1. What the DPDP Act covers
The Act applies to the processing of digital personal data: personal data (data that can identify an individual) that is collected in digital form, or collected in non-digital form and digitised afterwards. It applies to processing within India and, in defined cases, to processing outside India that is connected with offering goods or services to individuals in India.
2. Know the key roles
- Data Principal — the individual the personal data is about.
- Data Fiduciary — the organisation that decides why and how personal data is processed.
- Data Processor — a party that processes data on behalf of a fiduciary.
- Significant Data Fiduciary — a fiduciary designated by the Central Government on factors such as the volume and sensitivity of the personal data it processes and the risk to data principals; designation brings extra obligations.
3. Lawful processing and consent
Personal data may be processed only for a lawful purpose and only on a valid basis: the data principal's consent, or one of the "legitimate uses" the Act recognises (for example, data the principal voluntarily provided for a specified purpose). Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action and limited to the specified purpose, and it must be as easy to withdraw as it was to give; withdrawal does not affect the lawfulness of processing done before it. A clear notice describing the personal data, the purpose, how the principal can exercise their rights and how they can complain to the Data Protection Board must accompany or precede each request for consent.
4. Data principal rights
- Right to access information about their processed data.
- Right to correction, completion and erasure.
- Right to grievance redressal.
- Right to nominate another person to exercise these rights in the event of the principal's death or incapacity.
5. Obligations of data fiduciaries
- Provide a clear notice and obtain a valid basis for processing.
- Maintain accuracy and implement reasonable security safeguards.
- Report personal-data breaches to the Data Protection Board of India and to each affected data principal.
- Limit retention — erase data when the principal withdraws consent or when the purpose is no longer served, whichever is earlier, unless retention is required by law.
- Engage processors only under a valid contract, and remain responsible for their compliance.
6. Extra duties for Significant Data Fiduciaries
Organisations designated as Significant Data Fiduciaries carry additional statutory requirements: appoint a Data Protection Officer based in India who represents the fiduciary and is the point of contact for grievance redressal, appoint an independent data auditor to evaluate compliance, conduct periodic Data Protection Impact Assessments and audits, and take any other measures that are prescribed.
7. Build your DPDP programme
- Map your personal data in a record of processing activities (RoPA): what you hold, where it flows, the purpose and lawful basis for each processing activity, and how long each purpose needs the data.
- Fix your consent and notice mechanisms so that consent is purpose-specific, recorded, and withdrawable with the same ease as it was given.
- Stand up a process to fulfil data-principal requests (access, correction, erasure, grievances) within the prescribed timelines.
- Implement reasonable security safeguards and a breach-response process that can notify the Board and affected principals.
- Govern your processors by contract and set retention/erasure schedules driven by the purposes recorded in your data map.
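The data map, consent handling and retention schedule above are usually built as one mechanism: the RoPA fixes the purpose and retention period for each processing activity, the consent ledger records grant and withdrawal per purpose, and the erasure sweep is driven by both. The following is an added illustration of that wiring (consent withdrawal in section 3, the erasure duty in section 5, and the programme steps here); it is not code from CyberSigma, the Act or the Rules, and every field name, purpose label, retention period and sample record is an assumption constructed for the demo.

```python
# Added example: a purpose-keyed data map (RoPA), a consent ledger with
# withdrawal as a first-class operation, and a retention sweep driven by
# the map. Not CyberSigma's or the DPDP Act's own code; all names, purposes,
# retention periods and sample records below are assumptions for the demo.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class RopaEntry:
    """One row of the record of processing activities: what is held and why."""
    purpose: str
    lawful_basis: str            # assumed labels: "consent" or "legitimate_use"
    data_categories: tuple
    retention: timedelta         # how long the data is needed after the purpose was last served


@dataclass
class Consent:
    principal_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class DataRecord:
    principal_id: str
    purpose: str
    purpose_served_at: datetime  # last time this purpose actively needed the data
    legal_hold: bool = False     # retention still required by some other law


class ConsentLedger:
    """Append-only consent history; a withdrawal closes the open grant for that purpose."""

    def __init__(self):
        self._consents = []

    def grant(self, principal_id, purpose, at):
        self._consents.append(Consent(principal_id, purpose, at))

    def withdraw(self, principal_id, purpose, at):
        # Same single call as grant(); effective from `at` onward, never retroactive.
        for c in self._consents:
            if c.principal_id == principal_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = at

    def valid_at(self, principal_id, purpose, at):
        # Consent is valid at `at` if a grant preceded it and no withdrawal had yet taken effect.
        return any(
            c.principal_id == principal_id and c.purpose == purpose
            and c.granted_at <= at and (c.withdrawn_at is None or at < c.withdrawn_at)
            for c in self._consents
        )


def may_process(ropa, ledger, record, at):
    """Purpose-bound check run before any processing of `record` at time `at`."""
    entry = ropa[record.purpose]
    if entry.lawful_basis == "legitimate_use":
        return True
    return ledger.valid_at(record.principal_id, record.purpose, at)


def retention_sweep(ropa, ledger, records, now):
    """Return (record, reason) pairs due for erasure; legal holds are honoured."""
    due = []
    for r in records:
        if r.legal_hold:
            continue
        entry = ropa[r.purpose]
        if entry.lawful_basis == "consent" and not ledger.valid_at(r.principal_id, r.purpose, now):
            due.append((r, "no valid consent (withdrawn or never granted)"))
        elif now - r.purpose_served_at > entry.retention:
            due.append((r, "retention period elapsed"))
    return due


def build_demo_state():
    """Constructed sample RoPA, consent history and records (not real data)."""
    now = datetime(2025, 1, 31, tzinfo=timezone.utc)
    ropa = {
        "newsletter": RopaEntry("newsletter", "consent", ("email",), timedelta(days=30)),
        "order_fulfilment": RopaEntry("order_fulfilment", "legitimate_use",
                                      ("name", "address"), timedelta(days=365)),
    }
    ledger = ConsentLedger()
    ledger.grant("p1", "newsletter", now - timedelta(days=100))
    ledger.grant("p2", "newsletter", now - timedelta(days=100))
    ledger.withdraw("p2", "newsletter", now - timedelta(days=1))
    records = [
        DataRecord("p1", "newsletter", now - timedelta(days=1)),
        DataRecord("p2", "newsletter", now - timedelta(days=1)),
        DataRecord("p3", "order_fulfilment", now - timedelta(days=400)),
        DataRecord("p4", "order_fulfilment", now - timedelta(days=400), legal_hold=True),
        DataRecord("p5", "order_fulfilment", now - timedelta(days=10)),
    ]
    return ropa, ledger, records, now


if __name__ == "__main__":
    ropa, ledger, records, now = build_demo_state()
    for rec, reason in retention_sweep(ropa, ledger, records, now):
        print(f"erase {rec.principal_id}/{rec.purpose}: {reason}")
```

Two design points are worth noting. The sweep asks the ledger about consent at `now`, so a withdrawal flags the record for erasure on the next run without any separate "delete on withdraw" hook, while `may_process` evaluated at an earlier timestamp still returns true for processing done before the withdrawal. The `legal_hold` flag models the Act's carve-out for retention required by other law; without it a sweep would erase records a fiduciary is obliged to keep.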
8. Why it matters
Non-compliance can attract monetary penalties imposed by the Data Protection Board, up to ₹250 crore per instance under the Act's Schedule (the highest tier applies to failing to take reasonable security safeguards). Beyond penalties, demonstrable data protection is increasingly a condition of doing business with enterprise and regulated customers.
How CyberSigma helps
Our SigmaAssist DPDP capability and senior privacy team help you map data, run consent and rights operations, produce cryptographic evidence, and stand up an audit-ready DPDP programme.
This guide is educational and not legal advice. Requirements evolve — validate specifics against the current standard or regulation for your situation.
