Categories: Corporate Law

DPDP Act, 2023: Compliance Guide, Requirements & Penalties

Digital Personal Data Protection (DPDP) Act, 2023: Complete Compliance Guide, Requirements, Penalties & Implementation Framework

The Digital Personal Data Protection (DPDP) Act, 2023, regulates how organizations collect, use, share, store, and delete digital personal data of individuals (Data Principals). It applies to almost every business, startup, NGO, professional firm, e-commerce platform, employer, and service provider processing personal data in digital form.

The Digital Personal Data Protection (DPDP) Act, 2023 requires organizations to collect only necessary personal data, obtain valid consent, secure the data, respect user rights, promptly report breaches, and delete data when no longer needed, while maintaining strong governance and accountability across the organization

Applicability of the Digital Personal Data Protection (DPDP) Act,

The Act applies to personal data collected in digital form, personal data collected offline and later digitized, and processing of personal data within India. And processing outside India if goods or services are offered to individuals in India. The Act applies to

  • Data Fiduciaries: Organizations deciding the purpose and means of processing personal data.
  • The Data Processors: Third parties processing data on behalf of fiduciaries, such as Cloud providers, Outsourced service providers and Technology vendors
  • Significant Data Fiduciaries: Entities notified by the government due to scale or sensitivity of data handled. These may need Data Protection Officer (DPO), periodic audits, and Data Protection Impact Assessments (DPIA).

Exclusions in Digital Personal Data Protection (DPDP) Act,

Digital Personal Data Protection (DPDP) Act, 2023 does not apply to personal or domestic activities, publicly available personal data, certain government functions, and approved research, archiving, and statistical purposes.

Why the DPDP Act Matters

Digital Personal Data Protection (DPDP) Act, 2023 aims to help businesses become compliant with the Digital Personal Data Protection (DPDP) Act, 2023 before enforcement actions begin. Key points mentioned in the proposal:

Item Details
Compliance Window 18 months
Enforcement Date 13 May 2027
Maximum Penalty INR 250 Crore
Coverage Almost all organizations processing digital personal data of Indian individuals

The proposal emphasizes that the Data Protection Board of India has been constituted, and enforcement is expected to begin from 13 May 2027.

What the DPDP Act Requires

Businesses must implement Clear and informed consent mechanisms, Privacy notices, Data minimization practices, Security safeguards, Breach notification systems, Grievance redressal processes, Protection for children’s data and User rights management procedures

Notice Requirement

Before collecting personal data, every data fiduciary must provide a clear privacy notice.

The notice must contain:

  • What data is being collected: Name, Email, Mobile number, Aadhaar details, employment information, financial information, etc.
  • Why it is being collected: Specific purpose must be stated. Examples: Account creation, Employee onboarding, Service delivery, marketing communication, and Payroll processing
  • Rights of Data Principal Information regarding Access rights, Correction rights, Erasure rights, Nomination rights and Complaint mechanism
  • Complaint Process: How users can approach Organization, grievance officer, and Data Protection Board

The notice must be clear, simple language, Itemized and available in English and/or an Eighth Schedule language.

Consent Requirements

Processing is principally based on consent. Consent must be free, specific, informed, unconditional, unambiguous, and Given through clear affirmative action. Following Examples:

✔ Tick-box

✔ App consent button

✔ Digital signature

✘ Pre-ticked boxes

✘ Implied consent

✘ Hidden clauses

Users must be allowed to withdraw consent as easily as they gave it.

Legitimate Uses (No Consent Required)

Personal data may be processed without consent in certain situations:

  • Government Benefits: Subsidies, Licenses, Permits and Approvals
  • Legal Compliance: Court orders, judgments, and Statutory obligations
  • Emergencies: Medical emergencies, Disaster response, Public health emergencies and Epidemics
  • Employment Purposes: Employee attendance, Payroll, Benefits administration, and Prevention of loss or liability to employer
  • Voluntarily Provided Data: Where the individual voluntarily shares the data for a specific purpose.

Data Minimization Principle

Collect only data that is necessary. Example: For a newsletter, email is necessary. ✅

  • Aadhaar number is unnecessary. ❌

For recruitment: Resume ✅ and PAN/Aadhaar only when justified ✅

Organizations should avoid excessive collection of personal information.

