Question 1

When does the DPDP Act take effect and who does it apply to?

Accepted Answer

The DPDP Act was signed into law on August 11, 2023. The government will notify different provisions on different dates through official gazette notifications. The Act applies to any Data Fiduciary (organization that determines the purpose and means of processing) that processes digital personal data of Data Principals (individuals) in India. Importantly, it has extraterritorial application: organizations outside India that process personal data in connection with offering goods or services to individuals in India are also covered.

Question 2

What are the penalties for non-compliance?

Accepted Answer

The DPDP Act prescribes significant financial penalties. For failure to take reasonable security safeguards, the penalty can be up to INR 250 crore (approximately USD 30 million). For failure to notify the Board and affected individuals of a data breach, the penalty can be up to INR 200 crore. For non-compliance with obligations regarding children's data, the penalty can be up to INR 200 crore. The Data Protection Board of India determines penalties based on the nature, gravity, and duration of the breach, the type and number of Data Principals affected, and the actions taken by the organization to mitigate the impact.

Question 3

How does the DPDP Act compare to GDPR?

Accepted Answer

The DPDP Act shares several concepts with GDPR, including consent-based processing, purpose limitation, data minimization, and individual rights. Key differences include: the DPDP Act currently applies only to digital personal data (not paper records), it uses the terminology Data Fiduciary and Data Principal instead of Controller and Data Subject, it does not include a concept equivalent to GDPR's legitimate interest basis for processing, and it has a different approach to cross-border data transfers (government may restrict transfers to specific countries via notification rather than using adequacy decisions). Organizations already compliant with GDPR will find significant overlap but should not assume full compliance with the DPDP Act.

Question 4

Do we need a Data Protection Officer under the DPDP Act?

Accepted Answer

The DPDP Act requires Significant Data Fiduciaries (a category to be defined by the government based on volume and sensitivity of data processed) to appoint a Data Protection Officer based in India. Even if your organization does not fall into the Significant Data Fiduciary category, appointing a privacy lead is a best practice for managing compliance. We help organizations assess whether they are likely to be classified as Significant Data Fiduciaries and design the DPO function accordingly.

India DPDP Act

Who This Is For

What You Get

Frequently Asked Questions

Strengthen Your India DPDP Act Compliance with Penetration Testing

Ready to Get Started?