The Digital Personal Data Protection Act 2023 (DPDP Act) — signed into law on 11 August 2023 and progressively brought into force — is India's most significant data governance legislation since the IT Act 2000. It replaces the fragmented privacy landscape with a comprehensive framework governing how personal data of Indian residents may be collected, processed, stored, and deleted. For Indian organisations, compliance is not optional: penalties of up to ₹250 crore per breach category, combined with the reputational consequences of a high-profile enforcement action, make DPDP Act compliance a board-level priority.
DPDP Act 2023: Key Definitions and Scope
The Act applies to the processing of "digital personal data" — personal data collected in digital form or subsequently digitised. It covers:
- Data Fiduciary: Any person or entity that determines the purpose and means of processing personal data. In corporate terms, this is the organisation that collects and uses customer, employee, or supplier personal data. Similar to GDPR's "data controller."
- Data Principal: The individual to whom the personal data relates. Similar to GDPR's "data subject."
- Consent Manager: A new category — a third-party entity registered with the Data Protection Board that acts as a single point of interface for Data Principals to manage their consents across multiple Data Fiduciaries.
- Significant Data Fiduciary (SDF): Designated by the Central Government based on volume of data processed, sensitivity, national security implications, or risk of harm. SDFs have additional obligations — Data Protection Officer, Data Protection Impact Assessments, and periodic audits.
Who Is a "Significant Data Fiduciary"?
The Central Government has signalled that SDFs will likely include large social media operators, telecom companies, healthcare aggregators, and financial institutions processing data at scale. However, any organisation with a large customer database (millions of records) or processing sensitive personal data categories should prepare for potential SDF designation and fulfil the additional requirements proactively.
Consent: The Foundation of DPDP Act Compliance
Unlike GDPR's six lawful bases, the DPDP Act primarily relies on two bases for processing: Consent and Legitimate Uses (analogous to GDPR's legal obligation basis). Consent under the DPDP Act must be:
- Free: Not obtained through coercion, deception, or conditional access to a service that does not require the particular data.
- Specific: For a defined purpose that is described in clear and plain language the Data Principal can understand.
- Informed: The Data Principal must be given a notice describing what data will be processed, for what purpose, and how they can withdraw consent.
- Unconditional: Not bundled into general Terms & Conditions or privacy policies that are take-it-or-leave-it.
- Unambiguous: An affirmative action — tick box, digital signature, or Aadhaar OTP — not silence or pre-ticked boxes.
The Eight Legitimate Uses Under the Act
Schedule I of the DPDP Act defines eight scenarios where processing is permitted without explicit consent (similar to GDPR's legal obligation and legitimate interests bases):
- Processing required under law (regulatory, judicial, or statutory obligations)
- Processing for the State for services, benefits, or functions under law (e.g., government schemes)
- Fulfilment of a contract with the Data Principal (HR payroll, vendor payment)
- Medical emergencies involving risk to life of Data Principal or others
- Health and epidemic-related processing ordered by the State
- Employment-related purposes, including employee safety
- Prevention and detection of unlawful activity
- Processing of publicly available data
Data Principal Rights Under DPDP Act 2023
| Right | What It Means | DMS Requirement |
|---|---|---|
| Right to Access Information | Summary of personal data held and processing activities | Data inventory search and export capability |
| Right to Correction | Correct inaccurate or outdated personal data | Controlled editing workflow with audit trail |
| Right to Erasure | Delete personal data when purpose is fulfilled (subject to retention law) | Verified secure deletion with disposition certificate |
| Right to Grievance Redressal | Raise a complaint with the Data Fiduciary and have it addressed within the prescribed timeline | Grievance tracking and response workflow |
| Right of Nomination | Nominate another person to exercise rights on Data Principal's death or incapacity | Nominee registration and verification capability |
Penalties Under the DPDP Act 2023
The Data Protection Board of India — an adjudicatory body — is empowered to impose penalties for breach of the Act's obligations. The penalty schedule (Schedule II) includes:
- Breach of child data protection obligations (Section 9): up to ₹200 crore
- Failure to give mandatory data breach notification: up to ₹200 crore
- Failure to implement reasonable security safeguards: up to ₹250 crore
- Breach of additional SDF obligations: up to ₹150 crore
- Any other breach of the Act: up to ₹50 crore
Breach Notification Timeline
On discovering a personal data breach, Data Fiduciaries must notify the Data Protection Board and affected Data Principals within timelines prescribed by the Rules (expected to be 72 hours for significant breaches, mirroring GDPR). The notification must include the nature of data affected, estimated number of individuals impacted, and remedial measures taken.
How a DMS Enables DPDP Act Compliance
A Document Management System is the operational hub for DPDP Act compliance. Here is how Sarthi DMS maps to the key obligations:
- Consent audit trails: Every consent obtained — for document collection, processing, or sharing — is recorded with timestamp, channel, purpose, and version of the consent notice. Withdrawals are recorded in the same way and automatically trigger a retention review.
- Data mapping: AI-powered data discovery maps personal data across all stored documents, populating a data inventory that forms the basis of the processing record required by the Act.
- Retention enforcement: Automated retention schedules ensure personal data is not retained longer than the purpose requires (or the statutory minimum, whichever is longer). End-of-retention triggers a Data Principal notification and secure deletion workflow.
- Right of access fulfilment: When a Data Principal requests a summary of their personal data, Sarthi DMS searches across all repositories and compiles the response — in days, not weeks.
- Erasure management: Verified erasure with disposition certificate, respecting litigation holds and conflicting statutory retention obligations.
- Breach response workflow: Pre-built incident response workflow with notification drafts, impact assessment templates, and escalation to DPO/legal counsel on breach detection.