Data Protection has become a critical priority for businesses and individuals alike. With the recent developments and updates in how personal digital data can be collected, stored and safeguarded, we have answered the most common questions to help you navigate data protection.
For Businesses (also known as Data Fiduciary under the Act) – What Changes to Expect?
- Which types of information does the Digital Personal Data Protection Act (DPDP Act) apply to? The DPDP Act, 2023 applies to processing of digital personal data, i.e., any information that identifies a person, whether collected online or digitised. It does not cover anonymous or non-personal data.
- Does the DPDP Act apply to foreign companies collecting data of Indian users (including through apps/websites)? Yes. If you collect digital personal data for the purpose of offering goods or services to people in India, even if your business is not based in India, the DPDP Act and the relevant Rules still apply. Thus, apps/websites targeting Indian users must comply, regardless of where the company is incorporated.
- Does the DPDP Act apply to offline data collected and later digitised? Yes. The moment offline personal data is digitised, the Act and Rules apply.
- As a startup/MSME/large enterprise, what are our key new obligations?
  - Collect only necessary personal data.
  - Request and obtain clear, specific, informed, unconditional and express consent from the individuals/entities from whom you collect data. Any request for consent must be accompanied or preceded by a notice
    - informing the customer of the personal data and the purpose for which it is intended to be processed,
    - the manner in which the customer may exercise their rights to edit, delete and withdraw consent under the Act, and
    - the manner in which they may make a complaint to the Data Protection Board if required.
  - Implement reasonable measures and security safeguards to protect collected data.
  - Delete personal data, and cause the Data Processors (if any) to delete it, once the customer withdraws consent or the purpose of collection has been fulfilled, whichever is earlier.
  - Respond to and address consumer grievances within the timeline.
  - Publish details of the Data Protection Officer (if applicable) or grievance officer who can answer questions raised by customers.
  - Maintain proper records of giving due notice and obtaining clear, specific consent from customers.
- Can we continue collecting the same data as before? Are there restrictions now? As long as the data you were collecting before was necessary to provide the goods or services offered, you can continue collecting the same after providing a notification to the customers. Avoid excessive data collection.
- Is our existing click-wrap Privacy Policy and Terms of Use sufficient? What specific notice must be given before collecting data? No, a generic privacy policy is not enough. You must give a specific notice that is clear, itemised, easy to read and separate from your privacy policy and terms and conditions. The notice must clearly state
  - what personal data will be collected,
  - the exact purpose,
  - how users may exercise their rights (access/correct/delete/withdraw),
  - complaint and redressal details, and
  - DPO/Grievance Officer contact details.
  Consent must be collected after or along with this notice.
- Do we need to take additional measures when processing data of children and persons with disabilities? Yes. For children, you need to obtain verifiable parental consent. For persons with disabilities, consent must be obtained from their legal guardian. Tracking, behavioural monitoring of children or targeted advertising directed at children are not allowed.
- Do we need to delete data once its purpose is fulfilled? How do we decide the retention period? Yes, the personal data collected must be deleted once the purpose is fulfilled or consent is withdrawn. In cases where there are legal obligations under any other Act to retain records for a particular period, such as banks, then data can be retained till then.
- Can we transfer personal data outside India to foreign servers/cloud providers? Under what conditions? Yes, cross-border data transfer is allowed, unless transfer to a specific country is restricted by the Government.
- Do data processors (like cloud providers) have independent liability, or is liability only on us? The role of data processors is primarily to follow the instructions of the Data Fiduciary (you). If they act in violation of your instructions or engage in unauthorised processing or data breaches on their own, then they have independent liability to that extent.
- What clauses should we include in contracts with data processors or third-party vendors? Your contracts should require:
  - processing only on your documented instructions,
  - strict security safeguards,
  - confidentiality obligations,
  - deletion/return of data on completion or on your instruction,
  - breach-notification obligations and timelines,
  - audit/inspection rights if you are a Significant Data Fiduciary, and
  - compliance with the DPDP Act and Rules.
- When must a company appoint a Data Protection Officer (DPO)? Is it mandatory for everyone? A company is required to appoint a Data Protection Officer only if it is notified as a Significant Data Fiduciary by the Government.
- What is a Consent Manager? Should every company register as one? A consent manager is a registered business platform that helps individuals/businesses manage consent across various platforms. They act as a single point of contact to enable customers to give, manage, review and withdraw their consent through an accessible, transparent and interoperable platform. Only those companies which offer these services and fulfil the criteria for a consent manager under the DPDP Act are required to register themselves with the Data Protection Board. Regular businesses do not need to register.
- How do we know if we are a ‘Significant Data Fiduciary’? It is the role of the Government to determine Significant Data Fiduciaries based on the volume and sensitivity of personal data processed, risks to the rights of consumers, risk to electoral democracy, the extent of impact of a breach, national security interests and public order, and to notify them as such. You cannot self-declare. The classification is done only by the Government.
