

The Digital Personal Data Protection Act, 2023 — commonly called DPDP — received Presidential assent on 11th August 2023. It is India’s first dedicated law governing how digital personal data is collected, stored, processed and protected.
This is not just a legal or compliance matter. At its core, DPDP is a technology obligation.
Here is what every IT leader, CTO, and technology team in India needs to understand right now.
What is DPDP?
The Act was designed to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes. It balances individual privacy rights with legitimate business and government needs.
Who does it apply to?
The Act applies to the processing of digital personal data within India — whether collected in digital form or collected in non-digital form and digitised subsequently. It also applies to organisations outside India if they offer goods or services to individuals (Data Principals) within India.
If your organisation collects a customer’s name, email ID, mobile number, transaction data, or any other information from which that individual can be identified — you are a Data Fiduciary under this law.
What does “processing” include?
Under Section 2(x) of the Act, processing covers collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, transmission, dissemination, restriction, erasure and destruction of personal data.
In short — almost everything your systems do with data.
Why does your IT team specifically need to pay attention?
Because the Act mandates “appropriate technical and organisational measures” to ensure effective observance of its provisions (Section 8(4)). The law does not just ask management to sign a policy. It requires your systems, architectures, and processes to reflect compliance by design.
It mandates encryption, access controls, logging, breach detection, automated erasure, and grievance portals — all of which live in the technology layer.
What happens if you don’t comply?
Penalties under the Schedule of the DPDP Act can extend up to ₹250 crore for a single breach. For failure to implement reasonable security safeguards, the penalty can reach ₹200 crore. These are not theoretical — the Data Protection Board of India has the power to investigate, inquire, and impose these penalties.
What’s next in this series?
Over the next 8 episodes, we will walk through every major area where technology directly enables DPDP compliance — from consent management platforms and encryption, to automated data erasure and breach notification pipelines.
Follow DSK Sustainability Tech LLP for the full series.
In association with our knowledge partners — Karthik & Sunil, Chartered Accountants.
Disclaimer
This note is for general informational purposes only and should not be treated as legal opinion or professional advice. The applicability of Work from Home, employee monitoring, DPDP Act requirements and labour-law obligations may vary based on the facts, sector, state laws, employment terms and internal policies.
Organisations should obtain a specific legal opinion from a qualified advocate / labour-law expert / data-protection professional before implementing or relying on any Work from Home or employee monitoring policy.