DPDP Act: What India’s Digital Data Law Means for You


The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s dedicated statute governing the processing of digital personal data.

The legal foundation for this framework lies in the Supreme Court’s decision in Justice K.S. Puttaswamy v. Union of India (2017), where a nine‑judge Bench unanimously held that the right to privacy is a fundamental right under the Constitution, rooted in Article 21 and Part III.

Against this backdrop of rapid digitisation — where payments, government benefits, communication and commerce increasingly depend on phone numbers, email addresses and other personal identifiers — the DPDP Act aims to ensure that India’s digital growth is accompanied by clear, enforceable rules on data protection.

How Did the DPDP Act Come Into Existence? A Brief Timeline

The evolution of India’s digital data protection framework can be traced through the following key milestones:

2017: Privacy recognised as a fundamental right

On 24 August 2017, the Supreme Court in Justice K.S. Puttaswamy v. Union of India unanimously held that the right to privacy is a fundamental right, intrinsic to life and liberty under Article 21 and protected across Part III of the Constitution.

2017–2018: Justice B.N. Srikrishna Committee

The Justice B.N. Srikrishna Committee on data protection released a White Paper in 2017 and then its final report along with a draft Personal Data Protection Bill, 2018. This work is widely regarded as the starting point of India’s modern data protection architecture.

2019–2021: Personal Data Protection Bill, 2019

A revised Personal Data Protection Bill, 2019 was introduced in Parliament and referred to a Joint Parliamentary Committee (JPC). The JPC submitted its report with extensive recommendations in December 2021, including suggestions to widen the scope and re‑title the legislation.

2022: Withdrawal and reset

In August 2022, the Government withdrew the 2019 Bill and announced that a fresh framework would be introduced. A new draft was subsequently placed for public consultation later in 2022, signalling a reset of the approach while retaining the core objective of a comprehensive digital data protection law.

2023: Enactment of the Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Bill, 2023 was introduced in Parliament and, following passage by both Houses, received Presidential assent on 11 August 2023 as the Digital Personal Data Protection Act, 2023 (Act 22 of 2023).

2025: Commencement of the Act and notification of the DPDP Rules, 2025

By notification dated 13 November 2025, specified provisions of the DPDP Act were brought into force in a staggered manner, including provisions on definitions, the Data Protection Board of India, rule‑making powers and transitional timelines for full compliance.

Why Was the Digital Personal Data Protection Act Created?

The DPDP Act expressly states that its purpose is to provide for the processing of digital personal data in a manner that recognises both (i) the right of individuals to protect their personal data, and (ii) the need to process such data for lawful purposes and related matters.

  1. Setting clear ground rules for digital personal data
    Section 4 provides that personal data may be processed only in accordance with the Act and for a lawful purpose, based either on the Data Principal’s consent or on specified “certain legitimate uses”.
  2. Balancing privacy with legitimate data use
    The Preamble describes the objective as recognising both the right of individuals to protect their personal data and the need to process such data for lawful purposes.
  3. Giving Data Principals enforceable rights
    Chapter III grants Data Principals rights to:
    1. obtain information about what personal data is processed and with whom it is shared (section 11);
    2. seek correction, completion, updating and erasure of personal data (section 12);
    3. access grievance‑redress mechanisms (section 13); and
    4. nominate another individual to exercise rights in the event of death or incapacity (section 14).

These rights must be supported by clear processes that Data Fiduciaries put in place under the Act and the 2025 Rules.

  • Embedding transparency through notice and consent
    Sections 5 and 6 require that any request for consent must be preceded or accompanied by a notice that describes the personal data proposed to be processed, the purposes of processing, the Data Principal’s rights and how complaints can be made to the Data Protection Board.
  • Improving data security and reducing breaches
    Section 8(5) obliges every Data Fiduciary to protect personal data in its possession or under its control (including that processed by Data Processors on its behalf) by taking reasonable security safeguards to prevent personal data breaches.
  • Creating accountability through the Data Protection Board of India
    Chapter V establishes the Data Protection Board of India as a body corporate responsible for, among other things, inquiring into personal data breaches, contraventions of the Act and rules, and imposing penalties as specified in the Schedule.
  • Providing a common baseline across private and public entities
    The Act applies to a wide range of entities, both private and public, that process digital personal data, while allowing specific exemptions for sovereign and public‑interest functions under section 17.
  • Regulating cross‑border data transfers
    Section 16 empowers the Central Government to restrict transfers of personal data for processing to specified countries or territories, where necessary, while clarifying that any stricter sector‑specific transfer rules continue to apply.
  • Building trust in India’s digital ecosystem
    The Statement of Objects and Reasons to the Act emphasises that protection of personal data is a prerequisite for the growth of the digital economy and that the legislation is designed to confer rights on individuals, place obligations on entities and provide for a digital‑by‑design compliance framework.

