Data protection in India: the DPDP Act


I founded COREDO in 2016, when data protection transformed from a niche legal topic into a systemic management task. Since then the COREDO team has carried out dozens of cross-border projects for company registration, obtaining financial licenses, and implementing compliance programs in the EU, the UK, Singapore, the UAE and India. Today I want to analyze India’s Digital Personal Data Protection Act 2023 (DPDP Act 2023) as a tool for risk management and growth, not as “just another regulatory barrier.” My approach is highly practical: I explain where the risks are, where the savings are, and which steps produce quick results.

Why DPDP matters now


Indian personal data regulation is undergoing a qualitative shift. The DPDP law is not just a «local GDPR», but an independent model oriented towards processing transparency and data protection amid active digitalization.

At the centre of the law: the rights of the data principal (the individual whose data is processed, the data subject in GDPR terms), the duties of the data fiduciary (the company that decides the purposes and means of processing), and the operational role of the data processor, who acts only on the fiduciary's instructions under a contract. The Act keeps the fiduciary responsible for compliance regardless of what that contract says, so outsourcing processing does not transfer the regulatory risk.

Enforcement is overseen by the Data Protection Board of India. The Board considers complaints, investigates personal data breaches, issues directions and imposes monetary penalties. Unlike the European model with a supervisory authority in every member state, India is building a single decision-making point, which simplifies communication and increases the predictability of practice.

Similarities with the GDPR are significant: rights of access, correction, erasure, security requirements and breach notification. Differences are also notable: a simplified set of legal bases (consent plus the Act's enumerated "certain legitimate uses", with no general legitimate-interest basis), a permissive default for cross-border transfers (allowed to any country the Central Government has not restricted by notification), and specific rules for children.
Our experience at COREDO has shown: companies that reuse their GDPR controls reach DPDP compliance faster if they adapt them to local realities.

Rights, duties and responsibility

DPDP enshrines the rights of the data principal: access to data and processing metadata, correction and deletion, withdrawal of consent, filing a complaint and appointing a trusted person in case of death or loss of capacity. These rights require businesses to have a clear DSAR (data subject access request) procedure and a comprehensible privacy policy that meets DPDP requirements for content and language.

The obligations of a data fiduciary include lawfulness of processing, minimisation, accuracy, purpose limitation, security and accountability through documentation and processes. The data processor must implement technical and organisational security measures under the DPDP, maintain logs, process data strictly according to instructions and ensure subprocessors are bound by the same obligations.

The role of the DPO (Data Protection Officer) arises for Significant Data Fiduciaries (SDF), a status the Central Government assigns by notification based on factors such as the volume and sensitivity of the data processed, the risk to data principals and the potential impact on sovereignty, public order or electoral democracy. The DPO must be based in India, be responsible to the board of directors (or an equivalent governing body) and act as the point of contact for the grievance redressal mechanism; an SDF must also appoint an independent data auditor and carry out periodic DPIAs. Every fiduciary, SDF or not, has to publish the contact details of the DPO or of another person able to answer data principals' questions.

COREDO’s practice confirms: even if SDF status has not been assigned to you, appointing a privacy lead and implementing privacy by design and privacy by default reduces incident costs and increases partners’ trust.

Privacy Policy and DPDP requirements are not a formality. The document must reflect actual data flows, retention periods, information about cross-border transfers and the grievance redressal mechanism.

We set up for clients not only texts but also processes: request routing, response SLAs and integration of consent records with CRM and marketing platforms.

Notifications, incidents and fines


A personal data breach must be reported to the Data Protection Board and to each affected data principal "in such form and manner as may be prescribed"; the Act itself fixes no deadline and leaves that to the subordinate rules. While those rules are being finalised, the COREDO team recommends an internal SLA of no more than 72 hours for the initial notification to the Board and 5–7 days for affected individuals, with staged communication and a post-disclosure support plan.

Fines under the DPDP are substantial: the Schedule to the Act sets a separate ceiling for each type of non-compliance, the highest being 250 crore INR (2.5 billion INR) per instance for failure to take reasonable security safeguards, with separate ceilings for failure to notify a breach, violations of the children's-data rules and failures of SDF obligations. Criminal liability is not a subject of the DPDP itself, but it may arise under related laws (for example the Information Technology Act) in cases of fraud, unauthorised access or sabotage of information security controls. The solution developed by COREDO: combine the legal liability model with cyber insurance and contractual indemnity clauses.

Transfer of personal data to India


The DPDP Act permits cross-border transfers of personal data by default: a transfer may go to any country or territory except those the Central Government restricts by notification (a negative list, not the "whitelist" of the earlier 2022 draft bill), and any stricter sectoral rule continues to apply. Until that notification and the accompanying rules settle, rely on contractual mechanisms and risk assessments. In COREDO's practice we use:

– Standard contractual clauses (SCC) and their adaptation to Indian law. The law does not directly introduce SCCs, but the approach with custom DPDP clauses covering the rights and remedies of the data principal works well.
– Binding corporate rules (BCR) for India – an internal corporate policy for corporate groups, supplemented by local DPDP obligations and a grievance mechanism.
– Transfer Impact Assessment (Transfer Impact Assessment) taking into account the recipient jurisdiction, law enforcement access practices, and technical measures that reduce re-identification risks.

The issue of data localization is a subject of debate in India. There is currently no general requirement to store personal data only in the country, but sectoral regulators (finance, healthcare, telecom) may set specific rules; the best-known example is the RBI's 2018 directive requiring payment system data to be stored in India.

The COREDO team builds a “data residency map” by business verticals to mitigate risks in pre-sales with enterprise clients.

DPIA, measures and re-identification risk

A Data Protection Impact Assessment (DPIA) under the DPDP is mandatory for Significant Data Fiduciaries and good practice for everyone else. We apply a methodology that includes:

  • mapping of data flows and systems;
  • assessment of the lawfulness of purposes and minimization;
  • a threat model that takes into account India-specific risks;
  • calculation of residual risk taking into account technical and organizational measures.
Pseudonymization and anonymization under the DPDP are two different risk-reduction tools. Anonymization removes the possibility of re-identification and takes the data outside the Act's definition of personal data; pseudonymization replaces direct identifiers with tokens but preserves the possibility of linkage for whoever holds the key, so the result is still personal data and the key must be protected and stored separately, like any other secret.

We assess re-identification risk separately, considering the combination of datasets, rare attributes (a postal code plus a birth year plus a gender is often unique on its own) and behavioral traces, and we apply technical measures: encryption at rest and in transit, access control and privileged access management (PAM), access logs and DLP policies.
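To make the distinction between the two tools concrete, here is a worked example of keyed pseudonymization next to anonymization by generalization and suppression, with a k-anonymity check over the quasi-identifiers. It is an added example, not code from COREDO or from this page; the customer records, the support tickets, the HMAC key and the choice of quasi-identifiers (PIN code, birth year, gender) are all constructed for illustration.

```python
"""Keyed pseudonymization vs. anonymization, with a k-anonymity re-identification check.
Added example; every record and key below is constructed, not real data."""
import hashlib
import hmac
from collections import Counter

# Constructed sample: two datasets about the same hypothetical Indian customers.
# pin_code (postal code), birth_year and gender are quasi-identifiers: none of them
# identifies a person alone, but the combination frequently does.
ORDERS = [
    {"email": "asha@example.in",  "pin_code": "560001", "birth_year": 1991, "gender": "F", "order_total": 1250},
    {"email": "ravi@example.in",  "pin_code": "560001", "birth_year": 1993, "gender": "F", "order_total": 3400},
    {"email": "meera@example.in", "pin_code": "560034", "birth_year": 1988, "gender": "M", "order_total": 780},
    {"email": "arjun@example.in", "pin_code": "560034", "birth_year": 1985, "gender": "M", "order_total": 5600},
    {"email": "zoya@example.in",  "pin_code": "110001", "birth_year": 1975, "gender": "F", "order_total": 9100},
]
TICKETS = [
    {"email": "Asha@Example.in", "ticket": "T-1"},   # same person as ORDERS[0], different letter case
    {"email": "zoya@example.in", "ticket": "T-2"},
]
QUASI_IDENTIFIERS = ("pin_code", "birth_year", "gender")


def subject_token(key: bytes, email: str) -> str:
    """Keyed HMAC-SHA256 over the normalised direct identifier. Deterministic, so the
    key holder can link records across datasets; without the key the token can neither
    be recomputed from a guessed e-mail nor reversed."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes, direct_identifier: str = "email"):
    """Swap the direct identifier for a token. Quasi-identifiers are left untouched,
    so the output is still personal data under the DPDP."""
    out = []
    for r in records:
        new = {k: v for k, v in r.items() if k != direct_identifier}
        new["subject_token"] = subject_token(key, r[direct_identifier])
        out.append(new)
    return out


def link(left, right):
    """Join two pseudonymized datasets on the token; only succeeds if both used the same key."""
    by_token = {r["subject_token"]: r for r in right}
    return [(row, by_token[row["subject_token"]]) for row in left if row["subject_token"] in by_token]


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def reidentification_report(records, keys=QUASI_IDENTIFIERS, k_min=2):
    """k-anonymity: the size of the smallest class. Any class below k_min is a
    re-identification risk, because an attacker holding an auxiliary dataset
    (voter roll, delivery list) can single that person out."""
    classes = equivalence_classes(records, keys)
    rare = [combo for combo, n in classes.items() if n < k_min]
    return {"k": min(classes.values()) if classes else 0, "rare": rare, "release_ok": not rare}


def anonymize(records, k_min=2):
    """Generalise quasi-identifiers (district-level PIN prefix, birth decade), then suppress
    records whose class is still smaller than k_min. No key exists, so this is irreversible."""
    generalized = [
        {
            "pin_code": r["pin_code"][:3] + "xxx",
            "birth_year": f"{r['birth_year'] // 10 * 10}s",
            "gender": r["gender"],
            "order_total": r["order_total"],
        }
        for r in records
    ]
    classes = equivalence_classes(generalized)
    return [r for r in generalized if classes[tuple(r[k] for k in QUASI_IDENTIFIERS)] >= k_min]


if __name__ == "__main__":
    key = b"hypothetical-kms-managed-secret"   # in production: fetched from a KMS, never stored beside the data
    orders_p = pseudonymize(ORDERS, key)
    print("linkable with the same key: ", len(link(orders_p, pseudonymize(TICKETS, key))))
    print("linkable with another key:  ", len(link(orders_p, pseudonymize(TICKETS, b"other-key"))))
    print("pseudonymized:", reidentification_report(orders_p))      # k=1: still re-identifiable
    print("anonymized:   ", reidentification_report(anonymize(ORDERS)))  # k=2: releasable
```

The point the output makes: pseudonymization alone leaves the quasi-identifier combinations exactly as unique as they were in the raw data (k=1), so it protects against loss of the direct identifier but not against linkage with an auxiliary dataset; only generalization plus suppression of the lone Delhi record brings the release to k=2. In a real pipeline the k_min threshold, the generalization hierarchy and the list of quasi-identifiers come out of the DPIA, and the HMAC key lives in a KMS with access logged under PAM.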

Incident management and breach notification policies are tested through regular drills. We include: MTTR for leak containment, a procedure for isolating compromised accounts, forensics, template notification texts, and a plan for interaction with the Data Protection Board. COREDO’s practice confirms: companies that have implemented continuous monitoring resolve incidents 30–50% faster and lose fewer customers.

Special scenarios for HR, marketing, SaaS and children’s data

DPDP requirements for processing employees' HR and payroll data in India rest on the Act's "certain legitimate uses" (employment purposes are one of them, so core HR processing does not need separate consent) and on the employer's general obligations as a data fiduciary. Critical here:

  • transparency toward candidates and employees;
  • minimization of personal data, supporting documents and background checks;
  • separate retention periods and deletion of data upon refusal/termination.

How does DPDP affect marketing, targeting and cookie storage? For online marketing a managed consent is required: explicit consent for tracking, an easily accessible withdrawal mechanism, logging of consent and preferences, cookie compliance, especially for behavioral advertising. The COREDO team implements a Consent management platform with consent logging and auditing of SDKs/pixels to eliminate “dark patterns” and ensure real transparency.

The impact of DPDP on SaaS providers and cloud services is felt in supplier chain management, localization of grievance redressal and DSAR functions, and strict control of subprocessors. For children's data (under 18): verifiable parental consent, a ban on tracking, behavioral monitoring and targeted advertising directed at children, and therefore some form of age assurance. For sensitive or "critical" personal data the law does not single out separate categories, but industry standards (finance, healthcare) impose heightened requirements, which we account for in the DPIA.

Supply chain management and contracts

What to include in a contract with an Indian data processor under DPDP requirements:

  • purposes and legal bases of processing, list of operations and categories of data;
  • security requirements, encryption, logging, PAM and DLP;
  • procedure for DSARs, incident notifications, timeframes and the format of interaction with the Data Protection Board;
  • prohibition on subprocessing without consent, audit obligations and reporting;
  • security SLA, metrics and the right to terminate for material breaches.
Third-party management (vendor risk) is built on Vendor Due Diligence: compliance assessment, SOC 2/ISO 27001, pentest reports, legal confirmations, a register of subprocessors, and continuous monitoring. Control of cloud service providers (AWS, Azure, GCP) includes validation of storage zones, KMS mechanisms, access logs and disaster recovery.

Creating and maintaining a register of processing activities (RoPA) is the backbone of the whole model: the DPDP does not mandate one the way the GDPR does, but without an up-to-date register, risk manageability is lost.

A compliance audit, internal and external, is conducted according to DPDP checklists and related security standards: ISO/IEC 27001, NIST, SOC 2. The solution developed by COREDO combines a technical scan (application vulnerabilities, access) and a legal audit (policies, contracts, TIAs), which provides a holistic picture and a clear roadmap.

Roadmap for implementing DPDP

Practical roadmap for implementing DPDP in a startup:

  1. Appoint a privacy owner and compile a systems map.
  2. Create a RoPA and a basic privacy policy.
  3. Launch a CMP, configure consent logging and cookie opt-out.
  4. Conduct DPIA for key features and marketing, implement encryption and PAM.
  5. Approve the DSAR procedure and grievance redressal, assign SLA.
  6. Set up incident management and a notification plan.
  7. Update contracts with processors, introduce DPDP requirements and auditing.
  8. Configure cross-border transfers: contractual clauses, TIA, BCR if necessary.
  9. Train employees, include privacy controls in CI/CD and code review (privacy engineering).
  10. Launch performance metrics and regular reports to the C‑suite.

For mature companies the following are added: a continuous monitoring program, integration of privacy by design into the product roadmap, automation of data subject request handling, privacy controls embedded in the CI/CD process, and consolidation of privacy policies for multinational companies. Corporate governance: the role of the board and the C‑suite is to approve risk appetite, metrics and investments, and to check readiness for Data Protection Board inquiries.

DPDP compliance KPIs for the board of directors:

  • MTTR for incidents and incident response time;
  • percentage of DSARs closed within SLA;
  • share of DPIA-covered risks and percentage of critical vulnerabilities remediated on time;
  • percentage of vendors with completed compliance assessment;
  • TCO of the compliance project and ROI from implementing privacy by design (fewer losses, higher conversion, faster enterprise deals);
  • SLA for notifying the Data Protection Board and actual adherence.

Can international standards (ISO 27001, SOC 2) be used as evidence of DPDP compliance? Yes, they are a strong foundation, but without adaptation to Indian data subject rights, grievance processes and local specifics such a package is not considered sufficient. The COREDO team conducts a “gap assessment” and configures the missing elements.

Legal nuances for global companies

How can a European company comply with DPDP when working with Indian customers? If you process personal data outside India in connection with offering goods or services to data principals within India, you are a data fiduciary under DPDP (unlike the GDPR, the Act has no separate "monitoring of behaviour" trigger). It is not necessary to have a registration in India, but the obligations apply. Is a local representative or registration in India required? Not as such: a DPO based in India is mandatory only once you are designated a Significant Data Fiduciary, although every fiduciary must publish contact details of a person who can answer data principals' questions; the law does not introduce a register of controllers.

How does DPDP interact with GDPR and other regional laws? We build a "common denominator" based on the GDPR, then add Indian specifics: children's data, a grievance mechanism, cross-border transfers subject to the government's negative list of restricted countries, and DPO requirements. Impact on M&A: which documents should be reviewed during due diligence with respect to Indian DPDP jurisdiction? Request the RoPA, the DPIA methodology and templates, consent logs, incident and notification logs, the register of vendors and subprocessors, TIAs, data flows involving children, the grievance register and correspondence with the regulator, as well as external audit reports.

State exemptions and processing by government agencies under DPDP exist: certain departments may receive exemptions in the interests of security and public order. Application specifics to quasi-governmental entities and public procurement require assessment of contracts and data access procedures; we incorporate this into the TIA and contractual clauses. Interaction with law enforcement and data requests are governed by procedural law; the policy should describe the scope of disclosure, logging and minimisation.

Regulatory practice and enforcement precedent in India are still developing, but the signposts are clear: the priorities are security, children's data and good-faith communication with the Board. Sanctions are financially significant; the DPDP itself contains no compensation provision, so consumer redress would run through general civil liability mechanisms and class actions. Cyber risk insurance and coverage of regulatory fines depend on local law and the policy; we recommend a policy covering the IR team, forensics, PR and legal defence.

COREDO Case Studies: sustainable compliance

Case 1: EU-based SaaS platform with customers in India. Challenge: DPDP compliance without slowing the product roadmap. We performed a gap assessment, implemented a CMP with granular consent, adapted SCC to Indian realities, conducted a TIA for transferring logs to a cloud in Singapore, and also implemented encryption and PAM. Result: signing three enterprise contracts in India within a quarter and a 42% reduction in incident MTTR.

Case 2: Fintech payment services provider in Singapore with a back office in Bangalore. Complexity: combining requirements of MAS, ISO 27001 and DPDP. The solution developed at COREDO combined RoPA, DPIA, subprocessors’ audits and a contractual model with strict security SLAs and the right to on-site audit. Additionally, we built a grievance mechanism and a DSAR flow for Indian users. Result: a successful client-bank audit and expansion into the Indian market.

Case 3: UK HR-tech company processing candidate applications in India. We reviewed recruitment practices, reduced the set of collected documents, implemented automatic deletion upon rejection and consent features for background checks. COREDO’s practice confirms: reducing excessive processing lowered risks while simultaneously improving employers’ conversion rates, as transparency became a competitive advantage.

Frequently Asked Questions

How much time and budget do companies need to achieve DPDP compliance? Startups with simple flows: 8–12 weeks, budget guideline USD 30–80k including CMP implementation and basic technical controls. A mid-sized company with a supplier chain: 3–6 months and USD 120–400k, including audit, contract updates and DSAR automation. Large enterprises operating across multiple regions — a phased plan over 6–12 months.

How to minimize operational risks when scaling for DPDP? Standardize contracts, automate consent and DSAR, integrate privacy controls into CI/CD, implement continuous monitoring and regular incident drills. For KPIs and effectiveness metrics of the compliance program consider MTTR, % of DSARs closed within SLA, DPIA coverage, share of assessed vendors, privacy defects per release and TCO.

What fines are actually imposed and how does that affect the financial model? Large fines are expected for children’s data, lack of security and ignoring notifications. We build a “privacy risk reserve” into our models and adjust LTV/CAC, taking into account reputational damage and downtime.

Is a local representative required? Not required for everyone. For an SDF a DPO based in India is mandatory; others need a functioning grievance mechanism, published contact details of a person who can answer data principals' questions, and operational readiness. Can ISO 27001 and SOC 2 be used as evidence? Yes, but with a DPDP-specific local overlay: data subject rights, TIA, contractual clauses and notification processes.

What are DPDP specifics for children and ‘sensitive’ data? For children — parental consent, prohibition of targeting and profiling, age verification. DPDP does not separately designate “special categories”, but sectoral rules may apply; we address them via DPIA and contractual clauses.

How to prepare a contractual model for the supplier chain? Introduce DPDP clauses, a strict notification and audit regime, subprocessing restrictions, requirements for encryption, logging, PAM/DLP, SLAs and compensation. How does DPDP interact with GDPR? The logic is compatible, but legal bases for processing and cross-border mechanisms differ; we build the “core” on GDPR and add Indian elements.

What guarantees and insurance do you recommend? Cyber insurance covering the IR team, forensics, PR and legal defence; check coverage for regulatory investigations and exclusions for fines. For large deals we offer clients bank guarantees for security SLAs and an escrow for remediation additional costs.

Tools, documents, templates

Tools and services:

  • Consent management platform (CMP) for DPDP compliance, with consent logging tools;
  • System for recording processing activities (RoPA), integrated with CMDB;
  • Platforms for managing cross-border transfer requirements and TIA;
  • DPIA and independent audit services, continuous monitoring and DLP;
  • Technological solutions for pseudonymization/anonymization and key management.

Legal and corporate documents:

  • Sample data processing policies in accordance with DPDP and local privacy notices;
  • Templates of contracts between data fiduciary and data processor, clauses for subprocessors and security SLAs;
  • Procedures for handling data subject rights (DSAR), grievance redressal and incident log;
  • Retention and data deletion policies, Data Lifecycle Management, data breach recovery plans;
  • Guidance on auditing and internal compliance control under the DPDP Act 2023 for the board and C‑suite (available in Russian).

Technical operationalization:

  • Access journaling and logging, privilege control, threat analysis and application vulnerability assessment;
  • Compliance control through continuous monitoring, incident testing and a schedule of regulated retention periods;
  • Third-party management and Vendor Due Diligence, control of cloud service providers and contracts with subcontractors.

TCO, ROI and Restructuring in Compliance

Metrics and reporting for the board are not just about risks. The ROI from investments in DPDP compliance for international business manifests in:

  • accelerating enterprise‑deals and reducing the cost of due diligence;
  • reducing the cost of incidents and legal defense;
  • increased conversion thanks to transparency and trusted mechanisms for consent withdrawal and control.

Total cost of ownership (TCO) includes tools, audits, lawyers, training, and IT updates. Our experience at COREDO has shown: data restructuring to minimize risks is a powerful lever for reducing TCO. You remove unnecessary fields, reduce retention, apply pseudonymization: you reduce the attack surface and the volume of DPIAs, and therefore save on maintenance and audits.

Regulatory horizons and recommendations

Requirements for data localization and the debates around it remain on the public agenda, but businesses should rely on existing regulations and prepare to adapt. Notification rules and deadlines may be clarified: build flexibility into processes.
Mechanisms for class actions and compensation in India are evolving, so transparency and quick dispute resolution are more advantageous than any legal defense.

For companies with heavy analytical workloads and Big Data under DPDP we propose «privacy sandbox»: datasets with quasi-identifiers, control tasks for data scientists, limits on joins and a reidentification assessment before production. Privacy engineering and Secure by Design practices are integrated into the backlog and Definition of Done so that compliance quality does not lag behind development speed.

A partner for growth in India

DPDP Act 2023: not a barrier, but a framework for sustainable growth in one of the world's most dynamic markets. When the process is built correctly, you accelerate sales, reduce the cost of incidents and increase trust capital. The COREDO team supports businesses from entity registration and financial licensing to configuring AML procedures and operationalizing privacy requirements in the EU, Asia and the CIS, including India, Singapore and Dubai.

I believe in pragmatic compliance: clear steps, measurable metrics and transparent agreements. If you need a DPDP implementation plan that takes into account your industry, supply chain and product – COREDO’s practice confirms that such a trajectory is achievable within a reasonable timeframe and with a clear ROI. Let’s turn legal compliance into a competitive advantage and a foundation for long-term scaling.
