The Digital Personal Data Protection Act, 2023 (DPDP Act) represents India's most significant data privacy legislation to date. Passed in August 2023, it sets out the rights of data principals (individuals) and the obligations of data fiduciaries (businesses that process personal data).
Who Does It Apply To
The DPDP Act applies to any business that processes the digital personal data of Indian citizens — whether the processing happens within India or outside India. This has extraterritorial reach similar to the EU's GDPR.
Key Obligations for Businesses
Consent: Personal data can only be processed with the individual's free, specific, informed, unconditional, and unambiguous consent. Pre-ticked boxes do not constitute valid consent.
Purpose Limitation: Data may only be used for the specific purpose for which consent was obtained.
Data Minimisation: Collect only the personal data necessary for the stated purpose.
Data Retention: Delete personal data once the purpose is fulfilled.
Breach Notification: Significant data breaches must be reported to the Data Protection Board of India and affected individuals.
Penalties
The Act provides for penalties up to Rs.250 crore for significant breaches of obligations related to children's data, and up to Rs.200 crore for failure to implement security safeguards. These are not trivial amounts even for large enterprises.
Steps to Comply
Start with a data audit — know what personal data you collect, where it is stored, and why you hold it. Update your privacy policy and consent mechanisms accordingly. Appoint a Data Protection Officer if you are a Significant Data Fiduciary. Kapitalyze processes data in Indian data centres and has implemented DPDP-compliant data handling practices across all modules.