digital Personal Data Protection Act (DPDPA)? 

India’s DPDPA is the culmination of efforts to address data protection and privacy concerns in India. Overall, businesses familiar with the EU’s GDPR will find many of the same concepts and requirements in the DPDPA, such as the need for consent, the provision of data subject rights (or rather, data principal rights—more on that later), and more. 

While the DPDPA resembles the GDPR, it does have several unique features. Its language, requirements, history, and concepts all make this law stand out compared to others. 

Who Must Comply With the DPDPA? 

The DPDPA applies to your organization if you: 

  • Process digital personal data within India, or 
  • Process digital personal data in connection with offering goods or services to data principals in India. 

However, one of the controversial aspects of the DPDPA is its broad set of exclusions. Many government agencies are exempt, and the central government has the power to exclude certain categories of organizations in the future (such as startups). Processing publicly available personal data, processing for research purposes, and processing non-Indian citizens’ data under some circumstances are exempt as well. 

How Did We Get Here? 

Data privacy regulation in India has taken a long road. Here's a brief timeline that illustrates how long the road has been. 

  • 2017: A nine-judge bench of the Indian Supreme Court recognized privacy as a constitutional right that needed protection. 
  • 2019: The Parliament of India introduced a privacy bill addressing the need for legislation to reinforce privacy rights after the constitutional recognition. However, this initial bill was later revoked. The initial privacy bill faced opposition from various quarters, including Silicon Valley companies, due to perceived limitations, restrictions, data localization provisions, policy issues, and government exemptions. 
  • 2019-2021: The dialogue on data protection and privacy continued over the years, addressing the broad and sometimes confusing provisions of the initial bill. 
  • 2023: The DPDPA underwent rapid legislative progress, passing through both houses of Parliament within a week, receiving Presidential assent, and being published in the Official Gazette. 
  • 2024: While the effective date of the DPDPA is yet to be determined as of this writing, it is anticipated to come into effect in 2024, with considerations for a short implementation period. 

It’s clear that both data privacy regulations in general and the DPDPA specifically have been controversial in India. Generally, that means we can expect rules and regulations to be tweaked and changed to satisfy all the different stakeholders as the law matures. 

Definitions Unique to the DPDPA 

If you’re familiar with other data privacy laws, then some of the terminology in the DPDPA may seem unusual, though their definitions should be mostly familiar. Here are some of the new terms introduced by the DPDPA: 

  • Data Fiduciary: This is essentially the same as the GDPR’s controller. It’s the entity that is in charge of the data collection and processing activities. 
  • Significant Data Fiduciary: These data fiduciaries are specifically identified by the government based on the fiduciaries’ data volume, sensitivity, risk, and impact on national interests. Significant Data Fiduciaries (or SDFs) will have to meet additional requirements, such as appointing an India-based Data Protection Officer (DPO). 
  • Data Principal: This is equivalent to a data subject—i.e., the individual whose personal data is collected. 
  • Consent Managers: Consent Managers are third-party, independent organizations authorized to manage, review, and withdraw the consent of the data principal through a transparent platform. Essentially, they serve as brokers and middlemen so that businesses can more easily comply with the law’s consent requirements. 

Why Does the DPDPA Matter? 

The Indian Digital Personal Data Protection Act holds significant importance for businesses for several reasons—not least because India is home to 1.4 billion people who previously had no data privacy protections. 

New Requirements Around Consent Managers 

The India data privacy law aligns with the bulk of international standards regarding data privacy regulation, but it has its own unique spin. The introduction of consent managers, for example, is one such difference. Businesses need to adhere to India's consent manager standards and framework to simplify their compliance. 

Consent Is King 

Under the DPDPA, consent will likely serve as businesses’ primary basis for data processing. The DPDPA does feature legitimate interest as a legal basis for processing as well, just like the GDPR does; but unlike the GDPR, legitimate interest is highly restricted. Most of the time, data principal consent is going to be the main legal basis for processing.  

