2026-04-19 00:00 India

Data Protection & Privacy in India

India's data protection framework has entered a new era. The Digital Personal Data Protection Act, 2023 (DPDP Act) establishes enforceable rights for data principals and binding obligations for data fiduciaries - terms that replace the familiar 'data subject' and 'data controller' vocabulary used in European law. Businesses operating in India, or processing data of Indian residents from abroad, must now build compliance programmes that satisfy a regulator with significant penalty powers. This article maps the legal architecture, identifies the highest-risk obligations, and offers a practical roadmap for international businesses navigating India's privacy landscape.

The legal architecture: DPDP Act and its regulatory ecosystem

The DPDP Act received presidential assent in August 2023 and represents India's first standalone, comprehensive data protection statute. It supersedes the earlier Information Technology (Amendment) Act, 2008 provisions on data protection and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) in areas where the new law applies. The SPDI Rules remain partially operative for categories not yet covered by DPDP Act rules, creating a transitional dual-layer compliance obligation that many international businesses underestimate.

The Act establishes the Data Protection Board of India (DPBI) as the primary enforcement authority. The DPBI is empowered to receive complaints, conduct inquiries, impose financial penalties and direct remediation. It operates as a digital-first body: complaints are filed electronically, hearings may be conducted online, and orders are served through the digital infrastructure prescribed by the central government. This design reduces procedural friction but also means that enforcement can move faster than in traditional regulatory models.

The DPDP Act applies to processing of digital personal data within India, and to processing outside India where the purpose is to offer goods or services to data principals located in India. This extraterritorial reach mirrors the logic of the EU General Data Protection Regulation (GDPR) and means that a Singapore-based e-commerce platform serving Indian consumers is a data fiduciary subject to Indian law, regardless of where its servers sit.

Rules under the Act - the Digital Personal Data Protection Rules - are expected to operationalise key provisions including consent manager frameworks, cross-border transfer restrictions and the obligations of Significant Data Fiduciaries (SDFs). Until the Rules are notified in final form, businesses must work from the Act's text and the draft Rules published for public comment, while monitoring the government's implementation timeline.

Consent as the primary lawful basis: requirements and practical limits

Under the DPDP Act, consent is the foundational lawful basis for processing personal data. Section 6 of the Act requires that consent be free, specific, informed, unconditional and unambiguous. Consent must be obtained through a notice that is clear and plain, presented before or at the time of collection, and available in multiple languages if the data principal requests it. A consent request bundled with terms of service, or pre-ticked by default, does not satisfy the statutory standard.

The Act also recognises 'legitimate uses' - a closed list of processing activities that do not require consent. These include processing for the performance of a contract to which the data principal is a party, compliance with a legal obligation, medical emergencies, employment-related processing, and processing by the state for subsidies or services. This list is narrower than the six lawful bases available under the GDPR, which means businesses accustomed to relying on 'legitimate interests' as a catch-all basis will need to restructure their legal grounds for processing in India.

A common mistake made by international clients is to assume that a GDPR-compliant consent mechanism automatically satisfies the DPDP Act. The two frameworks differ in important ways. The DPDP Act does not require a lawful basis assessment to be documented in the same way as GDPR Article 6 requires. However, it imposes a strict notice-before-collection rule and requires that the notice be linked to a specific, identifiable purpose. Processing for a purpose not stated in the original notice requires fresh consent.

In practice, businesses should plan now for the consent manager framework, which - once the Rules are finalised - will introduce a new intermediary layer. Consent managers will be registered entities through which data principals can give, manage, review and withdraw consent across multiple fiduciaries. Businesses that collect consent directly today may need to integrate with consent manager infrastructure once the Rules take effect, adding a technical and contractual compliance dimension.

The right to withdraw consent is guaranteed under Section 6(4) of the Act. Withdrawal must be as easy as giving consent, and the data fiduciary must cease processing within a reasonable period after withdrawal. A non-obvious risk is that withdrawal of consent triggers a downstream obligation to delete data and to notify data processors who received the data, unless retention is required by law.

