27 May 2026 · DPDPA & IT Compliance
India's Digital Personal Data Protection Act, 2023 marks a watershed moment in the country's approach to data governance. For individuals, businesses, and legal practitioners alike, understanding its provisions is no longer optional — it is a fundamental compliance imperative.
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive legislation dedicated to the protection of digital personal data. Enacted by Parliament and receiving Presidential assent on 11 August 2023, the Act establishes a framework governing how organisations — referred to as "Data Fiduciaries" — collect, store, process, and share the personal data of individuals, termed "Data Principals." The DPDPA applies to the processing of digital personal data within India, as well as to processing outside India if it involves offering goods or services to individuals in India.
The DPDPA introduces several important definitions. "Personal Data" means any data about an individual who is identifiable by or in relation to such data. A "Data Fiduciary" is any person who alone or in conjunction with others determines the purpose and means of processing personal data. A "Data Processor" is any person who processes personal data on behalf of a Data Fiduciary. "Consent" under the Act must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. These definitions form the bedrock of compliance obligations under the legislation.
The DPDPA confers several rights upon individuals whose data is being processed. These include the right to access information about personal data being processed, the right to correction and erasure of inaccurate or incomplete data, the right to grievance redressal, and the right to nominate another individual to exercise rights on their behalf in the event of death or incapacity. These rights represent a significant shift towards individual empowerment in India's digital economy and must be honoured by all Data Fiduciaries within prescribed timelines.
Organisations processing personal data bear substantial obligations under the DPDPA. They must obtain valid consent before processing, provide clear and accessible privacy notices, implement reasonable security safeguards, notify the Data Protection Board and affected individuals in the event of a data breach, and ensure that personal data is erased once the purpose for which it was collected is fulfilled. Significant Data Fiduciaries — those processing large volumes of sensitive data — face additional obligations including data protection impact assessments and the appointment of a Data Protection Officer.
The DPDPA prescribes substantial financial penalties for violations. A failure to implement adequate security safeguards resulting in a data breach may attract a penalty of up to ₹250 crore. Failure to notify the Data Protection Board of a breach may result in a penalty of up to ₹200 crore. Non-fulfilment of obligations relating to children's data may attract penalties of up to ₹200 crore. The Act also establishes the Data Protection Board of India as the adjudicatory authority for complaints and enforcement. These penalties underscore the importance of proactive compliance for all organisations operating in India's digital space.
Compliance with the DPDPA is not merely a legal obligation — it is an opportunity to build trust with clients, partners, and stakeholders. If your organisation requires guidance on DPDPA compliance, data protection policies, or responding to a data breach, our advocates are here to assist.
Advocacy A Law Firm · DPDPA & IT Compliance