A Practical Guide For Compliance With India's Digital Personal Data Protection Act & Rules
Aastha Abhya
23 April 2025 9:35 AM IST

Over the last decade, the conversation around data privacy in India has gone from hushed boardroom corners to dinner table debates. With more of our lives moving online, from shopping and banking to healthcare and education, the digital footprints we leave behind have grown deeper and more revealing. Against this backdrop, India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), together with the draft Digital Personal Data Protection Rules, 2025 ("draft Rules"), marks a critical shift in how our personal information is to be handled, protected, and respected.
The DPDP Act - An Overview:
At its core, the DPDP Act is India's first comprehensive legal framework governing how companies and governments may collect, store, use, and share personal data. Under the Act, personal data means any data about an individual who is identifiable by or in relation to that data; the individual is called the Data Principal.
The law is based on four broad pillars:
- Consent: The Data Principal is entitled to know what data is being collected, why it is being collected, and how it will be used, and (apart from the narrow "legitimate uses" the Act itself lists, such as data the individual volunteers for a specified purpose) clear and informed consent must be obtained before the data is processed.
- Notice & Breach reporting: On becoming aware of a personal data breach, the Data Fiduciary must notify both the affected Data Principals (i.e. those whose data is involved) and the Data Protection Board, in clear, plain, understandable language. The draft Rules require this intimation without delay, with a detailed report to the Board (nature, extent, timing and remedial measures) within 72 hours.
- Limitation of Purpose: Collected data must be used only for the purpose stated—and nothing beyond.
- Accountability: Those who collect or process personal data, or in essence handle it, are called Data Fiduciaries and are responsible for its protection. Any misuse or loss of the data is the liability of the Data Fiduciary, even where a third-party Data Processor handles it on the Fiduciary's behalf.
In today's hyper-connected digital world, one that grows more complex with each passing day, this regulation was celebrated as a long-awaited milestone in safeguarding individual privacy. For individuals, it marks a significant shift, giving them greater control over their digital footprint. For organisations that collect or process personal data, it introduces a new era of accountability. Compliance is not merely important; it is imperative. The consequences of non-compliance are severe: the Schedule to the Act allows penalties of up to ₹250 crore for a single failure to maintain reasonable security safeguards.
Does the DPDP Act apply to you?
Any entity that collects or processes personal data in digital form (or collects it offline and then digitises it) must comply with the provisions of the DPDP Act.
This includes:
- Start-ups collecting emails and phone numbers via landing pages
- Banks and FinTech processing sensitive financial data
- Hospitals and health-tech platforms managing patient records
- E-commerce platforms storing browsing and purchase history
- Schools and Edtech apps with information on students and parents
- HR teams storing employee data
- Even housing societies using digital systems for visitor or resident management
- Foreign companies offering goods/services to Indians (e.g., global e-commerce platforms)
- Government bodies, except for national security exemptions.
There are no sector-specific exemptions. If you decide the purpose and means of handling personal data digitally, you are a Data Fiduciary; if you process it on a Fiduciary's behalf, you are a Data Processor working under that Fiduciary's responsibility. Either way, this law applies.
DPDP Compliance Roadmap: Where to Begin
Having established that compliance with the DPDP law is urgent and imperative, the natural question is: what should we do? With this in mind, here are five immediate and practical steps every Data Fiduciary can start working on:
- Designate a Data Protection Lead (Even Informally):
While appointing a full-time Data Protection Officer may not be immediately necessary, it is critical to assign clear responsibility for privacy compliance within your organisation. This individual should be accountable for:
- Mapping and monitoring personal data flows within the organisation
- Coordinating the implementation of privacy notices and consent mechanisms
- Staying abreast of evolving regulatory requirements and industry standards
In smaller organisations, this responsibility may be folded into the role of the legal, compliance, or IT head. As the organisation scales, however, a dedicated privacy function may become essential.
For entities that collect and process large volumes of personal data, which the Central Government may notify as "Significant Data Fiduciaries", the Act goes further: they must appoint a Data Protection Officer based in India who represents the entity under the Act and is the point of contact for grievance redressal, and they must carry out periodic audits and Data Protection Impact Assessments. Separately, the Act and draft Rules provide for registered Consent Managers: independent entities registered with the Data Protection Board that act as a single point of contact through which Data Principals give, manage, review and withdraw consent. A Consent Manager is not an internal role, but integrating with one can improve transparency and the auditability of your consent records, and so strengthen the organisation's overall compliance posture under the DPDP Act and Rules.
- Map the Data Collected
Effective data protection begins with understanding what personal data is being collected and processed. Simply put, you cannot protect what you do not know you hold. As a first step, undertake a structured data inventory and mapping exercise to identify:
- The types of personal data being collected
- The modes and sources of collection (e.g., online forms, mobile applications, offline processes, integrations)
- The storage locations and infrastructure (such as cloud services, internal servers, or third-party platforms)
- The entities or individuals—internal teams or external service providers—who have access to this data
This process, commonly referred to as Data Flow Mapping, forms the backbone of any privacy compliance framework. It makes it possible to implement appropriate consent mechanisms, enforce data minimisation, assess risks, and respond effectively to Data Principal requests under the DPDP Act, and it is also the starting point for the technical controls: you cannot scope encryption, access control, logging or breach notification without knowing where each data set lives and who can reach it.
- Review and Strengthen Consent Mechanisms
Under the DPDP Act, consent must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and it must be as easy to withdraw as it was to give. This significantly raises the bar for how user consent is sought, recorded, and managed. Key requirements include:
- No pre-selected or default consent options
- No ambiguous catch-all statements like “By continuing to use this site, you agree…”
- Clear disclosures about the purpose of data collection
- The ability for the individual to withdraw consent at any time, easily and without adverse consequences
- Privacy policies and consent notices written in clear, accessible language, and translated into relevant local languages where necessary
- Verifiable parental consent, as required by the draft Rules, wherever your organisation collects data from anyone under 18 years of age
Modernising your consent framework is more than a compliance requirement; it also builds user trust and transparency.
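The requirements above translate into a recognisable engineering pattern: consent is stored per purpose, nothing is granted by default, withdrawal is recorded rather than deleted so the history survives as evidence, and a child's record cannot be granted without a verifiable parental-consent artefact. The following consent ledger is an added example written for this article; it is not code from the article's author, from any regulator, or from any Consent Manager product, and the class, method and field names are hypothetical.

```python
"""Purpose-bound consent ledger (added example, not the article's or any vendor's code).

Hypothetical design: consent is recorded per (principal, purpose) together with
the notice version the person saw; nothing is granted by default; withdrawal is
timestamped rather than deleted so the trail remains as evidence; and a
principal under 18 cannot be granted any purpose without a reference to a
verifiable parental-consent artefact.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

CHILD_AGE_LIMIT = 18  # the Act treats anyone under 18 as a child


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    notice_version: str                         # the notice text the principal saw
    parental_consent_ref: Optional[str] = None  # verification artefact, for a child
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._ages: Dict[str, int] = {}
        self._records: Dict[str, List[ConsentRecord]] = {}

    def register(self, principal_id: str, age: int) -> None:
        self._ages[principal_id] = age
        self._records.setdefault(principal_id, [])

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """Default deny: no record, or only withdrawn records, means no processing."""
        return any(r.purpose == purpose and r.active()
                   for r in self._records.get(principal_id, []))

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              parental_consent_ref: Optional[str] = None,
              now: Optional[datetime] = None) -> ConsentRecord:
        """Record one explicit, purpose-specific grant (one affirmative action each)."""
        if principal_id not in self._ages:
            raise KeyError(f"unknown principal {principal_id}")
        if self._ages[principal_id] < CHILD_AGE_LIMIT and not parental_consent_ref:
            raise PermissionError("child principal: verifiable parental consent required")
        if self.may_process(principal_id, purpose):
            raise ValueError("consent for this purpose is already active")
        rec = ConsentRecord(purpose, now or datetime.now(timezone.utc),
                            notice_version, parental_consent_ref)
        self._records[principal_id].append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """Close the active record for this purpose; False if none was active."""
        for rec in self._records.get(principal_id, []):
            if rec.purpose == purpose and rec.active():
                rec.withdrawn_at = now or datetime.now(timezone.utc)
                return True
        return False

    def active_purposes(self, principal_id: str) -> List[str]:
        return sorted({r.purpose for r in self._records.get(principal_id, [])
                       if r.active()})

    def history(self, principal_id: str) -> List[ConsentRecord]:
        """Full grant/withdrawal trail, for audits and for answering access requests."""
        return list(self._records.get(principal_id, []))


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.register("p1", 30)                      # constructed sample principal
    ledger.grant("p1", "order_fulfilment", "notice-v2")
    print(ledger.may_process("p1", "marketing"))   # False: never asked, so denied
    ledger.withdraw("p1", "order_fulfilment")
    print(ledger.active_purposes("p1"))            # []
```

Every processing path in an application should call `may_process` with the specific purpose it serves, so that a catch-all "by continuing you agree" grant has nowhere to attach, and the `history` trail is what you would produce to the Board or to a Data Principal asking what they agreed to and when.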
- Operationalise Rights of Data Principals:
Under the DPDP Act, Data Principals are granted a set of enforceable rights, including the ability to:
- Access their personal data;
- Request correction or erasure of inaccurate or outdated data
- Withdraw consent for continued processing
- Be informed by the Data Fiduciary of any personal data breach affecting them, without delay (the draft Rules pair this with a detailed report to the Board within 72 hours)
- File complaints with the Data Protection Board in the event of non-compliance
Organisations will be required to acknowledge and act upon these requests within a defined response period; the draft Rules require the Data Fiduciary to publish that period, and a window of roughly 7 days is a reasonable working target.
- Strengthen Contracts with Third-Party Service Providers
Many organisations rely on external partners for technology, analytics, cloud storage, customer support, and more. If any personal data is shared with or processed by these partners, the law still holds your organisation, as the Data Fiduciary, responsible for keeping that data protected. Key contractual safeguards include:
- Executing Data Processing Agreements (DPAs) with all third parties handling personal data
- Verifying their compliance posture and incident response protocols
- Including clauses that require secure deletion or return of data once the service relationship ends
- Understand Data Retention Periods and Incorporate Methods for Secure Data Storage and Erasure
Rule 8 of the draft DPDP Rules, read with the Third Schedule, categorises certain classes of Data Fiduciaries and lays down conditions for data retention. Where a Data Principal has not interacted with the Data Fiduciary within the specified timeframe, the personal data must be deleted, unless its continued retention is required to meet a legal obligation.
The draft Rules propose the following retention timeline for the specific categories of Data Fiduciaries they name:
Type of Data Fiduciary | Permitted Purpose | Retention Period |
E-commerce platforms (with over 2 crore registered users) | All purposes except (i) enabling the Data Principal to access their user account; (ii) enabling access to money held through any service provided by the entity; (iii) enabling access to any virtual token usable for availing a service provided by the entity | 3 years from the Data Principal's last activity or from the commencement date of the DPDP Rules, whichever is later |
Online Gaming Intermediaries (with over 50 lakh registered users) | Same as above | Same as above |
Social Media Intermediaries (with over 2 crore registered users) | Same as above | Same as above |
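The rule in the table has two details that are easy to get wrong in an erasure job: the three-year clock starts at the later of the last activity and the Rules' commencement date (so nobody is erased on day one for pre-Act inactivity), and data held only for the carved-out purposes (account access, balances, virtual tokens) is not swept. The retention sweep below is an added example, not code from the article or any regulator. The user thresholds and purpose carve-outs are taken from the table; the commencement date is a placeholder, since the Rules were still in draft when this was written; the purpose names and the sample records are constructed for the example.

```python
"""Retention sweep applying the draft Third Schedule rule (added example, not
code from the article or any regulator).

Constructed inputs: thresholds and purpose carve-outs follow the table; the
commencement date is a placeholder (the Rules were still in draft); purpose
names and the sample records are made up for the example.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, Set

RETENTION_YEARS = 3
# Thresholds from the table ("over" N users); confirm the exact boundary
# wording against the final Rules before relying on it.
REGISTERED_USER_THRESHOLDS = {
    "e-commerce": 2 * 10_000_000,    # 2 crore
    "online-gaming": 50 * 100_000,   # 50 lakh
    "social-media": 2 * 10_000_000,  # 2 crore
}
# Hypothetical purpose names for the schedule's carve-outs; data held only
# for these purposes is not swept.
EXCEPTED_PURPOSES = {"account_access", "money_balance", "virtual_token"}

# Placeholder (assumption): commencement date of the final Rules.
RULES_COMMENCEMENT = datetime(2025, 1, 1, tzinfo=timezone.utc)


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def add_years(d: datetime, years: int) -> datetime:
    """Calendar-year arithmetic; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def rule_applies(fiduciary_type: str, registered_users: int) -> bool:
    threshold = REGISTERED_USER_THRESHOLDS.get(fiduciary_type)
    return threshold is not None and registered_users > threshold


def erasure_due(last_activity: datetime, rules_commencement: datetime,
                now: datetime) -> bool:
    """The 3-year clock starts at the LATER of last activity and commencement."""
    clock_start = max(last_activity, rules_commencement)
    return now >= add_years(clock_start, RETENTION_YEARS)


def sweep(records: Iterable[dict], fiduciary_type: str, registered_users: int,
          now: datetime,
          rules_commencement: datetime = RULES_COMMENCEMENT) -> Dict[str, Set[str]]:
    """Return {principal_id: purposes whose data must be erased now}.

    A record is skipped when the entity is below the threshold, the principal
    is still inside the window, a legal hold applies, or only carved-out
    purposes remain.
    """
    if not rule_applies(fiduciary_type, registered_users):
        return {}
    due: Dict[str, Set[str]] = {}
    for rec in records:
        if rec.get("legal_hold"):            # retention required by law
            continue
        if not erasure_due(rec["last_activity"], rules_commencement, now):
            continue
        purposes = set(rec["purposes"]) - EXCEPTED_PURPOSES
        if purposes:
            due[rec["id"]] = purposes
    return due


# Constructed sample records (not real users).
SAMPLE_RECORDS = [
    {"id": "u1", "last_activity": utc(2024, 3, 1), "legal_hold": False,
     "purposes": {"order_history", "marketing", "account_access"}},
    {"id": "u2", "last_activity": utc(2026, 2, 1), "legal_hold": False,
     "purposes": {"order_history"}},
    {"id": "u3", "last_activity": utc(2023, 1, 1), "legal_hold": True,
     "purposes": {"order_history", "invoices"}},
    {"id": "u4", "last_activity": utc(2020, 1, 1), "legal_hold": False,
     "purposes": {"account_access", "virtual_token"}},
]

if __name__ == "__main__":
    # u1 is due (clock started at commencement, not at 2024); u2 is inside the
    # window; u3 is on legal hold; u4 holds only carved-out purposes.
    print(sweep(SAMPLE_RECORDS, "e-commerce", 25_000_000, now=utc(2028, 6, 1)))
```

Run against a real user table, the interesting output is not the list of principals but the purposes column: it tells you which data sets (order history, marketing profiles) must actually be wiped while the login record survives, which is exactly the split the Third Schedule draws.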
Industry-Specific Action Points: A Quick Snapshot
In addition to the above, here are some quick and immediate industry-specific action points that a relevant Data Fiduciary can undertake:
Sector | Key Action Points |
Tech Start-ups | Audit data collection through apps, websites, IoT devices and AI/ML systems that process personal data; build privacy into product flows; start with opt-ins and granular, purpose-specific consents |
Banks/Fintech | Revisit KYC, fraud detection and profiling practices; review international data transfer mechanisms; separate processing grounded in regulatory obligations from consent-based processing |
Health-Tech | Revisit and strengthen security measures for health data; obtain explicit consent for procedures, diagnostics, telemedicine, etc.; train staff on handling sensitive personal data |
E-commerce | Update privacy policies for loyalty programmes and marketing databases; enable users to view, edit and delete purchase data; be transparent about tracking and recommendation tools; build in data erasure within 3 years of the Data Principal's last interaction or of the commencement of the DPDP Rules, whichever is later, unless a legal obligation requires longer retention |
Edtech | Verify parental consent; limit data storage for minors; avoid profiling-based advertising |
HR/Employment | Redraft internal employee data policies; define retention periods; clarify background-check policies |
The DPDP Act is not just a regulatory tick box. It is a process shift. Privacy must become part of company culture, product design, and stakeholder trust. Admittedly, compliance will require substantial resources and organizational changes. However, the law also presents an opportunity to build trust with customers and differentiate your business in the market.
Drawbacks/ Criticisms of the DPDP Act and Draft Rules
While the DPDP Act and its Draft Rules mark a significant step toward regulating personal data in India, several concerns and limitations have been raised regarding their structure and operational feasibility.
- Vague and Overbroad Language
- Several provisions, such as the requirement to maintain "reasonable security safeguards", lack detailed technical standards. The draft Rules list minimum measures (encryption, obfuscation or masking, access control, logging and monitoring with log retention, and backups) but name no benchmark against which their adequacy can be judged, leaving room for inconsistent or inadequate protections.
- Key user rights, such as withdrawal of consent, also remain ambiguously worded. It is unclear whether withdrawing consent requires complete deletion of the data, and there is no practical way for users to verify that deletion has actually occurred.
- The criteria for designating "Significant Data Fiduciaries" are not clearly defined, creating compliance uncertainty, especially for smaller organisations that may struggle with the costs of audits and reporting.
- Insufficient Procedural Safeguards
- The Act provides broad exemptions to the state entities under national security provisions without prescribing sufficient procedural safeguards, which risks the enablement of unchecked surveillance.
- Processes for exercising rights such as data deletion (the “right to be forgotten”) are not robustly articulated, limiting the practical enforcement of user control over personal data.
- Overreliance on Consent Mechanisms
- While consent forms the bedrock of the Act's framework, the Rules do not address the realities of consent fatigue or the ability of individuals to provide truly informed consent.
- A heavy reliance on notices, without mandating simpler, more accessible, and understandable formats, could dilute the effectiveness of the intended protections.
- Lack of Regulation for Emerging Risks:
Emerging risks associated with profiling, automated decision-making, and AI-driven processing of personal data have not been addressed in the Act or the draft Rules, creating potential vulnerabilities for individuals and businesses alike.
- No Graded Obligations Based on Risk or Volume:
- Apart from the special designation of "Significant Data Fiduciaries," the Draft Rules impose largely uniform compliance obligations across all entities.
- A one-size-fits-all approach may not adequately account for differences in the nature, volume, and sensitivity of data processing across organisations.
- Start-ups and smaller businesses, in particular, face uncertainty due to the lack of clear thresholds for exemptions or scaled obligations.
- Inadequate Cybersecurity Benchmarks
- Although the Act mandates "reasonable security safeguards", it does not reference any recognised cybersecurity standard (such as ISO 27001 or the NIST frameworks).
- This absence of clear benchmarks complicates compliance assessment and preparedness for inspections or breach response.
The DPDP Act and its Draft Rules mark a vital step in India's data protection journey, but gaps, such as those outlined above, do pose certain operational and enforcement challenges.
Those who start preparation now, taking a systematic approach to implementation, will be well-positioned when enforcement begins.
Author: Aastha Abhya – Managing Partner, Atreus Law Firm. Views are personal.