The Digital Personal Data Protection (DPDP) Act, 2023 is India’s central law for protecting people’s personal data. It defines how businesses should collect, store, use, and delete personal information.
The DPDP Act applies to:
All businesses operating in India
Any company collecting personal data (name, phone, Aadhaar, email, IP address)
Indian startups, SMEs, online stores, private limited companies, and professional service firms
Foreign companies offering services to Indian users
Term | Meaning
--- | ---
Personal Data | Any information that can identify a person (e.g., name, mobile number)
Data Fiduciary | The business or individual deciding how and why to process data
Consent | Permission given by the individual to collect and use their data
Significant Data Fiduciary | Large companies handling sensitive data (subject to extra rules)
1. Provide a Privacy Notice
Clearly tell users:
What data you are collecting
Why you are collecting it
How long you will keep it
Who they can contact with concerns
Add this to your website footer or app settings.
2. Collect Valid Consent
Ask for clear, affirmative consent
Allow users to withdraw consent anytime
Use consent checkboxes or pop-ups
Avoid auto-opt-ins or unclear language.
3. Keep Data Safe and Minimal
Don’t collect more data than needed
Limit who can access it
Use secure cloud or server platforms
Delete old or unused data regularly
Review email, CRM, and file storage for cleanup.
4. Add a Grievance Contact
Users should be able to:
Ask what data you store about them
Request correction or deletion of that data
Find out how to file a complaint
Example: Add privacy@yourcompany.in or info@yourcompany.com as the grievance email.
5. Prepare for Data Breaches
If personal data is leaked, exposed, or lost:
Inform the Data Protection Board of India
Inform the affected users promptly
Keep a basic internal plan for data breach handling.
Significant Data Fiduciaries are larger organizations that:
Handle data of children or vulnerable persons
Use AI to make decisions (like loan approval, job shortlisting)
Process large amounts of sensitive personal data
If your company is notified as a Significant Data Fiduciary, you will also need:
A Data Protection Officer (DPO)
Impact assessments for risky data processing
More transparency in automated decisions
Most SMEs will not fall into this category.
Violation Type | Maximum Penalty
--- | ---
Data breach or misuse | ₹250 crore
Failure to inform or obtain consent | ₹200 crore
Improper use of children’s data | ₹100 crore
Yes. All businesses that collect personal data must follow the basic compliance steps, regardless of their size.
Not unless your business is large or notified as a Significant Data Fiduciary. Small businesses can manage with internal processes and expert support.
Yes, if access is limited, data is encrypted, and you delete unnecessary data regularly.
Yes. Any communication using personal data (email, WhatsApp, phone) requires prior consent.
Yes, even individual service providers who collect personal data such as names, phone numbers, or emails must comply with the DPDP Act by following basic rules like consent and privacy notices.
Yes. If you collect or store any personal data, you must make your privacy policy accessible, whether through a website link, in your profile bio, or via a pinned message.
A valid privacy notice should explain what data you are collecting, why you’re collecting it, how long it will be retained, and who users can contact for queries or complaints.
No, the DPDP Act requires clear, active consent. You must use opt-in methods like checkboxes that the user selects themselves, not pre-ticked boxes or passive approval.
It means you should only collect data that is necessary for your business purpose. Collecting extra, unrelated information is discouraged under DPDP compliance.
Yes, if the changes affect how user data is collected, used, or stored, you must notify users and get fresh consent if required.
You must verify the request and delete the personal data from your systems, including backups, within a reasonable time unless you have a legal reason to retain it.
A data breach refers to unauthorized access, exposure, or loss of personal data, whether through hacking, employee error, or system failure.
It is discouraged. The Act expects businesses to use secure storage methods with access control and encryption. Personal devices increase the risk of breaches.
EbizFiling provides end-to-end support, including drafting privacy policies, setting up consent forms, handling grievance systems, and training your team on compliance best practices.
We assist businesses with:
Privacy policy drafting
Consent form setup
Grievance redressal system
Compliance training for your team
Record-keeping templates
Book a free consultation at www.ebizfiling.com or write to info@ebizfiling.com