- If classified as a Significant Data Fiduciary, what additional obligations apply?
  - Appoint a Data Protection Officer for the company
  - Appoint an independent data auditor to carry out data audits
  - Conduct periodic Data Protection Impact Assessments and audits
  - Maintain compliance reports
- Are periodic data audits mandatory for all companies or only for Significant Data Fiduciaries? Periodic audits are mandatory only for Significant Data Fiduciaries.
- From when do we need to start complying with the DPDP Act?
  - Data Protection Board provisions – already in force
  - Consent Manager provisions – effective November 13, 2026
  - Obligations for Data Fiduciaries – effective May 13, 2026
- What happens to data collected before the Act came into force? Do we need fresh consent for it? As mentioned above, it is necessary to obtain clear, specific, informed, unconditional and express consent from the individuals/entities from whom you collect data. Whether or not your company satisfied these criteria for data collected earlier, you need to give a fresh notice to the customers informing them of
  - the personal data which has been collected till now and the purpose for which it has been processed,
  - the manner in which the customers may edit, delete or withdraw their consent, and
  - the manner in which they may make a complaint to the Data Protection Board.
  The notice may be sent through email, in-app notification or any other effective method. While the DPDP Act sets no specific timeline for sending the fresh notice, it is advisable to do so as soon as reasonably practicable. Once the notice has been issued, you can continue processing the earlier data (without waiting for consent) as long as the customer does not withdraw his/her consent.
- Can personal data be processed without request for specific consent from our side? If yes, in which situations? Yes. Consent is not needed when processing is for:
  - voluntary provision of data by the user for a specific purpose,
  - performance of a legal function by the State,
  - compliance with Indian law or court orders,
  - medical emergencies / disaster response,
  - public health emergencies, or
  - employment purposes (e.g., preventing misconduct, protecting trade secrets).
  Processing must still follow necessity and purpose limitation.
- What constitutes a data breach? Any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data constitutes a breach.
- What should a company do in case of a data breach? How quickly must it be reported? You must immediately notify
  - each affected user, and
  - the Data Protection Board,
  giving, in a clear and concise manner, a description of the breach, its nature, extent and timing, the consequences relevant to them, the measures implemented and being implemented, the safeguards taken to protect their interests, and contact details of the grievance officer/data protection officer for queries. Further, within 72 hours, you must provide a detailed account of the breach to the Data Protection Board.
- What penalties apply if a business does not comply with the DPDP Act? A monetary penalty of up to 250 crores may be imposed, depending on factors such as the nature, gravity and duration of the breach, the type and nature of personal data affected, whether the breach is repetitive, whether you gained or avoided any loss through the breach, etc.
As a customer (also known as Data Principal under the DPDP Act), how does the new Act affect me?
- What rights do I have over my personal data? As a customer, you can
  - access your data anytime (including data for which consent was given before the DPDP Act),
  - obtain a summary of the personal data being processed and the purpose for which it is being processed,
  - correct, edit, update, complete or delete it,
  - withdraw your consent anytime,
  - request information on the purpose for which the data is being used, and
  - file a complaint if any of your rights are violated.
  Any consent you give that tries to waive these rights is invalid.
- Can I refuse unnecessary access requests (like contacts)? Can a service be denied if I refuse? Yes. Companies cannot demand data that is not necessary for providing the service. They cannot deny a service simply because you refuse unnecessary permissions.
- Can I edit, correct, or delete my personal data after sharing it? Yes. You can request correction, updating or deletion at any time.
- Will companies automatically delete my data when it is no longer required? Can I ask for deletion anytime? Yes, companies are required to delete your data automatically once the specific purpose is completed, unless they are required to retain it for a period under other statutory obligations. You can also request deletion of your data at any time.
- Can companies share my data with third parties? How will I know? Yes, with proper notice and purpose. You can request a list of all entities with whom your data has been shared.
- Is my data protected if I use a foreign app or website operating in India? Yes. Even a foreign app or website is bound by the DPDP Act and the relevant Rules as long as it provides goods/services to people in India.
- If I have a complaint about misuse of my data, who should I contact first? Every company is required to provide clear contact details of a grievance officer. Raise a complaint with them.
- How quickly must a company respond to my grievance? Typically, a complaint to the grievance officer must be resolved within 30 days.
- If the company does not respond, where can I escalate the complaint and when? You can escalate the matter to the Data Protection Board, which will investigate it. A further appeal is available to the Telecom Disputes Settlement and Appellate Tribunal.
- Do I have any obligations as a user under the Act? As a consumer, you have an obligation to provide accurate information and avoid false complaints.
- When do my rights under the Act not apply? If the personal data in question was made publicly available by the customer themselves, the protections under the Act would not apply.
Written by Keerthana K
Editorial Staff
Editorial Staff at Selvam and Selvam is a team of Lawyers, Interns and Staff with expertise in Intellectual Property Rights led by Raja Selvam.