← Back to all briefings
Data Strategy 5 min read Published Updated Credibility 40/100

Data Strategy Briefing — India Digital Personal Data Protection Act Assent

India's President gave assent to the Digital Personal Data Protection Act on 11 August 2023, establishing a national consent-led privacy regime, cross-border transfer controls, and penalty framework that organizations processing Indian data must now implement.

Zeph Tech Research Lead

Research lead, Zeph Tech

Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

India's Digital Personal Data Protection Act (DPDP Act) received presidential assent on 11 August 2023. The law introduces a consent-centric framework, defines obligations for data fiduciaries and significant data fiduciaries, and empowers the Data Protection Board to levy penalties for noncompliance. It also sets conditions for cross-border transfers, with government notifications defining approved jurisdictions.

What changed

  • Data fiduciaries must secure consent (or rely on limited legitimate uses) for processing and provide withdrawal, access, and correction rights to data principals.
  • Significant data fiduciaries face additional duties: DPIAs, independent audits, appointing a Data Protection Officer based in India, and grievance redressal mechanisms.
  • Cross-border transfers are allowed unless restricted by government notification; penalties can reach billions of rupees for violations.

Why it matters

  • Enterprises handling Indian personal data must implement consent management, notice updates, and withdrawal handling aligned with the DPDP Act.
  • Vendors and cloud providers need to evaluate whether they qualify as significant data fiduciaries and prepare for audits, DPIAs, and local representation.
  • Cross-border data strategies must track forthcoming whitelists/blacklists to determine whether data localization or regional processing is required.

Action checklist

  • Inventory Indian personal data flows, update privacy notices, and deploy consent/withdrawal workflows that log signals for auditability.
  • Assess whether you meet significant data fiduciary thresholds and prepare DPIA templates, board reporting, and DPO appointment plans.
  • Monitor government notifications on permitted destinations and refresh contracts and technical controls for transfers accordingly.
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • India
  • Privacy
  • Cross-border data
  • Compliance
  • Governance
Back to curated briefings