Privacy & Data Protection

India Digital Personal Data Protection Act 2023

India's landmark data protection law, enacted August 2023, establishing a consent-based framework with a Data Protection Board and significant localization considerations for multinational technology operators.

What You Need to Know

The Digital Personal Data Protection Act, 2023 (DPDP Act, No. 22 of 2023) received Presidential assent on August 11, 2023 and is the first comprehensive personal data protection law in India, replacing the IT (Amendment) Act 2008's Section 43A framework. The DPDP Act applies to the processing of digital personal data within India, and to processing of personal data outside India if it is for the purpose of offering goods or services to individuals in India (Section 3). The Act designates data principals (data subjects), data fiduciaries (controllers), and consent managers (accredited intermediaries). It establishes a Data Protection Board of India (DPB) as the adjudicatory body, with powers to investigate, impose penalties, and order compliance. Maximum penalties under the Schedule to the Act include INR 50 crore (≈$6 million USD) for failure to take reasonable security safeguards, INR 250 crore (≈$30 million USD) for non-fulfillment of obligations regarding children's data, and INR 200 crore for breach notification failures.

The consent framework under the DPDP Act (Sections 6–8) requires explicit, informed, specific, and revocable consent for processing personal data — except where "legitimate uses" apply (Section 7), which include processing for employment, legal proceedings, medical emergencies, and state functions. Consent must be sought through a clear, plain-language notice (Section 5) that specifies: the personal data to be collected, the purpose of processing, and the manner of exercising rights. A consent manager (Section 2(g)) is a registered entity that enables data principals to give, manage, review, and withdraw consent through a single interface — a novel concept that may require engineering integration via an API with the Consent Manager Registry. Data fiduciaries must ensure data accuracy and completeness (Section 8(4)), implement reasonable security safeguards (Section 8(5) — the Act does not specify technical standards, but the Rules are expected to reference CERT-In frameworks), and notify the DPB and affected data principals of data breaches (Section 8(6)).
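The consent framework above maps naturally onto a small consent ledger: a notice that cannot exist without the three elements Section 5 requires, consent that is specific to one purpose and one set of data items, withdrawal that immediately stops processing, and a "legitimate use" bypass for the Section 7 categories. The following is an added example written for this page, not code from the page's author or from any consent-manager registry; the class names, the `may_process` API, the audit-log shape and all sample values are this example's own assumptions, and it does not model the consent-manager registry API (which the Rules have yet to define).

```python
"""Consent ledger modelling the DPDP Act consent framework (added example).

Section references follow the page; the ledger API, field names and sample
data are assumptions made for illustration, not anything the Act defines.
"""
import itertools
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# "Legitimate uses" listed on the page under Section 7: processing allowed without consent.
LEGITIMATE_USES = frozenset({"employment", "legal_proceedings", "medical_emergency", "state_function"})


@dataclass(frozen=True)
class ConsentNotice:
    """Plain-language notice (Section 5): what is collected, why, and how rights are exercised."""
    data_items: frozenset
    purpose: str
    rights_exercise_manner: str

    def __post_init__(self):
        # A notice missing any of the three required elements cannot support informed consent.
        if not self.data_items or not self.purpose.strip() or not self.rights_exercise_manner.strip():
            raise ValueError("notice must state data items, purpose and how rights are exercised")


@dataclass
class ConsentRecord:
    consent_id: int
    principal_id: str
    notice: ConsentNotice
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Single interface to give, review and withdraw consent (the consent-manager role, Section 2(g))."""

    def __init__(self):
        self._records = {}
        self._ids = itertools.count(1)
        self.audit_log = []  # (event, consent_id, timestamp): constructed audit trail for review

    @staticmethod
    def _now():
        return datetime.now(timezone.utc)

    def give(self, principal_id: str, notice: ConsentNotice) -> int:
        cid = next(self._ids)
        rec = ConsentRecord(cid, principal_id, notice, self._now())
        self._records[cid] = rec
        self.audit_log.append(("given", cid, rec.given_at))
        return cid

    def withdraw(self, consent_id: int) -> None:
        rec = self._records[consent_id]
        if rec.active:  # withdrawal is idempotent; only the first call is logged
            rec.withdrawn_at = self._now()
            self.audit_log.append(("withdrawn", consent_id, rec.withdrawn_at))

    def review(self, principal_id: str):
        return [r for r in self._records.values() if r.principal_id == principal_id]

    def may_process(self, principal_id: str, data_item: str, purpose: str, legitimate_use: Optional[str] = None) -> bool:
        """Purpose-limitation check: consent covers only the notice's stated purpose and data items."""
        if legitimate_use is not None:
            return legitimate_use in LEGITIMATE_USES
        return any(
            r.active and r.notice.purpose == purpose and data_item in r.notice.data_items
            for r in self.review(principal_id)
        )


def demo() -> dict:
    """Walk one principal through grant, purpose-limited checks and withdrawal (constructed data)."""
    ledger = ConsentLedger()
    notice = ConsentNotice(frozenset({"email", "phone"}), "order_delivery",
                           "privacy portal at /my-data (constructed placeholder)")
    cid = ledger.give("principal-001", notice)
    results = {
        "consented_purpose": ledger.may_process("principal-001", "email", "order_delivery"),
        "other_purpose": ledger.may_process("principal-001", "email", "marketing"),
        "uncovered_item": ledger.may_process("principal-001", "location", "order_delivery"),
        "legitimate_use": ledger.may_process("principal-001", "email", "payroll", legitimate_use="employment"),
    }
    ledger.withdraw(cid)
    ledger.withdraw(cid)  # second withdrawal is a no-op
    results["after_withdrawal"] = ledger.may_process("principal-001", "email", "order_delivery")
    results["audit_events"] = [event for event, _, _ in ledger.audit_log]
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that consent is keyed to the notice it was given against: a later request to use the same data item for a different purpose, or a data item the notice never listed, is refused rather than assumed, and withdrawal flips the answer without deleting the record, so the audit trail still shows what was consented to and when.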

Significant operational and engineering uncertainties exist because implementing Rules had not been published as of early 2024 (the Ministry of Electronics and Information Technology released draft Rules in January 2024 for public consultation, with final Rules expected in 2024–2025). The Rules will determine: the specific format and content of consent notices; the operational requirements for consent managers; technical standards for reasonable security safeguards; the process and timelines for data breach notification; categories of Significant Data Fiduciaries (SDFs, analogous to GDPR Article 22 controllers) with heightened obligations including periodic audits, Data Protection Impact Assessments, and appointment of a Data Protection Officer; and data localization requirements for specific categories. The Act itself does not mandate broad data localization (unlike the previous Personal Data Protection Bill 2019 drafts), but Rules may impose localization on critical personal data or certain SDF categories, which would have significant infrastructure architecture implications.

How We Handle It

We track DPDP Act implementing Rules as they are finalized and map requirements to client technology architectures in India. We implement consent collection and management workflows aligned to the Act's requirements, build data breach detection and notification pipelines calibrated to DPB reporting obligations, and architect data residency controls in India cloud regions (AWS ap-south-1, Azure India Central/South, GCP asia-south1) to prepare for potential localization requirements under forthcoming Rules.

Services: Compliance Infrastructure; Regulatory Intelligence; Cloud Infrastructure & Migration

Related Frameworks: DPDP Act 2023; IT Act 2000 Section 43A; CERT-In Directions 2022; ISO 27001