Executive Briefing: India’s Digital Personal Data Protection Act (DPDP), 2023
Purpose:
The DPDP Act is India’s new law regulating the collection, processing, storage, and transfer of “digital personal data.” It seeks to protect individual privacy while enabling lawful business use of data.
Effective Scope:
Applies to digital personal data of individuals in India.
Covers Indian and foreign businesses offering goods/services or monitoring behaviour of Indian users.
Introduces “Significant Data Fiduciaries” (SDFs) with higher obligations (audit, DPO, governance).

Key Differences from GDPR
Data scope – DPDP is limited to digital personal data; GDPR covers all personal data including offline/manual records.
Categories of data – DPDP does not classify sensitive vs. regular data.
Lawful basis – Consent is central under DPDP; GDPR allows broader legitimate interests.
Cross-border rules – DPDP is more permissive; GDPR requires adequacy or contractual safeguards.
Exemptions – DPDP provides broader government exemptions.
Rights & obligations – Some GDPR rights (e.g., portability, objection) are absent in DPDP.
Executive Action Checklist
Map your data flows in India: collection, storage, transfer, and processing.
Review consent mechanisms: update opt-ins, privacy notices, and withdrawal options.
Classify your organization: determine if you are an SDF and prepare for higher compliance obligations.
Prepare breach response plans: ensure detection, reporting, and communication processes.
Cross-border transfers: review contracts, vendors, and cloud providers for compliance.
Governance & accountability: maintain records, implement privacy-by-design, conduct audits if SDF.
Vendor & partner compliance: ensure fiduciary oversight of processors and sub-processors.
Monitor regulatory updates: watch for rules and guidance from India’s Data Protection Board.
Integrate global privacy efforts: align DPDP compliance with GDPR, CCPA, or other regimes.
Bottom Line:
This signals where privacy and data protection are heading globally. While this particular law applies to India, updates or changes in other countries usually take into account ideas and policies from other laws.
DPDP is India’s strategic move to modernize digital privacy. While similar to GDPR, it is tailored to India’s legal and business context. Businesses must proactively map data, strengthen consent practices, prepare for breach notifications, and align governance to remain compliant. Customer trust is what we seek.
GDPR compliance alone does not ensure DPDP compliance.

