Regulations January 2026 7 min read

India's DPDP Act: What International Businesses Need to Know

India's Digital Personal Data Protection Act has been enacted, its implementing Rules have been notified, and its obligations are phasing in. If you serve Indian customers, here's what it means for your business.

India enters the global privacy landscape

India's Digital Personal Data Protection Act, 2023 (DPDP Act) represents a landmark shift for the world's most populous country and one of its largest digital economies. With over 800 million internet users and a rapidly growing digital commerce sector, India's entry into the global data protection regulatory landscape has significant implications for any business that serves Indian customers, processes personal data of individuals in India, or operates in the Indian market.

The DPDP Act establishes India's first comprehensive data protection framework, introducing concepts familiar to anyone who has dealt with the GDPR (lawful processing, consent requirements, data subject rights, and cross-border transfer rules) while incorporating elements that are distinctly Indian in their approach. The Act received presidential assent in August 2023; the Digital Personal Data Protection Rules, 2025 that operationalize it were notified in November 2025, with most substantive obligations on Data Fiduciaries taking effect on a phased schedule of up to 18 months from notification. Businesses should treat that window as implementation time, not as a reason to defer planning.

Who the Act applies to

The DPDP Act applies to the processing of digital personal data within India, and to the processing of digital personal data outside India if the processing is in connection with any activity related to offering goods or services to Data Principals within India. This extraterritorial scope mirrors the GDPR's approach and means that international businesses with Indian customers are in scope regardless of where the business is physically located. Two scoping caveats matter: the Act covers "digital" personal data, meaning data collected in digital form or subsequently digitised, and it does not apply to data processed for personal or domestic purposes or to personal data the Data Principal has themselves made publicly available (or that is public under a legal obligation).

If your e-commerce store ships to India, if your SaaS product has Indian users, or if your mobile app is available in the Indian market, you need to understand your obligations under the DPDP Act. Providing services to Indian businesses brings you in scope to the extent you process personal data of individuals in India (their employees or customers, for example); purely corporate data is not personal data under the Act.

Key concepts and definitions

Data Principal. The individual whose data is being processed — equivalent to the GDPR's "data subject."

Data Fiduciary. The person or entity that, alone or together with others, determines the purpose and means of processing personal data. This is equivalent to the GDPR's "data controller." If you decide why and how personal data of users in India is processed, you are a Data Fiduciary.

Data Processor. An entity that processes data on behalf of a Data Fiduciary — equivalent to the GDPR's "data processor."

Significant Data Fiduciary. A Data Fiduciary designated by the central government based on factors such as the volume and sensitivity of personal data processed, the risk to Data Principals, and the potential impact on national security, public order, and electoral democracy. Significant Data Fiduciaries face additional obligations, including appointing a Data Protection Officer based in India, engaging an independent data auditor, and carrying out periodic data protection impact assessments.

Consent Manager. A novel concept: an entity registered with the Data Protection Board that acts as a single point of contact enabling Data Principals to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.

Core obligations

Consent. The DPDP Act is consent-centric. Personal data may be processed only for a lawful purpose for which the Data Principal has given consent, or for one of the Act's enumerated "certain legitimate uses" (for example, data the Data Principal has voluntarily provided for a specified purpose, employment-related processing, or a medical emergency). Outside those legitimate uses, consent must be free, specific, informed, unconditional, and unambiguous, given with a clear affirmative action, and limited to the personal data necessary for the specified purpose. Consent must be preceded by a notice that clearly describes the data to be collected, the purpose of processing, and how the Data Principal can exercise their rights.

Importantly, the Act requires that consent requests be presented in clear and plain language, and gives the Data Principal the option to access the notice and the consent request in English or any of the 22 languages specified in the Eighth Schedule of the Indian Constitution. This multilingual requirement goes beyond what most global privacy frameworks demand.

Notice requirements. Before or at the time of collecting personal data, the Data Fiduciary must provide a notice in clear and plain language describing: the personal data to be collected, the purpose of processing, how to exercise rights, and how to file a complaint with the Data Protection Board.

Data Principal rights. The Act grants individuals several rights: the right to withdraw consent at any time, the right to access a summary of the personal data being processed and the identities of other Data Fiduciaries it has been shared with, the right to correction and erasure, the right to grievance redressal, and the right to nominate another individual to exercise rights on their behalf in the event of death or incapacity (a provision particularly relevant in the Indian context).

