The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Significant Data Fiduciary Obligations: A Practical Compliance Framework

The Concept of Significant Data Fiduciary

Section 10(1) of DPDPA 2023 empowers the Central Government to notify any Data Fiduciary or class of Data Fiduciaries as a "Significant Data Fiduciary" (SDF) based on an assessment of relevant factors. This designation triggers enhanced compliance obligations reflecting the heightened risk associated with large scale or sensitive data processing operations.

Notification Criteria (Section 10(1))

• Volume and sensitivity of personal data processed
• Risk to the rights of Data Principals
• Potential impact on sovereignty and integrity of India
• Risk to electoral democracy
• Security of the State
• Public order

Data Protection Officer Requirements

Section 10(2)(a) read with Rule 12 of the DPDP Rules 2025 mandates the appointment of a Data Protection Officer (DPO) by every Significant Data Fiduciary. The statutory requirements for DPO qualification are:

Residency: The DPO must be based in India, ensuring accessibility to regulatory authorities and Data Principals
Seniority: The individual must hold a senior management position within the organisation
Professional Competence: Demonstrated expertise in data protection law and practice is required
Independence: The DPO must be able to perform functions independently without conflict of interest

The DPO serves as the point of contact for the Data Protection Board and is responsible for overseeing compliance, responding to Data Principal grievances, and liaising with regulatory authorities.

Annual Audit Obligation

Section 10(2)(b) read with Rule 13 requires SDFs to cause an annual audit of their policies and conduct of processing by an independent Data Auditor. The audit must assess:

Compliance with the Act and Rules
Effectiveness of data protection policies and procedures
Technical and organisational security measures
Data Principal rights fulfilment mechanisms
Breach response preparedness

The Data Auditor must be registered with the Data Protection Board and maintain independence from the audited organisation. Audit reports must be submitted to the Board as prescribed.

Data Protection Impact Assessment

Section 10(2)(c) mandates that SDFs undertake a Data Protection Impact Assessment (DPIA) before commencing any processing that is likely to pose a significant risk to the rights of Data Principals. A DPIA is a systematic evaluation comprising:

Description of the proposed processing operation and its purposes
Assessment of necessity and proportionality
Identification of risks to Data Principal rights
Measures to address risks and demonstrate compliance
Consultation with stakeholders where appropriate

DPIA Triggers

Processing involving new technologies, profiling, large scale processing of children data, or systematic monitoring of public areas typically requires a DPIA.

Compliance Timeline for SDFs

Organisations notified as Significant Data Fiduciaries must achieve compliance with enhanced obligations by 13th May 2027. The recommended implementation sequence is:

Phase 1:DPO appointment and role establishment (immediate upon notification)
Phase 2:DPIA framework development and retrospective assessment of existing high risk processing
Phase 3:Data Auditor engagement and first audit cycle preparation
Phase 4:Annual reporting mechanism establishment

Conclusion

The Significant Data Fiduciary designation imposes materially enhanced compliance obligations that require dedicated resources and specialised expertise. Organisations likely to receive SDF notification should proactively establish compliance infrastructure rather than awaiting formal notification. The DPO role, in particular, requires careful consideration as this appointment will significantly influence the organisation data protection posture.