Understanding India's New Digital Personal Data Protection Act
When you browse global websites, you are often prompted to accept or reject cookies. That single choice either allows a company to collect and use your personal data or obliges it to respect your privacy by limiting collection. The European Union's General Data Protection Regulation (GDPR) has long been considered the gold standard for rules governing the collection, processing, and storage of personal information. In 2023, India took a significant step forward by passing its own comprehensive legislation – the Digital Personal Data Protection Act (DPDPA). Detailed rules were published last year, and every entity handling personal data must achieve full compliance by May 2027.
The Core Principles of India's DPDPA
The foundation of the DPDPA is informed consent. Unlike the GDPR, which covers both digital and physical data, India's law specifically focuses on digital personal data. Sreedharan K S, Director of Compliance at Zoho Corporation, emphasized that the Act mandates consent as the primary basis for data processing. However, the government has outlined specific exceptions where data can be processed without explicit consent, such as during natural disasters, public health emergencies, or for legal and security purposes.
Shreyashi Sengupta, Partner for Digital Trust Technology Risk Automation at KPMG, highlighted that the Act fundamentally empowers users. "Individuals are granted the right to exercise their consent, must be clearly informed about how their information will be used, and possess the authority to withdraw consent and request the erasure of their data," she explained. Furthermore, the law imposes a strict requirement for immediate notification to affected parties in the event of a data breach.
Implementation Challenges and Compliance Strategies
The DPDPA introduces rigorous, mandatory compliance requirements, particularly concerning the continued processing and storage of historical data. Organizations with long operational histories will face the daunting task of managing vast amounts of legacy data. Sreedharan noted that the compliance journey must begin with comprehensive asset management. "The first step is to discover where all the data resides within the organization. Subsequently, you must map which data qualifies as personal, assess its importance, and determine whether its retention is necessary," he stated. This initial discovery and mapping phase is expected to be particularly challenging and resource-intensive.
Shreyashi pointed out the complexity of modern IT landscapes, where data is often scattered across multiple systems and applications. "Tracking data content is not limited to a single application. Organizations must understand the downstream and upstream effects of data flows across their entire ecosystem," she added. Given the extensive scope of this exercise, she recommends that companies prioritize customer-facing applications and robust user consent preference management systems initially.
"Once these foundational elements are operational, organizations can then focus on implementing processes for breach notification and other compliance aspects. Data discovery is a continuous, lifelong exercise that should run in parallel with other compliance activities," Shreyashi advised.
Tools and Technologies for Compliance
To manage consent effectively, companies have two primary options: they can develop their own in-house consent management platforms or integrate with independent consent managers. These emerging third-party services offer centralized dashboards, allowing users to grant, manage, and withdraw consent seamlessly across multiple platforms and websites.
A critical requirement for ensuring truly informed consent is the provision of multi-language capabilities on websites and digital platforms. Sreedharan suggested that organizations could leverage government initiatives like Bhashini APIs as a starting point. Bhashini is an AI-powered multilingual platform developed by the Indian government to bridge language barriers, making privacy policies and consent forms accessible to a wider, linguistically diverse population.
The transition to full DPDPA compliance represents a substantial undertaking for Indian businesses and data fiduciaries. The government's timeline, extending to 2027, acknowledges the significant effort required to overhaul data handling practices, map legacy systems, and build user-centric privacy frameworks. This legislative move marks a pivotal shift towards greater digital privacy and user control in India's rapidly evolving digital economy.