To receive a checklist on consent compliance and notice requirements for India, send a request to info@vlo.com.

Obligations of data fiduciaries: security, retention and children's data

The DPDP Act places a set of affirmative obligations on data fiduciaries that go beyond consent management. Section 8 requires every data fiduciary to implement reasonable security safeguards to prevent personal data breaches. The Act does not prescribe a specific technical standard, but the SPDI Rules' requirement of ISO/IEC 27001 certification or equivalent remains a relevant benchmark during the transitional period. Businesses should treat this as a floor, not a ceiling.

Data retention is addressed in Section 8(7): personal data must be erased once the purpose for which it was collected is no longer served, and once the data principal has not approached the fiduciary for the specified period. The Act does not set a universal retention period - this is left to the Rules and sector-specific regulations. In practice, this means a data fiduciary must maintain a documented retention schedule aligned with each processing purpose, a requirement that many mid-sized businesses operating in India have not yet implemented.

The obligations relating to children's data are among the most demanding in the Act. Section 9 prohibits processing of personal data of children - defined as persons under 18 years of age - without verifiable parental consent. It also prohibits tracking, behavioural monitoring or targeted advertising directed at children. The verifiable consent requirement creates a significant technical challenge: the Act does not specify the verification mechanism, and until the Rules clarify this, businesses must design their own age-verification and parental consent workflows. A common mistake is to rely on a self-declaration checkbox, which is unlikely to satisfy 'verifiable' consent once the DPBI begins enforcement.

Significant Data Fiduciaries face additional obligations. The central government will designate entities as SDFs based on the volume and sensitivity of data processed, the risk to data principals, national security considerations and other factors. SDFs must appoint a Data Protection Officer (DPO) based in India, conduct periodic Data Protection Impact Assessments (DPIAs), and submit to audits by an independent data auditor. The DPO must be a senior management official accountable to the board, not an external consultant. Many businesses underappreciate that the DPO's accountability to the board - rather than to a compliance team - creates a governance structure that requires board-level engagement with data protection strategy.

Cross-border data transfers: the restricted and permitted flows framework

Cross-border transfer of personal data is one of the most commercially significant aspects of the DPDP Act for international businesses. Section 16 of the Act empowers the central government to restrict transfers of personal data to certain countries or territories by notification. Conversely, transfers to countries not on the restricted list are permitted. This is a 'blacklist' model, in contrast to the GDPR's 'whitelist' (adequacy decision) model.

Until the restricted-country list is published, the default position is that cross-border transfers are permitted. This creates a window of operational flexibility that businesses should use to map their data flows and prepare contractual and technical safeguards. Once the restricted list is notified, transfers to listed jurisdictions will require either a government exemption or cessation of the transfer.

The Act does not currently mandate Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) as transfer mechanisms, unlike the GDPR. However, the Rules may introduce contractual requirements for transfers to permitted jurisdictions. Businesses that already have GDPR-compliant transfer mechanisms in place should not assume these satisfy Indian requirements - the legal basis and documentation requirements differ, and Indian law may impose additional localisation or mirroring obligations for specific sectors such as financial services, health data and government-related processing.

A practical scenario: a European multinational with an Indian subsidiary processes employee personal data on servers in Germany. Under the DPDP Act, this is a cross-border transfer subject to Section 16. If Germany is not on the restricted list, the transfer is currently permitted. However, if the subsidiary is designated an SDF, additional obligations - including DPIA and audit requirements - apply to the processing, regardless of where the data is stored. The multinational must therefore maintain a dual compliance posture: GDPR compliance for the German processing and DPDP Act compliance for the Indian-origin data.

Data localisation requirements exist outside the DPDP Act framework for specific sectors. The Reserve Bank of India (RBI) mandates that payment system data be stored exclusively in India. The Insurance Regulatory and Development Authority of India (IRDAI) and the Securities and Exchange Board of India (SEBI) have issued sector-specific data storage directions. These sectoral requirements operate independently of the DPDP Act and must be assessed separately.

