
India’s New Data Protection Act

What Global Companies Must Know?

India’s rapidly evolving digital economy has prompted a significant overhaul of its data protection framework. The introduction of the Digital Personal Data Protection Act (DPDP Act) 2023 marks a pivotal moment in the country’s approach to privacy and data governance. As one of the largest and fastest-growing digital markets globally, India’s new data protection law has far-reaching implications—not just for domestic companies, but for global businesses that operate in or handle the personal data of Indian citizens.

For multinational organizations, understanding and complying with the DPDP Act is no longer optional. The law introduces new compliance obligations, cross-border data transfer regulations and hefty penalties for non-compliance.

Understanding the DPDP Act

The DPDP Act is India’s first standalone data protection law, designed to protect the personal data of individuals (referred to as “Data Principals”) and regulate the processing activities of organizations (referred to as “Data Fiduciaries”).
Key objectives of the DPDP Act include:

  • Ensuring data protection and privacy for individuals.
  • Establishing clear guidelines for data collection, storage and processing.
  • Providing a legal framework for consent-based data sharing.
  • Enabling accountability through a dedicated Data Protection Board.

Why This Matters for Global Companies?

With over a billion digital users, India represents a massive market. Any company, regardless of where it is based, that processes personal data of individuals located in India falls within the scope of the data protection laws in India. This includes global tech firms, e-commerce platforms, SaaS providers and any cross-border service provider with access to Indian users’ data.

Key reasons global companies must pay attention to the DPDP Act:

  • Extraterritorial applicability: The law applies to data processed outside India if it involves offering goods or services to individuals in India.
  • Cross-border data transfers: The Act introduces new rules on the transfer of personal data outside India, subject to government-approved lists of countries.
  • Consent and transparency: Organizations must obtain explicit consent from individuals before collecting or using their data and must clearly communicate the purpose of data usage.

Digital Personal Data Protection (DPDP) Compliance Checklist

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s comprehensive privacy law designed to safeguard individuals’ digital personal data while enabling organizations to process it responsibly. Businesses operating in India—or handling the personal data of Indian residents—must comply with its provisions.
Below is a compliance checklist to help organizations prepare and align with the DPDP Act:

Global businesses must understand the Act’s key provisions, compliance demands and operational impacts to navigate a shifting regulatory environment.

Data Principals enjoy the following:

  • Right of access, correction and erasure
  • Right to withdraw consent at any time
  • Grievance redressal mechanisms
  • Right to nominate a representative to act on their behalf in cases of incapacity or death

Data Fiduciary vs. Significant Data Fiduciary

The Act introduces a tiered framework:

  • Data Fiduciaries (general organizations processing Indian personal data) bear obligations around consent management, recordkeeping, breach notifications, security measures and grievance redressal.
  • Significant Data Fiduciaries—designated based on factors like data volume, sensitivity and risk—face enhanced responsibilities. These include:
    • Appointing an India-based Data Protection Officer (DPO)
    • Engaging an Independent Data Auditor
    • Conducting Data Protection Impact Assessments
    • Reporting to the governance structure and ensuring rigorous compliance

Cross-Border Data Transfers and Data Localization

The DPDP Act largely permits cross-border transfers unless restricted by government notification.

  • Children’s Data: Tight Provisions
    Processing personal data of individuals under 18 requires verifiable parental or guardian consent. The Act strictly prohibits tracking, behavioral monitoring and targeted advertising toward minors.
  • Enforcement, Penalties and Dispute Redressal
    The Data Protection Board of India (DPBI) will act as the adjudicatory body—empowered to oversee compliance, investigate breaches, impose penalties and manage grievances. It has powers akin to a civil court: summoning, inquiry, interim orders and mediation.
  • Penalties are steep: Rs.50 crore to Rs.250 crore depending on violation severity (e.g., failure to secure children’s data, security lapses).

What Global Companies Should Do Now

A. Get Ahead with Readiness

  • Map data flows involving Indian personal data.
  • Build or upgrade systems for granular consent management.
  • Prepare multi-language user notices and privacy documentation.
  • Draft or update breach response protocols.

B. Plan for Governance

  • Identify whether your organization qualifies as a Significant Data Fiduciary.
  • If so, begin shaping frameworks for DPO appointment, independent audits and impact assessments.
  • Assign ownership for DPBI communications and grievance processes.

C. Align with Sectoral Laws

India’s sector-specific regulations (RBI for finance, TRAI for telecom, healthcare rules) remain in force and dovetail with the DPDP Act.

Final Thoughts

The Digital Personal Data Protection Act, 2023, marks a significant development in India’s approach to privacy and data regulation. For global businesses engaging with Indian markets or handling the data of Indian residents, the Act introduces clear responsibilities and heightened expectations around data governance.

Rather than viewing compliance as a one-time obligation, organizations should approach the DPDP Act as part of a broader shift toward more transparent and accountable data practices. Early preparation through legal assessments, operational updates and internal governance can help businesses align with the law and adapt to its evolving requirements.

As India continues to refine its digital regulatory landscape, maintaining compliance with the DPDP Act will be essential for sustainable operations and long-term stakeholder trust.
