DPDPA

The Digital Personal Data Protection Act 2023 (DPDPA) received Presidential assent in August 2023 and is being implemented in phases. The law applies to personal data collected in India (even if processed outside India) and to personal data collected outside India if it involves offering goods or services to Indian residents. It establishes rights for Data Principals (individuals) including the right to information, correction, erasure, and grievance redressal.

DPDPA's consent framework is stricter than many businesses currently practice — requiring granular, specific consent for each purpose of processing, presented in clear and plain language in multiple languages if requested. Consent Management Platforms (CMPs) that meet GDPR standards may not fully satisfy DPDPA requirements without India-specific adaptations, particularly around language and the Consent Manager intermediary model.

Significant Data Fiduciaries — organizations designated by the Indian government based on data volume, sensitivity, and risk — face additional obligations including mandatory data protection officers, data audits, and data impact assessments. The designation criteria are being finalized, but organizations processing large volumes of Indian consumer data should architect for Significant Data Fiduciary requirements from the start.

We architect DPDPA compliance into India-serving platforms with the same rigor we apply to GDPR — building consent management, data principal rights workflows, and data localization into the system architecture. Our regulatory intelligence practice tracks DPDPA implementation guidance as it is published and updates technical requirements accordingly.

Compliance-Native Architecture Guide

Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.