By Harsh Singh Dahiya, Advocate, Supreme Court of India | Partner, Sterling & Partners

India’s Digital Personal Data Protection Act, 2023 (DPDPA) represents the country’s first comprehensive legal framework dedicated to the protection of digital personal data. Passed by Parliament in August 2023, the Act introduces a regime that is broadly comparable to international data protection frameworks such as the European Union’s General Data Protection Regulation (GDPR), while reflecting India’s specific regulatory context and policy priorities.

As of the date of this article, the DPDPA has received Presidential assent and been notified in the Official Gazette. The Digital Personal Data Protection Rules, 2025 were notified in January 2025, providing the detailed operational framework for many of the Act’s provisions. The Data Protection Board of India, the Act’s principal enforcement authority, is in the process of being constituted. For businesses, this period — while the rules are partially operational — is not a period of inactivity. It is a compliance window that must be used purposefully.

This article sets out the key definitions and legal framework under the DPDPA, the obligations that arise for businesses, the specific enhanced obligations that apply to Significant Data Fiduciaries, the rights that Indian citizens can enforce, and the penalty exposure for non-compliance.

The Key Architecture of the DPDPA — Definitions and Framework

The DPDPA’s operational framework rests on a set of carefully defined terms. Understanding these definitions is the starting point for any compliance programme.

“Personal data” under the Act means any data about an identifiable individual. Unlike some international frameworks, the DPDPA does not separately categorise “sensitive” personal data (though heightened protections for children’s data and specific categories may emerge through rules under Significant Data Fiduciary designations). The data protection framework applies to all digital personal data — data collected in digital form, or collected in non-digital form and subsequently digitised.

The “Data Principal” is the individual to whom the personal data relates. All rights under the Act — the right to access, to correction, to erasure, to grievance redressal — vest in the Data Principal. Indian citizens are Data Principals in relation to their own data. In the case of a child or a person with disability, the Data Principal’s rights are exercised by the parent or lawful guardian.

The “Data Fiduciary” is the entity — a person, company, organisation, or state body — that alone or in conjunction with others determines the purpose and means of processing personal data. This concept corresponds broadly to the “data controller” in GDPR terminology. The Data Fiduciary bears the primary compliance obligations under the Act.

The “Data Processor” is an entity that processes personal data on behalf of a Data Fiduciary, pursuant to a contract. The Data Processor does not bear direct liability to Data Principals under the Act — the fiduciary remains accountable — but the contract between fiduciary and processor must require the processor to comply with applicable DPDPA provisions.

The Consent Manager — India’s Unique Innovation

Perhaps the most novel concept in the DPDPA is the “Consent Manager.” The Act envisages a registered intermediary that enables Data Principals to give, manage, review, and withdraw consent across multiple Data Fiduciaries through a single platform. Consent Managers are required to register with the Data Protection Board and must operate in an interoperable manner.

The Consent Manager model has no direct analogue in the GDPR. It responds to the practical challenge of managing consent in a country with hundreds of millions of digital users operating across thousands of platforms. A Data Fiduciary can rely on consent obtained or managed through a Consent Manager, but the ultimate accountability for ensuring that valid consent was in fact obtained remains with the fiduciary.

Lawful Bases for Processing Personal Data

Under the DPDPA, personal data may be processed only on one of two lawful bases: consent of the Data Principal, or a legitimate use recognised by the statute.

Consent Requirements Under the Act

Consent under the DPDPA must be free, specific, informed, unconditional, and unambiguous. It must be signified by a clear affirmative action. Bundled consent — where a person is asked to consent to multiple unrelated purposes at once — is not valid. Consent obtained through deception, coercion, or as a precondition to a basic service where such processing is not necessary is equally invalid.

Data Fiduciaries are required to provide a notice to the Data Principal before obtaining consent. This notice must set out in clear, plain language the personal data to be collected, the purpose of processing, how the Data Principal can exercise their rights, and the grievance redressal process. Critically, the notice must inform the Data Principal of the process for withdrawing consent and the consequences of withdrawal.

The right to withdraw consent at any time — with effect from the point of withdrawal — is a fundamental right under the Act. Where consent is withdrawn, the Data Fiduciary must cease processing and cause its processors to erase the personal data, unless retention is mandated by applicable law.

Legitimate Uses — Processing Without Consent

The Act recognises several categories of “legitimate use” where personal data may be processed without individual consent. These include: performance of a function by the State or its instrumentalities for the benefit of Data Principals; compliance with a judgment or order of a court; response to a medical emergency; provision of services in a disaster or public order situation; and certain employment-related processing. The legitimate use provisions are intended to be narrowly construed; they cannot be invoked as a blanket justification for processing that would otherwise require consent.

