Compliance under the Digital Personal Data Protection Act, 2023. Cyber-incident response, breach notification, cross-border data transfer architecture, Data Fiduciary obligations and Information Technology Act advisory.
The Digital Personal Data Protection Act, 2023 establishes India's first comprehensive data-protection statute. The Act follows a Data Principal-Data Fiduciary architecture, introduces consent-based processing as the default lawful basis, and provides for the constitution of the Data Protection Board of India as the enforcement mechanism. Implementation is being phased in through subordinate rules.
The DPDP Act was passed in 2023. The compliance burden begins on the day the rules are notified. The architecture should already be in place.
Data Principal rights, Data Fiduciary obligations, consent architecture and Significant Data Fiduciary classification.
Personal data breach notification to the Board and to affected Data Principals.
Restriction-based framework with notified-country exceptions; sectoral overlays.
Section 79 safe harbour, the IT Rules 2021 and the IT Rules 2023 for online gaming and digital media.
DPDP compliance is built on four pillars: lawful basis (consent under Section 6 or legitimate-use under Section 7), notice (Section 5), Data Principal rights (Sections 11–13) and Data Fiduciary obligations (Sections 8–10). Significant Data Fiduciaries face additional obligations including Data Protection Officer appointment, data-protection-impact assessments and periodic audit.
Section 8(6) of the DPDP Act mandates breach notification to the Data Protection Board and to affected Data Principals. Cyber-incident response — including forensic investigation, evidence preservation, regulatory engagement and customer communication — is co-ordinated with technical advisors.
The DPDP Act adopts a restriction-based framework for cross-border data transfer under Section 16. Sectoral overlays — RBI directions on payment-systems data localisation, IRDAI directions on insurance data, sectoral health-data restrictions — apply alongside the DPDP framework.
The Information Technology Act, 2000 continues to operate alongside the DPDP Act. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — and the 2023 amendments covering online gaming and government-fact-check obligations — govern intermediary safe-harbour conditions under Section 79.