India’s Digital Personal Data Protection (DPDP) Act is often considered the country’s equivalent of the EU’s General Data Protection Regulation (GDPR). Following in the footsteps of the GDPR, the DPDP Act redefines how businesses handle personal data in India.
However, understanding the specifics of the DPDP Act is complex, especially when terms like “personal data” and “the processing of personal data” have broad definitions. As a business owner, it can be tricky to make sense of these terms and to understand whether the DPDP Act applies to your business.
This blog post makes that a little less tricky by clearly explaining the applicability of the DPDP Act and whether it applies to your business.
What does the DPDP Act apply to?
The DPDP Act 2023 applies to digital personal data. But what is personal data? It is any personal information like name, address, or contact details in digital form or converted into digital form. It also includes your IP addresses, location data, browsing history, and social media posts.
Here’s a simple example of digital personal data. Imagine filling out a digital form on a local e-commerce website to purchase a handcrafted item. In the form, the e-commerce website collects your name, email address, shipping address, and payment information. All the data you shared with the e-commerce company is in digital format, and because it can identify you, it qualifies as digital personal data.
Does the DPDP Act Apply to you?
The DPDP Act applies to two key players: Data Principals and Data Fiduciaries. Let’s break down how the DPDP Act applies to each:
- Data Principal: A data principal is any individual whose personal data is collected and processed. If you provide your information to a company, you’re the data principal. In the case of children and persons with disabilities, their parents or lawful guardians are treated as data principals.
- Data Fiduciary: A data fiduciary is an organization or entity that decides how and why your personal data is collected and used. A small business, a large corporation, a government agency, or even a non-profit organization can be a data fiduciary.
Here’s an example to illustrate the role of a data principal and data fiduciary:
When you sign up for a newsletter on a website:
- You are the Data Principal, because you share your personal data, such as an email address, with the website.
- The website that collects your personal data is the Data Fiduciary. It also decides how it wants to use your personal information. In this example, the website might use your email address to send newsletters, product updates, or targeted advertising.
Does the DPDP Act apply only to Indian businesses?
The DPDP Act applies to Indian and international companies alike. Two key principles decide whether it applies to a business:
- If the company processes personal data within India: The DPDP Act applies if your organization has offices or infrastructure in India and processes personal data in India.
- If the company processes personal data outside India, but it pertains to business activity with individuals in India: If your company is based outside India, but you’re offering goods or services to individuals in India and collecting personal data for that purpose, then the DPDP rules apply.
Let’s look at a few examples:
- Example 1: An Indian insurance company that uses the personal financial information of customers residing in India for policy evaluation. In this case, the DPDP Act applies because the processing occurs within India.
- Example 2: A multinational company collects contact information to send promotional messages to customers in India. Even though the data is processed outside India, the DPDP Act applies because the data is related to a business targeting individuals within India.
- Example 3: Another multinational company collects user data of UK residents and processes it in the USA to design marketing campaigns. The DPDP Act would not apply in this case, because the data processing is not done in India and the business activities are not related to individuals living in India.
To summarize this section: the DPDP Act applies to companies that interact with individuals in India and process their personal data, no matter where the business is located.
When will DPDP be enforced?
The Digital Personal Data Protection (DPDP) Act was enacted on August 11, 2023. However, the DPDP Act is not yet fully in force. The Indian government plans to implement the regulation in a phased manner.

Here’s a breakdown of the expected timeline based on the latest information:
- Enactment: August 11, 2023.
- DPDP 2025 Draft Release: The Union Ministry of Electronics and Information Technology (MeitY) released the draft Digital Personal Data Protection Rules, or DPDP Rules, 2025, on January 3, 2025.
- Public Feedback: The latest draft is open for public review, comments, and suggestions until March 5, 2025.
- Implementation Timeline: The government intends to implement the DPDP Act rules in phases over a two-year transition period.
- Data Protection Board (DPB): Establishing the Data Protection Board (DPB) is another crucial step expected before the DPDP Act becomes effective.
What does this timeline mean for companies?
Businesses must closely monitor the latest announcements from MeitY regarding the finalization of the DPDP Act. After the act is implemented, companies will be given two years to comply with the provisions of the DPDP Act. This is the golden period for organizations to build stronger data privacy and protection machinery. This includes investing in a consent management platform, strengthening data security measures, and ensuring transparent communication about users’ data rights and usage.
As an example, let’s assume the DPDP Act becomes effective by the end of 2025. In that case, businesses might have until the end of 2027 to fully comply with all aspects of the DPDP Act and its associated rules.
Exceptions to the applicability of the DPDP Act
While the DPDP Act has a broad scope, it does not apply to certain entities and in certain situations. Being aware of these exceptions helps you determine whether you must comply with the DPDP Act in specific circumstances.
