1. DPDP Compliance Overview

This framework is designed to ensure that personal data is protected and processed in a lawful, fair, transparent, and secure manner. It establishes principles and controls so that personal data is collected and used only for clearly defined, specific, and legitimate purposes, with appropriate technical and organizational safeguards maintained throughout the data lifecycle.

This framework recognizes and supports the statutory rights of Data Principals and provides defined mechanisms that enable individuals to access, review, correct, update, or request deletion of their personal data, and to withdraw consent where applicable, through structured and accessible processes.

This framework applies across all digital platforms, applications, systems, and processes where personal data is collected, stored, used, shared, or otherwise processed.

2. Applicability & Scope

Applicability

  • Personal data collected in digital form.
  • Personal data initially collected in non-digital form and subsequently digitized.
  • Processing carried out within India.
  • Processing carried out outside India where goods or services are offered to individuals in India.

Scope

This framework covers personal data relating to:

  • Customers and users
  • Employees, interns, and contractors
  • Vendors, partners, and service providers
  • Website, application, and platform visitors

Anonymized data and non-personal data processed for lawful business purposes are excluded from scope.

3. Role of the Organization under DPDP

The organization performs its obligations under DPDP based on its role in each processing activity:

Data Fiduciary: Where the organization determines the purpose and means of processing personal data.

Explanation on Data Fiduciary

A Data Fiduciary is an entity (organization/company) that decides why personal data is collected and how it will be used. Under India’s Digital Personal Data Protection (DPDP) Act, 2023, the Data Fiduciary is primarily responsible for collecting data lawfully, being clear with people about how their data is used, protecting the data, and making sure individuals can exercise their data protection rights.

As a Data Fiduciary, the organization takes full responsibility for ensuring personal data is handled lawfully, transparently, and securely.

Purpose Limitation

  • Personal data is collected only for specific, lawful, and clearly defined purposes.

Data Minimization

  • Only data that is necessary for providing our services is collected.

Transparency

Users are informed about:

  • What data is collected
  • Why and how it is used
  • Retention period
  • How rights can be exercised

Valid Consent

  • Personal data is processed only with free, informed, and explicit consent where required.

Easy Consent Withdrawal

Users can withdraw consent at any time through simple and accessible mechanisms.

Data Processor: Where the organization processes personal data on behalf of another Data Fiduciary under contractual instructions.

Role determination is conducted on an activity-by-activity basis and documented to ensure clear accountability and regulatory traceability.

Explanation on Data Processor

A Data Processor is a third party that processes personal data only on the instructions of a Data Fiduciary and does not decide the purpose or means of processing.

Common examples include:

  • Cloud & hosting providers
  • SaaS tools (CRM, payroll, email, and analytics)
  • IT & customer support vendors
  • Data storage and backup providers

A processor may store, organize, analyze, transfer, secure, retrieve, or delete data strictly as instructed by the Data Fiduciary. It cannot reuse, repurpose, or independently decide on data use.

DPDPA Self-Assessment tool

Use this tool to determine your organization’s role under the DPDP Act and understand the compliance responsibilities that apply to your processing activities.

4. Personal Data Processing Context

Categories of Personal Data

The organization processes personal data limited to what is necessary for defined purposes, including:

  • Identity and contact information
  • Employment and professional data
  • Customer and account-related data
  • Vendor and business contact information
  • System-generated identifiers, logs, and access records

What is Personal Data?

  • Personal data is any data that can identify an individual, directly or indirectly.
  • This includes names, contact details, IDs, financial data, health information, online identifiers, location data, photographs, and user behavior data.
  • If a person can be identified now or in the future, the data is personal data.

Why is Personal Data regulated?

Personal data represents:

  • An individual’s identity
  • Their privacy
  • Their financial and personal safety

Uncontrolled use or misuse can lead to:

  • Identity theft
  • Financial fraud
  • Surveillance and profiling
  • Discrimination and reputational harm

The DPDP Act exists to protect individuals and build trust, while allowing legitimate digital use of data.

How Personal Data Must Be Handled?

  1. Lawful Collection
    • Data must be collected for specific and legitimate purposes.
    • Consent must be free, informed, and explicit, unless legally exempt.
  2. Minimal & Fair Use
    • Only data necessary for the purpose may be collected; no excessive or unrelated data.
  3. Transparency
    • Individuals must be informed about:
      • What data is collected
      • Why it is collected
      • How it is used and shared
      • How long it is retained
      • How to exercise their rights
  4. Secure Processing
    • Organizations must implement access controls, encryption, monitoring, secure storage, and vendor security checks.
  5. Controlled Sharing
    • Data may be shared only with authorized processors, and processors must act strictly under written instructions.
  6. Storage Limitation
    • Data must be deleted once the purpose is fulfilled; there should be no indefinite retention. Data must be retained only for the period specified in the legal agreement between the client and the organization.

What if Personal Data is LEAKED?

A data breach under DPDP is not just an IT issue; it is a legal failure. It can have an immediate impact on business continuity and can harm individuals, leading to loss of customer trust and reputational damage to the organization. Data leakage can also cause operational disruption and legal consequences. A mandatory breach response and cooperation is a prerequisite for mitigating this, and failing to adhere to it can result in penalties of up to ₹250 crore for the organization.

