DPDP Act Compliance India — Digital Personal Data Protection Act Advisory
India’s Digital Personal Data Protection Act 2023 (DPDP Act) establishes a comprehensive framework for protecting the personal data of Indian residents. eShield Consulting provides end-to-end DPDP Act compliance advisory, gap assessment, and Data Fiduciary implementation services for organisations that process personal data in India.
What Is the DPDP Act?
The Digital Personal Data Protection Act 2023 is India’s primary data privacy legislation. It governs how Data Fiduciaries (organisations that collect and process personal data) must handle the personal data of Data Principals (Indian residents). Key obligations include obtaining consent, implementing appropriate security safeguards, appointing a Data Protection Officer (for Significant Data Fiduciaries), honouring data principal rights, and meeting mandatory breach notification requirements.
Who Must Comply with the DPDP Act?
- Any Indian business that collects or processes personal data of Indian residents
- Non-Indian businesses that offer goods or services to Indian residents (extraterritorial reach)
- “Significant Data Fiduciaries” designated by the government (high-volume processors, sensitive data handlers)
- Businesses processing children’s data (subject to additional consent and age verification requirements)
Our DPDP Act Compliance Services
- DPDP Act Readiness Assessment — Gap analysis of current data processing practices against DPDP Act obligations. Deliverable: compliance heat map and prioritised remediation plan.
- Data Inventory & Mapping — Catalogue all personal data flows, processing activities, retention periods, and third-party sharing.
- Consent Management Framework — Design consent notices, withdrawal mechanisms, and consent management platform (CMP) requirements.
- Data Principal Rights Implementation — Build processes for data access, correction, erasure, and grievance redressal.
- Security Safeguards Advisory — Recommend technical and organisational measures (encryption, access control, VAPT) required under Section 8.
- Breach Notification Readiness — Design incident response workflows for 72-hour breach reporting to the Data Protection Board of India (DPBI).
- DPO Appointment Support — Guidance on Data Protection Officer role, responsibilities, and qualifications for Significant Data Fiduciaries.
- Ongoing Compliance Monitoring — Quarterly compliance reviews and updates as DPDP Rules are notified.
DPDP Act Penalties
The DPDP Act 2023 imposes financial penalties up to ₹250 crore for failure to implement adequate security safeguards causing a personal data breach. Fines up to ₹200 crore apply for failure to notify the DPBI of a breach. Proactive compliance is significantly less costly than enforcement action.
Frequently Asked Questions — DPDP Act India
When does the DPDP Act become enforceable?
The DPDP Act 2023 has received Presidential assent. Specific provisions are being brought into force as DPDP Rules are finalised and notified. Organisations should begin compliance preparation immediately to be ready when enforcement commences. eShield monitors rule notifications and updates our advisory accordingly.
Is the DPDP Act similar to GDPR?
The DPDP Act shares conceptual similarities with GDPR (consent, data principal rights, breach notification, DPO requirement) but differs significantly in scope, exemptions, and penalties. Unlike GDPR, the DPDP Act applies only to digital personal data, has broader government exemptions, and does not include a “legitimate interests” lawful basis. Organisations with existing GDPR compliance will have a head-start but will need India-specific adaptations.
What security measures does the DPDP Act require?
Section 8(5) requires Data Fiduciaries to implement “reasonable security safeguards” to prevent personal data breaches. While the Act does not prescribe specific technical controls, Indian regulators have traditionally interpreted this in line with ISO 27001 controls and CERT-In security practices. eShield recommends a risk-based approach aligning VAPT, access control, encryption, and incident response with DPDP Act obligations.
Key Obligations Under DPDP Act 2023
The Digital Personal Data Protection Act 2023 introduces a consent-first framework for processing the personal data of Indian residents. Key obligations include: obtaining free, specific, informed, and unambiguous consent before processing; providing a clear privacy notice in the data principal’s preferred language; implementing data minimisation and purpose limitation; responding to access and erasure requests within defined timelines; reporting personal data breaches to the Data Protection Board within the prescribed timeline (expected to be 72 hours under forthcoming rules); and appointing a Consent Manager for organisations processing data at scale.
Significant Data Fiduciaries — Additional Requirements
The Government of India will designate certain organisations as Significant Data Fiduciaries (SDFs) based on the volume of data processed, the sensitivity of that data, risk to national security, or impact on democracy. SDFs face additional obligations: appointing a Data Protection Officer (DPO) who reports directly to the board, conducting periodic Data Protection Impact Assessments (DPIAs), and undergoing an independent data audit by a registered Data Auditor. Financial penalties for SDFs can reach ₹250 crore per violation. eShield helps SDF candidates conduct readiness assessments and implement the required governance structure.
DPDP Compliance Implementation Approach
eShield Consulting’s DPDP compliance programme covers six workstreams:
- Data Discovery and Classification — automated scanning of databases, file servers, and cloud storage to identify personal data.
- Consent Management Framework — implementation of granular consent flows, preference centres, and Consent Manager integration.
- Privacy Notices and Policies — drafting DPDP-compliant privacy notices in English and regional languages.
- Technical Controls — encryption at rest and in transit, access controls, data masking for non-production environments, and audit logging.
- Breach Response Procedures — incident detection, containment, assessment, and notification workflows.
- Board and DPO Readiness — training for the Data Protection Officer and board-level privacy governance materials.
Ready to get started with DPDP Act compliance?
Our CERT-In certified experts will review your requirements and provide a detailed proposal within 24 hours.