Purpose Limitation

Data must only be used for the purpose communicated at the time of collection. Example:

If email is collected for Service updates ✅

Then using it later for: Marketing campaigns ❌ (unless consent exists)

Security Safeguards

Organizations must implement “reasonable security safeguards.” The rules specifically mention the following:

  • Technical Controls: Encryption, Data masking, Obfuscation, Access controls, User authentication, activity monitoring, and Log management
  • Operational Controls: Incident response process, Backup systems, disaster recovery, and Business continuity planning
  • Monitoring: Security reviews, continuous monitoring, retention of logs for at least one year, and failure may attract a penalty of up to INR 250 crore.

Personal Data Breach Reporting

When a breach occurs:

  • Immediately Notify: Affected individuals and Data Protection Board
  • Within 72 Hours: Submit a detailed report to the Board covering the nature of breach, Cause of breach, Data affected, mitigation actions, and Corrective measures

Failure can attract a penalty of up to INR 200 crore.

Data Principal Rights

Individuals receive the following rights.

  • Right to Access: Can ask, “What data is held?” , Why is it being processed?, With whom is it shared?
  • The Right to Correction: Can request correction of Name, Address, contact details, and Other inaccurate information
  • Right to Erasure: Can request deletion where retention is no longer required.
  • The Right to Grievance Redressal: Can complain about misuse or denial of rights.
  • Right to Nominate: Can nominate another person to exercise rights upon death or incapacity.

Grievance Redressal Mechanism

Every data fiduciary must publish grievance contact details, create a complaint-handling process, provide online channels, and resolve grievances within 90 days.

Children’s Data Requirements

A child means a person below 18 years old. Before processing a child’s data:

  • Mandatory: Obtain verifiable parental consent, verify age of child, and verify identity of parent/guardian.
  • Prohibited: Behavioural monitoring, Tracking, profiling, and Targeted advertising directed at children

Penalties may reach INR 200 crore.

Persons with Disabilities

  • Where a lawful guardian exists: The organization must verify guardian identity, verify guardianship appointment, and obtain verifiable consent from the guardian.

Data Retention & Deletion

  • Organizations should not keep personal data forever. The following are requirements like defining a retention period, erasing data once the purpose is fulfilled, and retaining transaction logs for at least one year. And inform individuals 48 hours before deletion where applicable.
  • Certain large e-commerce entities, social media platforms, and online gaming platforms must delete data after specified retention periods.

Cross-Border Data Transfer

The Digital Personal Data Protection (DPDP) Act, 2023, permits the transfer of personal data outside India. However, one must comply with restrictions notified by the central government and destination countries, and conditions may be prescribed in the future.

Significant Data Fiduciaries

The government may classify certain organizations as SDFs based on volume of data, sensitivity of data, risk to individuals, and impact on sovereignty and public interest. Additional obligations include:

  • Annual DPIA: Data Protection Impact Assessment
  • Required Annual Audit: Independent compliance audit
  • Risk Assessments: Review algorithmic and automated processing systems
  • Reporting to the Board: Submit important observations and findings.

Major Penalties—Penalties Highlighted

Violation Maximum Penalty
Security safeguards failure—Failure to implement security safeguards INR 250 Crore
Data breach notification failure- Failure to report breaches or violations involving children INR 200 Crore
Children’s data violation INR 200 Crore
SDF obligations violation INR 150 Crore
Other Act violations Up to INR 50 Crore
Data Principal duty violation INR 10,000

 The proposal also stresses reputational damage and business disruption risks beyond monetary penalties.

Digital Personal Data Protection Act  2023: Practical Compliance Checklist for Businesses

A business should immediately do the following:

  • Conduct Data Mapping.
  • Prepare Record of Processing Activities (RoPA).
  • Update Privacy Policy.
  • Implement Consent Management.
  • Update Website/App Notices.
  • Appoint Grievance Officer.
  • Create Breach Response Plan.
  • Review Vendor Agreements.
  • Implement Encryption & Access Controls.
  • Define Retention and Deletion Policy.
  • Train Employees.
  • Conduct DPDP Gap Assessment.

