DPDP Series 1.2: Roles under DPDP Act

Who Am I? Know Your Role Under the DPDP Act


Q: What is a Data Principal?

You are a Data Principal if you are the individual whose personal data is being collected. Every time you fill a form, sign up for an app, or share your details with a business or government portal — you are the Data Principal. You have the right to access, correct, or erase your data, and to withdraw consent at any time.


Q: What is a Data Fiduciary?

You are a Data Fiduciary if your organisation decides why and how personal data is collected and used. Banks, hospitals, e-commerce platforms, employers, and government bodies are all Data Fiduciaries. You must obtain consent, give prior notice, secure the data, report breaches, and delete data once the purpose is served.


Q: What is a Data Processor?

You are a Data Processor if you handle personal data on behalf of a Data Fiduciary — under a contract, not on your own initiative. Cloud providers, payroll vendors, and IT service companies typically fall here. You follow instructions; the Fiduciary remains legally accountable.


Q: What is a Significant Data Fiduciary?

You are a Significant Data Fiduciary (SDF) if the Central Government notifies you as one — based on the volume or sensitivity of data you process, risk to individuals’ rights, or implications for national security. As an SDF, you must additionally appoint a Data Protection Officer (based in India), conduct annual Data Protection Impact Assessments, and undergo independent data audits.


Q: Can I be more than one?

Yes. A company can be both a Data Fiduciary (for its customers’ data) and a Data Processor (for data it handles on behalf of another business). Roles depend on context, not just who you are.


Q: What if I’m just an individual using data for personal purposes?

The Act does not apply to data processed purely for personal or domestic use. If you’re not collecting data as part of a business or service, you fall outside the Act’s scope.


Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.

DPDP Series – 1.1 DPDP Act – Basics

What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) is India’s landmark law governing how digital personal data is collected, stored, and used. Enacted on 11 August 2023, it strikes a balance between two equally important goals: protecting every individual’s right to privacy and enabling organisations to process data for legitimate purposes.

At its core, the Act sets clear rules — if you collect someone’s data, you must have their consent, use it only for the stated purpose, keep it secure, and delete it when you no longer need it. Any breach of these rules can attract penalties of up to ₹250 crore.

The Act is India’s answer to a digital economy where personal data — names, phone numbers, health records, financial information — flows constantly between individuals, businesses, and government systems.


Who’s Involved?

The Act defines five key players in every data transaction:

Data Principal — The individual whose personal data is being collected. They are the owner of their data, with full rights to access it, correct it, and demand its deletion. For minors (under 18), their parents or guardians act on their behalf.

Data Fiduciary — Any organisation or person that decides why and how personal data is processed. Think banks, hospitals, e-commerce platforms, HR departments, or any app that collects your information. They carry the heaviest compliance responsibilities.

Data Processor — An entity that processes data on behalf of a Data Fiduciary under a contract. For example, a cloud service provider or a payroll processing company. They act on instructions — the Fiduciary remains accountable.

Consent Manager — A registered intermediary that lets individuals manage all their consents in one place — giving, reviewing, and withdrawing consent across multiple platforms through a single interoperable interface.

Significant Data Fiduciary (SDF) — A Data Fiduciary flagged by the Central Government as high-risk due to the volume or sensitivity of data they handle. They face additional obligations: appointing a Data Protection Officer (DPO) based in India, conducting annual Data Protection Impact Assessments (DPIAs), and undergoing independent audits.

The Data Protection Board of India — The regulatory authority that investigates complaints, adjudicates breaches, and imposes penalties. Appeals against its decisions go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).


Is it Applicable to Me?

If you are an individual — Yes, as a Data Principal. Every time you share your name, phone number, email, or any other personal information with an app, a website, a hospital, or a government portal, the DPDP Act protects you. You have the right to know what data is collected, ask for corrections, demand erasure, and withdraw your consent. You also have duties — you must not submit false information or file frivolous complaints.

If you are a business or organisation — Yes, as a Data Fiduciary, if you collect or process digital personal data of individuals in India. This applies whether you are a startup, an enterprise, an NGO, or a government body. The Act applies to you even if you are based outside India, as long as you offer goods or services to people in India.

If you are a vendor or service provider — Yes, as a Data Processor, if you handle personal data on behalf of a client organisation. You must operate under a valid contract and implement appropriate security safeguards.

The Act does not apply to data processed purely for personal or domestic use, or to data that has already been made publicly available by the individual themselves.

In short — if your work or daily life involves digital personal data in any way, the DPDP Act is relevant to you.
