Companies can save up to ₹250 crore: Navigating the DPDP Act 2023

The Digital Personal Data Protection Act, 2023 along with the Rules 2025, represents a tectonic shift in India's legal landscape, moving from a "buyer beware" digital economy to one rooted in accountability and trust.
Varun Singh

With over 900 million internet users and an anticipated one-trillion dollar digital market by 2026, India is at the forefront of global digital innovation (Ministry of Electronics and Information Technology, 2023). However, this growth introduces complex challenges like privacy breaches and cybersecurity threats (NITI Aayog, 2018). The Digital Personal Data Protection (DPDP) Act, 2023 is India's definitive response to these risks.

An interesting hallmark of this legislation is its commitment to inclusivity. The Act marks a “first of its kind” shift in Indian legislative drafting by using female pronouns (“she/her”) to refer to all individuals, explicitly stating that “she” includes references to individuals of any gender.

Who does this Act apply to?

Section 3 defines the Act's scope, and its application does not depend on your turnover or financial status. If you handle digital personal data, you are likely a Data Fiduciary.

With respect to the scope of data, it covers Digital Personal Data, which includes any personal data collected in digital form or collected offline and later digitized (for instance, scanning a physical KYC form into a computer).

With respect to territorial reach, the Act covers not only processing within India by any entity operating on Indian soil but also processing outside India. This means that even foreign companies are covered if they process data to offer goods or services to individuals within India (for instance, a US-based streaming service or a Singaporean airline with Indian customers).

E-commerce and Retail companies like online marketplaces or local chains must protect customer delivery details, while the BFSI sector (Banks and Fintechs) is heavily impacted due to the sensitive nature of KYC and transaction data. In Healthcare, hospitals and diagnostic labs managing patient records face strict requirements, as do EdTech platforms and universities handling student information. Even the hospitality sector, which collects ID proofs like Aadhaar or Passports, and the Technology/SaaS industry, which processes employee and B2B client data, are fully covered. Essentially, any business, from a local business to a neighbourhood gym, that maintains digital client records is subject to these regulations.

When is your company "safe" to use data?

Under Section 4, a company is permitted to process personal data only if it meets a dual-pronged test: the processing must be "in accordance with the provisions of the DPDP Act" and it must be for a "lawful purpose".

The Act defines a “lawful purpose” as “any purpose that is not expressly forbidden by law”. This has faced criticism for being negatively couched. This broad language creates a massive legal grey area; technically, if a specific data use isn't explicitly banned by some other Indian law, it could be argued as “lawful purpose”. However, this breadth is a double-edged sword, as it leaves significant room for the Data Protection Board to interpret “lawful purpose” in ways that might catch companies off guard.

Once you establish that the purpose is "lawful", you must anchor your data usage in one of two grounds: either consent (which, to be valid, must be free, specific, informed, unconditional and unambiguous) or one of the certain legitimate uses recognised by the Act.

By strictly adhering to these mandates, companies can keep their data processing within the safe harbour of the Act and avoid the looming threat of penalties.

The ₹250 crore breach bomb: Obligations you cannot ignore

The most critical takeaway for any boardroom, at present, is Section 8(5) of the Act. This section mandates that every company implement "reasonable security safeguards" to prevent personal data breaches with respect to the data in its possession or under its control, whether held by itself or by a Data Processor. Under the Schedule of the Act, a breach of this specific obligation carries a staggering penalty of up to ₹250 crore.

While the substantive compliance for this section begins in May 2027 (as per the DPDP Rules 2025), companies must begin implementation immediately to build the necessary infrastructure and due diligence. Rule 6 of the DPDP Rules 2025 specifies that these safeguards "shall include" certain bare minimums. This phrasing indicates that the list is not exhaustive: companies must do more if the risk demands it, but they must at least implement the measures expressly listed.

The seven pillars of security: Mandatory safeguards under Rule 6

1. Comprehensive data security measures: The first mandate requires the use of appropriate technical tools to shield data from prying eyes. This includes encryption (making data unreadable without a key), obfuscation, masking (hiding parts of the data, like showing only the last four digits of a phone number), or the use of virtual tokens mapped to personal data.

2. Strict access controls: Companies must implement robust measures to control who can access the "computer resources" where data is stored. This is about ensuring that data isn't just sitting in an open folder accessible to any employee. For example, deploy Multi-Factor Authentication (MFA) for all staff logins and use Role-Based Access Control (RBAC) so that a marketing intern cannot access the payroll or medical history files of a client.

3. Real-time visibility and monitoring: It is not enough to have locks; you must have “eyes” on the data. This requires visibility through systematic logs, continuous monitoring, and periodic reviews. This ensures that if an unauthorized person tries to access data, the system flags it immediately.

4. Business continuity and recovery: The Act acknowledges that breaches or system failures happen. Therefore, companies must have measures for continued processing even if data integrity or availability is compromised. This primarily involves robust data backups. For example, maintaining an immutable cloud backup of all personal data ensures that even if the primary system is hit by ransomware, the company can restore operations without paying the attackers or losing customer data.

5. Mandatory one-year log retention: To assist in investigations and prevent the recurrence of breaches, the Rule mandates that companies retain logs and personal data for at least one year. This creates a "black box" for the Data Protection Board to analyse in case of a dispute.

6. Contractual obligations for data processors: One of the most critical legal shifts is the requirement for specific provisions in contracts between a Data Fiduciary and its Data Processor. You cannot simply outsource your way out of liability; you must legally bind your vendors to follow these same security standards. There must be a watertight, bulletproof contract setting out all the measures taken clearly and unambiguously. All existing and future contracts should include a "Data Protection Addendum" (DPA) that explicitly requires the processor to follow the Rule 6 safeguards in their entirety and that lays down the additional measures taken by both parties to protect data and prevent any breach.

7. Effective technical and organisational measures: This requires a broader commitment to "technical and organisational measures" to ensure these safeguards work. It moves compliance from an "IT problem" to a "company culture and structure" priority, involving regular training and policy updates. All companies must ensure that their employees are up to date with the law and that their contracts are periodically revised so that no lapse in compliance occurs. Conducting quarterly "Cyber Hygiene" workshops for employees and performing annual independent security audits to test the effectiveness of existing firewalls and encryption protocols should be added to the regular roster.

The vicarious liability trap

It is vital to remember that under the DPDP Act, the Data Fiduciary remains vicariously liable for any breach committed by its Data Processor. Even if the fault lies with your third-party cloud vendor, the law treats the data as being under “the company’s control”, making it your primary responsibility to ensure the processor has these seven pillars in place.

The countdown to compliance

The Digital Personal Data Protection Act, 2023, along with the Rules 2025, represents a tectonic shift in India's legal landscape, moving from a "buyer beware" digital economy to one rooted in accountability and trust. For companies, this isn't just about avoiding a ₹250 crore penalty; it’s about securing a seat in India’s projected one-trillion-dollar digital future.

About the author: Varun Singh is the Founder and Managing Partner of Foresight Law Offices India.

Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.
