DPDP Act compliance deadline: 334 days to 13 May 2027

India's Data Privacy Law Is Here. Is Your Organisation Ready?

The Digital Personal Data Protection Act 2023 (DPDPA) is now in force. Every organisation that collects, processes, or shares personal data of Indian citizens must comply — or face penalties of up to ₹250 crore per instance of non-compliance.

Zorixx is a specialist DPDPA consultation and implementation firm — combining legal compliance knowledge, technical implementation skills, and deep sector expertise across BFSI, insurance, fintech, manufacturing, and healthcare.

  • Up to ₹250 crore: penalty for breach of significant obligations
  • Up to ₹250 crore: penalty for non-implementation of security safeguards
  • Up to ₹200 crore: penalty for breach of child data protections
  • Who is affected? Every entity processing personal data of Indian citizens

WHAT IS THE DPDPA?

The Digital Personal Data Protection Act 2023 is India’s comprehensive data protection legislation, enacted to protect the personal data of Indian citizens (Data Principals) and establish obligations for entities that process such data (Data Fiduciaries and Data Processors).

Data Principal

The individual whose personal data is processed. Has rights to access, correction, erasure, grievance redressal, and nomination.

Data Fiduciary

Any entity that determines the purpose and means of processing personal data. Carries the primary compliance obligations.

Significant Data Fiduciary (SDF)

Data Fiduciaries notified by the government based on the volume and sensitivity of the data they process and the risk to Data Principals. Additional obligations apply: appointing a Data Protection Officer (DPO) and an independent Data Auditor.

Data Processor

Entity processing personal data on behalf of a Data Fiduciary. Must comply with the terms of its Data Processing Agreement (DPA) and with the Data Fiduciary's instructions.

Consent Manager

DPDPA-registered entity enabling Data Principals to manage and withdraw consent across multiple fiduciaries.

Data Protection Board

Regulatory body under DPDPA — adjudicates complaints and imposes penalties.

KEY DPDPA OBLIGATIONS

01. Lawful Processing — Consent & Legitimate Use

Personal data may only be processed for a specific, clear, and lawful purpose with the explicit informed consent of the Data Principal, or under specific ‘Legitimate Uses’ defined by DPDPA.

  • Consent must be free, specific, informed, unconditional, and unambiguous
  • Consent notice must clearly describe the personal data to be processed and the purpose
  • Consent must be as easy to withdraw as to give
  • Legitimate Uses include processing for state functions, legal obligations, medical emergencies, employment, and public interest
  • Conditional access to services or products in exchange for consent is prohibited

02. Purpose Limitation & Data Minimisation

  • Data may only be used for the specific purpose for which consent was obtained
  • No secondary use without fresh consent
  • Only data necessary for the stated purpose may be collected
  • Zorixx Assessment: data flow mapping, purpose-to-collection alignment review

03. Data Accuracy

  • Data Fiduciaries must take reasonable steps to ensure accuracy and completeness of personal data
  • Particularly important where inaccuracy may cause significant consequences for the Data Principal
  • Zorixx Assessment: data quality controls review, master data accuracy processes

04. Storage Limitation

  • Personal data must not be retained beyond the period necessary for the stated purpose or as required by law
  • Data must be erased once the purpose is fulfilled
  • Retention schedules must be documented and automated where possible
  • Zorixx Service: data retention schedule design, automated erasure mechanism advisory

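As an added illustration of how obligations 01, 02 and 04 translate into code (this is not Zorixx's tooling, not from the page, and not an official DPDPA artefact), the following Python sketch keeps one consent record per Data Principal and purpose, refuses processing for any purpose that was not consented to, treats withdrawal as a single call with no preconditions, and flags records for erasure once consent is withdrawn or the documented retention period has elapsed. The principal IDs, purpose names and retention periods are constructed assumptions.

```python
"""Purpose-bound consent ledger with retention enforcement.

Added illustration for this page: not Zorixx code and not an official DPDPA
artefact. Principal IDs, purposes and retention periods are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class ConsentError(Exception):
    """Raised when a processing request has no valid consent behind it."""


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                      # the specific purpose the consent covers
    granted_at: datetime
    retention: timedelta              # documented retention period for this purpose
    withdrawn_at: Optional[datetime] = None
    erased_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """Usable only if not erased, not withdrawn, and still within retention."""
        if self.erased_at is not None:
            return False
        if self.withdrawn_at is not None and self.withdrawn_at <= now:
            return False
        return now < self.granted_at + self.retention


class ConsentLedger:
    """One record per (Data Principal, purpose), plus an append-only audit log."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}
        self.audit_log: list[str] = []

    def grant(self, principal_id: str, purpose: str,
              retention: timedelta, now: datetime) -> ConsentRecord:
        rec = ConsentRecord(principal_id, purpose, now, retention)
        self._records[(principal_id, purpose)] = rec
        self.audit_log.append(f"{now.isoformat()} GRANT {principal_id} {purpose}")
        return rec

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> None:
        # Withdrawal is one call with no preconditions: as easy as granting.
        rec = self._records.get((principal_id, purpose))
        if rec is None:
            raise KeyError(f"no consent record for {principal_id}/{purpose}")
        rec.withdrawn_at = now
        self.audit_log.append(f"{now.isoformat()} WITHDRAW {principal_id} {purpose}")

    def authorise(self, principal_id: str, purpose: str, now: datetime) -> bool:
        """Purpose limitation: consent for one purpose never covers another."""
        rec = self._records.get((principal_id, purpose))
        if rec is None:
            raise ConsentError(f"no consent from {principal_id} for '{purpose}'")
        if not rec.is_active(now):
            raise ConsentError(f"consent from {principal_id} for '{purpose}' is not active")
        self.audit_log.append(f"{now.isoformat()} USE {principal_id} {purpose}")
        return True

    def purge_expired(self, now: datetime) -> list[tuple[str, str]]:
        """Storage limitation: flag withdrawn or expired records for erasure.

        Returns the (principal, purpose) keys whose underlying data the storage
        layer must now delete; the ledger keeps the record itself as evidence.
        """
        due = [key for key, rec in self._records.items()
               if rec.erased_at is None and not rec.is_active(now)]
        for key in due:
            self._records[key].erased_at = now
            self.audit_log.append(f"{now.isoformat()} ERASE {key[0]} {key[1]}")
        return due


def demo() -> dict:
    """Grant, purpose check, withdrawal and retention expiry on constructed data."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ledger = ConsentLedger()
    ledger.grant("DP-001", "claims_processing", 365 * day, t0)

    results: dict = {}
    results["claims_allowed"] = ledger.authorise("DP-001", "claims_processing", t0 + 10 * day)
    try:                                  # secondary use without fresh consent
        ledger.authorise("DP-001", "marketing", t0 + 10 * day)
        results["marketing_allowed"] = True
    except ConsentError:
        results["marketing_allowed"] = False

    ledger.withdraw("DP-001", "claims_processing", t0 + 30 * day)
    try:
        ledger.authorise("DP-001", "claims_processing", t0 + 31 * day)
        results["after_withdrawal_allowed"] = True
    except ConsentError:
        results["after_withdrawal_allowed"] = False

    ledger.grant("DP-002", "warranty_registration", 90 * day, t0)
    results["erased_on_day_100"] = ledger.purge_expired(t0 + 100 * day)
    results["events"] = len(ledger.audit_log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ledger deliberately keeps a record after erasure (with `erased_at` set) rather than deleting it: the personal data goes, but the evidence that consent existed, was withdrawn, and was acted on stays available for the audit trail a Data Auditor or the Data Protection Board would ask for. A production system would run `purge_expired` on a schedule and hand its output to the actual data stores.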
05. Security Safeguards

  • Data Fiduciaries must implement reasonable security safeguards to prevent data breach
  • Includes technical controls (encryption, access management, VAPT) and organisational controls (policies, training)
  • Zorixx Service: security safeguard assessment, VAPT, access control review, encryption audit

06. Breach Notification

  • Any personal data breach must be notified to the Data Protection Board and affected Data Principals
  • Notification must describe the nature of the breach, the data affected, and the remedial action taken
  • The Act itself defines no specific timeline; the Rules will specify one (expected to mirror the global standard of 72 hours)
  • Zorixx Service: breach response framework design, incident response plan, notification template library

07. Data Principal Rights

  • Right to access — summary of personal data being processed and processing activities
  • Right to correction and erasure — correct inaccurate data, erase data when purpose is fulfilled
  • Right to grievance redressal — designated grievance officer, resolution within prescribed period
  • Right to nomination — nominate another person to exercise rights in case of death or incapacity
  • Zorixx Service: rights fulfilment framework, grievance officer designation support, process design

08. Additional Obligations for Significant Data Fiduciaries (SDFs)

  • Appointment of Data Protection Officer (DPO) — based in India, accountable to Board
  • Appointment of independent Data Auditor
  • Periodic Data Protection Impact Assessment (DPIA)
  • Zorixx Service: DPO advisory and support, audit readiness for Data Auditor engagement

09. Children's Data Protection

  • Verifiable parental consent required before processing personal data of children (under 18)
  • Prohibition on processing data likely to cause detrimental effect on children
  • Prohibition on tracking, behavioural monitoring, or targeted advertising directed at children
  • Penalty: up to ₹200 crore for violations

ZORIXX DPDPA IMPLEMENTATION JOURNEY

Phase 1: Discover (Weeks 1–2)

Personal data discovery and inventory. Data flow mapping. Legal basis analysis. Vendor/processor mapping.

Phase 2: Assess (Weeks 3–4)

Gap assessment against all DPDPA obligations. Risk-rated gap register. Penalty exposure quantification.

Phase 3: Design (Weeks 5–8)

Consent framework design. Privacy governance structure. Retention schedule. Breach response framework. Policy and notice drafting.

Phase 4: Implement (Weeks 9–16)

Consent management implementation. Security safeguards implementation. Data Principal rights fulfilment processes. DPO onboarding support.

Phase 5: Train (Week 17)

Organisation-wide DPDPA awareness training. Role-specific training for data handlers, IT, legal, HR teams.

Phase 6: Monitor & Sustain (Ongoing)

Quarterly compliance health check. Annual re-assessment. Consent audit. Breach response drill. Regulatory update monitoring.

Banking, Financial Services & Insurance

BFSI entities are among the highest-risk categories under DPDPA — processing enormous volumes of sensitive financial, health, and identification data. They also operate under multiple overlapping regulators (RBI, SEBI, IRDAI) creating a complex compliance environment.

Zorixx BFSI DPDPA Package includes:

  • DPDPA readiness assessment
  • Sector-specific consent framework
  • BFSI-tailored policy library
  • Regulatory overlap analysis (RBI/SEBI/IRDAI vs DPDPA)

Insurance Specific DPDPA Requirements

  • Policyholder health data — highest-risk category; specific consent for processing
  • Claims data processing — purpose limitation; no use for underwriting without consent
  • Nominee data — rights to nomination under DPDPA align with nomination in insurance
  • Re-insurer data sharing — Data Processor agreement requirements
  • Broker data practices — consent for contacting policy seekers
  • ISNP customer data — platform-specific consent design for online insurance distribution

SWIFT Security Controls Assessment (CSCF)

SWIFT CSCF v2025 — 22 mandatory controls assessment

  • 9 advisory controls assessment
  • SWIFT interface and infrastructure security review
  • Operator access controls and four-eye principle verification
  • Payment transaction flow security review

Manufacturing & Enterprise

  • Employee personal data — payroll, HR data, biometric attendance data
  • Customer data — warranty registration, service records, CRM data
  • Supplier and vendor data — personal data in procurement processes

Frequently asked questions

DPDPA applies to any entity that processes digital personal data of Indian citizens — whether the processing occurs in India or outside India. There is no minimum turnover or size threshold.

Unlike earlier frameworks, DPDPA does not define a separate 'sensitive personal data' category. However, the government can notify certain categories as requiring higher protection — expected to include health, financial, biometric, and children's data.

DPO is mandatory only for 'Significant Data Fiduciaries' notified by the government. However, all organisations should designate a data protection point of contact for grievance redressal.

DPDPA allows cross-border data transfers to countries that will be notified by the government. Until that list is published, transfers should be reviewed against contractual safeguards and Data Principal consent.

Penalties range from ₹10,000 to ₹250 crore depending on the nature and severity of the violation. The Data Protection Board adjudicates complaints and determines penalties.

For a mid-size organisation, a full implementation typically takes 12–20 weeks depending on the complexity of data flows and the number of systems involved. Zorixx's phased approach allows you to achieve baseline compliance quickly while building toward full compliance.


DPDPA Readiness Checklist (Free)

40-point checklist covering all DPDPA obligations. Download and assess your current compliance status.

DPDPA Compliance Roadmap Template (Free)

Phased implementation roadmap template. Customise for your organisation.

DPDPA Penalty Exposure Calculator (Free)

Estimate your penalty exposure based on data volumes and compliance gaps.

DPDPA for BFSI — White Paper

Deep-dive on DPDPA obligations for banks, NBFCs, insurance companies, and fintechs. Includes RBI/SEBI/IRDAI overlap analysis.

DPDPA vs GDPR — Comparison Guide

Side-by-side comparison for organisations with both Indian and EU data processing.

Children's Data Under DPDPA — Implementation Guide

Practical guide for edtech, gaming, and digital platforms serving users under 18.