Who Does the DPDP Act Apply To?

General Scope

Section 3 sets out the core applicability rule:

  • The Act applies to processing of digital personal data within India where the data is:
    • collected in digital form; or
    • collected in non‑digital form and digitised subsequently.
  • It also applies to processing outside India if such processing relates to the offering of goods or services to Data Principals in India.

This means that once personal data is brought into digital form (for example, through entry into a spreadsheet, CRM or cloud system), the processing generally falls within the Act’s scope, regardless of whether the original collection was online or offline.

Key Categories of Covered Organisations

Although the Act uses functional terms (Data Fiduciary, Data Processor, etc.), in practice it covers a wide variety of entities:

  1. Private companies and startups
    Any entity that determines the purpose and means of processing digital personal data is a Data Fiduciary (section 2(i)), regardless of scale.
  2. Vendors and service providers as Data Processors
    Any person who processes personal data on behalf of a Data Fiduciary is a Data Processor (section 2(k)).
  3. Government entities
    “State” is expressly included in the definition of “person” and “State” itself is defined by reference to Article 12 of the Constitution, meaning governmental bodies can be Data Fiduciaries under the Act.

Key Actors Defined in the Act

The key roles used throughout this article correspond to the following statutory concepts:

  • Data Principal: the individual to whom the personal data relates, including parents or lawful guardians in the case of children and persons with disabilities (section 2(j)).
  • Data Fiduciary: any person who alone or jointly determines the purpose and means of processing personal data (section 2(i)).
  • Consent Manager: a person registered with the Board who acts as a single point of contact to enable Data Principals to give, manage, review and withdraw consent via an accessible, transparent and interoperable platform (section 2(g) read with section 6(9)).

What Does Not Fall Under the DPDP Act?

Section 3(c) specifies two principal exclusions, and a third follows from the Act’s limitation to digital data:

  • Purely personal or domestic use: personal data processed by an individual for personal or domestic purposes is excluded.
  • Certain publicly available personal data: personal data that is made or caused to be made publicly available either by the Data Principal or by a person who is under a legal obligation to make it publicly available is excluded.
  • Offline personal data that is never digitised is outside the DPDP Act’s scope, because the Act is limited to digital personal data or data that has been digitised.

How Is Compliance Structured Under the DPDP Act?

The DPDP Act itself lays down high‑level obligations on Data Fiduciaries, while the DPDP Rules, 2025 provide detailed operational requirements, particularly around notices, consent flows, breach reporting, retention triggers, grievance redressal, processing of children’s data and enhanced duties for Significant Data Fiduciaries.

From a legal standpoint, several of the practical compliance themes discussed in this article correspond directly to specific statutory obligations:

  • Data mapping, purpose limitation and minimisation: Section 4(1) and the definition of “specified purpose” in section 2(za) require that processing be tied to purposes notified to the Data Principal, and section 6(1) limits consent to such data as is necessary for those specified purposes. The mapping should cover data from every touchpoint, such as website forms, WhatsApp chats, click‑to‑WhatsApp (CTWA) attribution, call logs, demo bookings, app sign‑ups and support tickets.
  • Notice and consent mechanisms: Sections 5 and 6, along with Rules 3–5 of the DPDP Rules, prescribe the structure and content of notices and consent flows, including language options and contact details for Data Protection Officers or designated representatives. For every piece of information collected, record the specific purpose for which it is collected.
  • Rights‑enablement and grievance handling: Sections 11–14 set out the rights of Data Principals, and section 8(10) requires Data Fiduciaries to establish an effective grievance redressal mechanism. This could include setting up a “privacy requests” page through which Data Principals can exercise their rights over their data, including requesting its deletion.
  • Security safeguards and breach response: Section 8(5) and (6) impose direct obligations to implement reasonable security safeguards and to notify the Board and affected Data Principals in the prescribed form. To meet them, an organisation should define in advance what constitutes a breach, who is to be alerted, how impact is assessed and how quickly the Data Principals and the Data Protection Board of India are notified.
  • Retention and erasure: Section 8(7) requires erasure of personal data upon withdrawal of consent or when it is reasonable to assume that the specified purpose is no longer served, subject to legal retention requirements. The DPDP Rules specify this period as one year.
  • Vendor management: Section 8(1) and (2) require that any engagement of Data Processors be under a valid contract and make the Data Fiduciary responsible for compliance even where processing is outsourced. It is recommended that all vendors be listed and a checklist created to ensure that compliant contracts are executed with each of them.

