Digital Personal Data Protection Act 2023: Responsible Data Management and Compliance

Rahul

In our rapidly digitalizing world, personal data is both the greatest asset and the greatest liability for users. Liabilities range from emotional to financial losses. On the other hand, organizations are heavily relying on user data to drive innovation and personalization.

This has led to the need for a clear, robust, and enforceable data protection framework, which has taken shape as the Digital Personal Data Protection (DPDP) Act for Indian citizens.

So, before we move ahead, let’s understand who the law is meant for. The law itself states it aptly: “The DPDPA 2023 establishes a legal framework for the collection, storage, processing, and transfer of personal data in India. It aims to protect individual privacy while promoting data-driven governance and economic growth. The law applies to both Indian and foreign entities that process personal data related to individuals in India.”

There are a few key principles from the law that individuals and organizations need to be aware of:

1. Informed Consent: Organizations must obtain clear and specific consent from users before collecting or processing their data.

2. Purpose Limitation: Data should only be used for the purpose stated at the time of collection.

3. Data Minimization: Collect only the data necessary for the intended purpose.

4. Storage Limitation: Retain data only as long as necessary, and delete it when it is no longer required.

5. Security Safeguards: Implement technical and organizational measures such as encryption and access controls to protect data.

6. Accountability: Assign data protection roles and ensure organizational responsibility through audits and impact assessments.

Now, let’s delve into the key actors, roles and responsibilities outlined in the Act:

1. Data Fiduciaries: Entities processing personal data are known as "Data Fiduciaries" and must adhere to all obligations under the Act.

2. Significant Data Fiduciaries (SDF): Entities handling large volumes of sensitive data may be classified as SDFs, requiring:

  • Appointment of a Data Protection Officer
  • Annual Data Protection Impact Assessment (DPIA)
  • Periodic security audits

3. Data Principals: Individuals (users) whose data is collected/stored/processed.

4. Consent Management: Data Fiduciaries must ensure users can easily grant, manage, or withdraw consent.

5. Rights of Data Principals: Individuals (data principals) have the right to access, correct, and erase their personal data, as well as lodge grievances.

6. Data Breach Reporting: Any breach must be reported promptly to the Data Protection Board, and the affected individuals must also be notified.

7. Cross-Border Transfers: Transfers of personal data outside India are subject to government-specified safeguards.

So when is all this coming into effect? As of May 2025, the DPDP Act 2023 is yet to be notified into force. After the notification, organizations shall have 2 years to comply with the Act.

So as an organization, what steps need to be taken in order to be compliant with DPDP Act 2023?


Data Discovery: Many organisations are not fully aware of where all their customer data is stored. So, the first step will be identifying the various sources of personal data within the organization.

Data Classification: Once the data has been discovered, the next big task is classifying it. Classification can be based on the sensitivity of the data, the need for the data, and various other categories.

Update Data Privacy Policies: Organizations shall be required to update the Data Privacy Policies to make them DPDP Act 2023 compliant.

Regularly train employees on data protection: Regular training to staff shall educate them about the effective and efficient way of using personal data.

Invest in secure IT infrastructure and monitoring tools: Storing personal data along with consent data securely will be of utmost importance. Companies shall need to invest in infrastructure to support this initiative.

Establish a robust grievance redressal mechanism: The DPO (Data Protection Officer) shall have the mandate of addressing grievances.

India’s Digital Personal Data Protection Act, 2023 (DPDP Act 2023) marks a significant step towards responsible data management and legal compliance for Indian citizens’ personal data. If you are looking to start your journey towards DPDP compliance, we would be happy to engage with you.

We will be sharing more information with respect to this Act in the next few posts.

Let’s build something amazing together