
DPDP Act Compliance in India: The Complete 2025 Guide for Businesses

Amit
February 23, 2026

India has finally joined the worldwide data privacy movement. The Digital Personal Data Protection (DPDP) Act, 2023, the country's first comprehensive, standalone data privacy law, is now on the statute book.

With the DPDP Rules expected to be notified and phased enforcement to begin in 2025-26, every business that handles the personal data of individuals in India needs to work out what the law requires of it and how to get compliant.

This guide is for startup founders who run customer databases, SME owners who manage digital operations, Chartered Accountants who advise clients on compliance, and in-house legal teams at large corporations building enterprise-grade privacy frameworks.

Whether you are hearing about the DPDP Act for the first time or want to go a step further in understanding it, treat this as your reference guide.

We cover all of it: the provisions of the Act, its scope, the specific obligations it imposes, the individual rights it creates, monetary penalties of up to Rs 250 crore per contravention, how it compares with international frameworks such as the GDPR, industry-specific issues, and finally a practical 10-step compliance checklist to get you started.

⚡ Quick Stat: Under the DPDP Act a company can be fined up to Rs 250 crore for failing to take reasonable security safeguards to prevent a personal data breach. For perspective, that is one of the largest regulatory penalties in Indian law at present.

Table of Contents

  • What Is the DPDP Act? A Plain-Language Overview
  • Legislative History: How India Got Here
  • Who Does the DPDP Act Apply To?
  • Key Definitions You Must Know
  • Core Compliance Obligations for Data Fiduciaries
  • 8 Rights of the Data Principal
  • DPDP Act Penalties: The Full Picture
  • Sector-Wise Impact: What Your Industry Needs to Know
  • DPDP Act vs. GDPR: A Side-by-Side Comparison
  • The Role of the Data Protection Board of India
  • DPDP Act Compliance for SMEs and Startups
  • Your 10-Step DPDP Compliance Checklist
  • Frequently Asked Questions
  • How Book My Accountant Can Help

1. What Is the DPDP Act? A Plain-Language Overview

The Digital Personal Data Protection Act, 2023 (DPDP Act or DPDPA) is India's first comprehensive, standalone legislation covering the entire lifecycle of personal data handled in digital form: collection, storage, use, sharing, and deletion. After Parliament passed it, the Act received Presidential assent on August 11, 2023 and was notified in the Official Gazette the same day.

Before the DPDP Act, data protection in India was a patchwork that rested mainly on Section 43A of the Information Technology Act, 2000 and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, both widely considered inadequate for the scale and complexity of India's digital economy.

The DPDP Act fills that gap. It rests on four core principles:

  1. Consent: An individual's personal data may be processed only with their free, specific, informed, unconditional, and unambiguous consent, given through a clear affirmative action, or under one of the Act's enumerated 'legitimate uses'. 
  2. Purpose Limitation: Data collected for a specified purpose cannot be used for a different purpose unless fresh consent is obtained. 
  3. Data Minimisation: Only the personal data necessary for the specified purpose may be collected. 
  4. Accountability: Data Fiduciaries are legally responsible for compliance, including for processing done on their behalf by Data Processors, and may be penalised if they fall short. 

The Act also establishes the Data Protection Board of India as the adjudicating authority responsible, among other things, for hearing complaints and imposing penalties.

📌 Note: The DPDP Act applies only to 'digital personal data': data collected in digital form, or collected offline and digitised afterwards. Purely offline records are outside its scope; a future amendment could bring them in.

2. Legislative History: How India Got Here

India's path to a comprehensive data protection law was long, contested, and shaped by a few key legal and technological moments.

2017: The Puttaswamy Judgment

A nine-judge bench of the Supreme Court of India unanimously held that the right to privacy is a fundamental right under Article 21 of the Constitution. That decision turned a dedicated data protection law from a policy choice into a constitutional necessity.

2018: The Srikrishna Committee Report

The Justice B.N. Srikrishna Committee presented its report, 'A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians', along with a draft Personal Data Protection Bill. This document became the primary source for every later version of India's data privacy law.

2019: Personal Data Protection Bill Introduced

The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha and referred to a Joint Parliamentary Committee (JPC) for examination. The Bill's stringent data localisation clauses and broad government exemptions drew heavy criticism from both industry and civil society.

2021-22: JPC Report and Withdrawal

In December 2021 the JPC delivered its report, with 81 amendments to the original Bill and 12 further recommendations that widened its scope. The Bill was nevertheless withdrawn in August 2022, citing its complexity and the intention to bring a more balanced law.

August 2023: DPDP Act Enacted

The Digital Personal Data Protection Bill, 2023 was passed by both Houses of Parliament within days and received Presidential assent on August 11, 2023. Compared with its predecessors it is a much shorter law, leaving much of the detail to subordinate rules.

2024-25: Draft DPDP Rules

MeitY (the Ministry of Electronics and Information Technology) released the draft DPDP Rules for public consultation. The Rules are expected to be finalised and published in 2025, after which businesses will receive formal compliance timelines.

💡 The DPDP Act is a principle-based law: it sets out general obligations and leaves procedural specifics to Rules and Regulations. In other words, companies have to prepare for the framework now even though the finer details are yet to be finalised.

3. Who Does the DPDP Act Apply To?

The DPDP Act has a wide reach. Working out whether and how it applies to your organisation is the first step in building a compliance programme.

Territorial Scope

The Act applies to:

  • Processing within India: Any processing of digital personal data within the territory of India.
  • Extraterritorial processing: Processing of digital personal data outside India, if it is in connection with offering goods or services to Data Principals within India.

This extraterritorial clause matters: a company headquartered in Singapore, the US, or the UK that has Indian users must comply with the DPDP Act, much as the GDPR reaches companies outside the EU that serve EU residents.

Who Is a Data Fiduciary?

A Data Fiduciary is any person (an individual, company, firm, the State, or any body of persons, incorporated or not) who, alone or together with others, determines the purpose and means of processing personal data.

In plain terms: if your company decides why and how personal data is collected, you are a Data Fiduciary, and the full set of the Act's obligations applies to you.

Who Are Significant Data Fiduciaries?

The Central Government may, after considering the volume and sensitivity of the data processed, the risk to the rights of Data Principals, national security, and other factors, notify certain Data Fiduciaries as Significant Data Fiduciaries (SDFs). SDFs must meet stricter requirements, including:

  1. Appointing a Data Protection Officer (DPO) based in India, who is the point of contact for grievances
  2. Engaging an independent Data Auditor
  3. Periodic Data Protection Impact Assessments (DPIAs) and audits
  4. Any further measures the Government prescribes

The Government has not yet published a list of SDFs, but large platforms, social networks, processors of healthcare data, and financial services companies are the most likely candidates.

Exceptions Under the DPDP Act

The Act carves out a few exceptions. These are the main scenarios:

  • Processing by State agencies that the Central Government exempts in the interests of sovereignty, security, friendly relations with foreign States, or public order
  • Processing for research, archiving, or statistical purposes, provided it is not used to make a decision about a specific Data Principal and follows prescribed standards
  • Personal or domestic purposes (an individual processing personal data for their own use)
  • Personal data that the Data Principal has made publicly available, or that is made public under a legal obligation

📌 Important: The Government has wide powers to exempt its own agencies from the Act on grounds of national security, sovereignty, or public order. Privacy advocates have criticised this part of the law.

4. Key Definitions You Must Know

Getting the terminology right is critical for building an accurate compliance programme. Here are the most important definitions under the DPDP Act:

Personal Data: Any data about an individual who is identifiable by or in relation to that data. The category is deliberately broad and covers names, phone numbers, email addresses, location data, financial records, health information, and so on.

Data Fiduciary: The person who determines the purpose and means of processing personal data (the data controller, in GDPR terms).

Data Processor: A person who processes personal data on behalf of, and on the instructions of, a Data Fiduciary. Cloud storage providers, payroll processing firms, and CRM software vendors are typical examples.

Data Principal: The individual whose personal data is being processed (the data subject, in GDPR terms). For a child, the term includes the parent or lawful guardian.

Consent Manager: A person registered with the Data Protection Board who provides an accessible, transparent, and interoperable platform through which Data Principals can give, manage, review, and withdraw consent.

Processing: Any wholly or partly automated operation, or set of operations, performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

Data Protection Board of India: The adjudicatory body set up under the Act to decide complaints, conduct inquiries into breaches, and impose penalties.

5. Core Compliance Obligations for Data Fiduciaries

At the core of the DPDP Act are the obligations imposed on Data Fiduciaries. These are not suggestions: they are legal requirements, and non-compliance can attract heavy penalties.

5.1 Obtaining Valid Consent

Data Fiduciaries must obtain free, specific, informed, unconditional, and unambiguous consent, signified by a clear affirmative action, before processing personal data on the basis of consent. The consent request must:

  • Be preceded or accompanied by a notice in clear, plain language
  • State what personal data will be collected and the exact purpose for which it will be used
  • Be limited to the personal data necessary for that purpose, and not be bundled with consent for other purposes
  • Give the individual a way to withdraw consent that is as easy as the way it was given

Most importantly, the burden of proving that notice was given and valid consent obtained rests with the Data Fiduciary. If a matter reaches the Data Protection Board, you will have to show that you sought consent properly and received it, which in practice means keeping a timestamped record of which notice was shown and what the individual agreed to, purpose by purpose.

5.2 Lawful Bases Beyond Consent

Besides consent, the DPDP Act recognises certain 'legitimate uses' for which personal data may be processed without explicit consent. The main ones are:

  1. Voluntary Provision: The Data Principal has voluntarily provided the data for a specified purpose and has not indicated that they object to its use for that purpose.
  2. State Functions: Processing by the State to provide subsidies, benefits, services, certificates, licences, or permits, and for functions under law.
  3. Medical Emergencies and Public Health: Processing needed to respond to a threat to life or health, or to take measures during an epidemic, outbreak, or disaster.
  4. Employment: Processing employees' personal data for employment-related purposes, including protecting the employer from loss or liability.
  5. Legal Obligations: Processing required to comply with a law, or with a judgment, decree, or order of a court or tribunal.

5.3 Purpose Limitation and Data Minimisation

The two principles work together. Data Fiduciaries may collect only the personal data necessary for the declared, specified purpose, and may use it only for that purpose. Once the purpose is served, or consent is withdrawn, the data must be erased, and any Data Processor holding it must erase it too, unless retention is required by law.

In practice, organisations need to review their current data collection. Gathering data 'in case it is useful later', such as email addresses, phone numbers, or demographics with no present use, is contrary to the DPDP Act.

5.4 Data Accuracy and Completeness

Data Fiduciaries must take reasonable steps to ensure that the personal data they hold is accurate, complete, and consistent, particularly where it is used to make a decision affecting the Data Principal or is disclosed to another Data Fiduciary. Inaccurate or stale data that causes harm can be the basis of a grievance.

5.5 Security Safeguards

Every Data Fiduciary must protect the personal data in its possession or under its control, including data processed on its behalf by a Data Processor, with technical and organisational measures that prevent breach, loss, unauthorised access, or misuse. The Act does not prescribe a standard; it requires 'reasonable security safeguards', and what is reasonable scales with the volume and sensitivity of the data held. This is also the obligation to which the Act's Schedule attaches its highest penalty ceiling of Rs 250 crore.

Practical measures that help demonstrate compliance with the security requirement include:

  • Encrypting personal data in transit and at rest
  • Role-based access control so that staff can view only the personal data their job requires, with every access logged
  • Regular security audits and vulnerability assessments
  • Multi-factor authentication on every system that holds personal data
  • Vendor security assessments of third-party Data Processors
  • Regular data privacy and security training for employees
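Role-based access and a usable access log are the two items above that an auditor, or the Board after a breach, will ask to see evidence of. As an added illustration written for this guide (not code from the Act, the Rules, or any vendor), here is a small Python gate that returns only the fields a role is allowed to read, logs every attempt whether allowed or denied, and chains the log entries with SHA-256 so that an edited or deleted entry is detectable. The roles, field lists, and sample record are assumptions made up for the example.

```python
"""Role-based field access with a hash-chained audit log (added example for this guide).
Roles, field allowances and the sample record are constructed, not real."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Which fields each role may read. Hypothetical mapping: replace with your own roles.
ROLE_FIELDS = {
    "support_agent": {"name", "phone"},
    "finance": {"name", "pan", "bank_account"},
    "marketing": {"email"},
}

GENESIS = "0" * 64   # "previous hash" of the very first entry


class AccessDenied(Exception):
    """A role asked for a field outside its allowance."""


class AuditLog:
    """Append-only access log. Each entry carries the SHA-256 of the previous entry,
    so editing or removing an earlier entry makes verify() fail."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor: str, role: str, principal_id: str, fields: set[str],
               outcome: str, at: datetime | None = None) -> None:
        entry = {
            "actor": actor,
            "role": role,
            "principal_id": principal_id,
            "fields": sorted(fields),
            "outcome": outcome,   # "allowed" or "denied"
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def read_personal_data(record: dict, actor: str, role: str,
                       requested: set[str], audit: AuditLog) -> dict:
    """Return only the requested fields the role may see, logging the attempt either way.
    Denied attempts are logged too: repeated denials are a useful detection signal."""
    allowed = ROLE_FIELDS.get(role, set())
    over_reach = requested - allowed
    if over_reach:
        audit.append(actor, role, record["principal_id"], requested, "denied")
        raise AccessDenied(f"role {role!r} may not read {sorted(over_reach)}")
    audit.append(actor, role, record["principal_id"], requested, "allowed")
    return {f: record[f] for f in requested}


def demo() -> dict:
    """Constructed scenario; returns the outcomes so they can be checked."""
    # Constructed sample record, not real personal data.
    record = {"principal_id": "dp-42", "name": "A. Sharma", "phone": "+91-98xxxxxx10",
              "email": "a.sharma@example.com", "pan": "ABCDE1234F", "bank_account": "0011223344"}
    audit = AuditLog()
    out = {}
    out["support_view"] = read_personal_data(record, "riya", "support_agent", {"name", "phone"}, audit)
    try:
        read_personal_data(record, "riya", "support_agent", {"name", "pan"}, audit)
        out["support_pan"] = "allowed"
    except AccessDenied:
        out["support_pan"] = "denied"
    out["log_intact"] = audit.verify()
    out["log_entries"] = len(audit.entries)
    # An insider rewrites the denied entry to hide it; the chain no longer verifies.
    audit.entries[1]["outcome"] = "allowed"
    out["log_after_tamper"] = audit.verify()
    return out
```

The chain only proves that the log was not altered after the fact; it does not stop someone with write access from truncating it from the end. Ship the latest hash to a separate system (a SIEM or a write-once store) on a schedule so that truncation is also detectable.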

5.6 Breach Notification

If a personal data breach occurs, the Data Fiduciary must intimate the Data Protection Board of India and each affected Data Principal. The form, manner, and time limit for the intimation are left to the DPDP Rules.

Critically, the Act as enacted contains no materiality threshold: the duty to notify applies even if the Data Fiduciary believes the breach caused no harm.

5.7 Processing Children's Personal Data

The DPDP Act treats anyone under 18 as a child whose personal data needs extra protection. Before processing a child's personal data, a Data Fiduciary must:

  • Obtain verifiable consent from the child's parent or lawful guardian
  • Have a reliable way to establish that the person consenting is an adult and is the child's parent or guardian (the mechanics are left to the Rules)
  • Avoid any processing likely to have a detrimental effect on the child's well-being
  • Not track or monitor the child's behaviour
  • Not direct targeted advertising at children

The Government may, by rules, exempt certain classes of Data Fiduciaries or purposes from these requirements (healthcare providers processing a child's health data in an emergency, for example), but by default the obligations apply broadly.

5.8 Cross-Border Data Transfers

The Act takes a restriction-list approach to transfers: personal data may be transferred outside India to any country or territory except those that the Central Government restricts by notification. No restricted list has been notified yet. This is the reverse of the 2019 Bill's localisation approach and of the GDPR's adequacy model, under which a transfer is blocked unless the destination is approved. Two caveats apply. First, the Act preserves any existing Indian law that imposes a stricter restriction on transfer, so sectoral rules such as the RBI's requirement that payment system data be stored in India continue to bind the businesses they cover. Second, the Fiduciary stays accountable for data it sends abroad, so a transfer does not relax the security-safeguard or processor-contract obligations.

Companies that route data through servers, cloud providers, or analytics platforms in foreign jurisdictions should map those flows now, so that a transfer can be rerouted or stopped if its destination is later restricted, and should check whether a sectoral regulator already restricts it.

5.9 Obligations of Data Processors

Where a Data Fiduciary engages a third-party Data Processor to handle personal data on its behalf, the Fiduciary remains accountable for the Processor's compliance with the DPDP Act, and the Act permits engaging a Processor only under a valid contract. Those contracts should contain suitable data protection clauses, and Processors should process data only on the Fiduciary's instructions.

6. The 8 Rights of the Data Principal

Among the most important features of the DPDP Act is the set of rights it gives individuals over their personal data. As a Data Fiduciary, you are legally obliged to build the processes, systems, and response mechanisms that let each of these rights be exercised.

Right 1: Right to Access Information

Every Data Principal has the right to obtain from a Data Fiduciary a summary of the personal data being processed and of the processing activities undertaken, together with the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared. The information must be provided on request, in a clear and understandable form.

Right 2: Right to Correction and Updating

Data Principals have the right to have inaccurate, incomplete, or outdated personal data corrected, completed, or updated. Data Fiduciaries should act on such requests without undue delay and make sure that downstream Processors and recipients receive the correction.

Right 3: Right to Erasure

Individuals can ask for their personal data to be erased when it is no longer necessary for the purpose for which it was collected, or when they withdraw consent. This is often called the 'right to be forgotten'.

The right is not absolute: retention required by law takes precedence. Companies must nonetheless have a clear process to evaluate and carry out erasure requests, and to pass them on to any Processor holding the data.

Right 4: Right to Grievance Redressal

Every Data Principal has the right to have grievances addressed by the Data Fiduciary. The Fiduciary must publish clear contact details and run an accessible, timely process for data-related complaints. A Data Principal must use that process first; a grievance that remains unresolved can then be taken to the Data Protection Board.

Right 5: Right to Nominate

This is a distinctively Indian feature of the DPDP Act. A Data Principal may nominate another person to exercise their rights under the Act on their behalf in the event of death or incapacity, so that a nominee can, for example, request access to or erasure of a deceased person's health or financial records held by a Data Fiduciary.

Right 6: Right to Withdraw Consent

The DPDP Act recognises a person's right to give, refuse, or withdraw consent. Consent can be withdrawn at any time, and withdrawing must be as easy as giving it. On withdrawal, the Data Fiduciary must stop processing for the purposes covered by that consent within a reasonable time, and must have its Data Processors stop too, unless the processing is required by law. The consequences of withdrawing fall on the Data Principal: if a service depends on the processing, the Fiduciary may cease providing it. Processing carried out before withdrawal remains lawful.
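Section 5.1 puts the burden of proving consent on the Data Fiduciary, Section 5.3 bars over-collection and repurposing, and the right to withdraw above requires processing to stop going forward while leaving earlier processing lawful. As an added illustration written for this guide (not code from the Act, the Rules, or any vendor), here is a Python consent ledger and processing gate that covers all three: it records consent per purpose against the version of the notice shown, refuses fields a purpose does not need, recognises an enumerated legitimate use, and answers point-in-time questions so that a withdrawal does not retroactively taint earlier processing. The purposes, field lists, identifiers, and timeline are assumptions made up for the example.

```python
"""Purpose-scoped consent ledger with a processing gate (added example for this guide).
Purposes, field lists, identifiers and the demo() timeline are constructed, not real."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Basis(Enum):
    CONSENT = "consent"
    LEGITIMATE_USE = "legitimate_use"   # one of the Act's enumerated grounds, e.g. employment


class ProcessingDenied(Exception):
    """No lawful basis covers the requested processing."""


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str           # "granted" or "withdrawn"
    at: datetime
    notice_version: str   # the notice the principal was shown when consent was sought


class ConsentLedger:
    """Append-only record of grants and withdrawals, one purpose at a time, so consent for
    one purpose is never bundled with another and the trail can be produced later."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              at: datetime | None = None) -> None:
        at = at or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(principal_id, purpose, "granted", at, notice_version))

    def withdraw(self, principal_id: str, purpose: str, at: datetime | None = None) -> None:
        at = at or datetime.now(timezone.utc)
        latest = self._latest(principal_id, purpose, at)
        version = latest.notice_version if latest else "n/a"
        self._events.append(ConsentEvent(principal_id, purpose, "withdrawn", at, version))

    def _latest(self, principal_id: str, purpose: str, as_of: datetime) -> ConsentEvent | None:
        matching = [e for e in self._events
                    if e.principal_id == principal_id and e.purpose == purpose and e.at <= as_of]
        return matching[-1] if matching else None

    def is_active(self, principal_id: str, purpose: str, as_of: datetime | None = None) -> bool:
        """Point-in-time answer: processing done while consent was active stays lawful
        even if the principal withdraws later."""
        latest = self._latest(principal_id, purpose, as_of or datetime.now(timezone.utc))
        return latest is not None and latest.action == "granted"

    def evidence(self, principal_id: str, purpose: str) -> list[dict]:
        """The chronological trail you would hand to the Board to prove consent."""
        return [{"action": e.action, "at": e.at.isoformat(), "notice_version": e.notice_version}
                for e in self._events if e.principal_id == principal_id and e.purpose == purpose]


# Data minimisation: the only fields each declared purpose may touch (hypothetical mapping).
FIELDS_FOR_PURPOSE = {
    "order_fulfilment": {"name", "phone", "shipping_address"},
    "marketing": {"email"},
    "payroll": {"name", "bank_account"},
}


def authorise(ledger: ConsentLedger, principal_id: str, purpose: str, requested: set[str],
              as_of: datetime | None = None,
              legitimate_uses: frozenset[str] = frozenset()) -> Basis:
    """Gate every processing call: declared purpose, no over-collection, then a lawful basis."""
    if purpose not in FIELDS_FOR_PURPOSE:
        raise ProcessingDenied(f"{purpose!r} is not a declared purpose")
    extra = requested - FIELDS_FOR_PURPOSE[purpose]
    if extra:
        raise ProcessingDenied(f"fields {sorted(extra)} are not necessary for {purpose!r}")
    if purpose in legitimate_uses:
        return Basis.LEGITIMATE_USE
    if ledger.is_active(principal_id, purpose, as_of):
        return Basis.CONSENT
    raise ProcessingDenied(f"no active consent from {principal_id} for {purpose!r}")


def demo() -> dict:
    """Constructed timeline; returns the outcomes so they can be checked."""
    def t(hour: int, minute: int = 0) -> datetime:
        return datetime(2025, 9, 1, hour, minute, tzinfo=timezone.utc)

    def outcome(**kwargs) -> str:
        try:
            return authorise(ledger, **kwargs).value
        except ProcessingDenied:
            return "denied"

    ledger = ConsentLedger()
    ledger.grant("dp-1", "order_fulfilment", "notice-v3", at=t(9))
    out = {
        "fulfil": outcome(principal_id="dp-1", purpose="order_fulfilment",
                          requested={"name", "shipping_address"}, as_of=t(10)),
        # consent for fulfilment does not carry over to marketing (no bundling)
        "marketing_unconsented": outcome(principal_id="dp-1", purpose="marketing",
                                         requested={"email"}, as_of=t(10)),
        # asking for email under the fulfilment purpose is over-collection
        "over_collection": outcome(principal_id="dp-1", purpose="order_fulfilment",
                                   requested={"name", "email"}, as_of=t(10)),
        # employment is a legitimate use, so no consent record is needed
        "payroll": outcome(principal_id="dp-1", purpose="payroll", requested={"bank_account"},
                           as_of=t(10), legitimate_uses=frozenset({"payroll"})),
    }
    ledger.grant("dp-1", "marketing", "notice-v3", at=t(11))
    ledger.withdraw("dp-1", "marketing", at=t(12))
    out["marketing_before_withdrawal"] = ledger.is_active("dp-1", "marketing", as_of=t(11, 30))
    out["marketing_after_withdrawal"] = ledger.is_active("dp-1", "marketing", as_of=t(13))
    out["marketing_trail"] = ledger.evidence("dp-1", "marketing")
    return out
```

The point-in-time check is what protects you: is_active() asked "as of" the moment of the original processing still answers yes after a withdrawal, which is exactly the record you would need to show the Board. Keep the ledger in append-only storage; a consent table that is updated in place cannot prove what was true last month.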

Right 7: Right to Know About Breach

The Act does not list this as a separate right, but the breach-intimation duty described in Section 5.6 has the same effect: every affected Data Principal must be told when a breach exposes their personal data. Data Fiduciaries therefore need breach detection, assessment, and notification capabilities in place before a breach happens, not after.

Right 8: Right to Approach the Data Protection Board

The Data Protection Board of India is the forum a Data Principal may approach with a complaint that the Data Fiduciary's grievance process has not resolved. The Board can inquire into the complaint, issue directions, and impose penalties on the Data Fiduciary.

📌 Business Implication: Each Data Principal right is an operational obligation for your business. You need documented processes, named owners, response timelines, and audit trails for every category of rights request.

7. DPDP Act Penalties: The Full Picture

The Data Protection Board of India has wide adjudicatory powers. It can inquire into a matter on receiving a breach intimation, a complaint from a Data Principal, a reference from the Central or State Government, or a direction of a court, and can then issue directions and impose monetary penalties. The ceilings under the DPDP Act are among the highest in Indian regulatory law.

Some key points about penalties:

Penalty Ceilings: The Schedule to the Act sets a maximum per type of contravention: up to Rs 250 crore for failing to take reasonable security safeguards, up to Rs 200 crore for failing to notify a breach, up to Rs 200 crore for breaching the children's-data obligations, up to Rs 150 crore for breaching an SDF's additional obligations, and up to Rs 50 crore for any other contravention.

Per Contravention: Penalties attach to each contravention, not to the business as a whole. A company that suffers several breaches, or breaches several provisions, can face a separate penalty for each.

Factors Considered: In fixing the amount, the Board looks at the nature, gravity, and duration of the breach; the type and sensitivity of the data involved; the number of people affected; whether the breach is repetitive; any gain made or loss avoided; the steps taken to mitigate the harm; and whether the penalty is proportionate and effective.

No Criminal Liability: Unlike some earlier proposals, the DPDP Act imposes no criminal liability (imprisonment) for violations. Penalties are civil and financial.

💡 Perspective: A Rs 250 crore fine may be a rounding error for a global tech giant but could end an Indian SME or mid-size company. The Board must weigh proportionality, but 'proportionate' still means serious.

8. Sector-Wise Impact: What Your Industry Needs to Know

The DPDP Act formally covers every sector, but its practical impact differs a great deal from one sector to another. Here is a sector-wise look at the hardest compliance issues:

A Detailed Look: Fintech and BFSI

Financial services companies, including banks, NBFCs, payment gateways, insurers, and wealth management platforms, hold some of the most sensitive personal and financial data in the economy. For them, DPDP compliance sits alongside RBI, SEBI, and IRDAI regulation, which continues to apply. The main issues are KYC data handling, sharing data with credit bureaus, processing data for fraud detection, and cross-border flows of payment data.

A Detailed Look: Healthcare

Hospitals, clinics, telemedicine platforms, health insurers, and wellness apps handle highly confidential health data. The DPDP Act does not create a separate category of 'sensitive personal data' as its predecessors did, but the 'reasonable security safeguards' standard scales with the sensitivity of the data, and the penalty factors include the type of data involved, so health data calls for the strongest controls. Consent must be specific to each purpose, and data minimisation is essential.

A Detailed Look: EdTech and Schools

Educational institutions and EdTech platforms are in a particularly difficult position under the DPDP Act. Student data is not just personal data but usually children's data too, so parental consent is required, tracking and behavioural monitoring are prohibited, and targeted advertising to children is barred. Platforms that collected large volumes of student behavioural data for personalisation will have to rework their data architecture substantially.

9. DPDP Act vs. GDPR: A Side-by-Side Comparison

The Indian DPDP Act is often compared with the European Union's General Data Protection Regulation (GDPR), which took effect in 2018 and is treated as the global benchmark for data privacy law. Here is a brief comparison.

The DPDP Act carries the imprint of the GDPR, especially in its core principles: consent, purpose limitation, data minimisation, and individual rights. There are, however, significant differences: the DPDP Act is far less detailed on implementation, it gives the Indian Government wider powers to grant exemptions and to restrict cross-border transfers, and its fines are smaller in absolute terms (though substantial in the Indian context). Two omissions matter for GDPR-trained teams: there is no general 'legitimate interests' basis (only consent and the enumerated legitimate uses), and there is no right to data portability.

For multinationals that are already GDPR-compliant, DPDP compliance is mostly a matter of adjustments: appointing a Grievance Officer in India, giving Indian users a consent-withdrawal mechanism, and checking whether any destination you transfer data to has been restricted by the Central Government.

10. The Role of the Data Protection Board of India

The Data Protection Board of India (DPBI) is the principal authority that coordinates the implementation and enforcement of the DPDP Act. It is crucial to have a clear understanding of its operations not only to ensure compliance but also to know what to expect when things go awry.

Structure and Composition

The Board comprises a Chairperson and such other Members as the Central Government appoints. Members should have expertise in data governance, information technology, law, or related fields. The Government has not yet formally constituted the Board, which is one reason enforcement has been delayed.

Powers of the Board

The Board has the following main powers:

Inquiry: The Board may inquire into a matter on receiving an intimation of a personal data breach, a complaint from a Data Principal, a reference from the Central or State Government, or a direction of a court.

Complaint Adjudication: The Board receives and hears complaints from Data Principals whose rights have been violated.

Penalty Imposition: Following an inquiry, the Board may impose monetary penalties up to the maximum limits set out in the Act.

Directions: The Board may issue binding directions to Data Fiduciaries, including directions to stop processing, erase data, or take specific security measures.

Voluntary Undertakings: The Board may accept a voluntary undertaking from a person in respect of any matter relating to compliance; while the undertaking is honoured, no proceedings can be brought on that matter.

Appeals

Decisions of the Data Protection Board may be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and subsequently to the Supreme Court of India on questions of law. This creates a formal judicial review mechanism for businesses that disagree with the penalty imposed on them.

11. DPDP Act Compliance for SMEs and Startups

Many Indian business owners still believe the DPDP Act is mainly a concern for large corporations and tech giants. That is wrong, and it could prove costly.

There is no size or turnover threshold below which the DPDP Act stops applying. If your business collects, stores, or processes the personal data of individuals in India in digital form, whatever your revenue, headcount, or stage, you are a Data Fiduciary under the Act. The Act does let the Central Government notify classes of Data Fiduciaries, startups included, as exempt from a few provisions (notice, accuracy, erasure, SDF duties, and the right to access), but no such notification should be assumed, and the security-safeguard and breach-notification duties are not among the provisions that can be relaxed.

Reasons Why SMEs Are Particularly Vulnerable

Small and medium enterprises often run a higher risk of DPDP non-compliance, for reasons such as:

Legacy Systems: Many SMEs still manage customer data in spreadsheets, WhatsApp groups, and informal databases, none of which can manage consent or enforce security.

Vendor Reliance: SMEs lean on a large number of SaaS tools, CRMs, and marketing platforms. Each of these vendors is a Data Processor under the DPDP Act, which creates compliance obligations in vendor contracts.

Lack of Compliance Staff: Large enterprises usually have a legal or privacy department; most SMEs do not. Founders or owners are often unaware of their obligations until a complaint arrives.

Marketing Practices: Traditional SME marketing methods such as cold calling, bulk SMS, and email marketing now have to be rebuilt around valid consent or a recognised legitimate use.

The Good News for SMEs

The good news is that baseline DPDP compliance is often not as complicated or costly for an SME as most owners first imagine. For a typical small or medium-sized enterprise the path has five main steps: a data audit, refreshed privacy notices, working consent mechanisms, staff training, and a review of vendor contracts. Expert help can make the process systematic and affordable.

12. Your 10-Step DPDP Act Compliance Checklist

Here's a practical, prioritised schedule of tasks to kick off your DPDP compliance journey. Each element of the plan is meant to be executable no matter what the size of your organisation is.

1. Data Audit

This is the foundation of DPDP compliance. Identify and document every type of personal data your organisation collects, why it is collected, where it is stored, who has access, how long it is retained, and whether you hold valid consent (or have a legitimate use) for its collection and use.

2. Refresh Your Privacy Notice

Retire your old legalese privacy policy and rewrite it in clear, simple language. It should disclose what data you collect, why, how long you keep it, with whom you share it, and how individuals can exercise their rights. Ordinary users cannot parse legal jargon, so take it out.

3. Establish a consent management system

Build a system that lets people grant, view, manage, and revoke their consent at any time, purpose by purpose, and that keeps a timestamped record of each grant and withdrawal.

A self-service portal, a settings page, or a registered third-party Consent Manager are all options.

4. Assign a Grievance Officer

Identify a person (or team) who will be the contact point for customer and user complaints about data. This person's or team's contact details should be easily found on your website and app.

5. Develop Rights Request Workflows

Set up well-documented internal processes for responding to access, correction, and erasure requests within the time limits the DPDP Rules specify, including the step that passes corrections and erasures on to your Processors.

6. Review and Update Vendor Contracts

Go back to the vendor list from your data audit. Put Data Processing Agreements (DPAs) with DPDP-compliant clauses in place with your CRM provider, cloud platforms, marketing tools, payroll processors, and every other vendor that touches personal data.

7. Carry out Security Safeguards

Run a security assessment. Put encryption, access controls, multi-factor authentication, and regular vulnerability scans in place. Keep a record of your security measures as evidence of reasonable care.

8. Build a Breach Response Plan

Create a comprehensive data breach response plan that outlines: how breaches are identified, who is in charge of investigating, how the Board and the individuals affected will be informed, and within what time limit.

9. Implement Children's Data Controls

If your site or app serves, or could serve, children under 18, put in place age checks and a verifiable parental-consent mechanism. Stop tracking, profiling, and targeted advertising for users identified as children.

10. Review Cross-Border Data Flows

Identify every international data transfer your business makes: cloud storage locations, analytics platforms, email service providers, and CRMs. Be ready to reroute or stop a transfer if the Central Government later restricts its destination, and confirm that no sectoral regulator already restricts it.

13. Frequently Asked Questions About DPDP Act Compliance

Q1: Is the DPDP Act enforceable at present?

The DPDP Act has been passed, but enforcement depends on the notification of the DPDP Rules and the constitution of the Data Protection Board. Both are expected in 2025. Companies should nonetheless start preparing now: once the Rules are notified, a long implementation period is unlikely.

Q2: Will DPDP Act be applicable to B2B businesses that only use business contact information?

The Act covers the 'personal data' of individuals. Corporate email addresses and phone numbers used for professional purposes are a borderline case, but any information that can identify a person, such as a name, a work email, or a professional role, is personal data. B2B businesses should not assume they are outside the scope of the law.

Q3: How does 'verifiable parental consent' for children's data work?

The DPDP Act requires verifiable parental consent for a child's data, but leaves the mechanics to the DPDP Rules. The methods will likely include OTP or digital-signature confirmation linked to a parent's Aadhaar or PAN, but the Rules will bring clarity. In the meantime, companies should design systems that can perform age checks and record parental consent.

Q4: We already comply with GDPR. Do we automatically comply with the DPDP Act?

Being GDPR-compliant puts you well on track, since the basic principles are largely the same. You will still need DPDP-specific changes: designating a Grievance Officer in India, building consent withdrawal mechanisms for Indian users, checking cross-border transfer restrictions under Indian law, and making sure your privacy notices meet DPDP disclosure requirements.

Q5: How long can we retain personal data under the DPDP Act?

The DPDP Act mandates that Data Fiduciaries should hold personal data only for as long as it is necessary for the purpose for which the data was obtained. After the purpose has been served, and there is no legal requirement for retention, the data must be deleted. Companies need to establish and record data retention policies for each type of personal data they possess.
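The retention rule in Q5, and the erasure workflow in step 5 of the checklist above, are easiest to get right when the decision is written down as code that a scheduled job can apply to every record. The following is an added example, not code from the original article or from Book My Accountant: the data categories, retention periods, legal bases and sample records are all constructed and hypothetical, and the schedule is the thing you would replace with your own documented retention policy.

```python
"""Retention review: decide, per record, whether personal data must now be erased.

Rules implemented, as described in the article:
  * data is kept only while the purpose it was collected for is active;
  * once the purpose is served (or consent is withdrawn) it is erased, unless a
    legal requirement justifies keeping it for a fixed further period;
  * an active legal hold (litigation, regulator request) always blocks erasure;
  * records in a category with no documented policy are flagged for review,
    never silently retained.
All categories, periods and sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical retention schedule. 'days_after_purpose' is how long a record may
# be kept once its purpose has ended; a non-zero period must cite the legal
# basis that requires it, otherwise the Act's rule is "delete once served".
RETENTION_SCHEDULE = {
    "marketing_profile": {"days_after_purpose": 0, "legal_basis": None},
    "order_history": {"days_after_purpose": 365 * 8,
                      "legal_basis": "statutory accounting records (hypothetical period)"},
    "support_ticket": {"days_after_purpose": 0, "legal_basis": None},
}


def validate_schedule(schedule: dict) -> None:
    """Refuse a policy that keeps data beyond its purpose without a legal basis."""
    for category, policy in schedule.items():
        if policy["days_after_purpose"] > 0 and not policy["legal_basis"]:
            raise ValueError(f"{category}: retention beyond purpose needs a legal basis")


@dataclass
class Record:
    record_id: str
    category: str
    purpose_served_on: Optional[date] = None     # None: purpose still active
    consent_withdrawn_on: Optional[date] = None  # withdrawal also ends the purpose
    legal_hold: bool = False


def purpose_end(rec: Record) -> Optional[date]:
    """Earliest of 'purpose served' and 'consent withdrawn'; None while active."""
    ends = [d for d in (rec.purpose_served_on, rec.consent_withdrawn_on) if d]
    return min(ends) if ends else None


def decide(rec: Record, today: date) -> dict:
    """Return a decision dict: action is 'erase', 'retain' or 'review'."""
    base = {"record_id": rec.record_id, "erase_on": None}
    if rec.category not in RETENTION_SCHEDULE:
        return {**base, "action": "review", "reason": "no retention policy for category"}
    if rec.legal_hold:
        return {**base, "action": "retain", "reason": "legal hold"}
    end = purpose_end(rec)
    if end is None:
        return {**base, "action": "retain", "reason": "purpose still active"}
    policy = RETENTION_SCHEDULE[rec.category]
    erase_on = end + timedelta(days=policy["days_after_purpose"])
    if today >= erase_on:
        return {**base, "action": "erase", "erase_on": erase_on,
                "reason": "purpose served and retention period elapsed"}
    return {**base, "action": "retain", "erase_on": erase_on,
            "reason": policy["legal_basis"]}


def run_review(records: List[Record], today: date) -> Tuple[List[dict], List[str]]:
    """Evaluate all records; also return an audit trail of erasures as proof of care."""
    validate_schedule(RETENTION_SCHEDULE)
    decisions = [decide(r, today) for r in records]
    audit_log = [f"{today.isoformat()} erased {d['record_id']}: {d['reason']}"
                 for d in decisions if d["action"] == "erase"]
    return decisions, audit_log


# Constructed sample data for a review run on a hypothetical date.
REVIEW_DATE = date(2026, 3, 1)
SAMPLE_RECORDS = [
    Record("u1-mkt", "marketing_profile", consent_withdrawn_on=date(2026, 2, 20)),
    Record("u2-ord", "order_history", purpose_served_on=date(2020, 6, 1)),
    Record("u3-ord", "order_history", purpose_served_on=date(2017, 1, 1)),
    Record("u4-tkt", "support_ticket", purpose_served_on=date(2026, 1, 5), legal_hold=True),
    Record("u5-mkt", "marketing_profile"),
    Record("u6-exp", "legacy_export"),
]

if __name__ == "__main__":
    decisions, log = run_review(SAMPLE_RECORDS, REVIEW_DATE)
    for d in decisions:
        print(d["record_id"], d["action"], d["reason"], d["erase_on"])
    print("\n".join(log))
```

The two details worth copying into a real implementation are the schedule validator, which stops a "keep it just in case" period from slipping in without a legal basis, and the 'review' outcome for data with no documented purpose, since unclassified data is exactly what a regulator will ask about after a breach.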

Q6: Are there any penalties for accidental data breaches?

Yes. The Act does not distinguish between malicious and accidental breaches. Where a Data Fiduciary has failed to implement reasonable security safeguards, a breach can attract a penalty of up to 250 crores regardless of intent. This is a clear reminder that security measures cannot be left to chance.

Q7: What should we do when we receive a data access request from a customer?

Verify that the requester is the Data Principal, then give them a concise statement of the personal data you hold about them and what you are doing with it. The reply must be issued within the period stipulated in the DPDP Rules (not yet notified, but the 30-day period under the GDPR is a reasonable reference). Build the internal workflow now so that you are ready when the first request arrives.

14. How Book My Accountant Supports DPDP Act Compliance

At Book My Accountant, we have years of experience helping Indian businesses navigate the country's most complicated regulatory frameworks, from GST and income tax compliance to ROC filings, FEMA, and corporate law.

DPDP Act compliance is the next big challenge for us, and we are geared up to take you along with us.

Our DPDP compliance services are practical, cost-effective, and tailored to the size of your business and your industry:

Data Audit & Gap Analysis: We perform an in-depth review of your current data collection practices, identify the gaps against DPDP requirements, and give you a prioritized remediation roadmap.

Consent Management Consultation: We help you design and implement a consent framework that fits your business model, including whether to use a third-party Consent Manager or build an in-house consent portal.

Vendor Contract & DPA Preparation: We review your vendor contracts and prepare or amend Data Processing Agreements so that your supply chain complies with DPDP.

Security Advisory: We work with your IT team to conduct a security check-up and recommend technical and organizational measures that align with DPDP requirements.

Employee Training: We deliver customized DPDP training to team members at every level, from top management to ground staff, so that everyone understands their compliance role.

Compliance Maintenance Retainer: As the DPDP Rules are issued and the regulatory environment changes, we provide continuous advisory support to adapt your compliance programme.

Whether you are a startup that needs a privacy framework from scratch or a large company updating its policies for DPDP, Book My Accountant offers the expertise and tools to achieve compliance quickly and cost-effectively.

Conclusion: Compliance with the DPDP Act Is Not a Choice, but It Is Very Much Within Your Reach

The Digital Personal Data Protection Act, 2023 is a defining moment for India's digital economy. For the first time, Indian citizens have comprehensive and enforceable rights over their personal data, and Indian businesses, regardless of size and sector, have well-defined legal obligations to respect those rights.

The legislation is passed. The Rules are coming. Enforcement is inevitable. The companies that use this window to build strong, sincere DPDP compliance programmes will not only avoid penalties; they will earn customer trust, strengthen their data governance, and stay ahead as data privacy becomes a deciding factor for Indian consumers.

Companies that stand by and watch will be cornered when they try to catch up: they will pay more, face closer regulatory scrutiny, and risk lasting damage to their reputation.

Copyright © 2026 Book My Accountant (BMA). All Rights Reserved