A plain-English breakdown of India’s landmark data privacy law — and why it belongs on your radar right now
If your organization touches the personal data of anyone living in India — a customer, a user, an employee, a job applicant — India’s new data protection law applies to you. It doesn’t matter if your headquarters is in San Jose, London, or Singapore. It doesn’t matter if you have a single office in India or none at all. If you are collecting, storing, or processing digital personal data of Indian residents, you are in scope.
That law is called the Digital Personal Data Protection Act, or the DPDP Act. India’s Parliament passed it in August 2023, and while the supporting rules that will define some operational specifics are still being finalized as of early 2026, the core law is active. Smart CISOs aren’t waiting for the complete rulebook before they start preparing — because when enforcement kicks in, the clock won’t reset and the regulator won’t be sympathetic to organizations that watched the law develop and did nothing.
This is Part 1 of a three-part series designed to take you from ground zero to a working compliance program. Here we’ll cover what the law is, who it applies to, what rights it creates, and why DPDP demands CISO ownership rather than being handed off entirely to legal. In Part 2 we’ll go deep on each obligation. In Part 3 we’ll build the readiness roadmap.
Let’s start at the beginning.
Why Did India Create This Law?
India is home to one of the world’s largest and fastest-growing digital economies. With over 900 million internet users, a thriving fintech sector, a massive e-commerce market, and a global IT services industry, the country generates and consumes enormous volumes of personal data every day. For years, there was no comprehensive federal law governing how that data should be protected.
India had the Information Technology Act of 2000 (with the 2011 rules on sensitive personal data issued under it) and some sector-specific rules, but nothing that matched the scale or sophistication of the modern data landscape. As the European Union (GDPR, 2018), California (CCPA, 2020), Brazil (LGPD, 2020), and dozens of other jurisdictions built robust data protection frameworks, India faced growing pressure from citizens, from international trading partners, and from its own Supreme Court to act. The Supreme Court's 2017 Puttaswamy judgment declared privacy a fundamental right under the Indian Constitution, setting the legal stage for comprehensive legislation.
After years of drafts, committee reviews, failed attempts, and extensive public consultation, the DPDP Act was passed in 2023. It represents a significant evolution in India’s relationship with personal data — and for global organizations doing business there, it represents a compliance obligation that demands serious attention.
The Core Idea: Two Roles, One Accountability Framework
At its heart, the DPDP Act is built on a simple premise: individuals have the right to control their personal data, and the organizations that collect it are accountable for how it’s used. The entire structure of the law flows from this idea, and understanding it helps you anticipate what the law requires even in areas where specific rules are still being finalized.
The law achieves this accountability through two primary roles.
Data Principals are the individuals whose data is being collected. They are the people your organization serves — your customers, app users, employees, students, or website visitors who happen to be in India. Under DPDP, Data Principals are not passive data sources. They are rights holders, and the law gives them meaningful tools to exercise those rights.
Data Fiduciaries are the organizations that determine the purpose and means of processing personal data. If your company collects or uses Indian personal data, you are a Data Fiduciary. The word “fiduciary” is intentional — it signals that the law expects you to handle this data with care and in the individual’s interest, not merely your own.
There is also the role of a Data Processor — a third party that processes personal data on behalf of a Data Fiduciary. Your cloud provider, your CRM vendor, your outsourced payroll platform — these are your Data Processors. You, as the Data Fiduciary, remain responsible for ensuring they handle the data appropriately. That accountability chain doesn’t break just because you’ve passed the work to a vendor.
Who Does DPDP Actually Cover?
Scope is one of the first questions to settle, and the answer is broader than many non-Indian companies expect.
In scope: Any entity that processes digital personal data of individuals in India. This includes organizations outside India that process data in connection with offering goods or services to individuals in India. The Act covers personal data collected in digital form and personal data collected offline that is later digitised.
Out of scope: Processing for purely personal or domestic purposes. Data that individuals have voluntarily made publicly available. Certain government processing for national security, law enforcement, or public order. Offline, non-digitized personal data, which falls under older frameworks.
The extraterritorial reach is the provision that most surprises non-Indian companies. If you run a global SaaS platform, a travel booking app, a healthcare portal, or an e-commerce site — and Indian users register or transact on it — you are covered. This mirrors how GDPR works, and organizations that assumed privacy laws stop at national borders have learned expensive lessons in the European context. DPDP makes the same demand.
Don’t assume that because your company has no physical presence in India you’re outside scope. If Indian residents can sign up for your service, download your app, or interact with your platform — and you collect data from that interaction — you are a Data Fiduciary under DPDP. Conduct a scope assessment early. Include your product team and your legal counsel. Document the conclusion either way, because “we assessed our scope and determined we are/aren’t in scope because of X” is a far better position than “we never thought about it.”
The Vocabulary You Need to Know
Getting fluent in DPDP’s terminology early will pay dividends when you’re communicating with legal, briefing the board, or reviewing vendor contracts. Here is the essential glossary.
Personal Data is any data that can identify an individual, directly or indirectly. Names, email addresses, phone numbers, device IDs, government ID numbers, location data, biometric information, IP addresses — all qualify. The definition is broad by design.
Processing covers everything your systems do with personal data — collection, storage, use, analysis, sharing, transmission, and deletion. If your systems interact with personal data in any way, that interaction is processing.
Consent is the primary legal basis for processing under DPDP. The Act requires it to be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the data necessary for the stated purpose. Silence, pre-ticked boxes, and bundled consent don't meet the standard. The Act also requires that withdrawing consent be as easy as giving it, and that processing stop once consent is withdrawn unless another lawful basis applies.
Significant Data Fiduciary (SDF) is a designation the Central Government can assign, by notification, to a Data Fiduciary or class of Data Fiduciaries based on factors the Act lists: the volume and sensitivity of data processed, the risk to Data Principals' rights, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. SDFs face additional requirements including mandatory appointment of a Data Protection Officer based in India, periodic Data Protection Impact Assessments, and periodic audits by an independent data auditor.
The Data Protection Board of India (DPB) is the regulatory authority established by the Act. It handles individual complaints, conducts investigations, and imposes penalties. Think of it as India’s equivalent to the EU’s Data Protection Authorities — a body with real investigative and enforcement power.
Consent Managers are a concept specific to India's law: intermediaries registered with the Data Protection Board that let Data Principals give, manage, review and withdraw consent across multiple organisations through a single interface, and that are accountable to the Data Principal rather than to the Data Fiduciary. It's an attempt to make consent scalable at a national level and something your architecture may need to accommodate.
The Rights Data Principals Hold
Every right listed here translates directly into a technical or operational capability your organization must build and maintain. This is where privacy law becomes a technology project, and where the CISO’s role becomes unmistakably central.
Right to Information. Before collecting personal data, you must provide the individual with a clear notice explaining what data you’re collecting, why you’re collecting it, and how they can exercise their rights. The notice must be available in multiple languages and written in plain, accessible language. Dense legal jargon buried in a 50-page privacy policy will not satisfy this requirement.
Right to Access. Individuals can request a summary of the personal data you hold about them, a summary of the processing activities you have carried out on it, and the identities of the other Data Fiduciaries and Data Processors with whom you have shared it. Your organization needs the technical infrastructure (data mapping, search capability, identity resolution across systems, and a sharing register) to respond accurately and within required timeframes.
Right to Correction and Erasure. Individuals can ask you to correct inaccurate or misleading data, complete incomplete data, update data, or erase their personal data entirely. You must erase unless retention is required by law (tax, audit, or sector-specific record-keeping rules, for example), and in that case you should be able to cite the specific legal basis for keeping it. Executing erasure properly means deletion not just from your primary database, but from backups, logs, data warehouse tables, and any third-party processors you've shared the data with. This is technically complex and operationally demanding.
Right to Grievance Redressal. Individuals must have a clear, accessible mechanism to raise complaints with you directly, and the Act requires them to use that mechanism before they can approach the Data Protection Board. If you fail to resolve the grievance satisfactorily, or within the period the rules prescribe, they can escalate to the Board. A non-functional complaint email or an auto-reply with no follow-up will not meet this standard, and it hands the Board a ready-made finding that your redressal process failed.
Right of Nomination. Unique to India’s law: individuals can nominate another person to exercise their data rights on their behalf in the event of death or incapacity. It’s a thoughtful provision that acknowledges real-world circumstances your processes need to accommodate.
Map each individual right to a specific internal capability today — before you build anything. Write it out: “To respond to access requests, we need [X]. To respond to erasure requests, we need [Y].” That exercise will surface your gaps faster than any framework audit, and it will give you a capability-based requirements list that your engineering and data teams can actually build from. Waiting until you receive your first Data Principal rights request to discover you have no way to respond is a painful and avoidable lesson.
The Penalty Structure: Numbers That Get Leadership’s Attention
Budget conversations become significantly more productive when there are real penalty numbers on the table. The Schedule to the DPDP Act sets maximum penalties per breach, with the largest reaching ₹250 crore (about USD $30 million at roughly ₹83 to the dollar; dollar figures below are approximate).
| Breach | Maximum Penalty |
|---|---|
| Failure of a Data Fiduciary to take reasonable security safeguards to prevent a personal data breach (Section 8(5)) | ₹250 crore (~$30M) |
| Failure to notify the Data Protection Board and affected Data Principals of a personal data breach (Section 8(6)) | ₹200 crore (~$24M) |
| Breach of the additional obligations for processing children's data (Section 9) | ₹200 crore (~$24M) |
| Breach of the additional obligations of a Significant Data Fiduciary (Section 10) | ₹150 crore (~$18M) |
| Breach of any other provision of the Act or the rules, including the duties owed to Data Principals exercising their rights | ₹50 crore (~$6M) |
| Breach of a Data Principal's own duties under the Act (Section 15) | ₹10,000 |
Note that the Act imposes the security-safeguards duty on the Data Fiduciary, covering processing done on its behalf by a Data Processor. A processor's failure therefore lands on you as the fiduciary unless your contracts and oversight let you show you discharged that duty. The Board sets the amount within these caps after a hearing, weighing the nature, gravity and duration of the breach, the type of data affected, whether the breach is repetitive, any gain or loss avoided, and the mitigating actions you took. A systemic failure (a breach affecting thousands of Indian users where you hadn't implemented adequate controls and didn't notify the Board promptly) can therefore be assessed as several distinct breaches at once. Beyond the direct financial exposure, the Board's orders are likely to be matters of public record, and the reputational cost of a high-profile enforcement action can dwarf the fine itself.
How DPDP Compares to GDPR
If you’ve navigated GDPR, you have a meaningful head start with DPDP. The two laws share foundational DNA: consent, individual rights, accountability, and cross-border applicability. But the differences are real enough that a deliberate gap analysis is necessary before assuming your GDPR compliance program carries over.
GDPR provides six legal bases for processing. DPDP is consent-centric: consent is the primary basis, supplemented by a closed list of "certain legitimate uses" (Section 7) such as data the individual volunteers for a specified purpose, State functions, medical emergencies and public health, and employment-related processing. (The 2022 draft bill called these "deemed consent"; the enacted Act does not use that term.) The absence of a broad "legitimate interests" basis is a significant operational difference for many companies.
GDPR requires a Data Protection Officer under specific conditions. DPDP mandates one only for Significant Data Fiduciaries, though many privacy-mature organizations will appoint one proactively.
GDPR has a well-established 72-hour breach notification requirement to supervisory authorities. DPDP requires notification to both the Data Protection Board and affected individuals, with specific timeframes to be defined in the rules.
GDPR restricts cross-border transfers and relies on adequacy decisions and Standard Contractual Clauses. DPDP takes the opposite structure: transfers are permitted to any country except those the Central Government restricts by notification (Section 16), a blacklist rather than a whitelist, and no such list had been notified at the time of writing. Stricter sector-specific rules, such as the RBI's localisation requirements for payment system data, continue to apply on top of DPDP.
DPDP may impose data localization requirements on Significant Data Fiduciaries. GDPR has no blanket localization requirement. This is one of the most consequential and watched provisions for global technology companies with Indian operations.
The bottom line: GDPR compliance is a genuine foundation for DPDP, but it is not a free pass. The differences require deliberate gap analysis and targeted remediation.
Why This Is a CISO Problem, Not Just a Legal Problem
Some CISOs make the mistake of treating privacy laws as purely legal matters — hand it to the lawyers, update the privacy policy, check the box. That approach fails with DPDP for the same reason it fails with GDPR: the obligations are deeply technical.
To respond to access requests, you need data discovery and identity resolution capabilities that can reliably locate all personal data associated with a specific individual across every system in your environment. To execute erasure requests, you need deletion workflows that cascade across primary systems, backups, and third-party processors. To fulfill consent obligations, you need consent management infrastructure that records what was consented to, when, in what form — and that immediately ceases data processing when consent is withdrawn. To meet breach notification obligations, you need detection and response capabilities fast enough to assess, document, and notify within tight timeframes. To govern your processors, you need vendor management processes backed by contractual obligations and audit rights.
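The consent-management requirement above is the one most often under-specified in engineering tickets, so here is an added example that is not part of the original post: a minimal purpose-bound consent ledger in Python showing what "records what was consented to, when, in what form, and ceases processing when consent is withdrawn" looks like as a data structure, together with a gate that processing code calls before touching data and an export usable for a Right to Access response. The principal ids, purposes, notice versions and channel names are constructed sample values, and the one-purpose-per-record rule is a design choice made here to enforce specificity, not wording the Act itself uses.

```python
"""Added example (hypothetical sketch, not code from the original post or any vendor):
an append-only consent ledger with purpose-specific grants, withdrawals, a processing
gate, and an access-request export. All identifiers below are constructed samples."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One ledger entry: who, which single purpose, grant or withdrawal, when, under which notice."""
    principal_id: str
    purpose: str            # exactly one specific purpose per event (no bundling)
    action: str             # "granted" or "withdrawn"
    at: datetime            # timezone-aware UTC timestamp
    notice_version: str     # the notice the principal saw; needed to prove consent was informed
    channel: str            # assumed names, e.g. "signup_form", "consent_manager", "account_settings"


class ConsentError(Exception):
    """Raised when processing is attempted without a valid, current consent."""


class ConsentLedger:
    """Append-only record of grants and withdrawals; the latest event per (principal, purpose) wins."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str, channel: str,
              affirmative_action: bool, now: Optional[datetime] = None) -> ConsentEvent:
        # A pre-ticked box or silence is not consent: the caller must attest to a clear affirmative act.
        if not affirmative_action:
            raise ConsentError("consent requires a clear affirmative action by the Data Principal")
        # Design choice for specificity: a record covers one purpose, never a bundled list.
        if "," in purpose or ";" in purpose:
            raise ConsentError("one purpose per consent record; bundled purposes are not specific")
        ev = ConsentEvent(principal_id, purpose, "granted",
                          now or datetime.now(timezone.utc), notice_version, channel)
        self._events.append(ev)
        return ev

    def withdraw(self, principal_id: str, purpose: str, channel: str,
                 now: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal takes no conditions and no extra inputs: it must be as easy as granting.
        ev = ConsentEvent(principal_id, purpose, "withdrawn",
                          now or datetime.now(timezone.utc), "", channel)
        self._events.append(ev)
        return ev

    def _latest(self, principal_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        matching = [e for e in self._events
                    if e.principal_id == principal_id and e.purpose == purpose and e.at <= at]
        return max(matching, key=lambda e: e.at) if matching else None

    def may_process(self, principal_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True only if the most recent event for this (principal, purpose) up to `at` is a grant."""
        ev = self._latest(principal_id, purpose, at or datetime.now(timezone.utc))
        return ev is not None and ev.action == "granted"

    def require(self, principal_id: str, purpose: str) -> None:
        """Gate for processing code paths: fail closed instead of silently continuing."""
        if not self.may_process(principal_id, purpose):
            raise ConsentError(f"no current consent from {principal_id} for purpose {purpose!r}")

    def access_summary(self, principal_id: str) -> List[Dict[str, str]]:
        """Export for a Right to Access response: every consent event for one principal, oldest first."""
        return [{"purpose": e.purpose, "action": e.action, "at": e.at.isoformat(),
                 "notice_version": e.notice_version, "channel": e.channel}
                for e in sorted(self._events, key=lambda e: e.at) if e.principal_id == principal_id]


def demo() -> Tuple[bool, bool, bool]:
    """Constructed walkthrough: grant two separate purposes, withdraw one, then check the gate."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    ledger.grant("dp-1001", "order_fulfilment", "notice-v3-en", "signup_form", True, now=t0)
    ledger.grant("dp-1001", "marketing_email", "notice-v3-en", "signup_form", True, now=t0)
    ledger.withdraw("dp-1001", "marketing_email", "account_settings", now=t0.replace(hour=10))
    return (ledger.may_process("dp-1001", "order_fulfilment"),   # still consented
            ledger.may_process("dp-1001", "marketing_email"),    # withdrawn an hour later
            ledger.may_process("dp-2002", "order_fulfilment"))   # never consented


if __name__ == "__main__":
    print(demo())
```

Two design points carry the weight here. The ledger is append-only, so a withdrawal never erases the evidence that a grant existed and under which notice version, which is what you need when the Board asks what the individual saw. And the `at` parameter on `may_process` lets you answer the retrospective question "was this processing permitted on the day it happened?", which is the question an investigation actually asks.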
None of those are legal deliverables. Legal defines what the law requires. You figure out how to build it, operate it, and prove it works.
Before moving into program design, make sure you can check these off:
- Scope confirmed — You’ve assessed whether your organization is covered and documented the conclusion
- Data Fiduciary role understood — You know you’re a Data Fiduciary and understand what that means operationally
- Data Processor inventory started — You’re tracking which third parties process Indian personal data on your behalf
- Key definitions internalized — Your team knows the difference between Data Principal, Data Fiduciary, SDF, DPB, and Consent Manager
- GDPR gap acknowledged — If you’re GDPR-compliant, you’ve recognized that DPDP requires its own gap analysis
- Penalty exposure shared with leadership — Your executive team understands the financial stakes
What’s Coming in This Series
You now have the foundation: what DPDP is, who it covers, what rights it creates, and why it demands CISO ownership.
In Part 2, we go deep on the specific obligations — consent mechanics and privacy notices, children’s data requirements, breach notification duties, cross-border transfer rules, and what “reasonable security safeguards” actually means under this law.
In Part 3, we build the CISO’s DPDP Readiness Roadmap — a step-by-step, phased action plan you can take to your leadership team and start executing today.
Bookmark this series. Share it with your privacy team, your GRC analysts, and your legal partners. This is the regulatory literacy that separates the strategic CISO from the reactive one.
Privacy laws that apply extraterritorially are easy to ignore until they aren’t — and by the time enforcement becomes real, the organizations that waited are the ones scrambling. The DPDP Act is not a distant regulatory rumor. It’s a passed law, with a functioning regulatory body, and a penalty structure designed to make non-compliance economically painful. The CISOs who will navigate this well are the ones who start building their program now, while the rules are still being finalized, rather than waiting for every detail before they move. You don’t need perfect information to take the right first steps. You need enough understanding to get started — and that’s exactly what this series is designed to give you.
Questions about DPDP? Drop them in the comments or connect with us at www.infosecmadeeasy.com.
Disclaimer: This article is for educational purposes only and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your organization and jurisdiction.