The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces a comprehensive legal framework governing the processing of digital personal data in India. For organisations headquartered or operating in Delhi, one of India's foremost commercial and administrative centres, understanding the specific obligations the legislation imposes is critical. The DPDP Act establishes a tiered system of duties for Data Fiduciaries, Significant Data Fiduciaries and Consent Managers, each carrying distinct compliance requirements. This post provides an analytical overview of the key legal obligations under the Act that businesses in Delhi must navigate.

The Obligation to Provide Notice and Obtain Consent

One of the foundational pillars of the DPDP Act is the requirement for informed consent. Before or at the time of requesting consent, a Data Fiduciary must provide the Data Principal with a clear notice in plain language that describes the personal data to be processed, the purpose for which it will be processed, the manner in which the Data Principal may exercise their rights, and the manner in which a complaint may be made to the Data Protection Board.

Consent obtained must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action by the Data Principal. Critically, consent may be withdrawn at any time, and the withdrawal must be made as easy as the initial grant of consent. Organisations in Delhi must audit their existing data collection mechanisms to ensure they meet these standards, particularly for digital platforms that process large volumes of user data.

Data Retention and Erasure Obligations

The DPDP Act mandates that personal data not be retained beyond the period necessary for the purpose for which it was collected. Once the Data Principal withdraws consent, or it is reasonable to assume that the specified purpose is no longer being served, the Data Fiduciary must erase the personal data and cause any Data Processor holding it to do the same, unless retention is necessary to comply with another law. This principle of storage limitation requires organisations to implement automated or procedural data lifecycle management, with each record tied to its purpose and legal basis so that erasure can be triggered and evidenced.

The Act also requires that a Data Fiduciary engage a Data Processor, a third party that processes data on its behalf, only under a valid contract, and the Fiduciary remains responsible for compliance regardless of any such engagement. Data Processing Agreements must therefore be reviewed and updated to reflect the requirements of the DPDP Act, including obligations relating to security safeguards, erasure on instruction and prompt reporting of breaches back to the Fiduciary.
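The storage-limitation and processor paragraphs above describe a lifecycle control without showing one. The following is an added example, not code from the original post or from any organisation it describes: a retention sweep that decides, per record, whether erasure is due (consent withdrawn, purpose fulfilled, or an assumed retention period expired) unless a legal-hold reason records another legal basis, and then groups the resulting erasure orders by the Data Processors holding copies. The record schema, retention periods, processor names and sample records are all constructed for illustration.

```python
"""Retention sweep for personal-data records (illustrative, constructed schema).

Erasure is due when consent has been withdrawn, the purpose has been fulfilled,
or the assumed retention period has expired, unless a legal-hold reason
records another legal basis for keeping the record. Erasure must also be
propagated to every Data Processor holding a copy, so the sweep emits
per-processor erasure orders.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TODAY = date(2024, 6, 1)  # fixed "run date" so the example is deterministic


@dataclass
class Record:
    principal_id: str
    purpose: str
    collected_on: date
    retention_days: int                      # purpose-specific policy value (assumed)
    processors: List[str] = field(default_factory=list)  # processors holding copies
    consent_withdrawn_on: Optional[date] = None
    purpose_fulfilled_on: Optional[date] = None
    legal_hold_reason: Optional[str] = None  # e.g. statutory retention; blocks erasure


def erasure_due(rec: Record, today: date) -> Optional[str]:
    """Return the reason erasure is due, or None if the record may be retained."""
    if rec.legal_hold_reason:
        return None  # another legal basis for retention exists; keep and log it
    if rec.consent_withdrawn_on and rec.consent_withdrawn_on <= today:
        return "consent withdrawn"
    if rec.purpose_fulfilled_on and rec.purpose_fulfilled_on <= today:
        return "purpose fulfilled"
    if rec.collected_on + timedelta(days=rec.retention_days) <= today:
        return "retention period expired"
    return None


def sweep(records: List[Record], today: date) -> Tuple[List[Tuple[Record, str]], List[Record]]:
    """Partition records into (to_erase with reason, keep)."""
    to_erase, keep = [], []
    for rec in records:
        reason = erasure_due(rec, today)
        if reason:
            to_erase.append((rec, reason))
        else:
            keep.append(rec)
    return to_erase, keep


def processor_orders(to_erase: List[Tuple[Record, str]]) -> Dict[str, List[str]]:
    """Group principal IDs to be erased by the processor that must erase them."""
    orders: Dict[str, List[str]] = {}
    for rec, _reason in to_erase:
        for proc in rec.processors:
            orders.setdefault(proc, []).append(rec.principal_id)
    return orders


# Constructed sample records for the example run.
SAMPLE = [
    Record("p1", "order-fulfilment", date(2024, 1, 10), 365, ["courier-api"],
           purpose_fulfilled_on=date(2024, 2, 1)),
    Record("p2", "newsletter", date(2023, 3, 1), 365, ["email-vendor"],
           consent_withdrawn_on=date(2024, 5, 20)),
    Record("p3", "invoice", date(2022, 1, 1), 365, [],
           legal_hold_reason="statutory retention of tax records"),
    Record("p4", "analytics", date(2024, 5, 1), 90, []),
    Record("p5", "support-ticket", date(2023, 1, 1), 365, ["helpdesk-saas", "email-vendor"]),
]


def run_sample() -> Tuple[List[Tuple[str, str]], List[str], Dict[str, List[str]]]:
    """Run the sweep over SAMPLE; returns (erase id+reason, kept ids, processor orders)."""
    to_erase, keep = sweep(SAMPLE, TODAY)
    erase_ids = [(rec.principal_id, reason) for rec, reason in to_erase]
    keep_ids = [rec.principal_id for rec in keep]
    return erase_ids, keep_ids, processor_orders(to_erase)


if __name__ == "__main__":
    erase, kept, orders = run_sample()
    for pid, reason in erase:
        print(f"erase {pid}: {reason}")
    print("keep:", kept)
    print("processor erasure orders:", orders)
```

The legal-hold check runs first so that a withdrawal of consent never deletes a record another statute requires the organisation to keep; in production the hold reason and the erasure decision would both be written to an audit log, since the Fiduciary must be able to show why a record was retained or erased.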

Security Safeguards and Breach Notification

Every Data Fiduciary is required to implement reasonable security safeguards to prevent personal data breaches. While the Act delegates the specification of detailed technical standards to subordinate rules, the overarching expectation is that organisations adopt measures commensurate with the nature and volume of data they process. This may include access controls, encryption, pseudonymisation, audit logging, and periodic security assessments.

In the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board and each affected Data Principal in such form and manner as may be prescribed under the rules, which also set the reporting timelines. The duty sits with the Fiduciary even where the breach occurs at a Data Processor, so processor contracts must require prompt upstream reporting. Failure to give notice of a breach is itself a ground for penalty under the Act, making robust incident response planning an indispensable component of DPDP compliance.

Obligations of Significant Data Fiduciaries

The DPDP Act introduces a heightened compliance tier for Significant Data Fiduciaries (SDFs), designated by the Central Government on the basis of factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State and public order, and any other factors it considers necessary. SDFs are required to appoint a Data Protection Officer (DPO) based in India who serves as the point of contact for grievance redressal, appoint an independent data auditor to evaluate their compliance, and undertake periodic Data Protection Impact Assessments (DPIAs) and periodic audits.

For large technology companies and data-intensive businesses operating in Delhi, the possibility of being classified as an SDF necessitates a proactive assessment of current data governance frameworks. Establishing a dedicated DPO function and instituting a DPIA process should be prioritised as organisations prepare for the Act’s full operationalisation.

Conclusion

The DPDP Act, 2023 represents a significant shift in how organisations must approach the collection and processing of personal data. For businesses in Delhi, compliance is a multi-dimensional exercise spanning consent management, data lifecycle governance, security infrastructure, breach response protocols and, for some entities, the enhanced obligations of Significant Data Fiduciaries. Understanding these obligations in detail is the first step toward building a legally sound and operationally resilient data protection programme.

This blog is for informational purposes only and does not constitute legal advice. Organisations should consult qualified legal counsel for DPDP Act compliance.

#DPDP Act, #Digital Personal Data Protection Act 2023, #Data Privacy Law India, #Delhi DPDP Compliance, #Data Fiduciary Obligations, #Significant Data Fiduciary, #DPO India, #DPIA Compliance, #Data Breach Notification, #Consent Management