Introduction: DPDP Act Compliance

There is a dangerous illusion circulating in boardrooms and startups alike: that compliance with the Digital Personal Data Protection Act, 2023 is a matter of drafting a privacy policy and moving on.

It is not.

The Act does not regulate documents. It regulates conduct. It does not ask what you say about data. It asks what you actually do with it—and whether you can prove it.

Most organizations today cannot.

They collect data without mapping it.
They retain data without reason.
They share data without control.
And when asked basic questions—why do you have this data? who has access? how long is it kept?—they do not have answers. They have assumptions.

The DPDP framework converts those assumptions into legal exposure.

This article is not a checklist for ticking boxes.
It is a checklist for surviving scrutiny.

I. The First Principle: If You Handle Data, You Are Already in the Frame

The applicability question is often asked in the wrong way.

Businesses ask: “Does the DPDP Act apply to us?”
The correct question is: “Where exactly are we processing digital personal data?”

Section 3 of the Act answers this with uncomfortable clarity. It applies to:

  • digital personal data processed in India,
  • personal data collected offline but digitised later, and
  • certain processing outside India where linked to offering goods or services in India

The threshold is not a scale. It is activity.

A small consultancy with a website contact form is closer to the Act than it realizes.
An employer with HR software is already inside it.
A startup with a waitlist is not “early-stage”; it is already processing data.

The law does not wait for maturity. It attaches at first contact.

II. Data Mapping: The Step Most Businesses Skip—and Regret

Before compliance comes visibility.

Most businesses do not know:

  • what categories of personal data they hold,
  • how many systems store it,
  • how many people access it,
  • or how many third parties receive it

That is not a compliance gap. That is a control failure.

A defensible organisation should be able to answer, at any point:

  • what data is collected,
  • the exact purpose for each category,
  • the system in which it is stored,
  • access control layers,
  • onward sharing chains,
  • and retention timelines

Without this, everything else—privacy policy, consent, safeguards—is guesswork dressed as governance.

III. Consent: The Most Misused Concept in Indian Compliance

Consent under the DPDP Act is not a ritual. It is a legal standard.

It must be:

  • free,
  • specific,
  • informed,
  • unconditional, and
  • unambiguous

Now compare this with prevailing practice:

  • bundled consent for multiple purposes
  • pre-ticked boxes
  • vague descriptions like “for business improvement”
  • no real mechanism for withdrawal

That is not consent. That is convenience.

A legally sustainable consent framework requires:

  • purpose-wise separation
  • clear language tied to actual processing
  • visible linkage to privacy notice
  • real withdrawal mechanism

The test is simple:

If challenged, can you show exactly what the individual agreed to—and for what purpose?

If not, the consent will not hold.

IV. The Website Problem: Where Most Exposure Begins

Most businesses underestimate their website.

They treat it as marketing real estate. The law treats it as a data collection interface.

A typical website today includes:

  • enquiry forms
  • appointment bookings
  • CV uploads
  • newsletter subscriptions
  • chat integrations
  • user accounts

Each of these is a point of data capture.

Under the DPDP Rules, 2025, the law goes further. It requires the Data Fiduciary to:

  • publish contact details for data-related queries on the website or app
  • provide a grievance redress mechanism
  • disclose how rights can be exercised

This is not incidental drafting. It is intentional design.

The Rules assume your website is not passive.
They assume it is part of your compliance architecture.

And in most businesses, it is the weakest part.

V. Employee Data: The Most Ignored Risk

If customer data is visible risk, employee data is hidden risk.

Employers process:

  • identity documents
  • financial data
  • health disclosures
  • performance records
  • disciplinary material
  • surveillance-linked data (attendance, CCTV, access logs)

Yet internally:

  • access is rarely restricted
  • retention is undefined
  • sharing is informal
  • documentation is weak

This creates a structural vulnerability.

Employee data is not exempt by default. It is personal data.
And mishandling it is often easier to prove because the data trail is internal.

A compliant structure requires:

  • employee-facing privacy notice
  • access control protocols
  • defined retention
  • controlled sharing with vendors

Without this, HR becomes a compliance blind spot.

VI. Vendor Risk: Liability Does Not Outsource

Every organization uses third parties:

  • cloud providers
  • payroll processors
  • CRM tools
  • IT vendors
  • consultants

These entities process data—but on your behalf.

The Act recognises them as Data Processors.
But it does not shift responsibility away from the Data Fiduciary.

That means:

  • you must control how vendors handle data
  • you must define contractual obligations
  • you must ensure safeguards exist

A vendor breach is not “their problem.”
It becomes your compliance failure.

VII. Retention: The Habit That Will Hurt You Most

Indian organisations have one deeply embedded instinct:

Do not delete anything.

From a litigation perspective, that instinct has logic.
From a data protection perspective, it creates risk.

The DPDP framework requires:

  • purpose limitation
  • storage limitation

Data must not be retained indefinitely without justification.

The longer you hold unnecessary data:

  • the greater your breach exposure
  • the greater your compliance burden
  • the weaker your defence

Retention is not a storage issue.
It is a liability multiplier.

VIII. Breach Preparedness: Where Theory Meets Reality

Most organisations assume breach is a technical problem.

It is not.
It is a legal event.

A breach response must include:

  • identification
  • containment
  • escalation
  • legal assessment
  • documentation
  • notification (where applicable)

The real risk is not just breach. It is unstructured response.

When questioned later, what matters is:

  • what you knew
  • when you knew it
  • what you did
  • and what you recorded

Without documentation, even a well-handled breach looks negligent.

IX. Grievance Redress: The First Point of Escalation

Under the DPDP framework:

  • individuals have rights
  • they can raise grievances
  • you must respond

This is not optional courtesy. It is statutory obligation.

A functioning system requires:

  • a designated contact point
  • response timelines
  • internal escalation
  • tracking

Ignoring grievances is not neutral.
It is escalation waiting to happen.

X. The Real Compliance Test

Strip away the jargon, and the DPDP Act asks one question:

Can you justify your data practices with evidence?

Not explanations.
Not intentions.
Not policies written after the fact.

Evidence.

  • why the data was collected
  • how consent was obtained
  • where it was stored
  • who accessed it
  • how long it was retained
  • what safeguards existed

If you can answer these with records, you are compliant in substance.
If you cannot, you are exposed—regardless of how polished your documents look.

Conclusion

The Digital Personal Data Protection Act, 2023 is not a compliance checklist law. It is a discipline law.

It forces organisations to:

  • understand their data,
  • control their processes,
  • document their decisions, and
  • take responsibility for their systems

The businesses that approach it as documentation will struggle.
The businesses that approach it as governance will adapt.

Because in the end, the law does not punish ignorance.
It exposes it.

And once exposed, it is very difficult to defend.
