DPDP Act Compliance for Businesses

The Digital Personal Data Protection Act, 2023 has been enacted. If your business collects, stores, or processes personal data of customers, employees, or vendors, you have obligations under this law. Most businesses are not yet compliant.

What the DPDP Act Requires

The Digital Personal Data Protection Act, 2023 establishes obligations for any entity that determines the purpose and means of processing personal data, which the Act calls a Data Fiduciary. This includes businesses that collect customer information through websites, apps, or forms; employers who maintain employee records; and any organisation that shares personal data with vendors or service providers (Data Processors under the Act).

The Act requires, among other things: a lawful basis for processing personal data (consent, or one of the legitimate uses the Act specifies); consent that is free, specific, informed, unconditional and unambiguous, given by clear affirmative action; a notice in clear and plain language describing what data is collected and for what purpose; a mechanism for individuals (Data Principals) to access, correct, and erase their data and to have grievances addressed; reasonable security safeguards to prevent personal data breaches; and notification of the Data Protection Board of India and each affected Data Principal in the event of a breach. Note that the security-safeguards duty applies regardless of whether the processing is done in-house or by a vendor: the Data Fiduciary remains responsible for processing carried out on its behalf.

Non-compliance carries significant financial exposure. The Data Protection Board of India is empowered to impose penalties of up to Rs. 250 crore per instance, the highest tier in the Act's Schedule being reserved for failure to implement reasonable security safeguards. In fixing the amount, the Board considers the nature, gravity and duration of the breach, whether it is repetitive, and the type of personal data affected.

Who This Affects

DPDP compliance is not limited to large technology companies. Any business with a website that collects contact information, an app that processes user data, a loyalty programme, a patient database, an employee HR system, or a vendor network involving personal data sharing is a Data Fiduciary under the Act, because it decides why and how that data is processed.

This includes e-commerce businesses, clinics and hospitals, educational institutions, fintech and SaaS companies, retail businesses, staffing agencies, and any organisation operating in India that handles customer or employee data.

What Gurman Chahal Chambers Provides

The practice offers structured DPDP Act compliance engagements calibrated to the scale and complexity of the client’s operations.

A baseline compliance engagement includes a privacy policy drafted for the specific business (not a generic template), terms of service, a consent notice meeting the Act’s requirements, a data processing agreement for use with vendors and processors, a cookie policy, and an employee data processing notice.

For more complex organisations, the engagement extends to a data audit framework, an internal compliance protocol, a data breach response procedure, and ongoing advisory as the Rules under the Act are notified and implemented.

DPDP compliance is also included as a component of the Annual Legal Retainer for Tier 2 and Tier 3 clients.

Frequently Asked Questions

Q: The Rules under the DPDP Act have not yet been finalised. Should I wait?

No. The Act has been enacted, and the obligations of Data Fiduciaries (consent, notice, security safeguards, breach notification, grievance redressal) are fixed in the statute itself. The Rules will detail implementation timelines and thresholds, but waiting for them before beginning compliance preparation means you will be behind from the day they are notified.

Q: We are a small business. Does the DPDP Act apply to us?

The Act applies to any entity processing personal data, regardless of size, with certain exemptions such as processing for purely personal or domestic purposes. If you have a website with a contact form, you are processing personal data. If you have employees, you are processing personal data. Size does not determine applicability.

Q: We already have a privacy policy from a template we found online.

A generic or copied privacy policy does not constitute compliance. The DPDP Act requires that the consent notice and privacy policy reflect the actual data processing activities of your specific organisation, be written in plain language, and provide a functional mechanism for Data Principals to exercise their rights. A template drafted under a different legal framework (such as the GDPR) uses different concepts, lawful bases and rights, and does not meet these requirements.

Discuss Your Compliance Position

A preliminary consultation to assess your organisation’s current data processing practices and compliance gaps is available. Contact chambers to schedule.

Contact Information

+91-9716148925

contact@gurmanchahalchambers.com

Mon-Sun, 24/7
