Compliance Briefing — August 11, 2023

Executive briefing: On August 11, 2023, India’s President gave assent to the Digital Personal Data Protection Act, 2023 (DPDP Act). The law introduces consent-centric processing rules, significant penalties for non-compliance, and establishes the Data Protection Board of India to enforce obligations on data fiduciaries and processors.

Immediate compliance priorities

Legal basis review. Evaluate consent, deemed consent, and legitimate-use grounds for all personal data processing involving Indian residents.
Notice and rights management. Update privacy notices, multilingual disclosures, and rights response procedures covering access, correction, erasure, and grievance redressal timelines.
Breach preparedness. Align incident response plans to notify the Data Protection Board and affected data principals promptly, incorporating log retention and evidence collection.

Control alignment

Governance. Appoint accountable officers for DPDP compliance, especially for Significant Data Fiduciaries subject to impact assessments and independent audits.
Third-party oversight. Amend processor contracts to incorporate DPDP obligations, sub-processing approvals, and cross-border transfer restrictions.
Data lifecycle. Implement retention policies, purpose limitation checks, and secure disposal practices consistent with Section 8 duties.

Enablement moves

Stand up registers of data processing, consents, and child data safeguards to evidence compliance readiness.
Deploy consent management tooling that supports withdrawal, preference updates, and age verification where parental consent is required.
Track forthcoming rules on cross-border transfer whitelists and Data Protection Board procedures to refine compliance roadmaps.

Sources

Zeph Tech guides privacy, security, and legal teams through DPDP Act readiness, spanning consent design, governance playbooks, and audit evidence preparation.