Data compliance and privacy

India's Digital Personal Data Protection (DPDP) Act represents the most significant shift in data governance for Indian businesses since the IT Act. Passed in 2023 and with key provisions becoming enforceable through 2025 and 2026, the Act establishes a comprehensive framework for how personal data must be collected, processed, stored, and protected by organizations operating in India.

Unlike previous legislation that addressed data protection indirectly, the DPDP Act places explicit, enforceable obligations on businesses — with penalties that give the framework real teeth. For most Indian organizations, compliance requires meaningful operational and governance changes, not just policy updates.

What the DPDP Act Establishes

The Act introduces a set of core principles and obligations that govern how personal data — defined as any data about an identifiable individual — must be handled:

Lawful Purpose & Consent

Personal data can only be processed for lawful purposes and with clear, informed, and explicit consent from the data principal (the individual).

Data Minimization

Only the data necessary for the stated purpose may be collected. Collecting data speculatively or for undefined future use is not permitted.

Storage Limitation

Personal data must not be retained longer than necessary for the purpose for which it was collected. Retention schedules must be defined and enforced.

Data Principal Rights

Individuals have the right to access, correct, and erase their data — and to withdraw consent. Organizations must have mechanisms to honor these rights.

Security Safeguards

Reasonable security measures must be implemented to protect personal data from unauthorized access, disclosure, or breach.

Breach Notification

Data breaches that may affect data principals must be reported to the Data Protection Board and to affected individuals without delay.

Who Is Affected

The Act applies to any organization — domestic or foreign — that processes personal data of individuals in India. This is a broad definition that captures most Indian businesses of any meaningful size, including:

"For most Indian organizations, DPDP compliance is not a legal exercise. It is an operational and governance exercise that touches data collection, storage, consent mechanisms, and vendor contracts across the business."

The Practical Compliance Steps

Step 1: Data mapping and inventory

Before any compliance program can be designed, an organization needs to understand what personal data it holds, where it lives, how it was collected, who has access to it, and how long it is retained. This data mapping exercise is the foundation of DPDP compliance — and it frequently surfaces data handling practices that organizations didn't know were happening.

Step 2: Consent mechanism audit and redesign

Existing consent mechanisms — the checkboxes, privacy notices, and data collection forms on websites and apps — need to be reviewed against the Act's requirements for consent. Bundled, pre-ticked, or vague consent is not compliant. Consent must be specific, informed, and freely given, with an equally simple mechanism to withdraw it.

Step 3: Policies and documentation

A compliant privacy policy, data retention schedule, data breach response procedure, and data principal rights management process must be formally documented. These are not just legal documents — they need to reflect how the organization actually operates.

Step 4: Vendor and third-party review

Organizations that share personal data with third-party vendors — payroll processors, cloud providers, marketing platforms, CRMs — are responsible for ensuring those vendors process data appropriately. Data Processing Agreements (DPAs) need to be in place with all relevant third parties.

Step 5: Training and awareness

Data protection compliance fails when the people handling data don't understand their obligations. A targeted training program — tailored to different roles and their specific data handling responsibilities — is a compliance requirement, not just good practice.

Team working on compliance

Significant Data Fiduciaries: Additional Obligations

The DPDP Act introduces the concept of "Significant Data Fiduciaries" — organizations that process large volumes of sensitive personal data or whose data processing has significant implications for individuals. These organizations face additional requirements, including the appointment of a Data Protection Officer, mandatory data protection impact assessments, and periodic audits. The threshold criteria for Significant Data Fiduciary designation are to be prescribed by the government — organizations likely to fall into this category should begin preparing now.

Key Takeaways

For most Indian organizations, DPDP compliance is achievable — but it requires structured effort and genuine organizational commitment. The businesses that treat it as a legal checkbox exercise will find their compliance superficial and their exposure real. The businesses that treat it as an operational improvement program will emerge with data practices that are genuinely stronger and more trustworthy.

Need help navigating DPDP compliance?

Invictus helps organizations design and implement data privacy frameworks that meet DPDP requirements — from data mapping through policy development and training.

Schedule a Consultation
← ISO Certification for Exporters Next: Governance for SMEs →