Technology Law · 6 min read

DPDP Act 2023: Compliance Requirements for Businesses

Understanding the Digital Personal Data Protection Act 2023 and what Indian businesses need to do to comply.

The Digital Personal Data Protection Act 2023 (DPDP Act) represents India's first comprehensive data protection legislation. Now in full force, it establishes a framework for processing personal data that balances individual privacy rights with legitimate business needs.

Who Does This Apply To?

The DPDP Act applies to every entity that processes digital personal data within India, and to entities outside India that process data of individuals in India in connection with offering goods or services. This means virtually every business with an online presence serving Indian customers falls within scope.

Key Obligations

For Data Fiduciaries (Controllers)

  1. Lawful Basis: Personal data can only be processed based on consent or certain "legitimate uses" specified in the Act.
  2. Purpose Limitation: Data must be collected for a specific, stated purpose and cannot be repurposed without fresh consent.
  3. Data Minimisation: Only data that is necessary for the stated purpose should be collected.
  4. Accuracy: Reasonable efforts must be made to ensure data accuracy, particularly when decisions affecting the individual are based on such data.
  5. Storage Limitation: Personal data must be erased when it is no longer needed for the purpose for which it was collected, unless retention is required by law.
  6. Security Safeguards: Reasonable security measures must be implemented to prevent data breaches.

Consent Requirements

Consent must be free, specific, informed, unconditional, and unambiguous. It must be given through a clear affirmative action. Importantly, consent can be withdrawn at any time, and the process for withdrawal must be as easy as the process for giving consent.

Data Breach Notification

In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board of India and affected individuals. The notification must be made without undue delay.

Penalties

The Act prescribes significant penalties for non-compliance:

  • Up to INR 250 crore for failure to take reasonable security safeguards resulting in a data breach
  • Up to INR 200 crore for failure to notify the Board and affected individuals of a breach
  • Up to INR 150 crore for non-compliance with obligations regarding children's data

What Businesses Should Do Now

  1. Audit your data: Map what personal data you collect, where it's stored, how it's processed, and who has access.
  2. Update privacy policies: Ensure your privacy notices meet the Act's requirements for clarity and specificity.
  3. Implement consent mechanisms: Build or update consent collection workflows that meet the "free, specific, informed" standard.
  4. Establish breach protocols: Have a documented incident response plan that includes notification procedures.
  5. Appoint a DPO: Consider appointing a Data Protection Officer if you process data at significant scale.

For specific compliance guidance tailored to your business, schedule a consultation with our Technology & AI Law practice.