To receive a checklist on cross-border data transfer compliance for India, send a request to info@vlo.com.

Data breach notification and enforcement: timelines, penalties and DPBI procedure

The DPDP Act introduces a mandatory breach notification obligation. Section 8(6) requires every data fiduciary to notify the DPBI and affected data principals of a personal data breach 'in such manner and within such period as may be prescribed.' The Rules will set the specific notification timeline. Draft Rules have indicated a 72-hour notification window to the DPBI, mirroring GDPR Article 33, but this has not yet been finalised. Businesses should design their incident response procedures around a 72-hour internal escalation timeline to ensure readiness.

Notification to data principals must be in plain language and must describe the nature of the breach, the data affected, the likely consequences and the remediation steps taken. A non-obvious risk is that notification to data principals may trigger secondary legal exposure: affected individuals may file complaints with the DPBI, and the DPBI may initiate an inquiry even if the fiduciary has already notified proactively.

The penalty framework under Schedule 1 of the DPDP Act is graduated by violation type. Failure to implement reasonable security safeguards resulting in a data breach attracts a penalty of up to INR 250 crore (approximately USD 30 million). Failure to notify the DPBI of a breach attracts up to INR 200 crore. Non-fulfilment of obligations relating to children's data attracts up to INR 200 crore. Breach of any other provision of the Act attracts up to INR 50 crore per violation. These are per-incident caps, not annual turnover-based penalties as under the GDPR, which means the financial exposure for a single large breach is substantial but bounded.

The DPBI inquiry process begins with a complaint or suo motu action. The Board issues a notice to the data fiduciary, which has an opportunity to respond. The Board may call for documents, conduct hearings and appoint technical experts. The process is designed to be completed within a defined period, though the Rules will specify exact timelines. Appeals from DPBI orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and from there to the High Court on questions of law.

A practical scenario: a fintech startup processes payment data for 2 million Indian users. A misconfigured cloud storage bucket exposes names, phone numbers and partial account details. The startup must notify the DPBI within the prescribed period, notify affected users, and document its remediation steps. If it fails to notify, it faces a penalty of up to INR 200 crore. If the breach is found to result from inadequate security safeguards, the penalty exposure rises to INR 250 crore. The startup's legal costs, reputational damage and regulatory scrutiny will far exceed the cost of a properly resourced compliance programme.

A second scenario: a large e-commerce platform collects data from minors without verifiable parental consent, relying on a self-declaration mechanism. The DPBI receives a complaint from a parent. The platform faces a penalty of up to INR 200 crore and must redesign its onboarding flow. The cost of non-specialist mistakes in this area - building a consent mechanism without legal review - can be orders of magnitude higher than the cost of getting it right initially.

Rights of data principals and the DPO framework

The DPDP Act grants data principals a set of enforceable rights. Section 11 provides the right to access information about personal data processed by a fiduciary. Section 12 provides the right to correction and erasure. Section 13 provides the right to grievance redressal. Section 14 provides the right to nominate another person to exercise rights in the event of death or incapacity. These rights must be exercised through a mechanism established by the data fiduciary, and the fiduciary must respond within the period prescribed by the Rules.

The right to erasure under Section 12 is not absolute. A data fiduciary may retain data where retention is required by law or where the data principal has not withdrawn consent and the purpose has not been fulfilled. This creates a tension between the erasure right and legitimate retention obligations - a tension that must be resolved through a documented retention and deletion policy.

The grievance redressal mechanism is a pre-condition to filing a complaint with the DPBI. A data principal must first approach the data fiduciary's designated grievance officer, and only if the grievance is not resolved satisfactorily may the principal escalate to the DPBI. This two-stage process mirrors the approach used in consumer protection law and is designed to reduce the volume of complaints reaching the regulator. In practice, a poorly designed grievance mechanism - one that is difficult to access or that provides generic responses - will generate DPBI complaints and reputational risk.

