India Passes Digital Personal Data Protection Bill

Following several recent attempts, the Digital Personal Data Protection Bill has been published in the Official Gazette.

Robb Hiscock
Senior Content Marketing Specialist,  CIPP/E CIPM
August 11, 2023

The Vidhana Soudha legislature building in Bengaluru, India

On August, 14, 2023, the Digital Personal Data Protection Bill (DPDP) received assent by the President and was published in the Official Gazette. The passing of a privacy bill in India has been long-awaited with several previous attempts failing to make it through Parliament, the last as recently as 2022.

The DPDP aims to provide rules for lawfully processing personal data that respects the rights of individuals and puts protections in place for their personal data. Among other things, the DPDP will introduce the concept of a Consent Manager, additional requirements for companies performing significant processing activities, and will create the Data Protection Board of India. Let’s take a closer look at the bill and its key requirements. 


Who does the DPDP apply to?

The DPDP will apply to the processing of digital personal data within India regardless of whether that personal data was originally collected in a digital format. The Bill will also apply to processing of personal data outside of India, if the processing is in connection with any activity related to the offering of goods or services to Data Principals in India.

The Bill does not apply to personal data processed for a personal or domestic purpose and personal data that has been made public by the Data Principal or by any individual can lawfully make personal data publicly available.


What are key definitions under the bill?

The DPDP contains a range of common concepts that can also be found under many other privacy and data protection laws. However, the language used by the DPDP differs with respect to several key definitions. 

For instance, a “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data – similar to the GDPR’s definition of a Data Controller. Additionally, the DPDP outlines a “Significant Data Fiduciary” as a Data Fiduciary that processes substantial volumes and sensitivities of data and will be held to additional requirements. 

Further definitions of note include the “Data Principal” that means the individual that personal data relates – similar to the GDPR’s definition of Data Subject – as well as the term “Consent Manager”. This means an organization registered with the Data Protection Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.


Key requirements

Privacy notices

Like most data protection laws, the DPDP requires organizations to present Data Principals with a privacy notice before every request for consent. Such privacy notices should outline:

  • The personal data being collected
  • The purposes of processing
  • Information relating to how the individual can exercise their rights
  • How individuals can make complaints to the Data Protection Board


Obtaining valid consent

Much like the GDPR, the DPDP outlines that valid consent must be freely given, specific, informed, unconditional and unambiguous. Data Principals must give consent with a clear affirmative action, and such consent shall only be valid for the specified purpose. 

Data Principals have the right to withdraw her consent at any time and withdrawing consent must be as easy as giving consent. Data Fiduciaries will also be required to communicate the withdrawal of consent downstream to vendors and other third parties. 


Consent Managers

Under the DPDP, individuals’ consent can be managed by a dedicated Consent Manager. The Consent Manager is accountable to the Data Principal and act on their behalf to give, manage, review or withdraw consent. 

Consent Managers must be registered with the Data Protection Board.


Rights of the Data Principal

Individual rights under the DPDP are more limited than seen in other comparable laws. Under the DPDP, Data Principals will have the rights outline below.

The right to access - The Data Principal will have the right to obtain the following from the Data Fiduciary:

  • A summary of personal data being processed 
  • The processing activities undertaken by the Data Fiduciary 
  • The identities of all third parties that the personal data has been shared 
  • A description of the personal data shared
  • Any other information related to processing the personal data of the Data Principal 

The right to correction and erasure - A Data Principal will have the right request to correction, completion, updating and erasure of their personal data.  In the case of requests for erasure, Data Fiduciary will be required to erase the Data Principal’s personal data unless retention of the data is necessary for compliance with another law.

The right of grievance redressal - A Data Principal will have the right to redress provided by a Data Fiduciary or Consent Manager.

The right to nominate - A Data Principal will have the right to nominate any other individual, who can exercise the rights of the Data Principal in the event of their death or incapacity. 


International data transfers

Unlike other privacy laws, the DPDP does not specifically restrict the transfer of personal data by a Data Fiduciary outside of India. Instead, transfers may be restricted at the discretion of the Central Government. 


Significant Data Fiduciaries

A Data Fiduciary may be classed as a Significant Data Fiduciary on the basis of an assessment of factors relating to its processing activities. 

Relevant factors in determining a Significant Data Fiduciary include:

  • The processing of children’s personal data 
  • The volume and sensitivity of personal data processed
  • The risk presented to the rights of the Data Principal
  • The potential impact on the sovereignty and integrity of India
  • The risk to electoral democracy
  • The security of the State and public order

Significant Data Fiduciaries must meet certain additional requirements including conducting periodic data protection impact assessments and audits as well as appointing a Data Protection Officer. 


When will the bill apply, who will enforce it, and what are the penalties?

The DPDP became law upon its publication in the Official Gazette.

The DPDP will be overseen by the Data Protection Board of India that shall exercise and perform several powers and functions including ordering remediation following data breaches and investigating complaints made by a Data Principal. 

Fines for breaches of the DPDP can range from INR10,000 (approx. $120) for violating the duties of a Data Fiduciary up to INR250 Crore (INR2.5billion) (approx. $30 million) for violations relating to data breaches. 

Request a demo and speak to an expert to see how the OneTrust Privacy & Data Governance Cloud can help you prepare for the DPDP and other global privacy laws. 

You may also like


GRC & Security Assurance

Empowering your cyber defense: Key insights into the latest NIST CSF update with PwC

Join this webinar with OneTrust and PwC and gain insights into the upcoming NIST CSF update and learn how to effectively deploy it across your organization.

November 09, 2023

Learn more


Privacy Management

Managing data transfers within the UK & EU

Join our experts as we discuss ways to effectively manage data transfers between the UK & EU while staying compliant with the latest privacy regulations.

October 31, 2023

Learn more


Third-Party Risk

5 Ways to save time when assessing third parties for privacy and security risks webinar

Join our webinar and learn how to save time and streamline third-party risk assessment throughout the TPRM lifecycle.

October 25, 2023

Learn more