Obligations of Data Fiduciaries. Data Fiduciaries must implement reasonable security safeguards to prevent a personal data breach, ensure the data is complete, accurate and consistent where it is used to make a decision affecting the Data Principal or is disclosed to another Data Fiduciary, erase data when consent is withdrawn or when the specified purpose is no longer being served and retention is not required by law, and intimate both the Data Protection Board and each affected Data Principal of a personal data breach. The Data Fiduciary remains responsible for compliance regardless of any contract with a Data Processor.

Cross-border transfers. The DPDP Act permits cross-border transfers of personal data to any country or territory not restricted by the central government. This is a departure from the GDPR's approach of requiring adequacy decisions or specific safeguards: the Indian approach is essentially "permitted unless specifically blocked," with the government notifying a negative list of restricted countries. Note that sectoral rules imposing stricter localisation or transfer requirements (such as those the Reserve Bank of India applies to payment data) continue to apply alongside the Act.

Penalties and enforcement

The DPDP Act establishes the Data Protection Board of India as the enforcement authority. Penalties are significant: up to ₹250 crore (approximately $30 million) for failure to take reasonable security safeguards to prevent a personal data breach, and up to ₹200 crore (approximately $24 million) for failure to notify the Board and affected individuals of a breach.

Other penalties include up to ₹200 crore for non-compliance with the obligations regarding children's data, up to ₹150 crore for a Significant Data Fiduciary's failure to meet its additional obligations, and up to ₹50 crore for failure to comply with any other provision of the Act or its Rules. In fixing the amount, the Board considers factors such as the nature, gravity and duration of the breach and whether the business has acted to mitigate it.

What this means for your business

If you serve Indian customers, there are practical steps you need to take.

Update your privacy notice. Your notice must meet the DPDP Act's requirements: clear, plain language, accessible in English or any Eighth Schedule language the user chooses, and describing the specific personal data collected, the purposes of processing, how to exercise rights, and how to complain to the Data Protection Board.

Review your consent mechanisms. The Act's consent requirements are strict: consent must be free, specific, informed, unconditional, and unambiguous, and given by a clear affirmative action. If you currently rely on pre-ticked checkboxes, bundled consents, or implied consent for Indian users, these will not satisfy the DPDP Act. Withdrawal must be as easy as giving consent, so a withdrawal path is not optional.

Implement data subject rights processes. You need mechanisms for Indian users to access, correct, and delete their data and to withdraw consent, and to respond to these requests within the periods prescribed under the Act and its Rules.

Assess your data processor relationships. The Act allows you to engage a Data Processor only under a valid contract. Ensure your processor contracts cover the required terms, that processors process data only for the purposes you have specified, and that they support your erasure and breach-notification obligations, since liability for compliance stays with you as the Data Fiduciary.

Prepare for breach notification. Have an incident response plan that includes intimation to the Data Protection Board and each affected Data Principal. Under the DPDP Rules, 2025, affected Data Principals must be notified without delay, and the Board must be informed without delay with full details of the breach to follow within 72 hours of becoming aware of it (or such longer period as the Board allows). Unlike the GDPR, there is no "risk to individuals" threshold: every personal data breach triggers notification.

Managing multi-jurisdictional compliance

For businesses already dealing with GDPR, CCPA, and other privacy frameworks, adding DPDP Act compliance might feel like yet another regulatory burden. The practical approach is to build on your existing compliance program rather than creating a separate Indian compliance track.

Dxtra covers the DPDP Act as part of its 500+ obligations across 140+ countries. When you indicate that you serve Indian customers, the AI generates documentation that satisfies DPDP Act requirements alongside your existing GDPR, CCPA, and other obligations. Your privacy notice addresses the DPDP Act's disclosure requirements, your consent mechanisms adapt to include the Act's specific requirements, and your data subject rights workflows account for the Indian framework alongside others.

The era of being able to ignore India's data protection landscape is over. The DPDP Act is real, it has extraterritorial reach, and the penalties are substantial. But for businesses that already take privacy seriously, adding India to the compliance matrix is a structured, manageable exercise — particularly with the right tools.