Digital Personal Data Protection (DPDP) Act, 2023 Services

  • Phase 1 – Gap Assessment & Data Mapping includes Review current data practices, identify compliance gaps and Prepare data inventories and flow maps
  • Phase 2 – Policy & Documentation includes Privacy Policies, consent notices, and Internal Compliance Frameworks
  • Phase 3 – Implementation includes Consent management systems, Rights handling processes and Vendor agreement updates
  • Phase 4 – Ongoing Compliance includes DPO-as-a-Service, Advisory support, employee training, and Breach-response readiness programs

Digital Personal Data Protection (DPDP) Act, 2023 Compliance Methodology: The compliance methodology/approach consists of four stages:

  • Assess: Review current systems, policies, and data practices.
  • Design: Create required policies, consent workflows, and procedures.
  • Implement: Deploy controls across departments and vendors.
  • Sustain: Provide ongoing compliance monitoring and training.

Value Proposition:

Digital Personal Data Protection (DPDP) Act, 2023 consultants claim to provide Practical implementation support rather than just legal advice, End-to-end compliance assistance, Customized solutions based on industry and organizational size, Ongoing advisory support after implementation.

What Rajput Jain and Associates offer

The Digital Personal Data Protection (DPDP) Act 2023 positions itself as an end-to-end consulting partner for data privacy compliance.

It provides financial, legal, and compliance consulting services; focuses on practical and actionable business solutions; works with professional experts across India; and helps organizations implement compliance without disrupting operations.

DPDP Act compliance and advisory services to help organizations prepare for India’s Digital Personal Data Protection (DPDP) Act, 2023. DPDP Act compliance and advisory services to help organizations prepare for India’s Digital Personal Data Protection (DPDP) Act, 2023.

As a proposal, it is well-structured and useful as a marketing/introduction document, but it currently lacks:

  • Detailed scope of work
  • Deliverables for each phase
  • Project timelines
  • Resource allocation
  • Commercials/fees
  • Service Level Agreements (SLAs)
  • Responsibilities of client vs consultant

For conversion into a formal engagement proposal, It is recommended to add a detailed compliance roadmap, department-wise action plan (HR, IT, Marketing, Legal, Operations), deliverable matrix, implementation timeline, professional fee structure, risk assessment methodology, and sample DPDP compliance checklist.

Overall, it serves as a good business development and client acquisition proposal, but would need a more detailed technical and commercial section before execution

Rajput Jain & Associates

Rajput Jain & Associates is a Chartered Accountants firm, with it's headquarter situated at New Delhi (the capital of India). The firm has been set up by a group of young, enthusiastic, highly skilled and motivated professionals who have taken experience from top consulting firms and are extensively experienced in their chosen fields has providing a wide array of Accounting, Auditing, Taxation, Assurance and Business advisory services to various clients and their stakeholders. Rajput jain & Associates, a professional firm, offers its clients a full range of services, To serve better and to bring bucket of services under one roof, the firm has merged with it various Chartered Accountancy firms pioneer in diversified fields. We have associates all over India in big cities. All our offices are well equipped with latest technological support with updated reference materials. We have a large team of professionals other than our Core Team members to meet the requirements of our prospective clients including the existing ones. However, considering our commitment towards high quality services to our clients, our team keeps on growing with more and more associates having strong professional background with good exposure in the related areas of responsibility.

Recent Posts

ITR-2 vs ITR-3 Inconsistencies: Foreign Listed Share Reporting & FA

Inconsistency in ITR Forms – Intentional or Merely an Oversight? The issues highlighted are genuine practical concerns arising from the… Read More

13 hours ago

Form 26AS Replaced by Form 168 Under Income-tax Act 2025

Form 26AS Replaced by Form 168 Under the Income-tax Act, 2025 With the implementation of the Income Tax Act, 2025,… Read More

14 hours ago

Penalty for Non-Reporting of Crypto Transactions

Finance Bill 2026: Penalty for Non-Reporting of Crypto Transactions – Detailed Analysis The Finance Bill, 2026, has introduced a stricter… Read More

2 days ago

ICAI New Policy on Extremely Low Fee Quotation in CA Tender

ICAI's Policy on Extremely Low Fee Quotations in Tenders: Disciplinary Ethical Implications & Practical Guidance Very Important Decision by ICAI… Read More

2 days ago

How JioFinance Makes ITR Return Filing Easier

How JioFinance Makes Income Tax Return Filing Easier Filing your income tax return (ITR) is an essential financial responsibility. Besides… Read More

2 days ago

ITR filling for Salaried Individual for AY 2026-27

Income Tax Return filling for Salaried Individuals for AY 2026-27 Income Tax Return (ITR) Forms ITR-1 (Sahaj) ITR-1 (Sahaj) is… Read More

5 days ago
Call Us Enquire Now