What Should Enterprises Do to Understand DPDPA Compliance?
MSInfo Privacy Team
MSInfo Services
India's Digital Personal Data Protection Act 2023 is now law. Most enterprises are underprepared. Here's where to start.
The Digital Personal Data Protection Act 2023 (DPDPA) represents the most significant development in Indian data protection law in decades. Modeled on principles similar to the GDPR but tailored to the Indian context, the DPDPA creates comprehensive obligations for organizations that process the personal data of Indian citizens, including obligations that many organizations are simply not aware of yet.
Understanding the DPDPA starts with understanding who it applies to. The Act applies to the processing of digital personal data within India, and also to the processing of personal data outside India if it is in connection with any activity related to offering goods or services to Data Principals in India. This extraterritorial scope means that foreign companies with Indian customers are also covered.
The Act introduces several key concepts that organizations need to internalize. The Data Principal is the individual whose data is being processed. The Data Fiduciary is the organization that determines the purpose and means of processing (what the GDPR would call the Data Controller). A Significant Data Fiduciary (SDF) is a category of Data Fiduciary that the government can designate based on the volume and sensitivity of data processed, and SDFs face additional obligations including mandatory appointment of a Data Protection Officer and annual data protection impact assessments.
Consent is a central pillar of the DPDPA. Data Fiduciaries must obtain free, specific, informed, unconditional, and unambiguous consent before processing personal data, except in the specific legitimate use cases defined in the Act. Existing consent mechanisms such as buried checkbox agreements, bundled consent, and pre-ticked boxes will not meet the DPDPA standard.
Data retention is another critical obligation. Organizations may only retain personal data for as long as necessary for the specified purpose. After that purpose is served, the data must be erased. For many organizations, this requires a fundamental rethinking of data lifecycle management practices.
Penalties under the DPDPA are significant: up to ₹250 crore for a data breach resulting from failure to implement reasonable security safeguards, and up to ₹200 crore for failure to notify a data breach to the Data Protection Board within the prescribed timelines.
MSInfo Services has developed a proprietary DPDPA compliance product specifically designed to help organizations systematically assess their current data practices, identify gaps against the Act's requirements, and implement the controls and processes needed for compliance.
March 15, 2025