Overview
At long last, on November 13, 2025, India’s Ministry of Electronics and Information Technology (MeitY) released the Digital Personal Data Protection Rules (Rules), which operationalize the Digital Personal Data Protection Act, 2023 (DPDPA). The Rules represent a watershed moment as India ushers in a new era of data protection. While there is work to be done for many companies that do business in India, there are broad exceptions for the use of outsourcing facilities in India, which is welcome news for many US-based companies. Another cause for relief is that most of the Rules have an 18-month implementation window.
Companies doing business in India ought not to wait until the end of that implementation window, however, as the compliance requirements for the DPDPA are substantially different from the EU’s General Data Protection Regulation (GDPR) or anything in the United States. As a result, designing a compliance program will take time and investment, which companies ought to consider starting now. Companies subject to the DPDPA – or who would like to assess whether they might be subject to the DPDPA – should reach out to their regular McDermott Will & Schulte lawyer or the authors.
In Depth
1. To which data does the DPDPA apply?
The DPDPA applies to 1) personal data that is collected and processed within India, or 2) personal data of Data Principals that is collected and processed outside the country as it relates to goods or services offered to individuals within India (DPDPA Section(2)(i)). “Data Principals,” as used in the DPDPA, is another term for data subjects as described in the GDPR, and is just one of the several differences between India’s law and the GDPR.
Another difference is that the DPDPA does not differentiate between personal data and sensitive personal data. Instead, the DPDPA applies broadly to “any data about an individual who is identifiable by or in relation to such data” (DPDPA Section(2)(t)).
2. To which companies does the DPDPA apply?
The DPDPA replaces the familiar “Controller” term with “Data Fiduciary,” which refers to “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.”
Unlike the GDPR, the DPDPA does not contain a small business exception. Instead, the DPDPA allows individual companies to petition local courts for exemptions.
3. What if I outsource operations to India?
The DPDPA includes an exemption for the processing of data of individuals not in India, where the processing of that data occurs in India pursuant to a contract between a person in India and a person outside the country (DPDPA Section(3)). As a result, many US companies that rely on outsourcing in India may be exempt from DPDPA compliance.
4. What is a “Significant Data Fiduciary”?
A Data Fiduciary may be classified as a “Significant Data Fiduciary” by the Indian Central Government. Factors that may result in a Significant Data Fiduciary classification include “the volume and sensitivity of personal data processed” and “risk to the rights of Data Principal[s],” among others (DPDPA Section (10)(1)(a)). An entity’s classification as a Significant Data Fiduciary would impose additional compliance obligations such as the need to appoint a Data Protection Officer (DPO) and more restricted data processing rights (DPDPA Section(10)(2)(a)). As of now, India has not designated any particular companies or industries as Significant Data Fiduciaries. However, it is expected to do so at some point in 2026.
5. What are the legal grounds for processing personal data under the DPDPA?
The DPDPA provides only two scenarios in which a Data Fiduciary may process a Data Principal’s personal data: 1) with the Data Principal’s consent, or 2) for certain legitimate uses (DPDPA Section(4)). The DPDPA is structured such that consent is intended to be the primary method through which Data Fiduciaries are permitted to process personal data. Notably, verifiable consent must always be obtained before the processing of “any personal data of a child or a person with disability who has a lawful guardian” (DPDPA Section(9)).
Legitimate uses are limited to 1) “the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary” and where the Data Principal has not indicated non-consent (e.g., data processing to complete a transaction), and 2) government usage, including the provision of services, benefits, or permits (DPDPA Section (7)). Absent from the DPDPA is the GDPR’s broad “legitimate basis” for processing personal data.
The DPDPA does not apply, however, to the processing of personal data that is “made or caused to be made publicly available by” the Data Principal or pursuant to law (DPDPA Section(3)).
6. What are the consent requirements under the DPDPA?
In almost all cases, the DPDPA requires a Data Fiduciary to obtain a Data Principal’s consent before processing the Data Principal’s personal data. The consent given by the Data Principal must be specific and unambiguous, with “a clear affirmative action” (DPDPA Section(6)). The consent is further limited to the processing of the Data Principal’s personal data that is necessary for the specified purpose.
7. What is the notice component of the consent requirements?
For a Data Principal’s consent to be valid, the request for consent by a Data Fiduciary to a Data Principal must be accompanied or preceded by a notice to the Data Principal. The notice must contain:
- An itemized description of the personal data to be processed.
- The specific goods or services to be enabled by the processing.
- A link or description where the Data Principal may withdraw their consent, exercise their rights under the DPDPA, or make a complaint to the Data Protection Board of India (DPDPA Rules Section(3), (5)).
Significantly, if consent is not the basis for processing, then notices are not required under the DPDPA.
8. Do consent requirements apply retroactively?
If a Data Principal has consented to the processing of personal data prior to the implementation of the DPDPA, the Data Fiduciary must provide to the Data Principal, “as soon as it is reasonably practicable,” a privacy notice as described in the section above. However, the Data Fiduciary may continue to process the Data Principal’s personal data until and unless the Data Principal withdraws consent.
