Understanding India’s Digital Personal Data Protection Act, 2023 (DPDP Act)

  • Writer: Kiratraj Sadana
  • May 20, 2025
  • 3 min read

Updated: May 26, 2025

Introduction

The Digital Personal Data Protection Act, 2023 (DPDP Act) marks a turning point in India's approach to data privacy. Passed by Parliament in August 2023, the Act provides a comprehensive legal framework for the processing of digital personal data and seeks to balance individual rights with the need for lawful data processing.

In this article, we explore the key provisions of the DPDP Act, 2023, and what it means for individuals, startups, corporates, and data fiduciaries operating in India.


  1. Who does the DPDP Act Apply To?

    The DPDP Act, 2023 applies to:

    • Data Fiduciaries: Entities (including companies, government bodies, startups) that determine the purpose and means of processing personal data.

    • Data Principals: Individuals to whom the personal data belongs.

    • Processing outside India: The Act also applies to entities outside India if they process digital personal data in connection with offering goods or services to individuals in India.


  2. What Is Considered ‘Personal Data’?

    The Act defines personal data as any data about an individual who is identifiable by or in relation to such data and is in digital form. Notably, the law does not cover non-digital or manually processed data unless it is intended to be digitised.


  3. Key Rights of Data Principals

    Under the DPDP Act, individuals have the following rights:

    • Right to Access Information about their personal data.

    • Right to Correction and Erasure of inaccurate or misleading data.

    • Right to Grievance Redressal through the Data Fiduciary’s internal mechanism.

    • Right to Nominate another person in case of incapacity or death.

    These rights must be exercised through clear, accessible interfaces and supported by data fiduciaries in a time-bound manner.


  4. Obligations of Data Fiduciaries

    Entities processing personal data are required to:

    • Obtain free, informed, specific, and unambiguous consent.

    • Limit use of personal data to the stated purpose.

    • Implement reasonable security safeguards to prevent data breaches.

    • Notify the Data Protection Board of India and affected individuals in case of a data breach.

    • Maintain transparency and accountability in data processing activities.


  5. Special Class: Significant Data Fiduciaries

    The Central Government may notify certain entities as Significant Data Fiduciaries based on the volume and sensitivity of personal data handled, and their risk to national interest. These entities must:

    • Appoint a Data Protection Officer based in India.

    • Conduct periodic data protection impact assessments and audits.


  6. Grounds for Data Processing

    Consent is the cornerstone of lawful data processing. However, certain "legitimate uses" are permitted without consent, including:

    • Performance of a legal function or duty by the State.

    • Voluntary sharing of personal data by the individual.

    • Employment-related purposes.

    • Emergencies and medical situations.


  7. Cross-Border Data Transfers

    Unlike earlier drafts, the DPDP Act, 2023 adopts a permissive approach to cross-border data transfers. Data can be transferred to any country except those explicitly restricted by the Central Government via notification.


  8. Penalties for Non-Compliance

    The Act prescribes hefty financial penalties for non-compliance:

    • Up to ₹250 crore for failing to prevent a data breach.

    • Up to ₹200 crore for non-fulfilment of duties by data fiduciaries.

    • Penalties are determined by the Data Protection Board of India based on severity and recurrence.


  9. Role of the Data Protection Board of India

    The Board functions as an independent adjudicatory body to:

    • Enforce compliance.

    • Adjudicate disputes.

    • Impose penalties.

    • Conduct inquiries suo motu or upon complaints.


  10. Impact on Businesses in India

    The DPDP Act, 2023 requires businesses of all sizes—especially those collecting consumer or employee data—to revisit their privacy policies, consent mechanisms, grievance redressal frameworks, and data security protocols. Failure to align with the Act may not only attract penalties but also result in reputational damage.


Conclusion

The DPDP Act, 2023 is a significant step forward in establishing a digital privacy framework in India. While the law offers stronger protection to individuals, it also places considerable compliance obligations on businesses and startups. Early preparation, legal audits, and policy updates will be key for organisations to stay ahead of enforcement.


Need help with data privacy compliance? Apar Law offers end-to-end advisory on drafting privacy policies, conducting compliance audits, and managing legal risk in the digital ecosystem. Contact us today.
