The Digital Personal Data Protection Act 2023 is commonly known as the DPDP Act of 2023. The DPDP rules were operationalised in 2025. The Act is in line with global standards for the protection of people's data. In this blog, ASC Group provides complete guidance for a better understanding of the DPDP Act, how it aligns with the international regulations of the General Data Protection Regulation (GDPR), and how it impacts its various stakeholders.

What is the Digital Personal Data Protection Act, 2023?

The DPDP Act, 2023 is legislation prepared by the Government of India to protect the personal data of individuals in this digital age. The Act was enacted by the Indian Parliament and received presidential assent on August 11, 2023. The Act aims to balance individuals' rights to data privacy with the necessity for lawful data processing by organisations and government entities. The DPDP rules were operationalised in the public domain in 2025.

Why did the Government Introduce the DPDP Act?

This is the digital age, which connects people across the globe at a single click. In this digital age, the government introduced the DPDP Act to:

  1. Protect Individual Privacy - Recognize and uphold the fundamental right to privacy concerning personal data.

  2. Regulate Data Processing - Establish clear guidelines for entities on the lawful processing of personal data.

  3. Ensure Accountability - Hold data fiduciaries accountable for data protection, ensuring transparency and responsibility.

  4. Align with Global Standards - Bring India's data protection laws in line with international norms, facilitating cross-border data flows and collaborations.

What are the Important Aspects of the DPDP Act?

1. Applicability of DPDP

  • Territorial Scope - Applies to the processing of digital personal data within India and to entities outside India if they offer goods or services to individuals in India.

  • Data Coverage - Encompasses both online data and offline data that is digitized subsequently.

2. Purpose Limitation of DPDP

  • Data fiduciaries are required to process personal data only for specific, clear, and lawful purposes for which consent has been obtained.

  • Processing without explicit consent is permissible under certain conditions, such as compliance with legal obligations, public interest, or emergencies.

3. Rights of Data Principals

  1. Right to Access Information - Individuals can access their personal data and know how it is being processed.

  2. Right to Correction and Erasure - Individuals can request correction or deletion of inaccurate or outdated personal data.

  3. Right to Grievance Redressal - Mechanisms are in place for individuals to address grievances related to data processing.

  4. Right to Nominate - Individuals can nominate representatives to exercise their data rights in case of incapacity or death.

  5. Right to Withdraw Consent - Consent for data processing can be withdrawn at any time, subject to contractual or legal restrictions.

  6. Right to Be Informed - Individuals must be informed about the collection and processing of their personal data.

  7. Right to Data Portability - Individuals can request the transfer of their data from one fiduciary to another.

4. Key Stakeholders

  • Data Principal - The individual whose personal data is being processed.

  • Data Fiduciary - The entity (individual, company, or government) that determines the purpose and means of processing personal data.

  • Data Processor - An entity that processes data on behalf of the data fiduciary.

  • Significant Data Fiduciary (SDF) - Entities classified by the government based on factors like data volume and sensitivity, subject to additional obligations.

5. Data Protection Board of India

  • The Act mandates the establishment of the Data Protection Board of India, an adjudicatory body responsible for enforcing the provisions of the DPDPA, addressing grievances, and ensuring compliance.

How does it Align With the General Data Protection Regulation (GDPR)?

While the DPDPA draws inspiration from the GDPR, there are notable differences:

  1. Scope - The DPDPA focuses on digital personal data, whereas the GDPR applies to all personal data, digital or otherwise.

  2. Data Localisation - The DPDPA emphasizes data localization, requiring certain data to be stored within India, a provision not mandated by the GDPR.

  3. Age of Consent - The DPDPA sets the age of consent at 18 years, higher than the GDPR's threshold of 16 years.

  4. Regulatory Authority - The DPDPA establishes the Data Protection Board of India, while the GDPR is overseen by Data Protection Authorities in each EU member state.

  5. Penalties - The DPDPA imposes fines up to INR 250 crore for non-compliance, whereas the GDPR can levy fines up to euro 20 million or 4 percent of global turnover, whichever is higher.

Advantages of the DPDPA over the GDPR

  • Simplified Framework - The DPDPA offers a more straightforward compliance structure, potentially easing the burden on businesses.

  • Focus on Localisation - By emphasizing data localization, the DPDPA aims to enhance data security and sovereignty.

  • Protection of Minors - With a higher age threshold, the DPDPA provides stricter protections for children's data.

  • Scalability - The Act is designed to be adaptable, catering to the needs of a developing digital economy.

What are the Implementation Requirements of the DPDP Act?

The Digital Personal Data Protection Act, 2023 is poised to reshape India's data privacy landscape. To operationalize its provisions, the Ministry of Electronics and Information Technology (MeitY) has released the Draft Digital Personal Data Protection Rules, 2025, inviting public feedback until February 18, 2025.

Key Implementation Steps:

  1. Formation of the Data Protection Board of India (DPBI) - The DPBI will serve as the adjudicatory body ensuring compliance with the DPDPA, addressing grievances, and enforcing penalties for non-compliance.

  2. Regulatory Rules for Data Fiduciaries and Processors - The draft rules outline obligations for entities handling personal data, emphasizing lawful processing, data minimization, and security safeguards.

  3. Management of Consent - Emphasis is placed on obtaining clear and informed consent from data principals, with provisions for easy withdrawal of consent.

  4. Notifications for Data Breach - Entities are required to promptly report data breaches to the DPBI and affected individuals, detailing the nature of the breach and remedial actions taken.

  5. Cross-border Data Transfers - The rules specify conditions under which personal data can be transferred outside India, ensuring protection equivalent to domestic standards.

  6. Penalties for Non-compliance - The Act stipulates fines up to INR 250 crore for violations, underscoring the importance of adherence to data protection norms.

Recommendations for Stakeholders

Business Stakeholders

  • Conduct Data Audits - Assess current data collection and processing practices to identify gaps and ensure compliance with the DPDPA.

  • Implement Data Protection Measures - Establish robust security protocols, including encryption and access controls, to safeguard personal data.

  • Employee Training - Educate staff about data protection principles and their roles in maintaining compliance.

  • Appoint Data Protection Officers (DPOs) - Designate individuals responsible for overseeing data protection strategies and liaising with regulatory authorities.

Government Stakeholders

  • Provide Clear Guidelines - Issue detailed notifications and guidelines to assist organizations in understanding and implementing the Act's provisions.

  • Engage in Public Consultation - Involve stakeholders in discussions to refine the rules and address concerns, ensuring the framework is practical and effective.

Consumer Stakeholders

  • Stay Informed - Understand your rights under the DPDPA, including accessing, correcting, and erasing your personal data.

  • Exercise Rights Responsibly - Utilize the provisions of the Act to manage your personal data, ensuring its accuracy and lawful use.

Conclusion

The Digital Personal Data Protection Act, 2023, represents a significant advancement in India's commitment to data privacy. Its successful implementation hinges on collaborative efforts among regulators, businesses, and citizens. By adhering to the outlined guidelines and embracing a culture of data protection, India can achieve the Act's objectives of privacy, accountability, and innovation in its digital ecosystem.