Note: Liability remains with the Data Fiduciary, even if the breach occurs at a third-party processor.
A breach of personal data can damage the organization's brand and market trust over time, as well as hurt its credibility with the public, cause customers to leave, and make partners and investors less confident in the company.

Purpose Limitation

Personal data is processed strictly for specified, explicit, and lawful purposes and is not retained or reused beyond those purposes unless legally required.

Data Lifecycle

  • Collection through digital channels and authorized interfaces
  • Validation and lawful use based on consent or legitimate use
  • Secure storage with role-based and need-to-know access
  • Controlled sharing with authorized internal and external parties
  • Retention aligned to purpose and statutory requirements
  • Secure deletion or irreversible anonymization

6. Rights of Data Principals

In accordance with Section 11 of the DPDP Act, the organization enables Data Principals to exercise their rights, including:

  • Access to information about personal data processing
  • Correction of inaccurate or incomplete personal data
  • Erasure of personal data no longer required
  • Grievance Redressal
  • Nomination of a representative in case of death or incapacity

Note: Requests are subject to identity verification and are addressed within prescribed timelines.

7. Data Security & Safeguards

Security Measures

As required under Section 8, the organization must implement reasonable technical and organizational safeguards, including:

  • Role-based access controls
  • Encryption and secure transmission mechanisms
  • Logging and monitoring of data access
  • Secure system configuration and patching
  • Periodic risk assessments and reviews

Personal Data Breach Management

A personal data breach includes unauthorized access, disclosure, alteration, loss, or destruction of personal data.

The organization maintains an incident response mechanism to:

  • Detect and assess data breaches
  • Notify the Data Protection Board of India where required
  • Inform affected Data Principals where applicable
  • Implement corrective and preventive actions

8. Data Retention & Deletion

Personal data must be retained only for as long as necessary to fulfill the stated purpose or comply with legal and regulatory requirements.

Retention schedules are to be defined and reviewed periodically. Upon completion of purpose or withdrawal of consent, personal data must be securely deleted or irreversibly anonymized.

9. Third-Party & Vendor Management & Cross-Border Data Transfers

Data Processors

Where Data Processors are engaged:

  • Processing is governed by written contracts
  • Processors act only on documented instructions
  • Confidentiality and security obligations are enforced
  • Compliance is periodically reviewed

Vendor Management

To comply with Section 8 obligations, the organization must maintain a structured vendor and third-party management framework to ensure that personal data processed by external entities remains protected and lawfully handled.

Key controls include:

  • Vendor classification based on data access, sensitivity, and processing risk
  • Mandatory DPDP-aligned data protection clauses in contracts and agreements
  • Clear articulation of processing purpose, scope, and duration for vendors
  • Obligation on vendors to implement reasonable security safeguards equivalent to the organization
  • Contractual requirements for breach notification, cooperation, and remediation

Vendor Due Diligence & Ongoing Oversight

  • Pre-onboarding data protection due diligence for vendors handling personal data
  • Periodic vendor compliance reviews and reassessments
  • Right-to-audit or assurance mechanisms
  • Defined exit and data return or deletion obligations upon contract termination

Cross-Border Transfers

Personal data may be transferred outside India only to countries or territories notified by the Central Government, subject to applicable safeguards.

10. Governance & Accountability Structure

DPDP compliance is governed through:

  • Senior management oversight
  • Defined internal roles and responsibilities
  • Departmental SPOCs for data protection
  • Escalation and decision-making mechanisms

Where applicable, the obligations of Significant Data Fiduciaries, such as appointment of a Data Protection Officer, DPIAs, and audits, are fulfilled.

Significant Data Fiduciaries (SDF)

A Significant Data Fiduciary (SDF) under India’s DPDP Act, 2023 is an organization designated by the Government based on the scale, sensitivity, and risk of its personal data processing.

This classification applies to entities whose data practices can significantly impact individuals, public order, or national interest.

For instance: digital platforms and large online services, FinTech companies, healthcare and HealthTech providers, EdTech and child-focused platforms, government-linked and public service platforms, and AI and analytics companies.

The SDF framework follows a risk-based approach. Organizations that process large volumes of personal data or use advanced technologies are subject to higher accountability.

Once designated, an SDF must meet additional obligations, including appointing a Data Protection Officer in India, conducting Data Protection Impact Assessments (DPIAs), undergoing independent audits, and implementing enhanced security and governance controls.

SDF compliance is operational, not just policy-driven. It requires strong oversight of data processing, vendors, consent mechanisms, and security practices. The objective is to ensure that organizations with greater data power handle personal data responsibly, protect user rights, and maintain trust.

11. Grievance Redressal Mechanism

A Grievance Officer must be designated to address complaints and queries from Data Principals.

Grievances can be raised through designated communication channels and are resolved within statutory timelines. Unresolved grievances may be escalated to the Data Protection Board of India.

12. Training, Monitoring & Continuous Improvement

Employees and relevant stakeholders should receive periodic training on DPDP obligations, secure data handling, and incident reporting.
The organization should conduct regular compliance reviews, internal audits, and gap assessments to ensure continuous improvement and alignment with regulatory developments.

13. Updates to These Guidelines and Knowledge Base

This framework is reviewed and updated periodically to reflect changes in law, regulatory guidance, business processes, and risk posture. The effective date and version history are maintained for transparency.