Higher Requirements for Certain Entities 

If your organization is considered an SDF (a significant data fiduciary, as designated by the Indian government), then you’ll need to have a data protection officer (DPO) in your organization. Again, this is similar to the GDPR. But where the GDPR allows you to have a DPO based anywhere in the world, the DPDPA requires your DPO to be locally based in India. 

Hefty Penalties for Noncompliance 

Of course, one of the primary reasons any business will want to comply with the DPDPA is to avoid the fines and penalties associated with noncompliance. 

The DPDPA grants the government the power to create a board charged with enforcement. The board has a preset list of penalties it may impose depending on the nature of the violation, which ranges from INR 10,000 (roughly $120 USD) to INR 250 Crores (roughly $30M USD). 

Need to Respond to Rights 

The DPDPA establishes a comprehensive rights-based framework for data protection, focusing on individual rights and consent as a primary legal ground for data processing. Compared to the GDPR and other privacy laws, however, data principals have fewer rights under the DPDPA. They include: 

  • The right to access their information. 
  • The right to request its erasure. 
  • The right to correct their information. 
  • The right to receive notice before consent is sought. 
  • The right of grievance redressal, which is unique to the DPDPA and requires data fiduciaries to provide a tiered redressal process for aggrieved individuals. Under the DPDPA, aggrieved individuals must go through the data fiduciary’s grievance redressal process before escalating to the Data Protection Board of India. 

Note that unlike other data privacy laws, the DPDPA does not include the right to data portability or to not be subject to automated decision-making. 

How to Comply with the India Data Privacy Law 

Compliance with any data privacy law is an ongoing endeavor that can’t be summed up in a single blog post. (Despite our best efforts!) However, there are a few key steps that you can take to meet some of the DPDPA’s more particular requirements. 

Focus on Consent Management 

Given the heavy emphasis on consent as a legal ground for data processing, businesses should develop robust consent management processes. Consent should be obtained in clear, plain language, and individuals should have the ability to withdraw consent at any time. Consent management platforms (CMPs) can help businesses handle consent in an automated way without requiring the R&D that it takes to develop a homegrown solution.  

Develop a Grievance Redressal Process and Appoint a Grievance Officer 

You’ll want to establish, document, and budget for a method of grievance redressal. Because grievance redressal is a data principal right under the DPDPA, the act also requires every data fiduciary to appoint a grievance officer. This individual’s contact information must be published and made available to consumers.  

Appoint a Data Protection Officer (DPO) 

If classified as a significant data fiduciary (SDF), businesses must appoint a DPO based in India to oversee compliance with the DPDPA. This individual is responsible for ensuring compliance, managing data audits, and performing other DPO tasks as outlined in the law.  

Obviously, this requirement can be quite onerous if you don’t already have an office based in India. The decision to label an organization as an SDF lies solely with the central government, but it has indicated that SDFs will only be organizations that process high-volume, high-risk, and highly sensitive data. 

Other Requirements 

Businesses should also establish processes for: 

  • Data handling and deletion—once the purpose behind data processing has been met, the DPDPA requires that you delete the data. 
  • Security and protection of personal data. 
  • International data transfers—where the GDPR requires countries to meet a level of adequacy before transfers can occur, the DPDPA allows for the creation of a “negative list” of countries. Data fiduciaries will not be permitted to transfer data to countries included on this list. 

Take Your First Steps 

Compliance with any data privacy law can be complicated, but given the unique provisions of the DPDPA and the sheer number of individuals it protects, businesses may struggle to get compliant quickly. 

Fortunately, Osano can help with a number of DPDPA requirements. Businesses using the Osano platform will be able to: 

  • Secure, manage, and record data principals’ consent. 
  • Automate subject rights requests. 
  • Map their data to avoid unnecessary data sprawl (and therefore, unnecessary risk). 
  • Score and identify trustworthy vendors to partner with. 
  • And more. 

Schedule a demo of Osano today to take your first steps toward DPDPA compliance. 
