Digital Personal Data Protection Act

Summary

A concise overview of the Digital Personal Data Protection Act, explaining applicability, key rights and duties, compliance needs, penalties and the path toward full enforcement.

Regulator: Ministry of Electronics and IT (MeitY)

Focus area: Privacy & Personal Data Governance

Status: Assented August 2023 · Enforcement January 2024

Enforcement Risk: High · Penalties up to INR 250 crores

Frequently Asked Questions

A: The DPDP Act 2023 became law in August 2023, but is not enforceable until the Central Government issues a commencement notification. The government is phasing in the law – key provisions will likely be notified by late 2025 after finalizing the Rules. Once notified, larger companies may be expected to comply immediately, whereas smaller startups might get a short additional grace period. In any case, compliance is expected soon, so companies should act now. (As of mid-2025, the Act remained dormant pending rules, but this status will change once regulations are finalized.)

A: It applies to all organizations (public or private) that process digital personal data, regardless of size. There is no blanket exemption for SMEs or startups. However, the government can grant exemptions or extend timelines for specific categories. In fact, officials have indicated that “entities like Startups, MSMEs & hospitals will get more time to comply” with some DPDP provisions. Such relief might include temporary exemption from specific obligations (like appointing a Data Protection Officer or conducting audits) or extra time to implement compliance measures. Any such concessions will be formally notified. Until then, even startups should prepare to comply with core requirements (such as consent, security, and user rights), albeit with the expectation of a practical enforcement approach that scales with an entity’s size and data risk.

A: Consent is the primary basis for lawful processing of personal data under DPDP. Organizations must obtain a person’s consent before collecting or using their personal data, unless a specific “Legitimate Use” exception in the Act applies. Consent has to be free, specific, informed, unconditional, and given through a clear affirmative action. In practice, this means consent requests should be in plain language (available in English or any scheduled Indian language) and clearly explain what data will be used and for what purpose. Importantly, consent can be withdrawn at any time, and the process to withdraw must be as easy as giving consent. Upon withdrawal, the data must be deleted unless retention is required by law.

To streamline consent handling, the Act provides for Consent Managers – specialized services that individuals can use to give, track, and revoke consent across multiple platforms. These Consent Managers will be registered with the Data Protection Board and must provide an interoperable platform for users to manage their consents centrally. In essence, organizations should implement consent management mechanisms that allow users to easily opt in, view what they have consented to, and opt out. Many may integrate with or become Consent Manager platforms once the government publishes regulations for their registration and technical standards. In preparation, MeitY has even released a technical framework (BRD) describing how a consent management system should function (e.g., dashboards for users, secure logs of consent, standardized APIs for consent withdrawal). Enterprises should review their consent collection forms and workflows now to ensure they meet the DPDP Act’s high standards for clarity and user control.

A: Yes. Unlike previous drafts, the DPDP Act 2023 imposes no blanket data localization requirement. Personal data can be transferred outside India by default, except if the Central Government designates certain countries or destinations as restricted. In other words, the Act adopts a “blacklist” approach: data flows to all foreign jurisdictions are permitted unless specifically disallowed. As of now, the government has not published any list of banned countries, so companies can continue to use global data storage or processing services. That said, organizations remain responsible for protecting the data even when it’s transferred abroad, and they must comply with any future government rules on cross-border transfer (for example, the government could introduce contractual or adequacy requirements via rules). It’s also worth noting that sectoral regulators in India (like RBI for banking data or IRDAI for insurance) have their own data localization norms that remain in force. The DPDP Act explicitly does not override stricter sectoral rules. In summary, cross-border transfers are permitted under the DPDP Act, provided that the Act’s overall obligations and any future specific restrictions are met; companies should monitor MeitY notifications on this topic.

A: The Act grants Data Principals a set of rights to give them more control over their personal data. Key rights include: Right to Information (to know what personal data of theirs is being collected and how it’s being used), Right to Access (to get a summary of their data held by a fiduciary), Right to Correction and Erasure (to correct inaccurate data or request deletion of data that is no longer needed), and Right to Grievance Redressal (to seek resolution of complaints about data handling). Individuals can also withdraw their consent at any time, as noted above, and the Act gives them the right to nominate a representative to exercise their rights in the event of death or incapacity. For minors, parents/guardians act as their data principals and have similar rights on the child’s behalf.

