India’s Digital Personal Data Protection Act, 2023 (DPDP Act) establishes a comprehensive regulatory framework for the governance of personal data in the digital economy. For businesses based in or operating from Delhi — one of India’s primary commercial hubs — understanding the architecture of this framework and the specific responsibilities it imposes is essential. The Act not only sets out obligations for organisations that process personal data but also creates institutional structures — most notably the Data Protection Board of India — to enforce compliance. This blog examines the regulatory structure under the DPDP Act and the corresponding responsibilities of businesses.

The Regulatory Architecture Under the DPDP Act

The DPDP Act establishes the Data Protection Board of India (DPBI) as the principal regulatory and adjudicatory authority. The Board is empowered to receive and adjudicate complaints filed by Data Principals, conduct inquiries into alleged violations, and impose monetary penalties on Data Fiduciaries and Data Processors found to be in breach of their obligations. The Board’s decisions are subject to appeal before the Appellate Tribunal, and thereafter to the High Court.

The Act also vests significant rule-making and designation powers in the Central Government. Rules made under the Act are expected to specify matters such as the form and manner of consent notices, the categories of Significant Data Fiduciaries, data localisation requirements, and the conditions under which personal data may be transferred outside India. Businesses in Delhi must monitor both the primary legislation and evolving subordinate legislation to maintain compliance.

Defining Business Responsibilities Under the Act

The DPDP Act categorises entities involved in data processing into Data Fiduciaries — organisations that determine the purpose and means of processing personal data — and Data Processors — entities that process data on behalf of a Data Fiduciary. Both bear distinct legal responsibilities. Data Fiduciaries are primarily responsible for ensuring that personal data is processed lawfully, that consent obligations are met, and that Data Principals can exercise their rights.

Data Processors, while not directly liable to Data Principals for most obligations under the Act, must process data only in accordance with the instructions of the Data Fiduciary and must implement security measures to prevent breaches. The contractual arrangement between Fiduciaries and Processors is therefore a key instrument of DPDP compliance, and businesses in Delhi should ensure their data processing agreements are updated to reflect the Act’s requirements.

Significant Data Fiduciaries: Enhanced Obligations

Businesses designated as Significant Data Fiduciaries (SDFs) by the Central Government face a heightened set of obligations under the DPDP Act. These include appointing a Data Protection Officer resident in India, undertaking periodic Data Protection Impact Assessments to identify and mitigate risks associated with data processing activities, and engaging an independent data auditor to assess their compliance.

The designation as an SDF is based on criteria including the volume and sensitivity of personal data processed, the risk posed to national security or public order, and the potential impact on the rights of Data Principals. Large technology companies, e-commerce platforms, financial institutions, and health-tech organisations in Delhi should assess whether they may fall within the SDF category and take preparatory steps accordingly.

Cross-Border Data Transfers and Localisation

The DPDP Act permits the transfer of personal data outside India to countries or territories notified by the Central Government, subject to any conditions that may be prescribed. This is a departure from earlier legislative proposals that envisaged blanket data localisation requirements. However, businesses must remain attentive to rules that may impose conditions on cross-border transfers, particularly for sensitive personal data.

For Delhi-based multinationals and companies with international operations, establishing a clear understanding of permissible transfer mechanisms — and ensuring that overseas recipients maintain equivalent data protection standards — will be a critical component of the DPDP compliance programme.

Conclusion

The regulatory framework established by the DPDP Act, 2023 places significant responsibilities on businesses operating in Delhi. From obtaining lawful consent and enabling Data Principal rights to implementing security safeguards and managing cross-border data flows, the scope of compliance is both broad and substantive. The penalties prescribed under Section 33 of the Act — with fines of up to INR 250 crore for certain violations — further underscore the importance of building robust, institutionalised data governance practices that evolve alongside the regulatory landscape.

This blog is for informational purposes only and does not constitute legal advice. Organisations should consult qualified legal counsel for DPDP Act compliance.