Penalties and Consequences of Non‑Compliance

Statutory Monetary Penalties

Section 33 empowers the Data Protection Board of India, upon concluding an inquiry and determining that a breach is “significant”, to impose monetary penalties as specified in the Schedule, after considering factors such as nature and gravity of the breach, repetitive patterns, gain or loss avoided, mitigation steps and proportionality.

| Type of breach (paraphrased) | Relevant provision | Maximum monetary penalty |
|---|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | Section 8(5) | Up to ₹250 crore |
| Failure to notify the Board and affected Data Principals of a personal data breach | Section 8(6) | Up to ₹200 crore |
| Non‑compliance with additional obligations in relation to children’s personal data | Section 9 | Up to ₹200 crore |
| Non‑compliance with additional obligations of Significant Data Fiduciaries | Section 10 | Up to ₹150 crore |
| Breach of duties of the Data Principal | Section 15 | Up to ₹10,000 |
| Breach of a voluntary undertaking accepted by the Board | Section 32 | Penalty up to the extent applicable to the underlying breach in respect of which proceedings were instituted |
| Breach of any other provision of the Act or rules | Residual category | Up to ₹50 crore |

Thus, this article’s references to penalties of up to ₹250 crore for failure to implement reasonable security safeguards and up to ₹200 crore for failure to notify breaches and for violations relating to children’s data are consistent with the Schedule.

Consequences Beyond Fines

  1. Forced disclosure and damage to customer trust: a breach or complaint that becomes public is often more expensive than the fine. Customers may lose trust, churn may increase and sales cycles may be adversely affected. For this reason, “Are you DPDP‑compliant?” is becoming a standard question in enterprise deals and partner contracts.
  2. Operational disruption: incident response, audits, access reviews and clean‑up divert engineers, support staff and leadership from their normal work.
  3. Contract and vendor risk: partners may demand stronger compliance measures or audits, or may even stop sharing data if data security is weak. Example: an enterprise customer asks you to prove that you have breach response, retention policies and access controls in place.
  4. Repeat non‑compliance: if the same issues keep recurring (missing notices, weak consent records, messy deletion handling), the pattern becomes harder to defend and may attract recurring penalties.

telecrm’s commitment to data protection

As India moves toward stronger data protection standards under the Digital Personal Data Protection (DPDP) Act, businesses must ensure that their internal systems and technology partners follow structured security frameworks.

telecrm has achieved ISO 27001 certification, one of the most globally recognised standards for information security management. This certification confirms that our internal processes — across technology, operations and business functions — follow internationally accepted best practices to safeguard customer data.

While compliance with the DPDP Act ultimately depends on how each organisation handles its customer data, we provide a secure and structured foundation to support DPDP-aligned operations:

  • Globally recognised security framework: ISO 27001 ensures that we follow rigorous risk assessment and data protection controls
  • Strict access controls: Role-based permissions restrict data access to authorised personnel only
  • Data protection & risk management processes: Continuous monitoring and structured security practices reduce vulnerabilities
  • Operational accountability: Defined processes across teams ensure the responsible handling of sensitive customer information
  • Enterprise-grade trust signal: Externally verified security standards strengthen confidence for data-sensitive businesses

At telecrm, being ISO 27001 verified is not just about getting a certification — it reflects our ongoing commitment to strengthening data protection, improving internal controls and supporting responsible data management in line with evolving regulatory standards like the DPDP Act.

