India's Digital Personal Data Protection Act: What Every Business Needs to Know

A New Era for Data Privacy in India

The Digital Personal Data Protection Act, 2023 (DPDPA) is not a distant policy paper. It is the law of the land, and its enforcement provisions are now in effect. For Indian businesses, from bootstrapped startups to publicly listed enterprises, the DPDPA represents the most significant shift in how personal data is collected, processed, stored, and deleted since the Information Technology Act of 2000.

Yet a 2025 survey by NASSCOM found that 62% of Indian SMEs have not completed even a basic data audit to assess their compliance readiness. Many business owners assume the Act only applies to large technology companies. That assumption is dangerously wrong.

The DPDPA applies to every entity that processes digital personal data within India, regardless of size, revenue, or industry. If your business collects a customer's name, phone number, email address, or payment details, you are a Data Fiduciary under the Act, and you have obligations.

Key Definitions Every Business Must Understand

Before diving into compliance requirements, clarity on terminology is essential:

• Data Principal: The individual whose personal data is being processed. This is your customer, employee, vendor contact, or website visitor.
• Data Fiduciary: The entity that determines the purpose and means of processing personal data. This is your business.
• Data Processor: Any entity that processes data on behalf of the Data Fiduciary. This includes your CRM vendor, cloud hosting provider, email marketing platform, and AI tool providers.
• Significant Data Fiduciary: Entities designated by the government based on data volume, sensitivity, or risk to national security. These face additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.
• Consent Manager: A registered entity that manages consent on behalf of Data Principals, acting as a single point of contact for individuals to grant, review, and withdraw consent.

The Seven Pillars of DPDPA Compliance

1. Lawful Purpose and Consent

Personal data can only be processed for a lawful purpose, and in most cases, only after obtaining the Data Principal's free, specific, informed, and unambiguous consent. The consent request must be presented in clear, plain language, specifying exactly what data is being collected and why.

Generic consent clauses buried in 40-page terms of service documents will not satisfy the Act. The consent notice must be standalone, easily understandable, and available in English or any language specified in the Eighth Schedule of the Constitution.

2. Purpose Limitation

Data collected for one purpose cannot be repurposed without fresh consent. If a customer provides their phone number for delivery updates, you cannot add it to your marketing SMS list without separate, explicit consent. This principle fundamentally changes how many Indian businesses have traditionally operated.

3. Data Minimisation

Collect only the data you genuinely need. A food delivery app does not need a customer's Aadhaar number. A clothing retailer does not need a date of birth unless offering a birthday discount. Every data field you collect must be justified by a specific, stated purpose.

4. Accuracy and Completeness

Data Fiduciaries must make reasonable efforts to ensure that personal data is accurate and up to date, particularly when such data is used for decisions affecting the Data Principal or is shared with other entities.

5. Storage Limitation

Personal data must not be retained longer than necessary for the purpose for which it was collected. Once the purpose is fulfilled, the data must be erased. This means businesses need clear retention schedules for every category of personal data they hold.

6. Security Safeguards

The Act requires Data Fiduciaries to implement reasonable security safeguards to prevent data breaches. While the Act does not prescribe specific technologies, industry best practices include encryption at rest and in transit, access controls, regular security audits, and incident response plans.

7. Accountability

Data Fiduciaries must be able to demonstrate compliance. This is not a passive obligation. It requires documentation, processes, training, and ongoing governance.

Penalties That Demand Attention

The DPDPA introduces a penalty framework that should concern businesses of every size:

These are maximum penalties. The Data Protection Board will consider factors such as the nature and gravity of the breach, whether it was a first offence, and the mitigating steps taken by the business. However, even a fraction of these amounts would be existential for most Indian SMEs.

Children's Data: Special Protections

The DPDPA imposes heightened obligations for processing data of individuals under 18:

• Verifiable parental consent is required before processing a child's data
• Tracking, behavioural monitoring, and targeted advertising directed at children are prohibited
• No data processing that causes harm to a child's well-being is permitted

For businesses operating edtech platforms, gaming apps, or any service with a significant user base under 18, these provisions require immediate architectural changes.

Cross-Border Data Transfers

The DPDPA allows transfer of personal data outside India, except to countries specifically restricted by the Central Government through notification. This is a more permissive approach than earlier drafts that mandated strict data localisation. However, businesses must still ensure that adequate protections exist in the receiving country, and the Data Fiduciary remains accountable for the data regardless of where it is processed.

Practical Compliance Roadmap for Indian Businesses

Phase 1: Discovery (Weeks 1-4)

• Conduct a comprehensive data inventory: what personal data do you collect, where is it stored, who has access, and how long is it retained?
• Map all data flows, including those to third-party processors such as cloud providers, analytics platforms, and marketing tools
• Identify any processing of children's data or sensitive personal data

Phase 2: Gap Assessment (Weeks 5-8)

• Compare current practices against DPDPA requirements
• Evaluate existing consent mechanisms for compliance
• Review contracts with Data Processors to ensure they include required data protection clauses
• Assess security safeguards against industry benchmarks

Phase 3: Remediation (Weeks 9-16)

• Redesign consent flows to be clear, specific, and easily revocable
• Implement or upgrade encryption, access controls, and audit logging
• Establish data retention schedules and automated deletion workflows
• Draft and publish an updated privacy policy that meets DPDPA requirements
• Create a breach notification process that enables reporting to the Data Protection Board within the required timeframe

Phase 4: Governance (Ongoing)

• Train all employees who handle personal data on DPDPA obligations
• Conduct periodic audits to ensure ongoing compliance
• Monitor regulatory updates as the Data Protection Board issues rules and guidelines
• Establish a mechanism for Data Principals to exercise their rights, including access, correction, and erasure

How AI and Automation Intersect with DPDPA

If your business uses AI tools for marketing, customer service, or analytics, the DPDPA adds layers of complexity. AI systems that process personal data must comply with the same consent, purpose limitation, and data minimisation principles as any other processing activity. The automated nature of AI does not exempt it from human-centric privacy protections.

For businesses using AI marketing tools, chatbots, or voice agents, this means ensuring that every AI interaction where personal data is collected or processed has a clear legal basis, and that the data principal is informed about the AI's involvement.

The Competitive Advantage of Compliance

Compliance is not merely a cost centre. In an era where data breaches make headlines and consumer trust is fragile, businesses that demonstrably protect personal data gain a competitive edge. A 2025 Deloitte India study found that 73% of Indian consumers are more likely to do business with companies that clearly communicate their data protection practices.

The DPDPA is not a burden. It is an opportunity to build trust, strengthen customer relationships, and differentiate your business in an increasingly privacy-conscious market.

At AnantaSutra, we build AI-powered tools with DPDPA compliance at their core, from consent management in our voice agents to data minimisation in our marketing automation. If you are navigating the complexities of data privacy compliance while adopting AI, we can help you move forward with confidence.