Abstract
The Digital Personal Data Protection Act, 2023 marks a watershed moment for data governance in India. After years of deliberation, we finally have a comprehensive framework that balances individual privacy rights with legitimate business interests. This white paper cuts through the noise to give you a clear, actionable roadmap for compliance—whether you're a startup processing customer data or a multinational with complex cross-border data flows.
Understanding the DPDPA Framework
Let's be clear about what the DPDPA actually does. Unlike the GDPR, which runs to 99 articles, India's data protection law is deliberately lean: 44 sections that establish principles rather than prescriptive rules. The devil, as always, lies in the subordinate legislation (the Rules) that will follow, which is where timelines, forms and thresholds get fixed.
The Act introduces a consent-based architecture. Every processing of personal data requires either the data principal's consent or a "legitimate use" ground listed in Section 7. There is no equivalent of GDPR's "legitimate interests" balancing test: the legitimate uses are an exhaustive list and cover data the principal has voluntarily provided for a specified purpose, State functions, compliance with law and court orders, medical emergencies, and employment-related purposes. Anything outside that list needs consent.
What practitioners need to understand is that consent under DPDPA isn't merely a checkbox exercise. Section 6 requires consent to be "free, specific, informed, unconditional and unambiguous with a clear affirmative action", and limits it to the personal data necessary for the specified purpose. A clear affirmative action rules out pre-ticked boxes, and consent that is a condition of access to a service is not "unconditional". If your current consent mechanisms rely on either, you have work to do.
The concept of "Data Fiduciary" replaces what other jurisdictions call data controllers. But the obligations go further: the fiduciary relationship implies a duty of care that courts may interpret expansively. Data Processors, by contrast, are not directly regulated by the Act. Section 8(2) lets a fiduciary engage a processor only under a valid contract, and the fiduciary stays accountable for everything the processor does on its behalf, so the processor's obligations have to be written into that contract and verified.
The Consent Architecture: Getting It Right
We've reviewed consent mechanisms across dozens of Indian businesses, and most fall short of DPDPA standards. The common failures are instructive.
First, granularity. You cannot obtain a single blanket consent for all processing purposes. If you're collecting data for service delivery, marketing, and analytics, each purpose requires separate consent. This has significant implications for user experience design.
Second, withdrawal mechanisms. Section 6(4) requires that the ease of withdrawing consent be comparable to the ease with which it was given. If consent is obtained through a single click, withdrawal cannot require emailing a support address and waiting 30 days. Withdrawal has consequences downstream too: under Section 6(6) the fiduciary must, within a reasonable time, cease processing for that purpose and cause its processors to cease as well, unless the processing is required by law. We recommend building consent dashboards that give data principals real-time, per-purpose control and that propagate withdrawals to every system and vendor that holds the data.
Third, the notice requirements under Section 5 are more demanding than most businesses realize. The notice must be in clear, plain language, not the wall of legalese that passes for privacy policies today. It must describe the personal data collected and each purpose of processing, explain how the data principal can exercise their rights (including withdrawal), and explain how to complain to the Board. If you transfer data abroad, disclosing the jurisdictions involved in the notice is prudent even though Section 5 itself does not enumerate it; the information is needed for the data-flow map in any case.
Our recommendation: treat consent management as a product feature, not a legal compliance afterthought. The businesses that build trust through transparent data practices will have a competitive advantage as awareness grows.
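The per-purpose consent record, withdrawal with the same single call as grant, and processing that is gated on one specific purpose rather than on "any consent" can be shown in code. The following is an added illustration of that pattern and is not code from this white paper; the purpose names, the `ConsentLedger` class, the principal identifier `dp-1001` and the audit channel labels are assumptions chosen for the example, not identifiers defined by the Act.

```python
"""Per-purpose consent ledger: granular grant, equally easy withdrawal,
and processing gated on a specific purpose.

Added example, not code from the white paper. Purpose names, the class
name and the channel labels are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class ConsentRequired(Exception):
    """Raised when processing is attempted without an active consent."""


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str          # "grant" or "withdraw"
    at: datetime
    channel: str         # where the action happened, e.g. "web-dashboard"


@dataclass
class ConsentLedger:
    """Append-only record of consent events, evaluated per purpose.

    Granularity: every purpose is granted or withdrawn on its own; there is
    no "all purposes" switch, so a blanket grant cannot be recorded.
    Withdrawal: same single call shape as grant, so the ease matches.
    """
    purposes: frozenset[str]
    events: list[ConsentEvent] = field(default_factory=list)

    def _record(self, principal_id: str, purpose: str, action: str, channel: str) -> None:
        if purpose not in self.purposes:
            raise ValueError(f"unknown purpose: {purpose!r}")
        self.events.append(ConsentEvent(principal_id, purpose, action,
                                        datetime.now(timezone.utc), channel))

    def grant(self, principal_id: str, purpose: str, channel: str = "web-dashboard") -> None:
        self._record(principal_id, purpose, "grant", channel)

    def withdraw(self, principal_id: str, purpose: str, channel: str = "web-dashboard") -> None:
        self._record(principal_id, purpose, "withdraw", channel)

    def is_active(self, principal_id: str, purpose: str) -> bool:
        """Consent is active iff the latest event for (principal, purpose) is a grant."""
        latest: Optional[ConsentEvent] = None
        for ev in self.events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "grant"

    def active_purposes(self, principal_id: str) -> set[str]:
        return {p for p in self.purposes if self.is_active(principal_id, p)}

    def require(self, principal_id: str, purpose: str) -> None:
        """Gate for processing code: fails closed on any purpose without active consent."""
        if not self.is_active(principal_id, purpose):
            raise ConsentRequired(f"no active consent for {purpose!r} from {principal_id!r}")


def send_marketing_email(ledger: ConsentLedger, principal_id: str, template: str) -> str:
    """A processing step gated on the 'marketing' purpose specifically."""
    ledger.require(principal_id, "marketing")
    return f"queued {template} for {principal_id}"


def demo() -> tuple[str, bool, set[str]]:
    # Constructed scenario: grant two purposes, use one, withdraw it, retry.
    ledger = ConsentLedger(purposes=frozenset({"service_delivery", "marketing", "analytics"}))
    ledger.grant("dp-1001", "service_delivery")
    ledger.grant("dp-1001", "marketing")
    sent = send_marketing_email(ledger, "dp-1001", "welcome")
    ledger.withdraw("dp-1001", "marketing")       # one call, same shape as grant
    try:
        send_marketing_email(ledger, "dp-1001", "offer")
        blocked = False
    except ConsentRequired:
        blocked = True
    return sent, blocked, ledger.active_purposes("dp-1001")


if __name__ == "__main__":
    print(demo())
```

The point of the ledger being append-only is that the event history doubles as the evidence trail: when a data principal or the Board asks what was consented to and when it was withdrawn, the answer is the event list, not a reconstructed guess from a boolean column.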
Cross-Border Data Transfers: The Practical Reality
Section 16 creates a "blacklist" approach to cross-border transfers: personal data can flow anywhere except to countries or territories the Central Government restricts by notification. This is more permissive than GDPR's adequacy-based whitelist approach, at least initially. One caveat practitioners miss: Section 16(2) preserves any Indian law that imposes a higher degree of protection or restriction, so sectoral localisation rules such as the RBI's payment-data storage requirement continue to apply regardless of what the DPDPA permits.
But don't be complacent. The Government has signaled that restrictions will follow, likely targeting jurisdictions with weak data protection standards or geopolitical concerns. Businesses should map their data flows now, identifying which jurisdictions receive Indian personal data and through which service providers.
The practical challenge for multinationals is that cloud infrastructure often involves data transiting through multiple jurisdictions. Your AWS or Azure deployment may replicate data across regions for resilience. You need visibility into these flows, and you may need to implement data residency controls.
We're advising clients to adopt a "compliance by design" approach: assume restrictions will come and architect your systems to enable data localization if required. The cost of retrofitting is always higher than building it right initially.
Significant Data Fiduciaries: Enhanced Obligations
If the Central Government designates you as a Significant Data Fiduciary under Section 10, your compliance burden increases substantially. Section 10(1) lists the factors for designation (volume and sensitivity of the data processed, risk to data principals' rights, and potential impact on sovereignty, electoral democracy, security of the State and public order), but no designations have been notified yet. Expect them to capture large platforms, financial institutions, and businesses processing sensitive categories of data at scale.
SDFs must appoint a Data Protection Officer based in India who is responsible to the board of directors or an equivalent governing body and serves as the point of contact for grievance redressal. Read this as a senior role with genuine authority over data protection matters, not a mailbox.
SDFs must also appoint an independent data auditor to evaluate compliance, and must conduct periodic Data Protection Impact Assessments and periodic audits. The form and frequency of these are left to the Rules, so expect prescribed templates; what is already clear is that the evaluation has to be independent of the team that built the processing.
Perhaps most notably, the children's-data provisions in Section 9 apply to every data fiduciary, not only SDFs. A child is anyone under 18. Processing a child's data requires verifiable parental consent, the fiduciary cannot undertake processing likely to cause a "detrimental effect" on the child's well-being, and tracking, behavioural monitoring and targeted advertising directed at children are prohibited. That "detrimental effect" standard will require careful interpretation in sectors like EdTech and gaming, and an SDF in those sectors carries these obligations on top of its own.
Building Your Compliance Programme
Effective DPDPA compliance isn't about documents—it's about operational capability. Here's our recommended approach, developed through implementing privacy programmes across sectors.
Start with data mapping. You cannot protect what you don't understand. Identify every system that processes personal data, document the data elements captured, understand the flows between systems, and map the legal basis for each processing activity. This exercise invariably reveals processing that shouldn't be happening.
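A minimal data-flow inventory that supports both the data-mapping step above and the cross-border mapping recommended earlier can be written in a few dozen lines. This is an added example and not the white paper's own tooling; the record layout, the sample systems, the hypothetical vendor name `vendor-x`, and the restricted set are constructed for illustration. `XX` is a user-assigned ISO 3166 code standing in for whatever jurisdiction a future Section 16 notification restricts; it is not an actual restriction.

```python
"""Data-flow inventory with legal-basis and cross-border checks.

Added example, not code from the white paper. The record fields, the
sample inventory, the vendor name and RESTRICTED are constructed
assumptions; "XX" is a user-assigned ISO code used as a placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessingRecord:
    system: str
    data_elements: tuple[str, ...]
    purpose: str
    legal_basis: Optional[str]            # "consent", "legitimate_use:<ground>", or None
    processor: Optional[str]              # third-party processor, if any
    storage_countries: tuple[str, ...]    # every country holding a replica, ISO 3166


# Constructed sample inventory for the example.
SAMPLE_INVENTORY = (
    ProcessingRecord("crm", ("name", "email", "phone"), "service_delivery",
                     "consent", None, ("IN",)),
    ProcessingRecord("product-analytics", ("device_id", "events"), "analytics",
                     None, "vendor-x", ("IN", "US")),
    ProcessingRecord("backup-archive", ("name", "email", "phone"), "resilience",
                     "consent", None, ("IN", "XX")),
)

# Placeholder for a Section 16 notification; nothing has been notified.
RESTRICTED = frozenset({"XX"})


def find_gaps(records: tuple[ProcessingRecord, ...], restricted: frozenset[str]) -> list[tuple[str, str, str]]:
    """Return findings as (code, system, detail).

    NO_LEGAL_BASIS: processing recorded without consent or a Section 7 ground.
    UNRECOGNISED_BASIS: a basis label that is neither consent nor legitimate use.
    RESTRICTED_TRANSFER: a replica sits in a restricted jurisdiction.
    """
    findings: list[tuple[str, str, str]] = []
    for r in records:
        if not r.legal_basis:
            findings.append(("NO_LEGAL_BASIS", r.system, r.purpose))
        elif r.legal_basis != "consent" and not r.legal_basis.startswith("legitimate_use:"):
            findings.append(("UNRECOGNISED_BASIS", r.system, r.legal_basis))
        for country in sorted(set(r.storage_countries) & restricted):
            findings.append(("RESTRICTED_TRANSFER", r.system, country))
    return findings


def flows_by_country(records: tuple[ProcessingRecord, ...]) -> dict[str, set[str]]:
    """Country -> systems holding a replica there; the cross-border map itself."""
    out: dict[str, set[str]] = {}
    for r in records:
        for country in r.storage_countries:
            out.setdefault(country, set()).add(r.system)
    return out


def processors_in_scope(records: tuple[ProcessingRecord, ...]) -> set[str]:
    """Third parties that need a Section 8(2)-compliant contract and verification."""
    return {r.processor for r in records if r.processor}


if __name__ == "__main__":
    for finding in find_gaps(SAMPLE_INVENTORY, RESTRICTED):
        print(finding)
    print(flows_by_country(SAMPLE_INVENTORY))
    print(processors_in_scope(SAMPLE_INVENTORY))
```

Run this against a real inventory exported from your CMDB or cloud asset tags and the two findings it raises are exactly the ones the text predicts: processing that has no basis (the analytics pipeline nobody obtained consent for) and replicas sitting in a region you would have to drain if that jurisdiction were notified.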
Next, assess your vendor ecosystem. A large share of breaches involve a third-party processor, and under the DPDPA the fiduciary remains accountable for them. Section 8(2) permits engaging a processor only under a valid contract, so your contracts need DPDPA-compliant processing terms (purpose limitation, security safeguards, breach reporting to you, erasure on withdrawal or purpose completion), and you need mechanisms to verify processor compliance: not just contractual representations, but actual audits.
Build response capabilities. Section 8(6) requires a data fiduciary to intimate a personal data breach to the Board and to each affected data principal, in the form and within the timeline the Rules prescribe; we expect timelines to be tight (potentially 72 hours, following global norms). Your incident response plan needs a DPDPA notification track alongside any CERT-In reporting you already do, a way to identify affected data principals quickly, and teams trained to execute it.
Finally, governance. Compliance isn't a one-time project—it's an ongoing programme. Establish clear accountability, regular review mechanisms, and continuous improvement processes. Privacy regulations evolve; your programme must evolve with them.
Enforcement and Penalties: A Realistic Assessment
The DPDPA's penalty regime is significant. The Schedule sets a maximum of ₹250 crore per instance for failing to take reasonable security safeguards to prevent a personal data breach, which exceeds what most Indian regulators can impose. But let's be realistic about how enforcement will likely unfold.
The Data Protection Board is yet to be constituted. Once established, it will need to build institutional capacity before undertaking significant enforcement. We expect an initial focus on egregious violations and complaints-driven enforcement, rather than proactive compliance audits.
That said, businesses shouldn't treat the runway as license to delay. The reputational consequences of data breaches are immediate, and customers increasingly care about privacy. Moreover, the Act's provisions on children's data and consent are likely to see early enforcement focus.
Our advice: use the transition period to build genuine compliance capability, not paper compliance that will crumble under scrutiny. The businesses that view privacy as a trust-building exercise, rather than a regulatory burden, will be best positioned.
Key Takeaways
- Map all personal data processing activities and document legal bases before the compliance deadline
- Redesign consent mechanisms to meet DPDPA's granularity and withdrawal requirements
- Prepare for potential data localization requirements by mapping cross-border flows now
- Build incident response capabilities with defined notification timelines
- Treat privacy compliance as an ongoing programme, not a one-time project
