The DPDP Act - An Overview:

At its core, the DPDP Act is India's first comprehensive legal framework that governs how companies and governments can collect, store, use, and share personal data.

India's new data protection law, the Digital Personal Data Protection Act (DPDP Act), marks a turning point in the digital age. At its core, the DPDP Act is India's first comprehensive legal framework that governs how companies and governments can collect, store, use, and share personal data.

In today's hyper-connected digital world — one that grows more complex with each passing day — this regulation was celebrated as a long-awaited milestone in safeguarding individual privacy. For individuals, it marks a significant shift, empowering them with greater control over their digital footprint. But for organisations that collect or process personal data, it introduces a new era of accountability.

The law, which received presidential assent in August 2023, is set to come into force in October 2024, unless the government notifies otherwise. Any entity that collects or processes personal data in digital form would need to comply with the provisions of the DPDP Act. This includes companies of all sizes, government agencies, and non-profit organizations. There are no sector-specific exemptions. If you're handling personal data digitally—you're a Data Fiduciary, and this law applies.

The DPDP Act is a process shift. Privacy must become part of company culture, product design, and stakeholder trust.

The implications of non-compliance are severe, with penalties extending up to ₹250 crores!

To help organizations navigate this critical stage, we've assembled a guide focusing on five immediate tasks data fiduciaries can begin working on.

1. Appoint a Data Protection Officer and Build Internal Teams

While appointing a full-time Data Protection Officer may not be immediately necessary, it is critical to assign clear responsibility for privacy compliance within your organisation. This individual should be accountable for:

• Monitoring legal updates and best practices in data protection

• Guiding the organization in implementing and maintaining compliant data handling procedures

• Modifying the enterprise's data protection policies

• Interacting with the Adjudicating Officer for any breaches or disputes

Ideally, the assigned role should report directly to the top management, highlighting the high priority placed on data protection.

2. Create a Data Inventory and Map Data Flows

Effective data protection begins with understanding what personal data is being collected and processed. Simply put, you can't protect what you don't know. This is why, as a first step, it is strongly suggested to undertake a structured data inventory and mapping exercise to identify:

• The types of personal data being collected (e.g., names, email addresses, location data, biometric data)

• The sources of personal data collection (e.g., website forms, mobile apps, third-party integrations)

This process, commonly referred to as Data Flow Mapping, forms the backbone of any privacy compliance framework. It enables the implementation of appropriate consent mechanisms, ensures data minimisation, assesses risks, and responds effectively to data principal rights under the DPDPA.

3. Update Consent Practices and Modalities

Under the DPDPA, consent must be

• free,

• specific,

•;informed,

• unconditional, and

• revocable.

This significantly raises the bar for how user consent is sought, recorded, and managed. Key requirements include:

• Obtaining separate consent for different purposes: E.g., separate consent for marketing emails and processing contact details

• Detecting and preventing consent fatigue: E.g., providing a 'manage preferences' section in user accounts for modifying consent settings

• Ensuring the refusal of consent does not affect user experience: E.g., allowing access to website content even if consent for targeted advertising is refused

Modernising your consent framework also builds user trust and transparency, in addition to being just a compliance requirement.

4. Familiarize Yourself With Data Subject Rights

Under the DPDP Act, Data Principals are granted a set of enforceable rights, including the ability to:

• Access their personal data

• Request rectification of inaccurate data

• Request erasure of their personal data in specific cases

• Object to the processing of their personal data

These rights are fundamental to ensuring an individual's control over their digital footprint. Data fiduciaries need to integrate procedures and processes for handling such requests efficiently and effectively.

5. Inform and Engage External Partners

Many organisations rely on external partners for technology, analytics, cloud storage, customer support, and more. If any personal data is being shared or processed by these partners, the law holds your organisation responsible for ensuring that data remains protected. Key contractual safeguards could include:

• Express obligations on the partner to comply with the DPDP Act

• Granting your organization the right to audit the partner's privacy practices

• Requiring the partner to notify you immediately of any data breaches or changes in the partnership that may affect personal data protection

The DPDP Act is a new chapter in the digital age