DPDPA 2023: Complete Guide to Data Fiduciary Obligations in India
- Kaustav Chowdhury

- 22 hours ago
The Digital Personal Data Protection Act 2023 (DPDPA) is India's first comprehensive data protection legislation, and it fundamentally changes how every business that collects or processes personal data must operate. If your organisation collects customer names, email addresses, phone numbers, payment details, or any other personal information, you are classified as a Data Fiduciary under the DPDPA and must comply with specific legal obligations. With the DPDP Rules 2025 notified on November 14, 2025, and phased implementation deadlines approaching, understanding your obligations is no longer optional. Non-compliance carries penalties of up to Rs 250 crore, making this one of the most consequential regulatory changes for Indian businesses in recent years.
The DPDPA establishes several core obligations for all Data Fiduciaries. Under Section 6, you may process personal data only with the Data Principal's explicit, informed, and specific consent, or for certain specified legitimate uses. You must provide clear privacy notices explaining what data you collect, why you collect it, and how it will be used. Section 8 requires robust security safeguards including encryption, access controls, periodic audits, and retention of security logs for at least one year. In case of a data breach, you must notify the Data Protection Board within 72 hours and inform affected individuals promptly. You must erase personal data once the specified purpose is fulfilled or when consent is withdrawn. A grievance redressal mechanism must be established, and you must publish business contact information of a Data Protection Officer or designated contact person. For children's data, verifiable parental consent is mandatory before any processing. Entities classified as Significant Data Fiduciaries (SDFs) face additional requirements: appointing a Data Protection Officer, conducting annual Data Protection Impact Assessments (DPIA), independent audits, and restrictions on transferring certain categories of personal data outside India.
Every business operating in India should begin DPDPA compliance preparations immediately. Start by conducting a data mapping exercise to understand what personal data you collect, where it is stored, how it flows through your organisation, and who has access to it. Review and update your privacy policies to meet the DPDPA's transparency requirements. Implement a consent management system that allows individuals to grant, withdraw, and manage their consent easily. Establish internal data breach detection and response protocols to meet the 72-hour notification deadline. Appoint a designated contact person or DPO for grievance redressal. If you process children's data, implement age verification and parental consent mechanisms. Review all vendor and third-party data processing agreements to ensure they include DPDPA-compliant terms. The penalties for non-compliance are substantial: up to Rs 250 crore for SDF violations, up to Rs 50 crore for children's data violations, and up to Rs 10,000 for individuals providing false information.
The DPDPA's phased implementation timeline gives businesses some breathing room but should not invite complacency. Rules related to the Data Protection Board became effective in November 2025. Consent Manager registration rules apply by November 2026. All remaining provisions, including consent, privacy notice, and security requirements, become enforceable by May 2027. Note that the compliance requirements under the DPDPA differ substantially from the GDPR and from any US framework, so businesses should not assume that an existing international compliance programme will suffice. The designation of Significant Data Fiduciaries is expected during 2026, which will trigger additional obligations for major data processors. The Sansa Kanoon Pranali Partners team has deep expertise in data protection law and has been advising businesses on DPDPA compliance since the Act's enactment. Contact us for a comprehensive compliance assessment, privacy policy review, or full implementation support tailored to your business operations.