
India's Digital Personal Data Protection Act: What It Means for You

2025-12-01 7 min read

India's DPDP Act 2023 changes how businesses handle your data. Learn your rights as a data principal, what companies must do, and the penalties for non-compliance.

India's Digital Personal Data Protection (DPDP) Act was passed in August 2023, marking India's first comprehensive data privacy legislation. It changes the obligations for every business that processes personal data, and gives Indian citizens new rights over their information.

Key Definitions

  • Data Principal: The individual whose data is being processed (you)
  • Data Fiduciary: The entity that collects and processes data (companies)
  • Personal Data: Any data that can identify an individual, directly or indirectly
  • Consent: Must be free, specific, informed, and unambiguous

Your Rights as a Data Principal

  • Right to information: Know what data is collected and how it's used
  • Right to correction: Request correction of inaccurate personal data
  • Right to erasure: Request deletion of your data (subject to legitimate retention obligations)
  • Right to grievance redressal: Mechanism to complain if rights are violated
  • Right to nominate: Nominate another person to exercise rights after death/incapacity

What Businesses Must Do

  • Obtain clear consent before collecting personal data
  • Collect only data necessary for the stated purpose
  • Retain data only as long as needed
  • Implement reasonable security measures
  • Report data breaches to the Data Protection Board
  • Appoint a Data Protection Officer (for Significant Data Fiduciaries)

Penalties

The DPDP Act provides for significant financial penalties for violations, up to ₹250 crore per instance for certain breaches. The Data Protection Board of India adjudicates complaints and imposes penalties.