9. What is a Consent Manager?
Similar to the “authorized agent” concept in the GDPR, a “Consent Manager” under the DPDPA is a person or entity that may serve as an intermediary between a Data Principal and a Data Fiduciary, through which the Data Principal may consent to the Data Fiduciary’s processing of personal data. The Consent Managers must be registered with the Data Protection Board and adhere to certain requirements (DPDPA Rules Section(11) – (12)).
10. What are the retention obligations or limitations of a Data Fiduciary?
When the specified purpose of the processing of the Data Principal’s personal data is “deemed as no longer being served,” the Data Fiduciary is required to erase the data, unless there is a legal basis for retaining the data. Under the DPDPA, certain Data Fiduciaries are required to erase personal data within three years of the Data Principal approaching the Data Fiduciary for processing, or the implementation of the Rules, whichever is later. Such Data Fiduciaries include:
- E-commerce entities with 20 million or more registered users in India.
- Online gaming entities with 5 million or more registered users in India.
- Social media entities with 20 million or more registered users in India.
The Data Fiduciary must alert the Data Principal of such erasure at least 48 hours in advance of the end of the mandated erasure time period.
A Data Fiduciary must also implement logging, monitoring, and review to enable detection and prevent reoccurrence of unauthorized access to personal data. The Data Fiduciary must retain such logs for one year (DPDPA Rules Section(8)).
11. What is the definition of a “personal data breach” and what are the obligations of a Data Fiduciary in the event of a personal data breach?
As in the GDPR, the definition of “personal data breach” is “unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.” However, in contrast, the DPDPA and its Rules do not have any risk-of-harm analysis as a trigger for regulatory or user notification.
Upon becoming aware of a personal data breach, a Data Fiduciary must notify each impacted Data Principal without delay and provide information regarding the breach, including a description of the extent and timing of the breach, likely consequences of the breach, risk mitigation measures implemented by the Data Fiduciary, safety measures available to the Data Principal, and the business contact information of a representative of the Data Fiduciary.
Further, a Data Fiduciary must immediately report to the Data Protection Board the breach’s “nature, extent, timing and location of occurrence and the likely impact.” Within 72 hours, the business must give another update to the Board, which report must include mitigation measures, a copy of the notice given to individuals, and any findings regarding the person who caused the breach (DPDPA Rules Section (7)).
12. What are the rights of a Data Principal?
A Data Principal has 1) the right to access a summary of their personal data processed by a Data Fiduciary and the identities of all Data Fiduciaries and Data Processors with whom the data has been shared; 2) the right to correction, completion, and erasure of personal data; and 3) the right to a “readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager,” among other rights (DPDPA Section(11) – (14)).
Checklist
As detailed above, the DPDPA and its associated Rules have similarities to other data protection frameworks like the GDPR. However, the DPDPA has its own unique obligations. Below is a checklist that companies can use to gauge their business’s readiness ahead of the 2027 enforcement deadline.
Application: Does the DPDPA apply to your business?
- If your business does any of the following, you may be subject to the DPDPA:
  - Processes personal data in India.
  - Offers any goods or services to individuals in India.
Exemptions:
- If your business does any of the following, it may fall within an exemption to the DPDPA:
  - Processes personal data that is made or caused to be made public by the Data Principal themselves or at the direction of an Indian governmental entity.
  - Processes within India the data of individuals not in India, pursuant to a contract between a person in India and a person outside the country (i.e., outsources data processing to India).
Privacy obligations include:
- Providing notice to Data Principals for processing activities prior to the 2027 implementation date.
- For all new processing activities after the 2027 implementation date, informing individuals about the collection, processing, and purposes of their personal data, including the rights available to them.
- Establishing procedures for individuals to access, correct, update, or delete their personal data, and to withdraw consent.
- Ensuring that transfers of personal data outside India meet future regulatory requirements such as avoiding blacklisted countries or using contractual safeguards.
- Conducting or modifying regular training and awareness programs to account for the DPDPA’s nuances, such as potentially receiving Data Principal rights requests from Consent Managers.
Security obligations such as:
- Establishing technical and organizational safeguards to protect personal data against unauthorized access, alteration, disclosure, or destruction. These should include:
  - Privileged access controls.
  - Encryption in transit and at rest.
  - Backup and recovery procedures in the event of a business interruption.
  - Vulnerability and patch management.
  - Third-party due diligence practices.
  - Monitoring and logging of hardware to detect potential data breaches.
- Establishing data-breach notification procedures that cover the drafting, approval, and distribution of notices to both the Data Protection Board and affected individuals.
Obligations on Significant Data Fiduciaries include:
- Conducting Data Protection Impact Assessments at least annually.
- Scheduling annual audits that will measure the Data Fiduciary’s compliance.
- Appointing a Data Protection Officer (DPO) based in India.