What does DPDPA - India’s new Privacy Law mean for you?
Published on:
Monday, January 27, 2025
Hardik Katyarmal
Understanding Digital Privacy
In an increasingly digital world, the concept of privacy has evolved to encompass the protection of personal data online. Digital privacy refers to an individual’s right to control how their personal information is collected, used, shared, and stored. Recognizing the critical role of data privacy, countries worldwide have adopted regulations to safeguard individuals’ rights. As shown on the map, a majority of nations now have comprehensive legislation or draft policies in place to address the growing challenges of data security and privacy. Most of these regulations, such as the EU’s GDPR, the US’s CCPA, and India’s DPDPA, have gained momentum in the last 10 years, establishing frameworks for responsible data handling that ensure transparency, accountability, and consent-driven practices.

Setting the Stage
Did you know the Right to Privacy wasn’t always recognized as a fundamental right in India? It was not included in India’s original Constitution. Even early challenges in cases from 1954 and 1962 against state surveillance and search & seizure failed to establish it as a fundamental right; Indian courts held that these did not violate individual rights.
Key Milestones
1975: The Court acknowledged privacy as an implied right under Articles 19 and 21, linking it to life, liberty, and freedom of movement. However, it wasn’t absolute; exceptions were allowed for security.
2017: The Supreme Court unanimously upheld privacy as a fundamental right in the Aadhaar case, extending the right's scope to body, mind, choices, and information for the first time.
2018: The Srikrishna Committee proposed a robust framework for digital data protection, setting the stage for proactive legislative measures like the DPDPA.
2019: The first draft of the Personal Data Protection Bill was introduced in the Indian Parliament and referred to a Joint Parliamentary Committee for further deliberation.
2023: The Digital Personal Data Protection Act was passed, establishing a framework for consent as well as the responsibilities of data custodians and processors, followed by draft rules in 2025.

Scope of the DPDPA
Digital Data
As the name suggests, the act applies specifically to Digital Personal Data: any data that can directly or indirectly identify a particular individual and that is captured in digital form, or captured offline and digitized later. Unlike the GDPR, the act does not apply to purely offline data.
Sensitive Data
DPDPA does away with the concept of sensitive/critical personal data that was defined under the SPDI Rules (2011) and the IT Act (2000). Instead, it requires the same data security measures to be applied equally across all personal data.
Geography
All data collected, stored or processed in India is subject to DPDPA compliance. In addition, organizations outside India that process data relating to Indian citizens also need to follow the same guidelines.
Key Concepts
Actors
Data principal: The individual whose data is being collected, processed or shared. Treated as the owner of the data, holding rights over data generated about them.
Data fiduciary: The entity that collects data and defines how it is used. Can be thought of as the data custodian/guardian, holding and protecting data on behalf of the principal.
Data processor: An entity that takes on responsibility for processing data on behalf of the fiduciary as an outsourcing partner. All vendors that touch customer data fall into this bucket.
Consent manager: A user-facing intermediary employed by data fiduciaries to capture and manage consent from data principals for processing and/or sharing of personal data, without seeing the data itself. E.g.: Account Aggregators.

Significant Data Fiduciaries
Some organizations are further tagged by the government as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data, the risk to data principals' rights, and national security concerns. Large-scale organizations such as social media companies, eCommerce marketplaces and tech giants are likely to fall under this category.
Being tagged as an SDF by the government brings additional responsibilities, such as:
Appointing a Data Protection Officer that reports to the Data Protection Board
Annual Data Protection Impact Assessments to find vulnerabilities
Deploying Due diligence and Risk mitigation measures for on-premise solutions
Consent
An agreement between data principals and fiduciaries to capture, store, process and/or share personal data, provided it is:
Informed: Explicit consent received after data fiduciary presents all necessary information
Granular: Captured for a specific purpose and time period on enlisted data items
Revocable: Freedom to view, edit and revoke consent in the future as easily as it was given
Auditable: Verifiable logs to prove rightful data usage in accordance with consent capture
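The four properties above (and the revocation and consent-capture points under Rights of the Data Principal and Implications for Businesses below) map naturally onto a small consent ledger. The following is an added example, not code from the original post or from any consent manager product: `ConsentLedger`, `Purpose`, `record_use` and the sample principal `p-001` are all constructed here. Each grant records which notice the principal saw (informed), lists data items, purpose and expiry (granular), revocation is a single call (revocable), and every grant, revocation and processing attempt lands in a hash-chained append-only log whose integrity can be checked later (auditable).

```python
# Added example (not from the original post): a consent ledger covering the four
# properties listed above. Names such as ConsentLedger and record_use are constructed.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    """One granular grant: listed data items, for one purpose, until expiry."""
    name: str
    data_items: frozenset
    expires_at: datetime


@dataclass
class ConsentRecord:
    principal_id: str
    notice_version: str                 # the plain-language notice shown (informed)
    purposes: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)


def _digest(entry: dict) -> str:
    """SHA-256 over an audit entry minus its own hash field."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True, default=str).encode()).hexdigest()


class ConsentLedger:
    """Consent records plus an append-only, hash-chained audit log (auditable)."""

    def __init__(self) -> None:
        self.records: dict = {}
        self.audit: list = []

    def _append(self, event: dict) -> None:
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {**event, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def grant(self, principal_id, notice_version, purpose, data_items, duration, now):
        """Capture consent for a specific purpose, item list and time period (granular)."""
        rec = self.records.setdefault(principal_id, ConsentRecord(principal_id, notice_version))
        rec.purposes[purpose] = Purpose(purpose, frozenset(data_items), now + duration)
        rec.revoked.discard(purpose)
        self._append({"at": now, "principal": principal_id, "action": "grant",
                      "purpose": purpose, "items": sorted(data_items), "notice": notice_version})

    def revoke(self, principal_id, purpose, now):
        """Revocation is one call, as easy as the grant (revocable)."""
        self.records[principal_id].revoked.add(purpose)
        self._append({"at": now, "principal": principal_id, "action": "revoke", "purpose": purpose})

    def is_allowed(self, principal_id, data_item, purpose, now) -> bool:
        rec = self.records.get(principal_id)
        if rec is None or purpose in rec.revoked:
            return False
        p = rec.purposes.get(purpose)
        return p is not None and data_item in p.data_items and now < p.expires_at

    def record_use(self, principal_id, data_item, purpose, now) -> bool:
        """Every processing attempt is logged with its outcome, so the log proves usage matched consent."""
        ok = self.is_allowed(principal_id, data_item, purpose, now)
        self._append({"at": now, "principal": principal_id, "action": "use",
                      "purpose": purpose, "item": data_item, "allowed": ok})
        return ok

    def verify_audit(self) -> bool:
        """Re-walk the chain; any edited or removed entry breaks a link."""
        prev = "0" * 64
        for entry in self.audit:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Grant, use, expiry, revocation and tamper detection on constructed data."""
    t0 = datetime(2025, 1, 27, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("p-001", "notice-v1", "order_fulfilment", {"name", "address"}, timedelta(days=365), t0)
    results = {
        "listed_item": ledger.record_use("p-001", "address", "order_fulfilment", t0 + timedelta(days=1)),
        "unlisted_item": ledger.record_use("p-001", "email", "order_fulfilment", t0 + timedelta(days=1)),
        "other_purpose": ledger.record_use("p-001", "address", "marketing", t0 + timedelta(days=1)),
        "after_expiry": ledger.record_use("p-001", "address", "order_fulfilment", t0 + timedelta(days=400)),
    }
    ledger.revoke("p-001", "order_fulfilment", t0 + timedelta(days=2))
    results["after_revoke"] = ledger.record_use("p-001", "address", "order_fulfilment", t0 + timedelta(days=3))
    results["chain_valid"] = ledger.verify_audit()
    ledger.audit[0]["purpose"] = "marketing"      # simulate someone editing the grant entry
    results["tamper_detected"] = not ledger.verify_audit()
    results["events"] = len(ledger.audit)
    return results
```

Running `demo()` shows the ledger refusing use of an unlisted item, an ungranted purpose, an expired grant and a revoked one, and detecting the edited grant entry. In a real deployment the chain head would additionally be anchored outside the system (signed or written to write-once storage) so the log cannot simply be rebuilt end to end.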
Reasonable Security Standards
The draft rules for DPDPA (2025) suggest certain best practices as reasonable security safeguards that data fiduciaries need to apply to their own systems and enforce on any data processors they have employed to outsource parts of data processing:
Standard practices like obfuscation and masking of personal data, and more advanced techniques like the use of virtual tokens (e.g. a one-way hash) and encryption of personal data at rest, in use and in transit over the internet
Logging, monitoring and review of access to personal data within your systems, along with intrusion detection systems and processes to investigate such incidents and prevent recurrence
Contractual clauses between data fiduciaries and data processors that include security safeguards when a third party is employed to outsource data operations
Access control mechanisms to minimize the attack surface and the exposure of systems holding personal data to external threats
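The following is an added example, not code from the original post or from the draft rules, showing three of the safeguards above on a constructed record set: masking and keyed one-way tokens for display and analytics, a role-based allow list in front of the personal-data store, and an access log that a review job scans for denied attempts and bulk reads. `PersonalDataStore`, `ROLE_POLICY`, `review_access_log`, the actor ids and the key are all names and values made up here. One caveat worth knowing when the rules say "one-way hash": a plain hash of an identifier with a small input space (a 10-digit phone number, a date of birth) can be reversed by hashing every candidate, so the token here is an HMAC under a secret key rather than a bare SHA-256. Encryption at rest is left out because the standard library has no authenticated cipher; in practice that comes from a KMS-backed library, not hand-rolled code.

```python
# Added example (not from the original post). All names, records and the key are constructed.
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed key for the example; a real deployment keeps it in a KMS/HSM, never in source.
TOKEN_KEY = b"example-key-rotate-me"


def mask_phone(phone: str) -> str:
    """Keep only the last 4 digits for display."""
    digits = re.sub(r"\D", "", phone)
    return "X" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token. A plain SHA-256 of a phone number can be reversed by hashing
    every possible number; the secret key makes the token non-reversible without it."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


# Least privilege: each role sees only the listed fields, and only in the listed form.
ROLE_POLICY = {
    "support_agent": {"name": "clear", "phone": "masked", "email": "masked"},
    "analyst": {"phone": "token", "email": "token"},
}


class PersonalDataStore:
    """Access-controlled store that logs every read, allowed or not."""

    def __init__(self, records: dict) -> None:
        self._records = records
        self.access_log: list = []

    def read(self, actor: str, role: str, principal_id: str, attr: str, now: datetime):
        form = ROLE_POLICY.get(role, {}).get(attr)
        allowed = form is not None and principal_id in self._records
        self.access_log.append({"at": now, "actor": actor, "role": role,
                                "principal": principal_id, "attr": attr, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{role} may not read {attr}")
        raw = self._records[principal_id][attr]
        if form == "clear":
            return raw
        if form == "masked":
            return mask_phone(raw) if attr == "phone" else mask_email(raw)
        return tokenize(raw)


def review_access_log(log: list, window: timedelta, max_principals: int) -> dict:
    """Review step: flag denied attempts, and actors who read more distinct principals
    than expected inside any sliding window (a bulk-read signal worth investigating)."""
    findings: dict = {}
    by_actor: dict = {}
    for e in log:
        by_actor.setdefault(e["actor"], []).append(e)
    for actor, events in by_actor.items():
        notes = []
        denied = sum(1 for e in events if not e["allowed"])
        if denied:
            notes.append(f"{denied} denied access attempt(s)")
        events.sort(key=lambda e: e["at"])
        for i, e in enumerate(events):
            start = e["at"] - window
            seen = {x["principal"] for x in events[: i + 1] if x["allowed"] and x["at"] >= start}
            if len(seen) > max_principals:
                notes.append(f"read {len(seen)} distinct principals within {window}")
                break
        if notes:
            findings[actor] = notes
    return findings


def demo() -> dict:
    """Constructed records and accesses; returns what each role saw and what review flagged."""
    t0 = datetime(2025, 1, 27, 9, 0, tzinfo=timezone.utc)
    store = PersonalDataStore({
        "p-001": {"name": "Asha", "phone": "+91-9876504321", "email": "asha@example.com", "address": "Pune"},
        "p-002": {"name": "Ravi", "phone": "+91-9876500002", "email": "ravi@example.com", "address": "Delhi"},
        "p-003": {"name": "Meera", "phone": "+91-9876500003", "email": "meera@example.com", "address": "Goa"},
    })
    masked_phone = store.read("agent-7", "support_agent", "p-001", "phone", t0)
    masked_email = store.read("agent-7", "support_agent", "p-001", "email", t0 + timedelta(minutes=1))
    store.read("agent-7", "support_agent", "p-002", "phone", t0 + timedelta(minutes=2))
    store.read("agent-7", "support_agent", "p-003", "phone", t0 + timedelta(minutes=3))
    token = store.read("ana-1", "analyst", "p-001", "phone", t0 + timedelta(minutes=4))
    try:
        store.read("ana-1", "analyst", "p-001", "address", t0 + timedelta(minutes=5))
        denied = False
    except PermissionError:
        denied = True
    return {
        "masked_phone": masked_phone,
        "masked_email": masked_email,
        "token": token,
        "token_matches": token == tokenize("+91-9876504321"),
        "denied": denied,
        "log_len": len(store.access_log),
        "findings": review_access_log(store.access_log, timedelta(hours=1), 2),
    }
```

With a review window of one hour and a ceiling of two distinct principals, `demo()` flags the support agent who read three customers' phone numbers in three minutes and the analyst whose request for an address was denied; both are entries a reviewer would want to look at, and both are only visible because the store logged the attempt regardless of outcome.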
Rights of the Data Principal
Right to be Informed: DPDPA places a lot of importance on making sure data principals hand over their data to fiduciaries in the right context, after considering how the data is going to be used, whom it is going to be shared with and for what purpose. Data fiduciaries are mandated to present all information upfront, in plain and simple language, and to capture explicit consent.
Right to be Forgotten: Data principals can request erasure of their data, and it is the responsibility of the data fiduciary to cease all processing of personal data about the individual, both within its own systems and at any data processors to which it has outsourced operations, while committing to an SLA for this with the data principal.
Right to Rectification: Where a data principal's information is inaccurate or incomplete, the data principal can request the fiduciary to rectify the records within a reasonable time frame.
Right to Revoke Consent: The consent manager concept focuses on making sure data principals retain control over data processing after data is captured. It mandates that revoking consent be as easy and accessible as giving it, and allows granular control over the use of their data for specific purposes.
Implications for Businesses
Enforce Data Security Safeguards: Deploy the reasonable security safeguards defined above on internal systems as well as at all data processors involved in data operations, under a valid contract with explicit terms enforcing the same security standards.
Capture Consent the Right Way: Identify data principals (the owners of the data) and capture consent in clear, plain language, along with an itemized list of the data points captured, the purpose of processing and the goods and services offered in return, as well as a link to the consent management portal where the data principal may exercise their rights.
Handle Children's Data with Extra Care: DPDPA mandates that children's data be processed only after verifiable consent is received from a parent. Data fiduciaries are mandated to perform due diligence and capture the identity and age of the individual claiming to be the parent.
Monitor Cross-border Transfers: A common misconception among organizations is that data localization is strictly enforced. However, DPDPA only mandates Significant Data Fiduciaries to maintain localization, allowing most other organizations to transfer data across borders, with the exception of a list of countries advised by the government.
Erase Data for Dormant Users: Certain data fiduciaries, such as eCommerce marketplaces (>20Mn users), social media companies (>20Mn users) and gaming companies (>5Mn users), are mandated to erase the data of users who have been dormant for 3 years, with a notification to the data principal at least 48 hours in advance.
Support Grievance Redressal: Data fiduciaries are mandated to have a clear and accessible grievance redressal mechanism to service requests from data principals on rectification, erasure and other data rights within a specified period. This acts as the first point of contact for any individual before they can approach the Data Protection Board of India.
Communicate on Data Breaches: Data fiduciaries must promptly (within 72h) inform the affected individuals as well as the Data Protection Board of any breach. Details should include the nature, extent and timing of the breach, the potential consequences for individuals, and the actions to be taken by individuals and by the fiduciary to prevent losses and recurrence.
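The dormant-user erasure duty in the list above has three moving parts a retention job must get right: whether the duty applies to the organization at all, when a user counts as dormant, and the 48-hour notice that must precede erasure (with the user's return during the notice window cancelling it). The following is an added example, not code from the original post or the draft rules; the user-count and time thresholds are the ones stated in the post, "3 years" is approximated as 3 x 365 days, and `next_action`, `User` and the sample user ids are constructed here.

```python
# Added example (not from the original post); thresholds are those stated in the post.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# User-count thresholds above which the dormant-user erasure duty applies (from the post).
USER_THRESHOLDS = {"ecommerce": 20_000_000, "social_media": 20_000_000, "gaming": 5_000_000}
DORMANCY = timedelta(days=3 * 365)      # "3 years", approximated here as 3 x 365 days
NOTICE_LEAD = timedelta(hours=48)       # notify the data principal at least 48 hours before erasure


def erasure_duty_applies(category: str, user_count: int) -> bool:
    """True when the organization's category and size put it under the erasure duty."""
    threshold = USER_THRESHOLDS.get(category)
    return threshold is not None and user_count > threshold


@dataclass
class User:
    user_id: str
    last_active: datetime
    notified_at: Optional[datetime] = None   # when the pre-erasure notice was sent


def next_action(user: User, now: datetime) -> str:
    """Decide, for one user, what the retention job should do at time `now`."""
    if now - user.last_active < DORMANCY:
        return "keep"                   # active, or came back after being notified
    if user.notified_at is None:
        return "notify"                 # dormant; send the 48-hour notice first
    if now - user.notified_at >= NOTICE_LEAD:
        return "erase"                  # notice period has elapsed
    return "wait"                       # notified, still inside the notice window


def demo() -> dict:
    """Constructed users covering each branch of the decision."""
    now = datetime(2025, 1, 27, tzinfo=timezone.utc)
    users = [
        User("u-active", now - timedelta(days=30)),
        User("u-dormant", now - timedelta(days=3 * 365 + 1)),
        User("u-notified", now - timedelta(days=3 * 365 + 5), now - timedelta(hours=12)),
        User("u-due", now - timedelta(days=3 * 365 + 5), now - timedelta(hours=49)),
        User("u-returned", now - timedelta(days=1), now - timedelta(hours=49)),
    ]
    return {
        "applies_ecommerce_25m": erasure_duty_applies("ecommerce", 25_000_000),
        "applies_gaming_4m": erasure_duty_applies("gaming", 4_000_000),
        "actions": {u.user_id: next_action(u, now) for u in users},
    }
```

The ordering of the checks is the point: activity is tested before the notice timestamp, so a user who logs in after being notified is kept rather than erased, and nothing is erased without a recorded notice at least 48 hours old.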
Conclusion
DPDPA is a pivotal step in India’s journey toward a digital ecosystem that values both empowerment and privacy. By defining clear responsibilities for businesses and empowering individuals with comprehensive rights, the Act sets a framework for trust in the digital age.
For individuals, it ensures greater control and transparency over personal data, creating an environment where data protection becomes a shared priority. For businesses, DPDPA challenges them to adopt a privacy-first approach, emphasizing compliance, security, and user-centric practices. As India positions itself as a global leader in data protection, the DPDPA reflects the nation’s commitment to balancing technological growth with individual privacy rights.
Here's a comprehensive comparison between DPDPA and GDPR from Latham & Watkins that sheds some light on the global privacy revolution and on how India is adopting it, keeping in mind the principles of data empowerment while protecting individuals' rights.