Digital Personal Data Protection Act (DPDPA) India

Overview

The Digital Personal Data Protection Act, 2023 (DPDPA) regulates how digital personal data is collected, processed, and stored in India. The law balances individuals' rights to privacy with businesses' need for lawful data processing. It applies to entities within India and foreign organizations handling Indian users' data. 

Regulation Summary

  • August 11, 2023 – Law received presidential assent.
  • Implementation Date – Yet to be announced by the government.

  • All entities processing digital personal data within India.
  • Foreign businesses offering goods/services to Indian users.
  • Companies handling employee or customer data in India, regardless of industry.

  • Personal/domestic data use.
  • Publicly available data disclosed under law.
  • Government agencies handling data for national security, public interest, or law enforcement purposes.

  • Obtain clear and informed consent before collecting data.
  • Limit data collection to what is necessary.
  • Ensure data accuracy and implement security measures.
  • Allow access, correction, and deletion of data upon request.
  • Report data breaches to the Data Protection Board and affected individuals.

  • Provide a clear privacy notice before collecting personal data.
  • Offer users an easy way to withdraw consent.
  • Implement security safeguards to prevent unauthorized access.
  • Report data breaches promptly to authorities.

  • Cross-border data transfers may be restricted by government notifications.
  • Parental consent required for processing children’s data.
  • Significant Data Fiduciaries (SDFs) must appoint a Data Protection Officer (DPO) and conduct compliance audits.

Individuals have the right to:

  • Access and correct their personal data.
  • Withdraw consent at any time.
  • Request deletion of their data.
  • File complaints with the Data Protection Board.

  • Regulated by the Data Protection Board of India.
  • Fines up to ₹250 crore (~$30M USD) for non-compliance, data breaches, and failure to secure data.