The Digital Personal Data Protection Act 2024 is live. This plain-English guide tells Indian companies exactly what they need to do to comply.
The Digital Personal Data Protection (DPDP) Act 2024 is India's first comprehensive personal data protection law. It came into force in August 2024, and while the government has been phasing in its enforcement machinery, companies that haven't started their compliance journey are taking a significant risk.
This guide cuts through the legal language and tells you exactly what the DPDP Act requires — and what you need to do first.
The Act applies to all entities that process 'digital personal data' — data in digital form, or data that has been digitised — of individuals in India. This includes data processed outside India if it relates to goods or services offered to individuals in India. There is no minimum size threshold.
Practically, this means: if you store customer data, employee records, or any other personal information in a digital system — including cloud software, email, or even scanned documents — the DPDP Act applies to you.
The Act requires 'free, specific, informed, unambiguous, and unconditional' consent before processing personal data. The consent must be given by a clear affirmative action — not pre-ticked boxes or buried terms and conditions. You must be able to prove the consent was given, which means your consent management system needs to log consent with a timestamp.
Individuals (called 'Data Principals' under the Act) have the right to: access their personal data, correct inaccurate data, erase their data (the 'right to be forgotten' in certain circumstances), and nominate a representative to exercise rights on their behalf.
You need an operational process to handle these requests within the prescribed timeline (currently 30 days). This means training your customer service team, building a request intake mechanism, and connecting it to your data systems.
Every company that processes personal data is a 'Data Fiduciary' under the Act. Your core obligations are: processing data only for specified, clear purposes; retaining data only as long as necessary; implementing appropriate security safeguards; and notifying the Data Protection Board and affected individuals in the event of a data breach.
The government can designate certain organisations as 'Significant Data Fiduciaries' based on the volume and sensitivity of data processed, and the risk to Data Principals. Significant Data Fiduciaries face additional obligations including Data Protection Impact Assessments, a Data Protection Officer, and periodic audits.
Personal data can be transferred outside India to countries notified by the government. The default list hasn't been finalised yet, but companies should be mapping their current international data flows now — particularly to cloud providers with servers outside India.
Step 1: Data inventory — map all personal data you hold, where it lives, how it was collected, and what it's used for.
Step 2: Consent audit — assess whether existing data was collected with DPDP-compliant consent.
Step 3: Policy update — update privacy notices, consent forms, and internal data handling policies.
Step 4: Process design — build the operational processes to handle Data Principal rights requests.
Step 5: Security review — assess your technical safeguards against the Act's requirements.
Step 6: Breach response — design and test your breach notification process.
Chabil Consulting provides DPDP Act compliance programmes for Indian companies. Our programme takes 6–8 weeks and produces a complete compliance baseline, policy suite, and operational processes aligned to the Act. Start with our free assessment at https://chabilconsulting.com/contact.