Published on
April 3, 2025

India’s Data Privacy Law: Compliance Guide for International Businesses


Consent, localization, and penalties—how to stay compliant under India’s new data privacy regime

1. Introduction: Why India’s New Privacy Law Matters

India is one of the world’s largest hubs for digital services, e-commerce, and IT outsourcing. With over 1.4 billion people and a fast-growing internet population, the country generates massive volumes of personal data—much of which is accessed or processed by foreign companies. Whether you operate a SaaS platform serving Indian users, run a remote support team, or work with local distributors, chances are you’re handling data subject to Indian law.

To regulate this growing digital landscape, the Indian government introduced the Digital Personal Data Protection Act, 2023 (DPDPA)—its first comprehensive data privacy law. The Act sets out clear rules for collecting, storing, and using personal data, with new obligations around user consent, cross-border transfers, security safeguards, and grievance redressal. Penalties for non-compliance can be severe.

Crucially, the DPDPA has extraterritorial reach. Even if your company has no physical presence in India, you may still be required to comply if you process the data of Indian individuals. This includes a wide range of businesses—from startups with Indian customers to global firms outsourcing services to India.

While the law shares similarities with the EU’s GDPR or California’s CCPA, it reflects India’s own regulatory priorities and business environment. Some concepts—like data consent and user rights—may sound familiar, but others differ in meaningful ways.

This guide is built for international businesses—especially SaaS companies, e-commerce platforms, SMEs, and those outsourcing operations to India. It explains what the DPDPA requires, how it applies to foreign companies, and what practical steps you can take to stay compliant and competitive in India’s evolving digital economy.

Let’s start with a high-level overview of the DPDPA and how it compares to other global data protection laws.

2. Overview of India’s Data Privacy Regime

India’s data protection framework has entered a new era with the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA). This law is the country's first comprehensive privacy legislation and establishes a clear legal foundation for how personal data must be collected, stored, and used. It applies to both Indian and foreign businesses that process data related to individuals in India.

Here’s what you need to know about how India’s new law works, how it compares with global standards, and why it matters to foreign companies.

2.1 What Is the Digital Personal Data Protection Act (DPDPA)?

The DPDPA is India’s landmark legislation governing the handling of digital personal data. It was passed by Parliament in 2023 and is expected to come into effect in phases, with detailed rules and regulations to be released by the Indian government (called “rules under the Act”).

At its core, the DPDPA seeks to:

  • Protect the rights of individuals (called Data Principals) by requiring their informed consent before data is collected and processed.
  • Place clear responsibilities on companies and organizations (called Data Fiduciaries) that collect and use such data.
  • Provide mechanisms for individuals to seek redress if their data is mishandled.
  • Introduce penalties for violations, with fines ranging up to INR 250 crore (approx. USD 30 million) for major breaches.

2.2 Key Terms You Should Know

To navigate the law effectively, it’s important to understand some of the key definitions under the DPDPA:

• Personal Data:

Any data about an individual who can be identified, either directly or indirectly. This includes names, phone numbers, email addresses, ID numbers, and even IP addresses or device IDs if linked to a person.

• Data Principal:

The individual whose personal data is being collected. This could be your customer, app user, website visitor, or employee.

• Data Fiduciary:

The company or entity that determines why and how personal data is processed. If your business collects or decides what to do with personal data, you are a Data Fiduciary.

• Consent Manager:

A new concept introduced by the Act. These are licensed entities that help individuals manage their consents given to different companies in a standardized way.

• Significant Data Fiduciary (SDF):

A company or organization that processes large volumes or sensitive categories of personal data, and is therefore subject to additional obligations (to be designated by the government).

2.3 Who Does the Law Apply To? (Extraterritorial Scope)

One of the most important aspects of the DPDPA for international businesses is its extraterritorial application. That means:

Even if your company is not based in India and has no physical presence there, the law still applies if you process the personal data of individuals located in India. In other words, if your operations touch Indian user data in any way, you will likely fall within the scope of the DPDPA. Common examples include:

  • SaaS companies serving users in India.
  • E-commerce platforms selling to Indian customers.
  • Foreign firms outsourcing software development or customer service to Indian teams that access personal data.
  • Global companies running marketing campaigns targeting Indian users.

2.4 How Does DPDPA Compare to GDPR and Other Privacy Laws?

India’s DPDPA is influenced by global frameworks like the EU General Data Protection Regulation (GDPR), but there are several key differences foreign companies should be aware of.

Although inspired by GDPR, India’s regime aims to be business-friendly, with a stronger focus on compliance through simplicity and standardization, especially for startups and mid-sized companies.

2.5 Penalties for Non-Compliance

The DPDPA imposes significant monetary penalties for non-compliance, with the severity depending on the type and impact of the violation. Below are key penalty categories and their maximum fines:

• Failure to protect personal data

Up to INR 250 crore (approx. USD 30 million) for not implementing reasonable security safeguards and allowing data breaches or misuse.

• Breach involving children’s data

Up to INR 200 crore (approx. USD 24 million), reflecting the law’s special emphasis on minors (under 18). Parental consent is required.

• Failure to respond to data principal grievances

Up to INR 50 crore (approx. USD 6 million). Businesses must provide clear user complaint mechanisms and respond promptly.

• Failure to notify authorities of a data breach

Up to INR 200 crore (approx. USD 24 million). Non-disclosure to the Data Protection Board and impacted individuals is penalized.

Note: These are maximum penalties per violation. The actual amount imposed will depend on the size of the company, nature of the breach, harm caused, and whether the company has a history of violations.

3. Who Must Comply: Applicability for Foreign Companies

One of the most significant features of India’s Digital Personal Data Protection Act, 2023 (DPDPA), is its broad extraterritorial scope. This means that the law doesn't only apply to companies based in India—it can also apply to foreign companies that collect, store, or process personal data of individuals located in India, even if they don’t have an office or employees in the country.

3.1 Extraterritorial Reach of the DPDPA

The DPDPA applies to any data processing activity that involves personal data of individuals in India, regardless of where the organization is located. If your business processes personal data in connection with offering goods or services to people in India, or profiling Indian users, the law likely applies to you.

This includes:

• SaaS platforms with Indian users or subscribers.

• E-commerce websites selling or shipping products to customers in India.

• Marketing platforms or agencies targeting Indian users with online campaigns.

• Multinational corporations that share HR, payroll, or client data across international offices.

• Outsourcing companies or their clients, especially in IT services, customer support, or content moderation.

In all these cases, you are considered a Data Fiduciary under Indian law.

3.2 Understanding the Role of a Data Fiduciary

Under the DPDPA, a Data Fiduciary is any entity—Indian or foreign—that determines the purpose and means of processing personal data. This is similar to the concept of a “data controller” under the GDPR.

If your company collects data directly from users (e.g., through your website, mobile app, or sales channels), or if you determine how and why Indian user data is handled, then you’re acting as a Data Fiduciary.

Even if you're not directly collecting the data but are working with an Indian vendor that handles personal data on your behalf, you may still be liable for compliance failures if you do not ensure that proper safeguards and contractual clauses are in place.

3.3 Examples of Foreign Businesses That Must Comply

Let’s look at some concrete scenarios where the DPDPA would likely apply to non-Indian companies:

• A Canadian SaaS company offering a CRM platform to Indian small businesses collects user names, contact details, and business profiles. Even without an office in India, this company must comply with the DPDPA.

• A US-based e-commerce site delivers electronics and apparel to Indian customers. Since it processes order data, payment information, and shipping addresses of Indian users, it is subject to the law.

• A Singaporean software company contracts an Indian development team that accesses U.S. customer data and stores logs on Indian servers. The Singaporean firm must ensure its vendor contracts and internal practices meet DPDPA standards.

• A UK-based marketing firm runs a digital ad campaign targeting Indian audiences using browser cookies and analytics. Even though users do not make purchases, the data collected through tracking may bring the company under the DPDPA.

3.4 What This Means for You

If you are a foreign business that touches Indian personal data in any capacity, you should assume that the DPDPA applies to you. This means:

• You must obtain proper consent from Indian users.

• You should update your privacy notices and review your contracts with Indian partners or vendors.

• You may need to appoint a grievance officer or contact person responsible for handling user complaints from India.

• If you process large volumes of Indian personal data, you could be classified as a Significant Data Fiduciary, subject to additional obligations.

Practice Tip: If you’re unsure whether the law applies to your business, it’s safer to assume that it does and take compliance steps accordingly. This is particularly true for fast-growing tech companies and startups scaling across borders.

4. Key Compliance Requirements under the DPDPA

4.1 Consent and Notice Obligations

Under the DPDPA, consent is the cornerstone of lawful data processing. You must obtain valid, informed, and voluntary consent from individuals (referred to as “Data Principals”) before collecting or using their personal data—unless a legal exemption applies.

• How consent must be obtained and documented: Consent must be specific to a purpose and must be recorded in a verifiable form (such as electronic records, logs, or signed forms). Blanket consent is not valid. Businesses must also maintain records showing when and how the user gave consent.

• Clarity, language, and format: The consent request must be presented in clear and simple language, in English or one of the 22 official Indian languages as appropriate. It must describe the purpose of processing and the types of data collected.

• Right to withdraw consent: Users must be given an easy way to withdraw consent at any time, and you are obligated to stop data processing promptly upon withdrawal. This could be a simple dashboard setting, email address, or link embedded in communications.

Practice Tip: Avoid lengthy legalese in consent forms. Use simple terms, separate checkboxes for each purpose, and make sure users know how to opt out.
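The consent rules above (purpose-specific, verifiably recorded, withdrawable at any time) as a small consent ledger. This is an added illustration, not code from the original guide or from Trustiics; the purposes, user ids and timestamps are constructed, and the SHA-256 hash chain is one way to make the records tamper-evident, not a mechanism the Act prescribes.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Purposes disclosed in the privacy notice (constructed). Consent is recorded one
# purpose at a time, so a "blanket" consent (wildcard, or a purpose never disclosed)
# cannot be recorded at all.
DECLARED_PURPOSES = {"order_fulfilment", "marketing_email", "analytics"}

@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    principal_id: str
    purpose: str
    action: str          # "grant" or "withdraw"
    timestamp: str       # ISO 8601, UTC
    notice_version: str  # version of the notice shown to the user
    language: str        # language the notice was shown in, e.g. "en" or "hi"
    prev_hash: str       # hash of the preceding event (tamper-evident chain)
    hash: str

def _digest(seq, principal_id, purpose, action, ts, notice_version, language, prev_hash):
    # Canonical JSON of every field, so verification recomputes exactly what was stored.
    body = [seq, principal_id, purpose, action, ts, notice_version, language, prev_hash]
    return hashlib.sha256(json.dumps(body, separators=(",", ":")).encode()).hexdigest()

class ConsentLedger:
    """Append-only record of consent grants and withdrawals, one purpose per event."""

    GENESIS = "0" * 64

    def __init__(self):
        self._events = []

    def _append(self, principal_id, purpose, action, notice_version, language, when):
        ts = (when or datetime.now(timezone.utc)).isoformat()
        seq = len(self._events)
        prev = self._events[-1].hash if self._events else self.GENESIS
        h = _digest(seq, principal_id, purpose, action, ts, notice_version, language, prev)
        ev = ConsentEvent(seq, principal_id, purpose, action, ts, notice_version, language, prev, h)
        self._events.append(ev)
        return ev

    def grant(self, principal_id, purpose, notice_version, language, when=None):
        if purpose not in DECLARED_PURPOSES:
            raise ValueError(f"purpose not disclosed in the notice: {purpose!r}")
        return self._append(principal_id, purpose, "grant", notice_version, language, when)

    def withdraw(self, principal_id, purpose, when=None):
        # Withdrawal is always accepted; recording it is what makes it verifiable.
        return self._append(principal_id, purpose, "withdraw", "", "", when)

    def may_process(self, principal_id, purpose):
        """Processing is allowed only while the latest event for this purpose is a grant."""
        latest = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                latest = ev.action
        return latest == "grant"

    def evidence(self, principal_id):
        # What the fiduciary can show about when and how this user consented.
        return [ev for ev in self._events if ev.principal_id == principal_id]

    def verify_chain(self):
        """Recompute every hash; an edited, reordered or deleted record breaks the chain."""
        prev = self.GENESIS
        for seq, ev in enumerate(self._events):
            if ev.seq != seq or ev.prev_hash != prev:
                return False
            if _digest(seq, ev.principal_id, ev.purpose, ev.action, ev.timestamp,
                       ev.notice_version, ev.language, prev) != ev.hash:
                return False
            prev = ev.hash
        return True

def demo():
    """Constructed walkthrough: two separate grants, one withdrawal, then tampering."""
    ledger = ConsentLedger()
    t0 = datetime(2025, 4, 3, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    ledger.grant("user-42", "order_fulfilment", "notice-v3", "hi", t0)
    ledger.grant("user-42", "marketing_email", "notice-v3", "hi", t0)
    ledger.withdraw("user-42", "marketing_email")  # the user opts out later
    result = {
        "orders_ok": ledger.may_process("user-42", "order_fulfilment"),
        "marketing_ok": ledger.may_process("user-42", "marketing_email"),
        "analytics_ok": ledger.may_process("user-42", "analytics"),  # never granted
        "events": len(ledger.evidence("user-42")),
        "chain_ok": ledger.verify_chain(),
    }
    # Quietly "un-withdrawing" the marketing consent must be detectable afterwards.
    ledger._events[2] = replace(ledger._events[2], action="grant")
    result["chain_after_tamper"] = ledger.verify_chain()
    return result
```

A real deployment would persist the events and export `evidence()` when a user or the regulator asks how consent was obtained.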

4.2 Data Localization & Cross-Border Transfers

The DPDPA does not impose blanket data localization requirements. Instead, it adopts a “whitelist” approach to cross-border transfers of personal data.

• Cross-border transfer is permitted: Businesses are generally allowed to store and process Indian personal data outside India, unless the country is specifically blacklisted by the Indian government. A formal blacklist has not yet been published as of the date of this blog.

• No mandatory mirror copy or server requirement: Unlike data localization laws in countries like China, India does not require a mirror server or copy of data to be stored locally for most businesses.

• What businesses should do: Despite this flexibility, it is wise to include cross-border transfer clauses in your privacy policy, mentioning where data is stored and which third-party processors (e.g., AWS, Stripe, etc.) may access it.

Practice Tip: Consider using Standard Contractual Clauses (SCCs) or equivalent mechanisms when engaging overseas vendors for processing Indian users’ data.

4.3 Core Data Fiduciary Obligations

All businesses that determine the purpose and means of processing personal data are considered Data Fiduciaries under the DPDPA. This includes foreign businesses handling Indian user data.

Key obligations include:

• Grievance Officer: You must designate a grievance redressal officer, whose contact details are published in your privacy notice or app. This officer is responsible for resolving user complaints within a reasonable time frame.

• Security safeguards: Data Fiduciaries must adopt reasonable technical and organizational safeguards to protect against unauthorized access, data loss, or misuse. This includes using encryption, access controls, periodic audits, and breach protocols.

• Purpose limitation and retention: You are only permitted to collect and process data for the specific purpose disclosed to the user. You must delete the data once that purpose is fulfilled, unless the user consents to further use or the law requires retention.

Practice Tip: Conduct a quick audit of your data lifecycle. Are you holding old user data unnecessarily? If yes, delete or anonymize it to reduce risk.

4.4 Significant Data Fiduciary (SDF) Category

The DPDPA introduces a category called “Significant Data Fiduciaries” (SDFs), which are subject to stricter compliance obligations. While the government has yet to finalize thresholds, entities likely to be designated as SDFs include:

• Large tech companies processing high volumes of personal or sensitive data

• Businesses using AI or automated profiling for decision-making

• Entities handling data of children or vulnerable groups

Additional obligations for SDFs include:

  • Appointing a Data Protection Officer (DPO): This officer must be based in India and act as the single point of contact with the Data Protection Board of India.
  • Conducting Data Protection Impact Assessments (DPIAs): For high-risk processing activities, DPIAs are required to evaluate risks and design mitigation plans.
  • Annual audits and compliance reports: SDFs must undergo periodic data audits to demonstrate accountability and submit compliance statements to the regulator.

Practice Tip: If your business is growing rapidly in India or handles sensitive sectors (e.g., finance, health), prepare early by drafting DPIA templates and appointing a DPO before you are formally designated as an SDF.

5. Rights of Indian Data Principals (Users)

Under the Digital Personal Data Protection Act (DPDPA), individuals whose data is being processed are referred to as Data Principals. These users are granted a set of legal rights intended to give them control over how their personal data is collected, used, and retained. Businesses that collect or process personal data of Indian residents—whether based in India or abroad—must understand and prepare to honor these rights.

5.1 Right to Access, Correction, and Erasure

• Right to Access: Data Principals have the right to request information about how their data is being used. This includes knowing what personal data is being held, for what purpose, who it has been shared with, and for how long it will be retained.

• Right to Correction and Updating: If a user finds that their personal data is inaccurate, incomplete, or outdated, they can ask for it to be corrected. Businesses are required to make these corrections without undue delay.

• Right to Erasure: Users can request that their personal data be erased once the purpose of processing is completed, or if they withdraw their consent. Businesses must ensure secure deletion of the data unless there is a legal obligation to retain it (e.g., for tax, audit, or law enforcement purposes).

Compliance Tip: Build an easy-to-use online portal or email-based request system where users can view their data, submit correction requests, and ask for deletion. Automate confirmations to ensure transparency.

5.2 Right to Grievance Redressal and Nominate Representatives

• Right to Grievance Redressal: Every Data Principal has the right to lodge a complaint with the company if they believe their data has been misused or if their privacy rights have been violated. The business must appoint a Grievance Officer and publish their contact details prominently in the privacy notice or platform.

The officer must acknowledge complaints and resolve them within a reasonable timeframe, typically 7 to 15 business days depending on the complexity of the issue.

• Right to Nominate a Representative: Data Principals also have the right to nominate another individual (e.g., family member or legal advisor) to exercise their rights in the event of incapacity or death. Businesses should have a process to verify such representation and act on legitimate requests.

Practice Tip: Add a grievance mechanism link or contact form directly into your website or mobile app. Keep logs of complaint responses to demonstrate compliance during audits.

5.3 How Businesses Should Respond to Data Subject Requests

Responding to data access, correction, and erasure requests is not optional—it is a legal requirement under the DPDPA. Companies must:

• Acknowledge requests promptly (ideally within 24–48 hours), even if additional verification is needed.

• Verify identity of the requester to prevent unauthorized disclosures. This can include asking for confirmation via registered email or account verification steps.

• Fulfill the request without unreasonable delay, usually within 7 working days unless legally justified.

• Document the process internally, including the date of the request, how it was handled, and what outcome was provided.

Failure to respond to user requests can result in regulatory scrutiny and penalties up to INR 50 crore (~USD 6 million).

Best Practice: Train your support and compliance teams to recognize data subject requests and route them to the appropriate legal or privacy contact. Set up internal SLAs (service level agreements) to ensure timely responses.
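The request-handling steps in this section as an added example (not code from the original guide or from Trustiics): an intake desk that acknowledges, verifies, fulfils and documents data principal requests, and flags the ones that have missed a deadline. The 48-hour and 7-working-day targets are the guide's suggested timings rather than statutory deadlines, public holidays are not modelled, and the request ids and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# SLA targets taken from the guidance above, not from the statute: acknowledge within
# 48 hours, fulfil within 7 working days (Mon-Fri; public holidays are not modelled).
ACK_WINDOW = timedelta(hours=48)
FULFIL_WORKING_DAYS = 7

def _ts(value) -> datetime:
    # Accept either a datetime or an ISO 8601 string such as "2025-04-04T10:00:00+00:00".
    return datetime.fromisoformat(value) if isinstance(value, str) else value

def add_working_days(start, days: int) -> datetime:
    """Deadline `days` working days after `start`, skipping Saturdays and Sundays."""
    current = _ts(start)
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            days -= 1
    return current

@dataclass
class PrincipalRequest:
    request_id: str
    principal_id: str
    kind: str                      # "access", "correction", "erasure" or "grievance"
    received_at: datetime
    legal_hold: bool = False       # some records must be kept (e.g. under tax or audit law)
    acknowledged_at: Optional[datetime] = None
    verified_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None
    outcome: str = ""
    log: list = field(default_factory=list)

    @property
    def fulfil_due(self) -> datetime:
        return add_working_days(self.received_at, FULFIL_WORKING_DAYS)

class RequestDesk:
    """Intake queue for data principal requests with SLA tracking and an audit trail."""

    def __init__(self):
        self._requests = {}

    def receive(self, request_id, principal_id, kind, now, legal_hold=False):
        req = PrincipalRequest(request_id, principal_id, kind, _ts(now), legal_hold)
        req.log.append((req.received_at, "received"))
        self._requests[request_id] = req
        return req

    def acknowledge(self, request_id, now):
        # The acknowledgement goes out even before identity has been verified.
        req = self._requests[request_id]
        req.acknowledged_at = _ts(now)
        req.log.append((req.acknowledged_at, "acknowledged"))

    def verify_identity(self, request_id, now, method):
        req = self._requests[request_id]
        req.verified_at = _ts(now)
        req.log.append((req.verified_at, f"identity verified via {method}"))

    def fulfil(self, request_id, now):
        req = self._requests[request_id]
        if req.verified_at is None:
            # Never disclose, change or delete data for an unverified requester.
            raise PermissionError(f"{request_id}: identity not verified")
        if req.kind == "erasure" and req.legal_hold:
            req.outcome = "partial: records under legal retention kept, remainder erased"
        else:
            req.outcome = f"{req.kind} completed"
        req.closed_at = _ts(now)
        req.log.append((req.closed_at, req.outcome))
        return req.outcome

    def overdue(self, now):
        """Open requests that have missed an SLA as of `now`, as (id, missed step) pairs."""
        now, late = _ts(now), []
        for req in self._requests.values():
            if req.acknowledged_at is None and now > req.received_at + ACK_WINDOW:
                late.append((req.request_id, "acknowledgement"))
            if req.closed_at is None and now > req.fulfil_due:
                late.append((req.request_id, "fulfilment"))
        return late

    def audit_record(self, request_id):
        """The internal documentation the guide asks for: dates, handling and outcome."""
        req = self._requests[request_id]
        return {"request": request_id, "kind": req.kind, "principal": req.principal_id,
                "received": req.received_at.isoformat(), "fulfil_due": req.fulfil_due.isoformat(),
                "closed": req.closed_at.isoformat() if req.closed_at else None,
                "outcome": req.outcome,
                "steps": [f"{t.isoformat()} {what}" for t, what in req.log]}
```

Running `overdue()` on a schedule (for example, daily) turns the SLAs into something the compliance team can act on before a missed deadline becomes a complaint to the Board.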

6. Penalties and Enforcement Risks

The DPDPA introduces a well-defined enforcement mechanism that empowers a newly formed regulatory body to investigate violations and impose financial penalties. For international businesses handling Indian user data—whether through remote teams, local subsidiaries, or outsourcing partners—it is essential to understand what non-compliance looks like and what risks it entails.

6.1 Role of the Data Protection Board of India (DPBI)

The Data Protection Board of India (DPBI) is the central regulatory authority established under the DPDPA to:

  • Receive and adjudicate complaints filed by Data Principals (users) or third parties.
  • Investigate potential violations of data protection obligations by businesses, especially Significant Data Fiduciaries.
  • Impose penalties based on the facts of each case and issue directions to ensure compliance.
  • Order data fiduciaries to implement corrective measures, such as halting specific types of processing or enhancing their security protocols.

The Board functions independently but may coordinate with other regulators if the data breach or misuse overlaps with sector-specific rules—such as in finance, telecom, or healthcare.

Best Practice: Assign a compliance officer or team member to monitor DPBI updates and ensure that any inquiries or requests from the Board are addressed promptly and professionally.

6.2 Real-World Scenarios That Could Trigger Investigations

Even well-meaning businesses can face investigations if their data handling practices fall short. Common triggers for enforcement include:

• Failure to obtain or record valid consent

Lack of proper logs or documentation can trigger scrutiny.

• Data breach without proper notification

Delayed or missing reports to users or regulators can lead to fines.

• Outsourcing without adequate controls

If a vendor mishandles data and safeguards were missing in your contract, your company may still be liable.

• Repeated user complaints

If the Grievance Officer fails to address issues adequately, it can lead to audits or formal investigations.

Compliance Tip: Conduct regular internal audits of your data handling processes and vendor contracts. Document your efforts to demonstrate accountability in the event of a dispute or investigation.

7. How to Build a Compliant Data Privacy Program in India

The DPDPA has introduced important obligations for any business—foreign or domestic—that handles the personal data of individuals in India. To avoid legal risks, protect your brand reputation, and ensure smooth operations, international companies should put in place a structured data privacy compliance program tailored to Indian legal requirements.

Here’s a four-step roadmap to help your company build a compliant and defensible privacy program:

Step 1: Conduct Data Mapping and Flow Audits

The first step to compliance is understanding what data you collect, how you collect it, and where it goes.

• Conduct a thorough data inventory to identify the categories of personal data collected from Indian users (e.g., names, emails, contact numbers, financial data).

• Map how data flows through your systems—from collection (web forms, apps, customer service) to storage (servers, cloud platforms) to third-party sharing (vendors, affiliates, analytics tools).

• Identify whether any cross-border transfers are involved and assess whether they comply with India’s transfer rules (e.g., whether the destination country is on India’s permitted list).

Why this matters: Without knowing your data flows, you can’t determine where compliance gaps or risks exist. This step lays the foundation for every other part of your privacy program.

Step 2: Update Privacy Policies and Consent Language

Under DPDPA, privacy notices and consent forms are not just formalities—they must be clear, specific, and easy to understand.

• Review and update your privacy policy to include all mandatory disclosures: types of personal data collected, purpose of processing, retention period, user rights, and contact information of the Grievance Officer.

• Revise consent mechanisms to ensure they are affirmative (opt-in), freely given, and not bundled with unrelated services. Avoid vague language or pre-checked boxes.

• Enable easy withdrawal of consent, such as through a “Manage My Data” link or email contact.

Why this matters: If your consent forms or privacy policies are unclear or incomplete, they may be deemed invalid—and any data collected may be considered unlawful, opening the door to penalties or complaints.

Step 3: Train Staff and Contractors Handling Indian Data

Even with great policies on paper, human error is one of the biggest causes of privacy violations.

• Conduct regular privacy training for employees, customer support staff, software developers, and anyone else who has access to Indian user data.

• Make sure your contractors and vendors (such as IT outsourcing firms or local distributors) also receive training on key obligations under Indian law, especially if they are part of your data processing chain.

• Provide training on data minimization, secure data handling, and how to respond to data subject requests.

Why this matters: A single employee’s or contractor’s mistake—such as sharing a customer list with an unauthorized party—can trigger a breach investigation or financial penalty. Training builds a culture of compliance and lowers that risk.

Step 4: Prepare Breach Response and Grievance Protocols

India’s DPDPA requires companies to act quickly and transparently when something goes wrong.

• Develop a data breach response plan, outlining how you’ll detect, investigate, and report breaches involving Indian users. Identify which internal teams are responsible and set timelines for notifying the DPBI and affected users.

• Appoint a Grievance Officer and set up a structured mechanism for receiving and addressing user complaints or requests (e.g., through email, a contact form, or a helpdesk portal).

• Keep detailed records of all user requests (for access, correction, deletion, etc.) and how you responded, in case your actions are reviewed later by regulators.

Why this matters: Having no process—or an inadequate one—can turn a minor issue into a regulatory crisis. Preparing now helps protect your legal position and maintain customer trust.

8. Special Considerations for Tech and Outsourcing Companies

Tech companies and service providers handling personal data—especially in SaaS, AI, cloud services, and outsourcing—face unique risks under the DPDPA. Whether you're offering remote software solutions or outsourcing backend processes to India, it's crucial to tailor your compliance program to your business model.

Here are key issues to watch out for:

8.1 Common Pitfalls in SaaS, AI, and Outsourced Services

Tech-driven businesses often handle large volumes of personal data, including sensitive financial, health, or behavioral information. This makes them more likely to be scrutinized by Indian regulators or data principals.

• SaaS platforms that collect and process user data (even indirectly through clients) must ensure that the entire data chain—from collection to storage to third-party use—is compliant with DPDPA’s purpose limitation and security requirements.

• AI developers need to be cautious about using Indian personal data for model training or profiling without clear consent. Profiling based on automated processing can be controversial, especially if it leads to adverse decisions.

• Outsourcing providers (e.g., for customer support, payroll, or analytics) often act as data processors. If they fail to comply with security or data handling obligations, the liability can fall on the foreign data fiduciary (your company).

Practice Tip: If your company relies heavily on automated processing or AI tools, consider conducting a Data Protection Impact Assessment (DPIA)—especially if you're categorized as a Significant Data Fiduciary (SDF).

8.2 Contractual Provisions with Indian Vendors and Clients

In outsourcing and tech partnerships, contracts are your first line of defense. Every agreement involving the handling of Indian personal data should contain clear, enforceable data protection clauses.

Key contract elements include:

• Data Processing Agreements (DPAs): These should specify the scope of data processing, permitted uses, retention periods, security safeguards, and return/deletion of data upon termination of the contract.

• Confidentiality and audit clauses: Require vendors to protect personal data against unauthorized access and allow your company to audit or review their data security practices.

• Breach notification obligations: The vendor must inform you immediately of any breach, and both parties should coordinate responses to Indian authorities (such as the DPBI).

• Cross-border transfer clauses: If the data will move outside India (e.g., to U.S. or EU servers), ensure your contracts reference DPDPA requirements for transfers and consent.

Practical Tip: Don’t assume your global contract templates cover Indian legal requirements. Adapt your vendor agreements to reflect local data protection obligations.

8.3 Cloud Storage, Third-Party Processors, and Audit Rights

Many tech companies rely on cloud infrastructure or third-party tools to store or analyze user data. Under Indian law, you're still responsible for ensuring compliance—even if a breach happens through a vendor.

• Cloud storage providers must follow DPDPA's security principles. Ensure their data centers are located in permitted jurisdictions if cross-border transfers are involved.

• If you're using a third-party analytics or marketing platform that handles Indian user data, verify their security certifications (e.g., ISO 27001), legal agreements, and past compliance history.

• Maintain audit rights in your contracts, allowing you to inspect or request documentation on how Indian data is stored, accessed, or shared. This becomes especially important if you are later investigated by Indian regulators.

Practice Tip: Maintain a vendor due diligence checklist for any partner that touches Indian personal data. This could include legal terms, breach history, data protection certifications, and grievance redress mechanisms.

9. How Trustiics Can Help

Whether your business is working with Indian contractors, managing cross-border data, or planning to expand into India, Trustiics can support you with practical guidance and legal insight to help you navigate data protection obligations with confidence.

Our team and legal network offer support in:

  • Reviewing and drafting data protection policies and cross-border contracts
  • Clarifying DPDPA requirements and how they affect your business operations
  • Assisting with compliance strategies, breach protocols, and user rights responses
  • Advising on best practices across jurisdictions with a focus on actionable next steps

We understand that India’s data privacy landscape is still evolving. That’s why we take a solution-oriented, research-based approach to help our clients address real-world compliance needs—quickly, efficiently, and securely.

You can get started by submitting your request and receiving a free quote, or contact our team at support@trustiics.com for tailored assistance.

As always, our services are transparent, pay-as-you-go, and accessible—wherever you are.

10. Conclusion: Privacy Compliance as a Competitive Advantage

India’s Digital Personal Data Protection Act (DPDPA) signals a major shift in how personal data is handled in one of the world’s largest and fastest-growing digital economies. For international businesses, this is not just a regulatory hurdle—it’s a strategic opportunity.

Companies that proactively align with Indian privacy requirements will not only reduce the risk of investigations, fines, and business disruption but will also build deeper trust with customers, employees, and regulators. In today’s data-driven environment, transparency and compliance are essential assets.

Whether you are operating a SaaS platform, managing remote teams, outsourcing software development, or collecting customer data in India, now is the time to act. Build a compliance framework that fits your operations, train your team, and review your cross-border data strategies carefully.

And if you’re not sure where to start—Trustiics is here to help.