India's Digital Personal Data Protection (DPDP) Act 2023 introduces a comprehensive framework for personal data governance that fundamentally changes how Indian enterprises collect, store, process, and share personal data. With penalties of up to ₹250 crore for serious violations, compliance is not optional — it is a business risk management imperative.
The Act establishes key obligations for data fiduciaries — organisations that determine the purpose and means of personal data processing. Consent is the primary lawful basis for data processing. Consent must be free, specific, informed, unconditional, and unambiguous — a pre-ticked checkbox or a buried paragraph in terms and conditions does not meet the standard. As a result, many Indian digital products and services will have to redesign their consent collection mechanisms.
Data principals — the individuals whose data is processed — have a set of rights: the right to access information about their data being processed, the right to correction and erasure of inaccurate or incomplete data, and the right to grievance redressal. Enterprises must build mechanisms to receive and respond to these requests within specified timeframes.
Data localisation requirements for certain sensitive categories of data are among the most operationally complex aspects of the Act. Enterprises that currently store personal data in hyperscale cloud regions outside India may need to restructure their storage architecture to keep affected data within Indian borders.
The compliance roadmap for most enterprises has four phases: a data discovery exercise to identify all personal data being collected, stored, and processed; a gap analysis against the Act's requirements; remediation — consent mechanism updates, data subject rights workflows, retention policies, cross-border transfer controls; and ongoing governance through a data protection programme with regular audits.
Engaging a qualified Data Protection Officer, whether internal or external, is essential for organisations that process large volumes of personal data. The cost of compliance is orders of magnitude less than the cost of regulatory penalties and reputational damage from a violation.