For Significant Data Fiduciaries, the DPO is a mandatory appointment. The DPO must be a person based in India, must be a senior management official, and must be the point of contact for the DPBI. The DPO is not personally liable for the fiduciary's violations, but is responsible for ensuring that the fiduciary's compliance programme is operational and that the board receives accurate information about data protection risks. A common mistake by international groups is to appoint a global DPO based outside India and assume this satisfies the Indian requirement. The Act is explicit: the DPO must be India-based.

Non-SDF businesses are not required to appoint a DPO, but must designate a grievance officer. The grievance officer's contact details must be published on the fiduciary's website or app. Many businesses underappreciate that the grievance officer role carries reputational exposure: if the officer's responses are inadequate, the data principal's complaint to the DPBI will reference those responses, and the DPBI may draw adverse inferences.

A third practical scenario: a mid-sized Indian software company processes personal data of its employees and customers. It is not designated an SDF. It must still appoint a grievance officer, publish that officer's contact details, respond to data principal requests within the prescribed period, implement reasonable security safeguards and maintain a retention schedule. The compliance burden for a non-SDF is lighter than for an SDF, but it is not trivial. Businesses that treat the DPDP Act as relevant only to large technology companies are misjudging their exposure.

We can help build a compliance strategy tailored to your business model and data processing activities in India. Contact info@vlo.com for an initial assessment.

FAQ

What is the most significant practical risk for a foreign company processing data of Indian residents?

The most significant risk is the extraterritorial application of the DPDP Act combined with the DPBI's power to impose penalties without the company having a physical presence in India. A foreign company that offers goods or services to Indian residents is a data fiduciary subject to the Act, regardless of where it is incorporated or where its servers are located. If the company has not established a grievance mechanism, does not respond to data principal requests and suffers a breach, it faces penalty exposure and reputational damage in a market it may be actively trying to grow. The practical mitigation is to appoint a local representative or legal counsel in India who can interface with the DPBI and manage compliance obligations on the ground.

How long does a DPBI inquiry typically take, and what are the likely costs?

The DPBI is a newly established body and its procedural timelines will be set by the Rules. Based on the Act's design as a digital-first, time-bound process, inquiries are intended to be resolved more quickly than traditional regulatory proceedings. Legal costs for responding to a DPBI inquiry typically start from the low thousands of USD for straightforward matters and can rise significantly for complex cases involving large data sets or multiple violations. The more important cost consideration is the penalty exposure: up to INR 250 crore for security failures. Investing in compliance before an inquiry is initiated is almost always more cost-effective than managing enforcement after the fact.

Should a business prioritise GDPR compliance or DPDP Act compliance if it operates in both India and the EU?

The two frameworks are complementary but not identical, and a business operating in both jurisdictions must satisfy both independently. GDPR compliance does not automatically satisfy the DPDP Act, and vice versa. The most efficient approach is to build a compliance programme that maps the obligations of both frameworks, identifies where they align and where they diverge, and implements controls that satisfy the stricter requirement in each area. For example, the DPDP Act's children's data rules are stricter than GDPR in some respects, while GDPR's lawful basis documentation requirements are more detailed. A dual-framework compliance programme, designed with legal input from both jurisdictions, avoids duplication of effort and reduces the risk of gaps.

Conclusion

India's DPDP Act creates a comprehensive, enforceable data protection regime with significant implications for domestic and international businesses. The consent framework, breach notification obligations, cross-border transfer rules and children's data requirements each demand specific compliance actions. Businesses that treat the Act as a future concern - waiting for all Rules to be finalised before acting - risk being caught unprepared when enforcement begins. The time to build compliance infrastructure is now, while the regulatory framework is still taking shape and the DPBI is establishing its enforcement priorities.

To receive a checklist on DPDP Act compliance priorities for businesses operating in India, send a request to info@vlo.com.

Our law firm Vetrov & Partners has experience supporting clients in India on data protection and privacy matters. We can assist with compliance programme design, data breach response, DPBI inquiry management, cross-border transfer structuring and DPO advisory. To receive a consultation, contact: info@vlo.com.