
DPDP Compliance in India

Everything Indian counsel need to operationalise the Digital Personal Data Protection Act, 2023 — notice, consent, processor contracts, breach response, and a phased roadmap.


What DPDP changes for Indian companies

The Digital Personal Data Protection Act, 2023 replaces a two-decade-old patchwork — Section 43A of the IT Act 2000, the SPDI Rules 2011, sectoral RBI and IRDAI directions, and the constitutional right recognised in Justice K. S. Puttaswamy v Union of India — with a single statute that has actual teeth. The IT Act 43A regime levied ₹50,000 maximum penalties. DPDP levies up to ₹250 crore per breach. The order of magnitude shifts what compliance has to look like.

For in-house counsel, the practical effect is that every contract, every consent flow, every data-handling vendor relationship needs to be reviewed under the new regime. The teams that papered the GDPR sweep in 2018-19 will recognise the workflow, but DPDP diverges from GDPR in important ways:

  • No "legitimate interest" basis: DPDP requires consent or one of the narrow Section 7 legitimate uses for all processing.
  • Consent standard closer to GDPR explicit consent: the five Section 6 tests are strict.
  • Broader territorial scope: DPDP applies to any processing of personal data of data principals in India, regardless of where the fiduciary is located.
  • Consent Manager framework: Section 6(7) introduces a structural innovation borrowed from the Account Aggregator framework, with formal Consent Managers registered with the Data Protection Board.
  • Children's data: Section 9 imposes verifiable parental consent and prohibits tracking, behavioural monitoring, and targeted advertising at children regardless of consent.

This guide walks through the operational framework, the 90-day implementation roadmap, and the contract drafting implications for in-house counsel. For the comprehensive operational guide, see our DPDP compliance guide.

Section 5 — notice in plain language

Section 5(1) requires every data fiduciary to give the data principal a notice — at or before requesting consent — containing the personal data being processed, the purpose, the manner of exercising rights under Sections 11-14, and the manner of complaining to the Board. The draft Rules attach a notice template (Schedule A, Form 1) that most counsel adopt verbatim with minor adaptation.

Two operational traps:

Pre-existing data. Section 5(2) requires fiduciaries holding data collected before the Act to notify principals "as soon as it is reasonably practicable." For most SaaS companies that means a one-time email campaign within 90 days of enforcement, including a refresh of continuing consents.

Layered notice. The Act permits a layered approach — short summary at point of collection, full notice one click away. The summary must be substantive ("we use your data" is not enough), the link must work, and the layered approach must be genuine rather than a dark pattern hiding the full notice.

Section 6 — consent standard

Section 6(1) sets the consent standard:

"The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action..."

Each adjective is a separate compliance test. A consent flow must pass all five — failing any one invalidates the consent and the underlying processing.

Free: refusal must be genuinely costless. Bundling consent with terms of service for processing not necessary for the contract fails this test. Conditioning loyalty rewards on marketing consent fails this test.

Specific: each processing purpose must have its own granular consent. A single "yes" cannot cover six unrelated purposes. This is the largest gap in existing Indian consent flows — the typical pattern bundles everything under "I agree to the Privacy Policy."

Informed: the consent must follow a Section 5 notice in plain language. Layered notice is permitted, but the summary layer must itself be substantive.

Unconditional: consent cannot be contingent on accepting any other terms.

Unambiguous, with clear affirmative action: pre-ticked checkboxes don't count; continued use doesn't count; deliberate click on a distinguishable consent control is required.

See our DPDP consent requirements deep-dive for the operational framework. The consent obligation is also the hardest to retrofit — pre-existing consent flows almost always fail at least one of the five tests.
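The five tests above, as an added executable check (illustration only, not code from Clauseium or from the Act): each consent capture holds one purpose plus the audit fields the roadmap below calls for (notice version, timestamp, IP, user agent), and a record is only written to the audit log if every test passes. The field names and the two constructed sample flows are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ConsentCapture:
    """One consent event as the flow records it (field names are assumptions)."""
    principal_id: str
    purposes: Tuple[str, ...]     # purposes covered by this single "yes"
    notice_version: str           # version of the Section 5 notice shown
    notice_shown_at: Optional[datetime]
    consented_at: datetime
    affirmative_action: bool      # deliberate click on a distinguishable control
    pre_ticked: bool              # checkbox was pre-selected
    bundled_with_terms: bool      # folded into ToS / Privacy Policy acceptance
    conditioned_on_benefit: bool  # e.g. loyalty reward contingent on marketing consent
    ip: str = ""
    user_agent: str = ""

def failed_tests(c: ConsentCapture) -> List[str]:
    """Return the Section 6 adjectives this capture fails; an empty list means valid."""
    failures = []
    # Free: refusal must be costless; bundling with terms or conditioning a benefit fails
    if c.bundled_with_terms or c.conditioned_on_benefit:
        failures.append("free")
    if len(c.purposes) != 1:  # Specific: one granular consent per purpose
        failures.append("specific")
    # Informed: a Section 5 notice must have been shown at or before consent
    if not c.notice_version or c.notice_shown_at is None or c.notice_shown_at > c.consented_at:
        failures.append("informed")
    if c.bundled_with_terms:  # Unconditional: not contingent on accepting other terms
        failures.append("unconditional")
    # Unambiguous: pre-ticked boxes and passive continued use do not count
    if c.pre_ticked or not c.affirmative_action:
        failures.append("unambiguous")
    return failures

def audit_record(c: ConsentCapture) -> Dict[str, str]:
    """Audit-log entry (notice version + timestamp + IP + user agent); refuses invalid consent."""
    failures = failed_tests(c)
    if failures:
        raise ValueError("consent fails Section 6 tests: " + ", ".join(failures))
    return {"principal_id": c.principal_id, "purpose": c.purposes[0], "notice_version": c.notice_version,
            "consented_at": c.consented_at.isoformat(), "ip": c.ip, "user_agent": c.user_agent}

T0 = datetime(2026, 5, 1, 10, 0, tzinfo=timezone.utc)  # constructed timestamp

def legacy_capture() -> ConsentCapture:  # constructed: pre-ticked "I agree to the Privacy Policy" covering everything
    return ConsentCapture("p-1", ("service", "analytics", "marketing"), "v1", T0, T0, False, True, True, False)

def compliant_capture() -> ConsentCapture:  # constructed: one deliberate per-purpose consent after the v2 notice
    return ConsentCapture("p-1", ("marketing",), "v2", T0, T0, True, False, False, False, "203.0.113.7", "Mozilla/5.0")
```

Running `failed_tests(legacy_capture())` reports the four tests the typical bundled flow fails (free, specific, unconditional, unambiguous), while the per-purpose capture produces a clean audit record.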

Section 8 — security and processor obligations

Section 8 imposes two distinct duties on data fiduciaries:

Section 8(4) — implement reasonable security safeguards. The draft Rules will likely prescribe a baseline (ISO 27001 + Annex A controls is the expected standard) plus sectoral overlays for BFSI, healthcare, and telecom.

Section 8(5) — enter into a valid contract with every data processor obligating the processor to:

  1. Process personal data only on the fiduciary's documented instructions.
  2. Implement reasonable security safeguards.
  3. Impose confidentiality obligations on its personnel.
  4. Notify personal data breaches without undue delay.
  5. Cooperate with data principal rights requests.
  6. Obtain approval for, and give notice of, sub-processors.
  7. Comply with cross-border transfer restrictions (under Section 16).
  8. Return or delete personal data on termination.

These eight obligations are the checklist for every vendor contract that handles personal data. Most existing SaaS DPAs drafted for GDPR substantially comply but have gaps on sub-processor approval and breach notification windows. See our vendor agreement template for the standard market drafting.

Section 11 — data principal rights

Section 11 grants data principals four rights:

  1. Right to information — confirm whether their data is being processed and obtain a summary.
  2. Right to correction and erasure — correct inaccurate data, erase data no longer needed.
  3. Right to grievance redressal — file a complaint with the Board.
  4. Right of nomination — nominate another person to exercise rights in case of death or incapacity.

The fiduciary must respond within the period prescribed in the Rules — 90 days under the current draft.

Operationalising rights requests requires a workflow: intake → triage (within 7 days) → discovery (locating data across 30+ systems is where most companies fail) → action → response. Build the workflow now; it's the kind of compliance investment that takes 6+ months to mature.

Section 16 — cross-border transfers

Section 16 permits cross-border transfers subject to government notification of restricted countries. As of May 2026, the restricted-country list has not been notified, so transfers remain unrestricted other than sectoral RBI directions for financial data (Storage of Payment System Data circular) and IRDAI directions for insurance data.

For most B2B SaaS engagements, the practical position is: transfers to the US, EU, and major Asian jurisdictions are permitted. Build in contractual flexibility for when restrictions are notified.

Section 33 — penalty exposure

The penalty schedule:

Failure                                              Maximum penalty
Failure to take reasonable security safeguards       ₹250 crore
Failure to notify personal data breach to Board      ₹200 crore
Failure to fulfil obligations to children            ₹150 crore
Failure of SDF obligations                           ₹100 crore
Other non-compliance                                 ₹50 crore

These are maxima — the Data Protection Board exercises discretion based on the breach circumstances, the fiduciary's compliance posture, and remediation efforts. The first wave of Board enforcement actions will set the precedent for how aggressively maxima are applied.

For Indian companies, the cost-benefit calculus favours treating DPDP compliance as a board-level risk. Spending ₹50 lakh on a compliance program is rational insurance against ₹250 crore penalty exposure.

The 90-day compliance roadmap

Most Indian counsel structure DPDP compliance as a phased 90-day program:

Days 1-15: Notice + audit

  • Audit existing consent flows against the five Section 6 tests.
  • Update the privacy notice to the Section 5 standard using the draft Rules template.
  • Catalogue every vendor and processor relationship that handles personal data.
  • Stand up the consent audit log infrastructure (notice version + timestamp + IP + user agent).

Days 15-30: Notice deployment

  • Deploy the updated privacy notice across all collection points.
  • Run the pre-existing customer notification campaign per Section 5(2).
  • Implement the in-app consent withdrawal mechanism (must be as easy as giving consent).

Days 30-60: Vendor + processor contracts

  • Draft a Section 8(5)-compliant DPA template.
  • Re-paper or addend all vendor contracts that handle personal data.
  • Implement sub-processor approval workflow with 30-day notice.
  • Document cross-border data flows.

Days 60-90: Rights + breach response

  • Build the data principal rights workflow with 90-day SLA.
  • Establish the 72-hour breach notification pipeline.
  • Test the breach response runbook end-to-end.
  • Train customer-facing teams on rights requests.

Days 90+: Monitoring + governance

  • Monitor consent take-up rate, withdrawal rate, time-to-effect.
  • Schedule quarterly DPDP audits.
  • Plan for SDF criteria notification (likely 2027).

Contract drafting implications

DPDP affects six categories of commercial contracts in distinct ways:

Customer SaaS / MSA
  DPDP impact: Customer is fiduciary, you are processor
  Drafting priority: Add DPA referencing Section 8(5)

Vendor / SaaS in
  DPDP impact: You are fiduciary, vendor is processor
  Drafting priority: Demand DPA from vendor

Employment
  DPDP impact: You are fiduciary; employee data
  Drafting priority: Refresh employment notice; explicit consent for non-mandatory uses

NDA
  DPDP impact: If personal data in scope, becomes processor agreement
  Drafting priority: Use DPDP-aware NDA template

Marketing partnership
  DPDP impact: Joint fiduciaries
  Drafting priority: Allocate notice and consent obligations explicitly

Data brokerage
  DPDP impact: Sale prohibited without consent
  Drafting priority: Re-paper with purpose-bound consent

The most-litigated DPDP clause will be the indemnification provision. Standard market practice in India is for the processor to indemnify the fiduciary, uncapped, for losses arising from the processor's Section 8(5) breach. See our indemnification deep-dive and limitation of liability deep-dive for the drafting framework.

Significant Data Fiduciaries

Section 10 introduces SDF status — a category of fiduciaries subject to additional obligations:

  • Appoint a Data Protection Officer based in India, reporting to the Board.
  • Engage an independent Data Auditor for annual compliance audits.
  • Conduct Data Protection Impact Assessments (DPIAs) before high-risk processing.

The Central Government will notify SDF criteria based on volume, sensitivity, and impact. Likely SDF candidates: large BFSI entities, healthcare providers, telecom operators, social media platforms, large e-commerce platforms.

If you are likely to be an SDF, prepare now. DPO recruitment alone is a 6-9 month process for qualified candidates in India.

How Clauseium accelerates DPDP compliance

DPDP compliance reviews mean reading every vendor contract and every customer DPA against a fixed list of obligations. Clauseium runs that scan in minutes per contract: it extracts the processing role (fiduciary, processor, joint), checks for the eight Section 8(5) obligations, flags cross-border transfer language, and verifies breach notification windows. Every finding cites the exact DPDP section.

For a 50-vendor compliance audit that would take 6 weeks of clause-by-clause manual review, Clauseium compresses the work to under a week and produces a structured exception list. See our DPDP compliance feature.


Where to go next

Continue with the spoke deep-dives below. The pillar above is the strategic framework; the spokes are the implementation specifics. Most counsel start with the DPDP compliance guide and the consent requirements deep-dive, then move to the contract templates and clause guides as they encounter specific drafting questions in active deals.

Frequently asked questions

When does the DPDP Act 2023 come into force?
The Act received Presidential assent in August 2023. The draft DPDP Rules were published by MeitY in January 2025 with comments closed in February 2025. Most operative provisions are being notified in tranches through 2026, with an 18-month transition window for compliance once the Data Protection Board is operationalised. Indian companies should treat 2026 as the year of phased enforcement and build compliance programs accordingly.
Who is a data fiduciary under DPDP?
Any person who, alone or in conjunction with others, determines the purpose and means of processing personal data. In practice, this includes virtually every Indian company that collects customer email addresses, employee data, or KYC information. Section 2(i) of the Act defines the term; Section 5 imposes the core notice and consent obligations on every data fiduciary.
What's the difference between a data fiduciary and a data processor?
The data fiduciary determines purpose and means of processing; the processor processes data on the fiduciary's documented instructions. Most Indian companies are fiduciaries for their customer and employee data, and processors when handling third-party data on a customer's behalf. The same entity can be both, in different contexts. See our [DPDP compliance guide](/resources/dpdp/dpdp-compliance-guide) for the operational distinctions.
What does Section 8(5) require in processor contracts?
Section 8(5) requires the fiduciary to enter into a valid contract with every data processor obligating the processor to: (1) process data only on the fiduciary's documented instructions, (2) implement reasonable security safeguards, (3) confidentiality of personnel, (4) notify breaches without undue delay, (5) cooperate with rights requests, (6) sub-processor approval, (7) cross-border transfer compliance, (8) return or delete data on termination. These eight obligations are the checklist Indian counsel use for every vendor contract that touches personal data.
What is the consent standard under DPDP Section 6?
Consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. Pre-ticked boxes, opt-out mechanisms, and bundled consent across unrelated purposes all fail. The consent must follow a Section 5 notice in plain language. Withdrawal must be as easy as giving consent. See our [DPDP consent requirements deep-dive](/resources/dpdp/dpdp-consent-requirements-india).
What are the penalties under DPDP?
Up to ₹250 crore per breach for failure to take reasonable security safeguards (Schedule, Item 1), ₹200 crore for failure to notify a personal data breach to the Board (Item 2), ₹150 crore for failure to fulfil obligations to children (Item 3). The Data Protection Board imposes these after inquiry under Section 27.
Does DPDP apply to existing customer contracts?
Yes. Existing contracts that authorise data processing remain valid, but the fiduciary must ensure consent meets DPDP standards and that processor contracts include the Section 8(5) obligations. Most counsel are addending existing contracts rather than re-papering — see Section 5(2) for the pre-existing data notification obligation.
What is a Significant Data Fiduciary?
Section 10 introduces a category of fiduciaries subject to additional obligations — DPO appointment, independent auditor, mandatory DPIA on high-risk processing. The Central Government will notify which fiduciaries qualify as SDFs based on volume, sensitivity, and impact criteria. The criteria are detailed in the draft DPDP Rules but not yet finalised. Most BFSI, healthcare, and large e-commerce platforms should assume SDF status is coming.
