7 Steps to Comply with India’s Digital Personal Data Protection Act

After years of negotiation and several false starts, India’s Digital Personal Data Protection Act (DPDPA) is now law. 

Despite some ambiguities and controversial government carveouts, the DPDPA provides new rights and protections for the 1.4 billion people living in India—and extensive obligations on businesses operating in the country.

The upcoming DPDPA Rules will provide much-needed specifics on complying with the law. But implementing these seven foundational steps now will help you lay the groundwork for efficient and comprehensive DPDPA compliance.

1. Understand Your Position Under the DPDPA

The DPDPA will impact millions of businesses. An organization is covered by the DPDPA if: 

• It processes personal data (we define these terms below) within India, as long as the data is digital or will be digitized.
• It is located outside India and processes personal data in connection with offering goods and services to individuals in India.

Organizations of all sizes across all sectors are covered by the DPDPA, including nonprofits—but India’s central government may exempt startups from certain obligations in the future.

Business-to-business (B2B) and employee data are covered by the DPDPA, but government bodies are exempt from certain provisions.

Types of ‘People’ Under the DPDPA

Here are the three main types of entities recognized under the DPDPA:

• Data Fiduciary: “Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”—think “Data Controller” under the EU General Data Proection Regulation (GDPR).
• Data Processor: “Any person who processes personal data on behalf of a Data Fiduciary”.
• Data Principal: “The individual to whom the personal data relates” (think Data Subject under the GDPR).

Example: A software company uses a third-party analytics platform to track a user’s behavior on its app. The software company is a Data Fiduciary, the user is a Data Principal, and the analytics company is a Data Processor.

The DPDPA also introduces two new entities:

• Consent Manager:  A person who acts as “a single point of contact” to enable a Data Principal to “give, manage, review, and withdraw” consent through an “accessible, transparent, and interoperable platform”.
• Data Protection Board of India (“the Board”): The DPDPA’s regulator.

India’s central government says it will establish the Data Protection Board and clarify the roles and responsibilities of Consent Managers in late 2023.

2. Get Oversight of Personal Data

The DPDPA represents a significant step forward in India’s data protection and privacy framework. 

Companies covered by the DPDPA should implement a privacy governance program to help them comply with the law. Start by improving your data visibility.

Personal Data Under the DPDPA

Here are two essential definitions from the DPDPA:

• Personal data: “Any data about an individual who is identifiable by or in relation to such data”.
• Processing: “...a wholly or partly automated operation or set of operations performed on digital personal data”, such as collecting, storing, sharing, erasing, or otherwise using personal data.

Note that the DPDPA provides a broad “personal data” definition, covering technical information such as IP addresses, mobile IDs, and cookie IDs under certain circumstances.

The DPDPA has no explicit concept of “sensitive data”. 

But Data Fiduciaries must adopt appropriate measures and reasonable safeguards to protect personal data. You must consider the sensitivity of personal data to help determine what measures and safeguards are “appropriate” and “reasonable”.

DPDPA Data Mapping

Data visibility is the cornerstone of data protection compliance. Data mapping helps you gain visibility over:

• What personal data you process.
• Why you process personal data.
• Where you obtain, store, and transmit personal data.
• When you delete personal data.
• Who can access to the personal data.

Data mapping consists of several related processes:

• Data discovery: Scanning your systems to identify what types of personal data are present.
• Data inventory: A live record detailing the types of personal data in your control.
• Data flow mapping: Diagrams that visualize how personal data flows through your organization.

Consider using automated data mapping tools to help you develop a dynamic, comprehensive overview of your data processing operations.

3. Adopt Data Protection Measures and Safeguards

The DPDPA requires a Data Fiduciary to:

• Implement “technical and organizational measures” to ensure compliance with the DPDPA and the upcoming DPDPA Rules.
• Adopt “reasonable security safeguards” to prevent personal data breaches, including among its Data Processors.
• Notify the affected Data Principals and the Data Protection Board in the event of a personal data breach.

The DPDPA Rules will provide further details on personal data breach notification requirements. For now, let’s consider the measures and safeguards you can implement in advance.

Technical and Organizational Measures and Reasonable Security Safeguards

What “technical and organizational measures” and “reasonable security safeguards” should you adopt to ensure DPDPA compliance?

Ultimately, the Data Fiduciary is responsible for determining how to meet the DPDPA’s security and compliance requirements, accounting for its resources, the types of personal data it processes, and the context in which it operates.

Take a “privacy by design” approach by implementing privacy and security protections throughout all of your systems and processes. 

Some measures and safeguards to help achieve DPDPA compliance include:

• Access controls: Ensure personal data is only accessible to people who require access.
• Data obfuscation: Adopt methods such as pseudonymization and encryption at every opportunity.
• Privacy code scanning: Software companies should scan their code throughout development to detect privacy vulnerabilities and ensure transparency.
• Policies and procedures: Implement “organizational measures” such as internal privacy policies and staff training programs.
• Automated data mapping: As noted above, gaining visibility over data flows is essential. Automated tools can help you understand how personal data flows into and out of your organization.

4. Determine When to Get Consent

Under the DPDPA, obtaining a Data Principal’s consent is mandatory in most—but not all—circumstances. 