Obligations of Data Fiduciaries

Every entity that qualifies as a Data Fiduciary — which, in practice, means every business that collects and processes any digital personal data relating to Indian residents — is subject to a set of baseline obligations under Section 8 of the DPDPA.

These obligations include:

Accuracy and completeness: Personal data used to make a decision that affects a Data Principal, or that is shared with another Data Fiduciary, must be accurate and complete before it is used.

Security safeguards: Data Fiduciaries must implement reasonable technical and organisational measures to prevent personal data breaches. The standard of “reasonable security” will be calibrated by the rules and by the Board’s future guidance, but businesses should treat current industry standards — encryption, access control, audit logging — as a baseline.

Breach notification: Any personal data breach must be notified to the Data Protection Board and to affected Data Principals, regardless of the severity of the breach. The Act, unlike the GDPR, does not prescribe a specific notification window such as 72 hours, leaving the timeline to be specified by rules. The Digital Personal Data Protection Rules, 2025, include breach notification requirements that businesses must incorporate into their incident response planning.

Data retention and erasure: Personal data must not be retained beyond the period necessary for the stated purpose. Where consent is withdrawn, data must be erased unless law requires otherwise. Automated deletion procedures are strongly advisable.

Grievance redressal: Every Data Fiduciary must publish contact information for a designated person who can respond to Data Principal grievances. Before a complaint can be made to the Data Protection Board, the Data Principal must first seek grievance redressal from the Data Fiduciary or its Consent Manager. This makes internal grievance mechanisms both a legal obligation and a first line of defence against Board proceedings.

Significant Data Fiduciaries — Enhanced Obligations

The Central Government has the power under Section 10 of the DPDPA to designate any Data Fiduciary or class of Data Fiduciaries as a “Significant Data Fiduciary” (SDF), based on factors including the volume and sensitivity of personal data processed, the risk of harm to Data Principals, and implications for national security, sovereignty, and electoral democracy.

No SDFs have yet been formally designated as of the time of writing, but large technology platforms, major financial institutions, healthcare providers, and entities processing biometric data at scale are widely expected to be among the first categories of designation.

SDFs are subject to elevated obligations beyond the baseline, which include:

Appointment of a Data Protection Officer (DPO): The DPO must be based in India and must be a member of or accountable to the board of directors or comparable governing body of the SDF. The DPO serves as the primary point of contact for the Data Protection Board and for Data Principal grievances.

Appointment of an independent data auditor: SDFs must appoint an independent auditor to conduct periodic Data Protection Impact Assessments (DPIAs) and audits, the findings of which must be reported to the Board.

Algorithmic due diligence: Rule 13 of the Digital Personal Data Protection Rules, 2025 requires SDFs to verify that algorithmic and technical measures used for processing personal data — including AI and machine learning systems — do not pose a risk to Data Principal rights.

Data localisation: Rule 13(4) provides that SDFs must ensure that personal data and traffic data of categories specified by the Central Government are not transferred outside India. The Central Government will determine the specific categories through a committee process. Until designation orders are issued, the precise scope of localisation obligations for any given SDF remains subject to government notification.

Annual DPIA and audit reports: These must be provided to the Data Protection Board, giving the regulator visibility into each SDF’s data processing practices on an ongoing basis.

Rights of Data Principals

The DPDPA creates a set of enforceable rights for every Indian citizen whose personal data is processed:

The right to information: A Data Principal is entitled to information about the personal data being processed and the purposes for which it is processed.

The right to correction and erasure: A Data Principal can require a Data Fiduciary to correct inaccurate or misleading personal data and to erase data that is no longer necessary for the stated purpose.

The right to grievance redressal: Every Data Principal has the right to a response to any grievance relating to the processing of their personal data.

The right to nominate: A Data Principal can nominate another individual to exercise their rights in the event of their death or incapacity — an innovative provision that addresses the digital estate of deceased persons.

These rights are exercisable directly against Data Fiduciaries. If the fiduciary fails to respond adequately, the Data Principal may escalate to the Data Protection Board.

The Data Protection Board and Penalties for Non-Compliance

The Data Protection Board of India, once constituted, will function as the primary adjudicatory body under the DPDPA. The Board is equipped with powers analogous to a civil court — it can summon parties, examine evidence on oath, and issue directions. Its proceedings are to be conducted digitally and expeditiously.

