The DPDP Act: what Indian enterprises must do now
India's Digital Personal Data Protection Act, 2023 is one of the most significant shifts in the country's data landscape in a generation. If your organisation handles personal data โ and almost every one does โ it applies to you.
The core idea
The Act gives individuals real rights over their personal data and places clear obligations on the organisations that collect it. Consent must be informed and specific. Data must be used only for the purpose it was collected. And individuals can ask what you hold, and ask you to correct or erase it.
Where to start
- Know what you hold. You cannot protect or account for data you have not mapped. Discovery comes first.
- Fix consent. Vague, bundled consent no longer passes. Make it specific, granular and withdrawable.
- Enable individual rights. Build the ability to respond to access, correction and erasure requests before they arrive.
- Watch access to personal data. Know who inside your organisation is touching it, and be able to prove it.
- Set retention limits. Data you no longer need is pure liability. Delete it on a schedule.
Good news: the controls the DPDP Act rewards โ data discovery, access monitoring, retention โ are the same ones that reduce breach risk and satisfy GDPR. Do it once, satisfy both.
Treat the Act not as a compliance chore but as a forcing function to finally get your data house in order. The organisations that do will find trust becomes a competitive advantage.