Digital Personal Data Protection Act

About Digital Personal Data Protection (DPDP) Act

The Indian Digital Personal Data Protection Act, 2023 is focused on safeguarding individual privacy rights and promoting responsible data management practices. The DPDP Act provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
Read FAQ

The Act includes but not limited to:

  • Notice Requirements
  • Functions of the consent manager
  • Procedure for data breach notifications 
  • Parental consent for children’s data 
  • Grievances
  • Exemptions for processing of personal data
  • Redressal procedures

Applicability of the Act

Processing of digital personal data within the territory of India

  • Data is collected online – Digital form
  • Data is collected offline and digitized.

Processing of digital personal data outside the territory of India:
Any activity related to the offering of goods or services to data principals within the territory of India


Key Terms of DPDP

DATA PRINCIPAL: Individual whose data is processed

DATA PROCESSOR: Who processes the Data

DATA PROCESSING: Personal Data and Sensitive Personal Data

DATA FIDUCIARY: Decides the purpose of the data processing

CRITICAL PERSONAL DATA: Categories of data that require most protection as defined by the DPDP Act

Other Important Pointers from the Law

Key Responsibilities of Data Fiduciary:

  • Having a Data Protection Officer and Consent Manager (SPOC for Fiduciary)
  • Compliance of all Data Processors
  • Relevant Policies and Procedures covering 
  • Grievance and Data Principal’s request handling process



Data Principal Rights:

  • Always share Legitimate Data to Data Fiduciary
  • Right to Access
  • Right of Correction/Update
  • Right to Erasure
  • Right to Nominate
  • Grievance and Redressal

Other Key Pointers:
Establishment of Data Protection Board of India – By Govt.

  • Penalty of up to 250 Crores for not adhering to the Law
  • Grievance and Complaints by Data Principals/Data Fiduciary
  • Dispute resolution and Appeals by Principal and Fiduciary


The rights of the data principal and obligations of data fiduciaries will not apply in specified cases such as:

  • Prevention and investigation of offenses
  • Enforcement of legal rights or claims
  • The Central government may exempt certain activities
  • In the interest of the security of the state and public order Research, archiving, or statistical purposes


Data Protection Board of India

It will be established by the Central Government of India. Key functions of the Board include:

  • Monitoring compliance and imposing penalties
  • Directing data fiduciaries to take necessary measures in the event of a data breach
  • Grievance redressal




  • Rs 200 crore: Reason- Non fulfillment of obligations for children
  • Rs 250 crore: Reason-Failure to take security measures to prevent data breaches.

Implementation at Every Stage of Data Lifecycle


  • Consent from the Data Principal – with purpose and use of personal data
  • Notice to Data Principals (existing) on the purpose and use of the personal data already collected/processed/stored/shared
  • Guardian/Parental Consent as applicable


  • For legitimate use only, Grounds to Process personal data
  • Rights of Data Principal taken care by Data Fiduciary (access, correction/update, nominate)
  • If shared, maintaining Data Processor list and adherence to the Law by Data Processor (responsibility of Fiduciary)


  • Data Security requirements to be considered and implemented – Encryption, Pseudonymization, Anonymization
  • Data Retention requirements considered (with other legal and regulatory requirements as well)


  • Right to Erasure / Forgotten of Data Principal being taken care by Data Fiduciary
  • Process to delete personal data (anonymize if required) by Data Fiduciary and also with any shared Data Processor

Action Items for Data Fiduciary

Frequently Asked Questions

You can find answers to some of the most frequently asked questions here, so feel free to send us a message if you do not find what you are looking for.
We are storing the user's personal data for logs and debugging-related tasks for our client. Then what is the process in this DPDP act? How we can comply with this act?
Personal data stored in logs or in debugging-related tasks also qualify as PII of the data principal and hence has to be protected.
As Software supplier under SaaS model the Data is stored outside India and used by our clients who collect personal data. Since we are Service providers what is our responsibility under DPDP act?
You become the data processor and the data fiduciary for the provider. It becomes your responsibility to protect the personal data. The security controls and other process controls must be implemented in agreement with the data fiduciary.
Is there any guideline provided when building application/system that would process PI data like privacy by design
Since the government has not specified any guideline, the industry best practices to protect the PII data can be taken into consideration.
Can a DPO also take on the additional role of consent manager or it has to be a separate position altogether?
The DPO can take on the additional role of consent manager as of now since there is no law that prohibits it. The consent manager works between the data fiduciary and the data principal in upholding their rights.
Difference between a Data Fiduciary and Data Processor
Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data while Data Processor means any person who processes personal data on behalf of a Data Fiduciary.
Difference between a Data Fiduciary and Data Processor
Data Fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data while Data Processor means any person who processes personal data on behalf of a Data Fiduciary.
If the consent is not directly taken from data principal and if the data is not voluntarily provided then the right to access and right to correction is not applicable to data principals?
A data fiduciary or data processor cannot process any personal data without the consent of the data principal. Purpose of data collection and processing of the same has to be explicitly called out.
Will the scope of data audit be prescribed by Data Protection Board of India Or the data fiduciaries will have the liberty to decide the scope of data audit?
The data protection board will decide the scope of data audit.
Please shed some light on the subject of data fiduciaries. Who all are included and what are the consequences/charges.
Data fiduciaries are the ultimate protectors of the PII of the data principal. They have to implement reasonable controls to protect the PII of the data principal and also provide all their rights in spirit of the law provided.
The data taken for employment purposes, is it covered under the DPDP Act?
Yes it is covered under the DPDPA. 
Can a data fiduciary be the same as data processor?
A data fiduciary can also process PII data.
What to do if i am unable to comply with some parts of the DPDP act. Any process for exceptions?
There is no space for non-compliance unless there is a valid reason. The law has detailed the list of exemptions to the Act.
As a tech partner for my client, does it matter that we are directly collecting the data from the principal? Does it make us Data Fiduciary or Data Processor?
As a tech partner to a data fiduciary, you will be a data processor.
Transform your business and manage risk with your trusted cyber security partner
CYRAAC Services Private Limited
3rd floor, 22, Gopalan Innovation Mall, Bannerghatta Main Road, JP Nagar Phase 3, Bengaluru, Bengaluru Urban, Karnataka-560076
Company CIN: U74999KA2017PTC104449
In Case Of Any Grievances Or Queries Please Contact -
Murari Shanker (MS) Co-Founder and CTO
Email ID: [email protected]
Contact number: +918553004777
crossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram