What Indian Businesses Should Know About the DPDP Act

Why This Law Exists

Your customers give you data — their names, addresses, phone numbers, email IDs, and payment information. Before the DPDP Act came into effect on November 11, 2023, companies could collect this data with minimal transparency, minimal consent, and minimal accountability.

The Act changes that. It says: be honest about what data you collect, get clear permission, protect it seriously, and if something goes wrong, tell people immediately.

Everything else flows from this basic principle.

Three Things You Absolutely Must Do

1. Be Clear About What Data You Collect and Why

Write a privacy policy that explains in plain English what personal data you collect, why you collect it, how long you keep it, and who might see it.

You cannot hide this information in fine print. The policy must be clear enough that your average customer can understand it.

This is not optional. This is the foundation of DPDP compliance.

2. Get Real Permission Before Processing Data

Before using someone’s personal data, get their consent. This must be active, not assumed.

  • Unchecked boxes do not count as consent.
  • Implied consent does not count.
  • Only affirmative, clear agreement counts.

Your customer should understand what they are agreeing to.

3. Protect The Data

Protect accounts with passwords, restrict access to data to the people who need it, and encrypt sensitive information.

If the data gets breached — whether hackers gain access or data is accidentally exposed — you must notify the Data Protection Board of India within 72 hours of discovering the breach.

You must also notify affected customers. This is a legal requirement.

How the Act Affects Your Specific Business

E-Commerce and Retail

You collect customer addresses, phone numbers, and payment information. You need a clear privacy policy explaining this collection.

You cannot keep data indefinitely. After a customer’s last transaction, a reasonable retention period is typically one year.

Software and SaaS

If you use cookies or analytics tracking, get explicit consent before setting the cookies or starting the tracking.

Be transparent if you use AI for recommendations or decisions.

Banking and Financial Services

Financial institutions handle extremely sensitive data and require strict access controls and security safeguards.

Marketing activities require explicit opt-in consent.

Healthcare

Medical data is treated as especially sensitive.

Using patient data for research or analytics requires explicit consent.

HR and Recruitment

Do not collect unnecessary employee or candidate data.

Unsuccessful candidate information should be deleted after a reasonable retention period.

Marketing and Advertising

Explicit, clear consent is mandatory for marketing communications and tracking technologies.

The Real Penalties Under the DPDP Act

  • ₹250 Crore: Failure to implement reasonable security safeguards leading to a breach
  • ₹200 Crore: Failure to notify authorities or customers within 72 hours
  • ₹200 Crore: Violations involving children’s data protections
  • ₹150 Crore: Non-compliance by designated data fiduciaries

Five Practical Compliance Steps

  1. Map your data collection and storage systems.
  2. Update your privacy policy in plain language.
  3. Implement granular consent mechanisms.
  4. Strengthen cybersecurity and access controls.
  5. Create a 72-hour breach response plan.
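The consent rules above (only an affirmative, per-purpose opt-in counts, and customers must be able to understand and withdraw what they agreed to), the one-year retention guidance for e-commerce, and the 72-hour notification window can all be expressed as small checks that a compliance engineer can run against real records. The following Python module is an added example written for this article; it is not code from the article's author or from any regulator. The customer IDs, purpose names, dates and the one-year retention default are constructed for the demonstration, and the 72-hour window simply reproduces the figure the article states.

```python
"""Consent register, retention check and breach-notification clock.

Added illustration for the DPDP article (not the article's own code).
Purpose names, customer IDs, dates and the one-year retention default are
constructed sample values; the 72-hour window is the figure the article gives.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOTIFICATION_WINDOW = timedelta(hours=72)   # notification window stated in the article
DEFAULT_RETENTION = timedelta(days=365)     # "typically one year" after the last transaction


@dataclass
class ConsentRecord:
    purpose: str                           # one specific purpose, e.g. "marketing_email"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    """Per-customer, per-purpose consent with an append-only audit trail."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, List[ConsentRecord]]] = {}

    def record_consent(self, customer_id: str, purpose: str,
                       affirmative: bool, at: datetime) -> None:
        # Pre-ticked boxes and implied consent arrive here as affirmative=False
        # and are rejected; only an active opt-in is ever stored.
        if not affirmative:
            raise ValueError(f"consent for {purpose!r} must be an active opt-in")
        bucket = self._records.setdefault(customer_id, {}).setdefault(purpose, [])
        bucket.append(ConsentRecord(purpose, at))

    def withdraw(self, customer_id: str, purpose: str, at: datetime) -> None:
        # Withdrawal closes the open record rather than deleting the history.
        for rec in self._records.get(customer_id, {}).get(purpose, []):
            if rec.withdrawn_at is None:
                rec.withdrawn_at = at

    def has_consent(self, customer_id: str, purpose: str) -> bool:
        # Consent is purpose-specific: consent to fulfil an order says
        # nothing about marketing or analytics.
        records = self._records.get(customer_id, {}).get(purpose, [])
        return any(rec.withdrawn_at is None for rec in records)


def retention_expired(last_transaction: datetime, now: datetime,
                      retention: timedelta = DEFAULT_RETENTION) -> bool:
    """True once the retention period after the last transaction has elapsed."""
    return now - last_transaction > retention


def notification_deadline(discovered_at: datetime) -> datetime:
    """Latest time by which the Board and affected customers must be notified."""
    return discovered_at + NOTIFICATION_WINDOW


def hours_remaining(discovered_at: datetime, now: datetime) -> float:
    """Hours left in the notification window (negative once it has passed)."""
    return (notification_deadline(discovered_at) - now) / timedelta(hours=1)


def demo() -> dict:
    """Run the checks on constructed sample data and return the outcomes."""
    utc = timezone.utc
    reg = ConsentRegister()
    reg.record_consent("cust-001", "order_fulfilment", True, datetime(2024, 1, 10, tzinfo=utc))
    reg.record_consent("cust-001", "marketing_email", True, datetime(2024, 1, 10, tzinfo=utc))
    reg.withdraw("cust-001", "marketing_email", datetime(2024, 3, 1, tzinfo=utc))
    try:
        # Constructed case of a pre-ticked analytics box: must be refused.
        reg.record_consent("cust-002", "analytics", False, datetime(2024, 1, 10, tzinfo=utc))
        implied_rejected = False
    except ValueError:
        implied_rejected = True
    discovered = datetime(2024, 6, 1, 9, 0, tzinfo=utc)
    return {
        "fulfilment_consent": reg.has_consent("cust-001", "order_fulfilment"),
        "marketing_consent": reg.has_consent("cust-001", "marketing_email"),
        "analytics_consent_cust2": reg.has_consent("cust-002", "analytics"),
        "implied_rejected": implied_rejected,
        "retention_expired": retention_expired(datetime(2023, 1, 1, tzinfo=utc),
                                               datetime(2024, 6, 1, tzinfo=utc)),
        "hours_left": hours_remaining(discovered, datetime(2024, 6, 2, 9, 0, tzinfo=utc)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The register keeps withdrawn records instead of deleting them, so you can show later what a customer agreed to and when they changed their mind; the retention and notification helpers are deliberately separate from the register so they can be scheduled against order and incident data on their own.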

One Critical Point About Data Transfers

If your business transfers customer data outside India — whether to cloud providers, overseas vendors, or subsidiaries — you must have a proper data processing agreement in place.

Overseas partners must be contractually bound to maintain DPDP-level protections.

The Bottom Line

The DPDP Act is serious legislation with serious penalties. But compliance is achievable.

It requires honesty about your data practices, clear permission from customers, reasonable security measures, and swift action if something goes wrong.

Think of it as respecting your customers’ information the same way you would want your own information respected.