The penalty regime under the DPDPA is substantial. The Act’s Schedule, read with Section 33, prescribes penalties by category of violation:

  • Failure to fulfil obligations under Sections 4 to 12 (core processing, consent, and Data Fiduciary obligations): up to ₹200 crore per violation.
  • Failure to take reasonable security safeguards under Section 8(5): up to ₹200 crore.
  • Failure to notify the Board and affected Data Principals of a personal data breach under Section 8(6): up to ₹200 crore.
  • Failure to appoint a DPO and publish contact information under Section 10: up to ₹10 crore.
  • Failure to conduct a DPIA or data protection audit under Section 10(1)(b) or (c): up to ₹50 crore.
  • Failure to comply with Board directions under Section 34: up to ₹250 crore.

Penalties for multiple violations accumulate — each violation is assessed separately, and the Board may impose a multiplier for repeat contraventions. The maximum theoretical penalty exposure for a single entity could significantly exceed ₹500 crore. For businesses operating at scale, the financial risk of non-compliance is not abstract.

What Businesses Must Do Now

Given that the Rules have been notified and the operational framework is substantially in place, the window for “wait and see” compliance has closed. Businesses should treat the current period as an active compliance phase. The following actions are prioritised:

Map your data: Identify all digital personal data that your business collects, processes, stores, or shares. Understand the purpose for which each category of data is processed, who has access to it, where it is stored, and how long it is retained.

Audit consent mechanisms: Review every touchpoint where personal data is collected — websites, mobile applications, physical-to-digital forms, third-party data acquisitions — and assess whether consent obtained at each touchpoint meets the DPDPA standard: free, specific, informed, unconditional, and unambiguous, with a clear withdrawal mechanism.

Update privacy notices: Ensure that every privacy notice and consent request complies with the DPDPA’s requirements for plain-language disclosure, purpose specification, and information about Data Principal rights.

Review data processor contracts: Every contract with a third-party processor must contain appropriate data protection obligations, including the duty to implement security safeguards, to assist with Data Principal rights requests, and to delete data upon termination.

Build a breach response capability: Establish an incident response plan that covers detection, containment, assessment, and notification of personal data breaches. Notification to the Board and to affected individuals must happen without delay.

Establish grievance redressal: Appoint a designated person or contact point for Data Principal grievances and publish their contact information on your website, applications, and in your privacy notices. Implement a process for logging and responding to grievances within defined timelines.

Prepare for SDF designation: If your business processes large volumes of personal data or data of a sensitive nature, begin preparing for possible SDF designation — including identifying potential DPO candidates based in India, designing a DPIA framework, and assessing data localisation implications for your infrastructure.

Engage legal counsel: The DPDPA’s obligations interact with a range of other Indian laws — the Information Technology Act, 2000, sector-specific regulations from RBI, SEBI, IRDAI, and TRAI, and employment law — in ways that require integrated legal advice rather than a purely technical compliance approach.

Key Takeaways

  • The DPDPA 2023 is India’s first comprehensive digital personal data protection law. The Rules were notified in 2025; compliance obligations are now operational.
  • Personal data may be processed only with consent or under a legitimate use specified by the Act. Consent must be free, specific, informed, and withdrawable.
  • Data Fiduciaries bear primary accountability: for accuracy, security safeguards, breach notification, data erasure, and grievance redressal.
  • Significant Data Fiduciaries, when designated, must appoint an India-based DPO, conduct annual DPIAs and audits, exercise algorithmic due diligence, and comply with data localisation requirements for notified categories.
  • Data Principals have enforceable rights to information, correction, erasure, and grievance redressal — failures to honour these rights are penalisable.
  • Penalties range from ₹10 crore for administrative failures to ₹250 crore for non-compliance with Board directions — and multiple violations are penalised separately.
  • The Consent Manager is a unique Indian mechanism enabling centralised consent management; reliance on a Consent Manager does not relieve the Data Fiduciary of accountability.
  • Businesses should not await formal Board constitution before beginning compliance — notices, consent mechanisms, processor contracts, and breach response plans should be in place now.

About Sterling & Partners

Sterling & Partners is a full-service law firm with chambers at the Supreme Court of India and offices in Greater Kailash-2, New Delhi. The firm practises before the Supreme Court of India and all major courts and tribunals, with expertise in technology law, data protection compliance, cyber law, and regulatory advisory under the Information Technology Act and the DPDPA. For consultation on data protection strategy, compliance programmes, or DPDPA-related matters, contact the firm through sterlingpartners.law.