What is DPDP Act, 2023?

The Digital Personal Data Protection (DPDP) Act, 2023 is India’s comprehensive data privacy law. It establishes a legal framework for how organizations and government bodies collect, process, store, and share individuals’ personal digital data. The law balances citizens’ rights to privacy with the need for lawful data processing.

Key Terminologies

  • Data Principal: The individual to whom the personal data belongs (the citizen/consumer).
  • Data Fiduciary: The entity (companies, organizations, or government) that determines the purpose and means of processing the data.

Rights of the Data Principal

  • Right to Access: Individuals can ask to access their personal data and know how it is being processed.
  • Right to Correction/Erasure: Users can request corrections to their data, or have it deleted when it is no longer needed.
  • Right to Grievance Redressal: Individuals have the right to file complaints or nominate a representative to act on their behalf if they feel their rights are violated.
  • Right to Nominate: Users can nominate someone to manage their data rights in the event of death or incapacity.

Core Obligations for Data Fiduciaries

  • Clear Consent: Fiduciaries must provide a clear, itemized notice of what data they are collecting and why, and obtain clear consent from the Data Principal.
  • Data Security: Organizations are legally required to implement reasonable security safeguards to prevent data breaches.
  • Breach Notifications: If a data breach occurs, fiduciaries must notify both the Data Protection Board of India and the affected Data Principals.
  • Child Protection: Organizations must obtain parental or guardian consent before processing the personal data of anyone under the age of 18.

Penalties

Non-compliance can result in substantial financial penalties. Depending on the nature of the violation, fines can range from ₹10,000 up to ₹250 crore for significant breaches.

Applicability of DPDP act, 2023 in India

Is your organization ready for India’s DPDP Act? MeitY’s 18-Month Phased Implementation Roadmap is officially in motion. Waiting until the final deadline is a high-risk strategy that could expose your business to penalties up to ₹250 Crores.
Here are the key milestones your leadership team must track:
1. Nov 13, 2025 (Initial Rollout): The Data Protection Board of India (DPBI) is operative, and inquiry frameworks are set.
2. Nov 13, 2026 (Phase II): Registration opens and the Consent Manager Framework goes live.
3. May 13, 2027 (Mandatory Compliance): Full enforcement of Data Principal rights, strict children’s data protocols, and heavy non-compliance penalties.
Data privacy is no longer optional—it’s a business necessity.
Let’s operationalize your privacy posture before the clock runs out.
#DPDPAct #DataPrivacy #Compliance #RiskManagement #DPDPConsultants

About Us

Established in 2002, Saurabh Shrivastava and Associates LLP. has grown into a progressive Chartered Accountancy firm known for its unwavering commitment to excellence, integrity, and long-standing client relationships. Over the years, the firm has seamlessly evolved from a conventional practice into a modern advisory partner, aligned with the changing dynamics of the business environment.