Governmental and National Security Purposes
The DPDP Act allows the Central Government to exempt government agencies from certain provisions on grounds such as national security, public order, and the prevention of offences. This means that in certain situations, government bodies may be able to process personal data without adhering to all the requirements of the Act.
Personal or Household Use
The DPDP Act does not apply to the processing of personal data by an individual for personal or domestic purposes. For example, if you ask for your friend’s phone number to meet them for dinner, the DPDP Act does not apply to this use of their data.
Journalistic, Literary, or Artistic Purposes
The DPDP Act also includes an exemption for the processing of personal data for journalistic, literary, or artistic purposes, to protect freedom of expression and the press. Imposing the provisions of the DPDP Act on these activities would restrict them unduly.
Overlap with Other Laws (Sector-Specific Legislation)
In cases where the DPDP Act overlaps with sector-specific legislation that already regulates data processing, the applicability of its rules will depend on how it is reconciled with the existing laws. For example, the Telecom Regulatory Authority of India (TRAI) regulates the telecommunications industry in India. The DPDP Act makes it mandatory for telecom service providers to obtain explicit consent before processing digital personal data. In the event of a data breach, TRAI and the Data Protection Board under the DPDP Act have to work together to avoid jurisdictional conflicts.
Incidental Data Collection
The DPDP Act does not apply if personal data is made publicly available by the data principals themselves or by someone else under a legal obligation. For example, if you share a picture of yourself on social media, a business can use that picture without fulfilling all the requirements under the DPDP Act.
What to do next?
If the DPDP Act applies to your business, these are the steps you must take next:
Obtain and Manage User Consent
Obtain explicit consent from users, in clear and understandable language, before you collect and process their personal data. Investing in a consent management platform (CMP) will streamline this process, as you can record, manage, and renew consent in one place.
Ensure Data Subject Rights Compliance
Honour data principals’ rights, including the right to access, correct, and erase their personal data. To support this, implement processes to respond to user requests and maintain accurate data records.
Implement Robust Data Security Measures
Protect personal data from unauthorized access, use, disclosure, or loss through appropriate technical and organizational safeguards. Implement encryption, access controls, and regular security audits to minimize data breach risks.
Appoint a Data Protection Officer (DPO) or Compliance Lead
Appoint an individual or team to oversee DPDP compliance efforts within your organization. This role will be the point of contact for data protection and privacy matters. They will be responsible for implementing policies and training employees in accordance with the DPDP Act 2023.
Ensure Third-Party Compliance
If you share personal data with third-party vendors or partners, ensure they also comply with the DPDP Act. Conduct due diligence to verify their data protection practices and incorporate appropriate contractual clauses.
Maintain Data Retention & Deletion Policies
Establish clear policies for how long you retain personal data and when it should be securely deleted. Retain data only as long as necessary for the specified purpose.
Keep Up with Regulatory Updates
Keep an eye on the latest announcements by following the MeitY website. This will help you stay on top of amendments and clarifications related to the DPDP Act regulations. Keep reviewing your compliance program to align it with the latest legal requirements.
Summary
The Digital Personal Data Protection (DPDP) Act will bring a seismic shift in India’s data privacy landscape. Understanding whether the DPDP Act applies to your business is the first step toward compliance. The Act applies to data principals (individuals) and data fiduciaries (entities processing data), regardless of whether they are based in India. If their activities involve processing personal data related to individuals within India, the DPDP Act applies to them.
While there are certain exceptions, such as for governmental purposes, personal use, and journalistic activities, most businesses will need to take proactive steps to comply with the DPDP rules. As next steps, collect user consent, honour data subject rights, implement robust security measures, appoint a DPO, and maintain data retention policies.
Need help navigating the complexities of the DPDP Act? Visit hypertrust.one and find out how we can assist your organization with data privacy compliance.
FAQs
1. Who exactly does the DPDP Act apply to?
The DPDP Act applies to both Data Principals (individuals whose data is processed) and Data Fiduciaries (entities that determine the purpose and means of processing personal data).
2. How does the extraterritorial applicability of the DPDP Act work?
The DPDP Act is applicable to foreign entities offering goods and services to Data Principals (individuals) located within India if they process personal data in connection with those activities.
3. What are the key compliance requirements under the DPDP Act?
Obtaining consent for data processing, ensuring data accuracy and security, and deleting data when its purpose has been met are the three key compliance requirements of the DPDP Act.
4. What are the exceptions to the applicability of the DPDP Act?
The DPDP Act does not apply to personal data processed by an individual for personal or domestic purposes. It also doesn’t apply to data made publicly available by the Data Principal or by someone legally obligated to disclose it.