With the rapid growth of the digital ecosystem, the need to protect personal data and
privacy has become crucial. Given the regulatory requirements like GDPR and CCPA that
have brought significant changes to data processing in the EU and the US respectively,
it is imperative for India to develop its own privacy regulations.
In August, the Ministry of Electronics and Information Technology (Government of India)
had made the decision to withdraw the Personal Data Protection Act of 2019. This
decision came after considering numerous recommendations received through public
consultation. Introducing it as a revised version of its predecessor, the Indian
Government introduced the Digital Personal Data Protection Act (DPDP) on November 18th,
2022, to oversee the processing of personal data. This new Act is one component of a
comprehensive set of legislations, which includes IT rules, the National Data Governance
Framework Policy, and a proposed Digital India Act.
After six years and four attempts the Digital Personal Data Protection Act was passed as an Act after the President's assent in the Monsoon session of the Parliment.
In this guide, we will explore:
- What the Digital Personal Data Protection Act is
- The key aspects of the Digital Personal Data Protection Act
- Implications of this significant legislation proposed by the Indian government
- How to comply with this proposed Act
Understanding the Digital Personal Data Protection Act
What is the Digital Personal Data Protection Act?
The DPDP Act is a comprehensive legislation aimed at safeguarding the privacy and
protection of individuals' personal data. The DPDP Act seeks to establish a robust
framework for data protection, ensuring accountability, transparency, and consent-based
data handling practices across various sectors.
The DPDP Act defines personal data as any information that can be used to identify an
individual, including their name, address, phone number, email address, and biometric
data. It also defines indirectly identifiable information such as vehicle numbers,
location data, employee codes, etc. The DPDP Act proposes to give certain rights to
users including the right to information about personal data, the right to the
correction and erasure of personal data, the right of grievance redressal, and the right
What these rights mean is that every individual should know what items of their personal
data are being collected and the purpose of collection of such data. In fact, an entity
collecting data will need to give an itemized notice containing a description of
personal data sought to be collected and a purpose for the processing of such personal
data. Also a clear consent of individuals is needed to process personal data except in
certain cases, for example to comply with any legal judgment or in case of medical
Why is a data protection Act needed in India?
With the exponential growth of digital technologies and online services, the collection
and processing of personal data has become more prevalent. A data protection Act is
essential to address concerns related to privacy, data security, and individual rights.
The DPDP Act aims to fill this crucial gap by providing a comprehensive legal framework
for data protection in India.
Apart from this, there is a lack of clarity about the legal rights of individuals in
relation to their personal data. This means that individuals often do not know what
their rights are or how to exercise them. Also, there is a lack of accountability for
organizations that collect and process personal data. This means that there is no one to
hold these organizations accountable if they misuse or abuse personal data. The DPDP
Act would create a new Data Protection Authority (DPA) that would be responsible for
enforcing the law and holding organizations accountable for their actions, thereby
giving individuals more control over their personal data.
Who does the DPDP Act apply to?
The DPDP Act applies to a wide range of entities and individuals involved in the
processing of personal data within India. The DPDP Act covers both government and
private organizations, as well as individuals who act as data fiduciaries or data
The DPDP Act's applicability extends to organizations of varying sizes, including large
corporations, small and medium-sized enterprises (SMEs), startups, and government
agencies. It encompasses various sectors such as healthcare, finance,
telecommunications, e-commerce, social media platforms, and any other entities that deal
with personal data.
Furthermore, the DPDP Act takes into account cross-border data transfers and applies to
entities that transfer personal data outside of India if the transfer involves
individuals in India. It ensures that adequate safeguards are in place when personal
data is shared or processed internationally.
Key features of the Act
- The Act grants individuals greater control over their personal data by providing
them with rights such as the right to information, correction, erasure, objection,
and data portability, as well as the right to be forgotten.
- In order to ensure data sovereignty and strengthen data security measures, the Act
introduces provisions for data localization, which require certain categories of
personal data to be stored and processed within India.
- The Act recognizes certain categories of data as "sensitive personal data" and
mandates higher standards of protection for such information. This includes
financial data, health data, sexual orientation, biometric data, genetic data, and
other categories requiring heightened protection.
- To oversee and enforce data protection regulations, the Act intends to establish an
independent regulatory body called the Data Protection Authority (DPA).
- The Act emphasizes accountability by imposing significant penalties for
non-compliance. It establishes mechanisms for addressing grievances and provides
remedies for individuals affected by data breaches or violations of their data
Before we delve further into the aspects of the DPDP Act, it is imperative to
understand definitions for crucial terms used throughout this guide, ensuring clarity
and consistency in interpretation. Some key definitions include:
The DPDP Act defines personal data as any information used to identify an individual. It
covers a broad range of data, including but not limited to name, address, identification
numbers, and online identifiers.
Sensitive personal data
The DPDP Act recognizes certain categories of data as "sensitive personal data" and
mandates higher standards of protection for such information. This includes data related
to financial, health, sexual orientation, biometric, genetic, and other categories
requiring heightened protection.
The DPDP Act introduces the concept of a "data fiduciary," which refers to entities or
individuals who decide the objective of and ways to process personal data. Data
fiduciaries have specific responsibilities and obligations under the DPDP Act.
The DPDP Act also defines "data processor" as entities or individuals who process
personal data on behalf of data fiduciaries. Data processors have certain obligations
and responsibilities in handling personal data.
Data protection authority
The DPDP Act mandates the establishment of a Data Protection Authority (DPA), to oversee
and enforce data protection regulations. The DPA plays a vital role in monitoring
compliance, resolving disputes, and promoting a culture of data protection.
Rights of individuals
This chapter delineates the personal data rights conferred upon individuals, empowering
them with control over their data and promoting transparency and accountability in data
processing. The fundamental rights encompass:
Right to information
Individuals possess the entitlement to receive comprehensive information about the
collection, processing, and purpose of collecting their personal data. Data fiduciaries
are obligated to furnish clear and concise details concerning the utilization of
Right to correction
Individuals retain the prerogative to request rectification or have their personal data
updated if found inaccurate or incomplete. Data fiduciaries are required to promptly put
into effect the necessary amendments and inform relevant entities with whom the data has
Right to erasure
Individuals have the right to request the deletion or erasure of their personal data
under specific circumstances. Data fiduciaries must comply with such requests, ensuring
that the data is no longer retained or utilized.
Right to object
Individuals possess the right to object to the processing of their personal data in
particular situations. Data fiduciaries are obligated to respect these objections unless
there exist legitimate grounds for data processing that outweigh the individual's
Right to data portability
Individuals enjoy the right to acquire and transfer their personal data from one service
provider to another. This facilitates healthy competition and enables individuals to
switch between services while retaining control over their data.
Right to be forgotten
Individuals possess the right to request the erasure of their personal data under
specific circumstances. Data fiduciaries must undertake necessary measures to ensure the
permanent removal of such data, rendering it no longer visible or accessible.
Responsibilities of data fiduciaries
Data fiduciaries must obtain explicit consent from individuals before collecting and
processing their personal data. The DPDP Act emphasizes the importance of informed
consent, requiring data fiduciaries to provide clear and easily understandable
information regarding the purpose, scope, and duration of data processing.
Keeping data secure
Data fiduciaries are required to implement appropriate security measures to protect
personal data from unauthorized access, disclosure, alteration, or destruction. This
includes adopting robust security practices, conducting regular audits, and implementing
necessary safeguards to mitigate data breaches.
Data fiduciaries must delete personal data once the purpose for which it was collected
has been fulfilled or when the individual withdraws consent, unless there are legal
obligations or legitimate interests to retain it. The DPDP Act provides specific
guidelines for the deletion and anonymization of personal data.
Data fiduciaries are required to ensure secure and lawful transfer of personal data,
especially when it involves cross-border data transfers. Adequate safeguards must be
implemented to protect the data during transit and at the receiving end.
Data fiduciaries must maintain a record of their data processing activities, including
the purpose of processing, the categories of personal data involved, and any third-party
data sharing. Additionally, they are required to conduct data protection impact
assessments to identify and mitigate risks associated with data processing activities.
The Data Protection Authority of India
This chapter focuses on the establishment and powers of the Data Protection Authority of
India (DPAI). The key aspects include:
Composition of the DPAI
The DPAI will be an independent regulatory body comprising members with expertise in data
protection and privacy. The selection process will ensure a diverse and competent
composition, enabling effective decision-making and enforcement.