From a compliance perspective, organizations must be ready to fulfill these rights. This involves establishing procedures for providing privacy notices that cover all required information, verifying and responding to user requests (e.g., updating or deleting data) within prescribed timelines, and setting up a grievance mechanism (such as a helpdesk or portal) to handle complaints. Under DPDP, if an individual requests correction or erasure and it’s valid, the Data Fiduciary must comply and also notify any third parties with whom the data was shared (draft rules are expected to clarify process details). Companies should also maintain verification and record-keeping for requests to ensure they are genuine and to log compliance. Essentially, user rights under the DPDP Act are similar to those under GDPR, minus data portability, and companies need to treat them seriously by building the required workflows (access reports, rectification forms, deletion confirmation, etc.). Failing to honor data principal rights can attract penalties up to ₹50 crore per instance, so automation and clear policies here are critical.

A: The Act obligates Data Fiduciaries to notify the Data Protection Board of India and affected data principals in the event of a “personal data breach” (i.e., unauthorized access or disclosure of personal data). While the Act itself does not specify a timeframe, the draft DPDP Rules 2025 propose a strict timeline (likely within 72 hours) for reporting breaches once detected, which is akin to global standards (hoganlovells.com). In practice, this means organizations must implement a robust incident response plan: as soon as a data breach is identified, an assessment should be done, and a report containing details of the breach, its impact, and mitigation steps should be prepared for the DPB. Additionally, impacted individuals may need to be informed with recommendations on what they can do (e.g. reset passwords, watch for scams).

The DPDP Act also emphasizes the importance of reasonable security safeguards to prevent breaches in the first place. Compliance entails not only reactive measures but also proactive ones, such as encryption, access controls, and regular security audits. If a company fails to protect personal data or fails to notify of a breach, the penalties are severe: up to ₹250 crore for failing to implement reasonable security measures to prevent a breach, and up to ₹200 crore for failing to notify a breach properly. Enterprises should invest in security infrastructure and also formulate a clear breach reporting protocol. In summary, if a breach happens: contain it, inform the authorities and users quickly, and take steps to prevent future incidents. Documentation of all these actions will be essential to demonstrate compliance to the DPB during any investigation.

A: The DPDP Act introduces steep financial penalties to enforce compliance. The Data Protection Board (DPB) can impose fines ranging from ₹50 crore up to ₹250 crore per violation, depending on the provision breached. The highest penalties (up to ₹250 Cr) are reserved for critical failures like not implementing security safeguards (leading to a personal data breach). Penalties up to ₹200 Cr apply to serious violations such as failing to notify the DPB and users about a data breach, or mishandling children’s personal data. For “routine” violations of obligations (e.g., not obtaining valid consent, ignoring data principal rights, processing data for unauthorized purposes), fines up to ₹50 crore per incident can be levied. Importantly, these fines are “per instance”, so a recurring or large-scale lapse can multiply liability.

The Act empowers the DPB to determine the exact penalty within the allowed range by evaluating factors such as the nature and gravity of the breach, whether it was repetitive, whether the company gained financially, and the mitigation steps taken. There is no fixed minimum fine of ₹50 crore; rather, ₹50 crore is the maximum for certain categories of violations, and the DPB could impose a lower amount after considering the circumstances. On the other end, ₹250 Cr is the absolute cap per violation in the law. There is also a provision to discourage misuse by individuals: a Data Principal who files frivolous complaints or knowingly provides false information can be fined up to ₹10,000. Enforcement is expected to be digital and swift: organizations will likely be given an opportunity to be heard, but there is no long grace period once the law is in effect. In short, non-compliance can be extremely costly, so investing in a compliance program is far cheaper than facing even a single penalty order.

A: Maybe – it depends on the scale of your data processing. The Act introduces the concept of Significant Data Fiduciaries (SDF), which are companies that handle large volumes of personal data or carry a high risk (criteria to be defined in the Rules, likely based on the number of users or the nature of sensitive activities). If your organization is designated as an SDF by the government, then yes, you will have extra obligations: you must appoint a Data Protection Officer (DPO) to oversee compliance, conduct periodic data protection impact assessments (DPIAs) for high-risk processing, undergo independent data audits, and possibly register with the DPB. The DPO would have to be a senior official (or independent person) acting as a point of contact for the Board and data principals. These additional requirements aim to ensure stronger accountability for bigger players, similar to how GDPR treats large data controllers.

If you are not an SDF, the law does not mandate a formal DPO or audits, but you still need to implement appropriate internal controls and appoint a grievance officer. Many organizations may voluntarily assign a privacy officer or conduct self-assessments as best practice. Clear thresholds in the upcoming Rules are awaited to know who exactly falls into the “Significant” category. In the meantime, a good rule of thumb is: if you’re a sizable company or processing very sensitive personal data, prepare to meet these higher compliance standards. Regulators have indicated that they will consider factors such as the volume of data processed, turnover, and risk profile when classifying SDFs. Therefore, while small companies may avoid these specific obligations, large enterprises should be prepared to incorporate DPIAs, appoint a capable DPO, and engage certified auditors once the regime takes effect.
