Navigating the DPDP, Digital Personal Data Protection Act, 2023
India's landmark legislation reshaping how organisations collect, process, and protect personal data. Understand your obligations, protect your users, and build lasting digital trust.
In 2017, the Supreme Court of India declared privacy a fundamental right under Article 21 — setting the stage for comprehensive data protection legislation. Six years later, the vision became law.
2017
Supreme Court identifies privacy as a fundamental right under Article 21
August 2023
President Droupadi Murmu grants assent to the DPDP Act
Today
Balancing individual data protection with lawful business processing
Scope & Applicability
Who Must Comply?
The DPDP Act casts a wide net — covering organisations of every size and geography that touch Indian personal data.
🇮🇳 Domestic Organisations
Any entity processing digital personal data within India — from government bodies to private enterprises.
🌐 Foreign Entities
Organisations outside India offering goods or services to Indian citizens are equally bound by the Act.
🏢 All Sectors
Public and private sectors alike — startups, SMEs, and multinationals — must align their data practices.
Key Definitions
The Core Stakeholders
The DPDP Act establishes three distinct roles, each carrying specific rights and responsibilities in the data ecosystem.
Data Principal
The individual whose personal data is being processed. They hold the right to consent, access, correction, and grievance redressal.
Data Fiduciary
The entity determining the purpose and means of data processing. They bear primary accountability for compliance.
Data Processor
Entities processing data on behalf of a Fiduciary, bound by contractual obligations and oversight requirements.
Section 6
The Foundation of Consent
Consent under the DPDP Act is not a checkbox — it is a legally significant, informed decision by the Data Principal. Section 6 sets a high bar for how organisations must seek and manage approval.
Clear & Affirmative
Approval must be specific, informed, and unambiguous — no pre-ticked boxes or vague language.
Detailed Notices
Organisations must explain what data is collected, why, and how it will be used.
Right to Withdraw
Individuals retain the legal right to withdraw consent at any time, with minimal friction.
For CISOs & Security Leaders
Operational Pillars for CISOs
Compliance is not just a legal exercise — it demands concrete operational changes led by security and privacy teams.
🗺️ Data & Vendor Mapping
Map and classify all personal data flows across your organisation and third-party vendor landscape. Know what you hold, where it lives, and who accesses it.
🔒 Audit Trails & Breach Protocols
Implement rigorous audit trails and establish clear breach notification protocols aligned with DPDP timelines and regulatory expectations.
⚖️ Third-Party Governance
Define risk-appropriate governance frameworks for data processors and vendors handling personal data on your behalf.
Action Plan
The 90-Day Compliance Roadmap
A structured sprint to move from awareness to action — building a privacy programme that stands up to scrutiny.
Days 1–30: Institutionalise
Move beyond paper policies. Embed privacy into processes, contracts, and technology stacks.
Days 31–60: Measure
Prioritise actionable metrics to reduce organisational risk and demonstrate progress to leadership.
Days 61–90: Strategise
Build foundations for a cross-border data strategy aligned with DPDP requirements and business goals.
Strategic Opportunity
Leveraging DEPA for Empowerment
Data Empowerment and Protection Architecture
NITI Aayog's DEPA framework goes beyond compliance — it reimagines data as a tool for citizen empowerment and economic growth through secure, consent-based sharing ecosystems.
Consent-First
Individuals control who accesses their data and for what purpose.
Competitive Edge
Organisations that embrace DEPA turn compliance into a market differentiator.
Strategic Vision
Beyond Compliance: Building Digital Trust
The organisations that thrive will be those that treat privacy not as a burden, but as a core business value.
Proactive Governance
Shift from reactive, defensive compliance to forward-looking data governance that anticipates risk.
Investor Confidence
Demonstrate measurable privacy maturity to strengthen stakeholder and investor trust.
Privacy-First Culture
Foster an organisational culture where privacy enhances brand reputation and market value.
Get Started
Your Path Forward
Compliance is a journey — and ManageEngine is with you at every step. From CXO-level guidance to automated enforcement, we help you build a transparent, trusted enterprise.
📚 CXO Resources
Access our comprehensive eBook featuring executive checklists, risk frameworks, and actionable DPDP compliance roadmaps designed for leadership teams.
Beyond explicit consent, the DPDP Act outlines specific scenarios where consent is 'deemed' to be given. This provision supports critical data processing activities that are necessary for public interest, legal compliance, or essential services, striking a balance between privacy and functionality.
Voluntary Provision
Processing data that the Data Principal voluntarily provides for a specific purpose, where such processing is necessary to fulfil that purpose.
Employment Necessity
Processing data for employment-related purposes, including recruitment, termination, or providing benefits to employees.
Public Interest
Data processing required for public good, such as national security, crime prevention, or responding to public emergencies.
Health & Emergencies
Processing necessary for medical treatment during emergencies or for public health initiatives, especially during epidemics.
Legal Obligations
Processing data to comply with any law in force or to adhere to a court order or judgment.
Section 8
Rights of the Data Principal
Section 8 of the Digital Personal Data Protection Act, 2023 gives Data Principals meaningful control over their personal data. These rights help individuals access, correct, delete, and manage their information, while also ensuring accountability through grievance redressal and nomination rights.
Right to Access
Access personal data held by the Data Fiduciary and understand how it is being used.
Right to Correction and Completion
Request correction, update, or completion of inaccurate or incomplete personal data.
Right to Erasure
Seek deletion of personal data when it is no longer necessary or when retention is no longer justified.
Right to Grievance Redressal
Raise complaints and receive timely resolution through the Data Fiduciary's grievance mechanism.
Right to Nominate
Nominate another person to exercise rights on the Data Principal's behalf after death or incapacity.
Rule 6
Reasonable Security Safeguards
Rule 6 mandates that Data Fiduciaries implement reasonable security safeguards to prevent personal data breaches. This is a foundational operational requirement covering:
1. Data Security Measures
Encryption, obfuscation, masking, or virtual tokens to protect personal data
2. Access Control
Appropriate measures to control access to computer resources used by Data Fiduciaries and Data Processors
3. Visibility & Monitoring
Audit logs, monitoring, and review to detect unauthorized access, investigate incidents, and prevent recurrence
4. Business Continuity
Reasonable measures for continued processing if data confidentiality, integrity, or availability is compromised (e.g., data backups)
5. Log Retention
Maintain logs and personal data for one year minimum (or as required by law) to enable detection, investigation, and remediation
6. Processor Contracts
Include appropriate security safeguard provisions in contracts with Data Processors
7. Technical & Organizational Measures
Implement effective technical and organizational measures to ensure security safeguards are observed
This rule applies to all personal data in possession or under control of the Data Fiduciary, including data processed by Data Processors on their behalf.
Rule 7
Intimation of Personal Data Breach
Rule 7 of the Digital Personal Data Protection Act, 2023 sets out mandatory breach notification requirements. A Data Fiduciary must act without delay to inform both affected Data Principals and the Data Protection Board of India, with strict timelines and specific information requirements.
Intimation to affected Data Principals
Description of the breach: nature, extent, and timing
Consequences likely to arise from the breach
Measures implemented or being implemented to mitigate risk
Safety measures the Data Principal can take to protect their interests
Business contact information of a person who can respond to queries
Intimation to the Data Protection Board of India
Initial notice: nature, extent, timing, location, and likely impact
Detailed update: updated breach description and broad facts about events, circumstances, and reasons
Measures implemented or proposed to mitigate risk
Findings regarding who caused the breach
Remedial measures to prevent recurrence
Report on intimations given to affected Data Principals
Rule 8
Data Retention and Erasure
Key principle: Data Fiduciaries must erase personal data when the specified purpose is no longer being served, unless retention is required by law.
1. Automatic erasure based on purpose
For specified classes of Data Fiduciaries and purposes listed in the Third Schedule, personal data must be erased after a specified time period.
This applies only if the Data Principal has not approached the Data Fiduciary for the specified purpose and has not exercised any rights related to the processing.
Exception: retention is required if mandated by any law in force.
2. Pre-erasure notification
48-hour notice: At least 48 hours before the erasure period completes, the Data Fiduciary must inform the Data Principal.
The notice must state that the personal data will be erased unless the Data Principal logs into their user account, initiates contact with the Data Fiduciary for the specified purpose, or exercises their rights in relation to the processing.
3. Mandatory log retention
Data Fiduciaries must retain personal data, associated traffic data, and processing logs.
Minimum retention period: 1 year from the date of processing.
After 1 year, all data and logs must be erased unless further retention is required by law or government notification.
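As an added illustration (not code from the page or from ManageEngine), a small Python retention scheduler that applies the Rule 8 logic above: the erasure clock runs from the Data Principal's last login, contact, or rights request; a notice is raised inside the 48-hour window; a legal hold overrides purpose-based erasure; and processing logs are kept at least one year. The 1095-day retention period and the sample records are constructed assumptions, not the Third Schedule's actual periods.

```python
from datetime import datetime, timedelta

NOTICE_WINDOW = timedelta(hours=48)   # Rule 8: pre-erasure notice to the Data Principal
LOG_RETENTION = timedelta(days=365)   # Rule 8: minimum retention of logs and traffic data


def _ts(s):
    """Parse an ISO 8601 timestamp string."""
    return datetime.fromisoformat(s)


def erasure_due(last_interaction, retention_days):
    """Erasure date: the retention period counted from the last login/contact/rights exercise."""
    return _ts(last_interaction) + timedelta(days=retention_days)


def retention_action(last_interaction, retention_days, now, legal_hold=False):
    """Decide what a nightly job should do with one principal's record."""
    if legal_hold:
        return "retain-legal"     # a law in force mandates retention; purpose-based erasure does not apply
    due = erasure_due(last_interaction, retention_days)
    t = _ts(now)
    if t >= due:
        return "erase"            # period elapsed with no login, contact or rights request
    if t >= due - NOTICE_WINDOW:
        return "notify"           # inside the 48-hour window: send the pre-erasure notice
    return "retain"


def logs_erasable(logged_at, now, legal_hold=False):
    """Logs/traffic data: keep one year from processing, then erase unless law requires otherwise."""
    return (not legal_hold) and _ts(now) >= _ts(logged_at) + LOG_RETENTION


# Constructed sample records (hypothetical principals) under an assumed 1095-day purpose.
SAMPLE = [
    {"id": "p1", "last": "2022-01-10T09:00:00", "hold": False},  # due 2025-01-09 09:00
    {"id": "p2", "last": "2022-01-09T09:00:00", "hold": False},  # due 2025-01-08 09:00
    {"id": "p3", "last": "2021-06-01T09:00:00", "hold": True},   # retention mandated by law
    {"id": "p4", "last": "2024-12-01T09:00:00", "hold": False},  # recently active
]


def run_job(records, retention_days, now):
    """Map each principal id to the action the job should take at time `now`."""
    return {r["id"]: retention_action(r["last"], retention_days, now, r["hold"]) for r in records}


if __name__ == "__main__":
    print(run_job(SAMPLE, 1095, "2025-01-08T10:00:00"))
```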
Next Step
Connect and Consult Today to Know and Implement
Start your DPDP compliance journey with clarity and confidence. Connect with us to understand what matters, implement the right controls, and move from awareness to action.