Powers of the DPAI
The DPAI will have extensive powers to monitor, investigate, and enforce data protection
regulations. It will have the authority to issue orders, conduct inquiries, and impose
penalties for non-compliance with the provisions of the DPDP Act.
Enforcement of the law
The DPAI will play a crucial role in the enforcement of the DPDP Act. It will be
responsible for conducting audits and investigations, as well as taking necessary
actions to ensure compliance with the data protection framework.
Impact and way forward
Impact of the DPDP Act on organizations
India's data protection regime has taken a significant step towards digitization with the
introduction of this Act. According to a report from KPMG, the Act adopts a progressive approach to bolster India's capacity
to attract foreign investments, support the startup ecosystem, and reduce compliance
burdens for organizations of various sizes. However, certain open-ended requirements in
the DPDP Act need to be addressed by the Central Government, as they could play a
pivotal role in shaping the future of data protection.
The Government has chosen a phased approach to address the need for a data protection
regime in India, starting with the release of the initial DPDP Act, which may be
followed by supplementary rules and guidelines. The inclusion of phrases such as "as may
be prescribed" indicates that there is still further scope for development.
Large-scale consumer-centric organizations processing personal data on a significant
scale—including but not limited to technology, telecommunications, healthcare, banking,
financial, and e-commerce sectors—are likely to face more stringent obligations. The
DPDP Act explicitly highlights parameters such as the volume and sensitivity of
personal data, subjecting these organizations to heightened compliance requirements.
Organizations leveraging or focusing on emerging technologies such as virtual reality,
artificial intelligence, Internet of Things (IoT), robotic process automation (RPA), Web
3.0, and the metaverse generate and process substantial amounts of personal data. This
Act encourages innovation and enables such organizations to handle personal data with
adequate safeguards and ethical considerations.
The DPDP Act introduces a revamped approach to cross-border data transfer, facilitating
smoother data flows for multinational corporations (MNCs). By excluding data
localization requirements, the DPDP Act allows small, medium, and large enterprises to
store data across different geographies, resulting in cost reduction and minimizing the
time spent on localized data storage.
The DPDP Act places greater emphasis on and encourages organizations to digitize
personal data. Currently, the cost of collecting and managing offline data in physical
form is significantly higher and unsustainable compared to digital data. Moreover,
consumers tend to favour organizations that handle personal data in digital formats
because it falls under the purview of this Act, ensuring adequate protection. However,
it would be interesting to observe the decisions made by small-scale organizations and
family-run businesses in response to these changes.
Checklist to ensure compliance
The DPDP Act is a proposed law that is expected to be presented in the Indian
Parliment's monsoon session. Here is a checklist of activities that an help your
organization to stay ahead of DPDP Act's compliance requirements.
- Understand the importance and business implications of the DPDP Act.
- Assess your current compliance posture and identify any gaps.
- Appoint a Data Protection Officer (DPO).
- Evaluate you data processing principles and change them if need be.
- Notify the Data Principals on what data is being collected and the purpose of
- Establish processes to Data Principals' redressal requests.
- Immediately report data breaches.
- Deploy a SIEM solution that not only averts data breaches but also helps you
automatically comply with regulatory mandates and avoid hefty fines for
It is important to note that the Digital Personal Data Protection Act of 2023 has been granted approval by the President on August 11, 2023. Hence, there is a possibility of differences between the current version and the final rules and regulations.
About the author
Harshni is a devoted cybersecurity enthusiast, deeply fascinated by the intricacies of
this rapidly evolving field. With a passion for learning and writing about new
regulatory mandates that shape the cybersecurity landscape, Harshni brings fresh
perspectives and valuable insights. When not delving into the world of cybersecurity,
she likes singing, and learning new melodies on the ukulele.
About ManageEngine Log360
ManageEngine Log360, a comprehensive security information and event management (SIEM)
solution, helps enterprises to thwart attacks, monitor security events, and comply with
The solution bundles a log management component for better visibility into network
activity, and an incident management module that helps quickly detect, analyse,
prioritise, and resolve security incidents. Log360 features an innovative ML-driven user and entity behaviour analytics (UEBA) add-on that baselines normal user behaviours and
detects anomalous user activities, as well as a threat intelligence platform that brings
in dynamic threat feeds for security monitoring.
Log360 helps ensure organizations combat and proactively mitigate internal and external
security attacks with effective log management and in-depth AD auditing.