Conclusion

The Digital Personal Data Protection Act, 2023, together with the Digital Personal Data Protection Rules, 2025, establishes India’s first comprehensive, rights‑based regime for digital personal data. The regime:

  • defines who is responsible for data processing (Data Fiduciaries and Data Processors);
  • specifies lawful bases for processing, grounded in consent and certain legitimate uses;
  • grants individuals enforceable rights over their personal data;
  • imposes obligations on organisations to ensure security, transparency, retention discipline and grievance redressal;
  • creates an independent Data Protection Board with powers to impose significant monetary penalties where breaches occur.

As enforcement timelines under the 2025 Rules take effect, the DPDP regime will increasingly shape expectations in contracts, due‑diligence processes and public trust for any organisation handling digital personal data in or relating to India. At telecrm, data protection has been our top priority from day one. User data is collected only for clear purposes, access is controlled and information is stored securely. This helps businesses stay aligned with DPDP guidelines without extra effort.

Frequently asked questions

What is the DPDP Act?

The DPDP Act is India’s law that sets rules for how personal digital data should be handled. It tells organisations what they can and cannot do with people’s data and gives individuals more control over their own information.

Why did India introduce the DPDP Act?

India introduced the DPDP Act because more businesses are collecting data online and there was a growing need to protect people’s privacy. With digital payments, apps and online services increasing, clear data protection rules became necessary.

What rights do individuals have under the DPDP Act?

People have the right to know why their data is being collected, how it will be used and who it will be shared with. They can also ask for their data to be corrected or deleted, or stop its use by withdrawing their consent.

What must companies do under the DPDP Act?

Companies must take clear consent before collecting data, collect only necessary information, use it only for the stated purpose, store it securely and delete it when it is no longer required. They must also respond to requests for correction or deletion.

What are the 7 principles of data protection?

The idea of “7 principles” originally comes from the UK’s Data Protection Act 2018 and the General Data Protection Regulation (GDPR). While India’s DPDP Act does not list them in the exact same format, the core ideas are very similar.

The 7 widely recognised data protection principles are:

  1. Lawfulness, fairness and transparency – Data must be collected legally and people must be clearly informed.

  2. Purpose limitation – Data should be collected only for a specific purpose.

  3. Data minimisation – Only necessary data should be collected.

  4. Accuracy – Data must be kept accurate and updated.

  5. Storage limitation – Data should not be kept longer than needed.

  6. Integrity and confidentiality – Data must be stored securely.

  7. Accountability – Organisations are responsible for complying and proving compliance.

India’s Digital Personal Data Protection Act, 2023 reflects these same concepts, even if it does not label them as “7 principles.”

What are the key requirements of the DPDP Act as of 2025?

As of 2025, the DPDP Act focuses on these key requirements:

  • Companies must take clear and informed consent before collecting personal data.

  • They must collect only necessary data.

  • Data can be used only for the purpose stated at the time of collection.

  • Individuals must be given the right to access, correct, or delete their data.

  • Organisations must implement reasonable security safeguards.

  • Data must be deleted when it is no longer required.

  • Significant Data Fiduciaries (large data processors) may have additional compliance obligations like appointing a Data Protection Officer.

  • A Data Protection Board of India is established to handle grievances and penalties.

Some detailed procedural rules and compliance timelines continue to evolve through government notifications.

What happened with the DPDP Act in 2026?

In 2026, the Digital Personal Data Protection Act and its rules continued to be put into practice step by step rather than all at once. Some important parts of the DPDP Rules first notified in 2025 started taking effect in 2026. One key development was the focus on how consent management works, meaning systems and platforms that help capture and manage user consent for data processing began aligning with the rules.

There was also significant legal attention in 2026. The Supreme Court of India began hearing constitutional challenges related to the DPDP Act and Rules, especially questions about how the law interacts with the Right to Information Act. The court issued notices to the government but did not put the law on hold while the matter is being reviewed.

In practice, 2026 became a year where the government and businesses focused on getting ready for compliance, implementing systems and processes and preparing for later phases of the data protection framework.

Article Author

Mahwash Fatima

Mahwash Fatima is a technical content writer at Telecrm with a passion for all things creative. When she's not writing, she's painting, drawing or just thinking about her next big blog post.

© Copyright 2026 telecrm.in - All Rights Reserved Privacy PolicyT&C