Data Strategy Briefing — August 11, 2023

Executive briefing: President Droupadi Murmu gave assent to India’s Digital Personal Data Protection Act, 2023 on 11 August 2023, transforming the bill into Act No. 22 of 2023 and triggering timelines for rulemaking on consent, breach reporting, and cross-border data transfers.

Key data governance checkpoints

• Significant fiduciary scoping. Determine whether processing volumes, children’s data, or sensitive profiling thresholds will qualify the organisation as a “significant data fiduciary” subject to enhanced obligations.
• Consent lifecycle. Map consent notices, revocation paths, and grievance redressal that must align with Sections 6–7 once rules specify form and manner.
• Cross-border planning. Inventory data flows that may be curtailed by forthcoming whitelists or blacklists issued under Section 16.

Operational priorities

• Rulemaking watch. Track MeitY consultations for implementing rules on notice formats, data retention, and significant fiduciary criteria to front-load compliance investments.
• Board reporting. Prepare governance updates covering penalty exposure of up to INR 250 crore per contravention and required appointments such as data protection officers in India.
• Vendor clauses. Refresh processor contracts to embed DPDP Act audit, breach notification, and purpose limitation requirements ahead of enforcement.

Enablement moves

• Launch training that explains how the DPDP Act’s consent model differs from GDPR and sectoral Indian rules to align marketing, product, and HR practices.
• Design playbooks for the forthcoming Data Protection Board of India covering incident submissions, voluntary undertakings, and appellate reviews.

Sources

• The Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023)
• Press Information Bureau note on the President’s assent to the DPDP Act

Zeph Tech guides India and APAC teams through DPDP Act readiness, combining consent design, vendor governance, and cross-border data mapping.