Valid consent under the DPDPA fulfills all the following conditions:

• It is a “clear affirmative action”.
• It signifies a Data Fiduciary’s “free, specific, informed, unconditional, and unambiguous” agreement.
• It only allows the Data Fiduciary to process personal data:

• For a “specified purpose” and 
• “Limited to such personal data” as is necessary for that purpose.

The DPDPA’s “consent” definition is arguably stricter than the EU GDPR’s. In practice, the following principles likely apply whenever you request consent:

• Always provide notice (as explained below).
• Don’t rely on a pre-ticked box or “assumed consent”.
• Don’t make access to your services conditional on consent.
• Ensure the Data Principal can easily withdraw consent.
• Make separate consent requests for separate purposes.

Giving Notice When Requesting Consent

When requesting consent under the DPDPA, you must provide the following information to the Data Principal:

• The types of personal data you intend to process and your purposes for doing so.
• How the Data Principal can exercise their DPDPA rights (we explore these below).
• How to make a complaint to the Data Protection Board of India.

If you obtained consent from any Data Principal before the DPDPA commences, you must send them a consent notice as soon as “reasonably practicable” once the law takes effect.

Certain Legitimate Uses

The DPDPA provides “certain legitimate uses” of personal data that do not require consent.

The first of the DPDPA’s “legitimate uses” is likely relevant to most Data Fiduciaries. It applies when the Data Principal has:

• Voluntarily provided their personal data for a specified purpose.
• Not indicated that they do not consent to the processing of their personal data for that purpose.

This condition might be relevant in the following circumstances: 

• To collect contact details during account setup.
• To store personal data with a cloud services provider.
• To provide location-based services via GPS.

Note that these purposes must be “specified”—so you must explain why you are collecting or using the Data Principal’s personal data before doing so.

In total, there are eight “legitimate uses” under the DPDPA. We won’t cover them all, but the following three legitimate uses are likely to be relevant to many organizations:

• To fulfill legal obligations, such as responding to lawful requests from the state.

• In response to a medical emergency involving a threat to the life or health of any individual.
• For employment purposes, including safeguarding the employer or providing services and benefits to an employee.

5. Prepare for Data Rights Requests

People in India get a new set of data protection rights under the DPDPA. As a Data Fiduciary, it’s your job to facilitate these rights.

The DPDPA identifies four core Data Principal rights. Note that the first two of these rights only apply if: 

• You have obtained the Data Principal’s consent, or 
• The first of the DPDPA’s “certain legitimate uses” (explained above) applies.

Right to Access Information About Personal Data

A Data Principal has the right to request:

• A summary of their personal data and how you process it.
• A description of any of the personal data you have shared.
• The identities of each of the Data Fiduciaries and Data Processors with which you have shared their personal data.
• Any other information as required under the upcoming DPDPA Rules.

You do not need to comply with points two or three (above) under certain conditions, such as if you lawfully shared the data for crime-detection purposes.

Right to Correction and Erasure of Personal Data

A Data Principal may request that you correct, complete, or update personal data that is incorrect, incomplete, or out-of-date.

A Data Principal may request that you erase their personal data. You must erase personal data on request unless you need to retain it for one of the following reasons: 

• To fulfill the purposes for which you collected it, or

• To comply with the law.

Right of Grievance Redressal

A Data Principal has the right to a “readily available means of grievance redressal” provided by a Data Fiduciary or Consent Manager (a complaints process).

You must set up this complaints process, and Data Principals must exhaust it before complaining to the Data Protection Board.

Right to Nominate

A Data Principal has the right to nominate another individual to act on their behalf if they die or are incapacitated.

6. Review Your Service Provider Contracts

The DPDPA provides four basic rules using Data Processors:

• Data Fiduciaries are responsible for their Data Processors’ DPDPA compliance, including the implementation of reasonable security safeguards.
• When offering goods and services to individuals, a Data Fiduciary may only engage a Data Processor under a “valid contract”.
• If a Data Principal withdraws consent, the Data Fiduciary must notify any relevant Data Processors.
• On receiving a valid request under the “right to information”, a Data Fiduciary must disclose the identities of all relevant Data Processors to the Data Principal.

As noted above, data flow mapping can help you understand how you share personal data and which of your service providers are Data Processors. 

Consider reviewing your contracts with service providers. If any service providers are Data Processors, your contracts should require them to protect personal data to DPDPA standards.

7. Understand the Seriousness of DPDPA Enforcement

The DPDPA takes a graded approach to enforcement, with some violations attracting more severe penalties than others. But some serious DPDPA breaches come with very steep potential penalties.

Along with corrective measures, the Data Protection Board will have the power to impose a fine of up to INR 250 crore (approximately USD 30 million) for the most serious offense—failing to implement reasonable security measures to prevent a personal data breach.

Preparing for India’s DPDPA

These seven steps will help you lay the groundwork for DPDPA compliance:

• Understand your role under the DPDPA.
• Gain data visibility using methods such as data mapping.
• Implement technical and organizational privacy and security measures, such as access controls, encryption, and privacy code scanning.
• Get consent for data processing unless you can rely on one of the DPDPA’s “legitimate uses”.
• Prepare to facilitate Data Principal rights requests.
• Reviewing your contracts with Data Processors.
• Understand how the DPDPA will be enforced.

Legal obligations aside, these foundational privacy governance steps can reduce risk, build customer trust, and encourage sustainable growth.