Data Protection in India: How the DPDP Act Transforms the Privacy Landscape

India’s data protection journey has been long and complex. For years, the Information Technology Act, 2000, and its 2011 rules on reasonable security practices were the only guardrails. These provisions were widely regarded as inadequate — they lacked a dedicated regulatory body, did not define individual rights comprehensively, and imposed no meaningful penalties for data mishandling.

The turning point came with the Justice B.N. Srikrishna Committee, constituted in 2017, which recommended a comprehensive data protection law. After multiple iterations — the 2018 draft, the 2019 Bill, and the withdrawn 2021 version — the Digital Personal Data Protection Act received Presidential assent on August 11, 2023. India became the nineteenth G20 nation to enact a comprehensive data protection statute.

Key Pillars of the New Framework

The Digital Personal Data Protection (DPDP) Act is anchored in five core principles that govern the lifecycle of personal data. These pillars define the legal and operational expectations for organisations, ensuring that data is processed in a lawful, controlled, and accountable manner.

1. Consent-Based Processing

Personal data may be processed only on the basis of valid consent or specific legitimate uses defined under the Act. Consent must be free, specific, informed, unconditional, and unambiguous, requiring organisations to implement clear notice mechanisms and auditable consent capture processes. This principle reinforces individual autonomy while establishing a lawful basis for processing.

2. Purpose Limitation

Personal data must be collected for a clear and specific purpose and cannot be used beyond that scope without obtaining fresh consent. Organisations are therefore required to define and document processing purposes at the point of collection, ensuring that data usage remains aligned with what has been communicated to the Data Principal.

3. Data Minimisation

The Act mandates that only data necessary for the specified purpose should be collected and processed. This requires organisations to adopt a need-based approach to data collection, limiting exposure to unnecessary risk and ensuring that data practices remain proportionate and relevant.

4. Storage Limitation

Personal data must not be retained beyond the period required to fulfil the specified purpose. Once the purpose is achieved, the data must be deleted unless retention is mandated under applicable law. This principle promotes disciplined data lifecycle management and reduces the risk associated with prolonged data storage.

5. Accountability of the Data Fiduciary

The responsibility for compliance rests with the Data Fiduciary, irrespective of whether processing activities are carried out internally or delegated to a Data Processor. Organisations must implement appropriate governance frameworks, internal controls, and oversight mechanisms to ensure continuous compliance with the Act.

Collectively, these pillars establish a robust foundation for data protection in India, aligning with global best practices while addressing the specific requirements of the domestic regulatory environment.

The Data Protection Board of India

The DPBI is the apex enforcement body. Established through the November 2025 notification, the Board investigates complaints, adjudicates disputes, and imposes penalties. It functions as a digital office, conducting proceedings through techno-legal measures that do not require physical presence.

Inquiries must be completed within six months, extendable by three months. The Board can impose penalties of up to INR 250 crore. Appeals go to the Telecom Disputes Settlement Appellate Tribunal (TDSAT). The Board’s Chairperson receives a consolidated salary of INR 4.5 lakh per month, and members receive INR 4 lakh per month, signalling the government’s intent to attract credible regulatory talent.

India vs. GDPR: Similarities and Differences

While the DPDP Act shares core principles with the GDPR, including consent, purpose limitation, data minimisation, and individual rights, important differences exist. The DPDP Act applies only to digital personal data, whereas the GDPR covers all forms of personal data. The DPDP Act does not distinguish between personal data and sensitive personal data, unlike the GDPR’s special categories.

The cross-border transfer mechanism under the DPDP Act follows a negative-list approach, where transfers are allowed unless specifically restricted by the government. This differs from the GDPR's adequacy-based framework. For multinational organisations, these differences mean that GDPR compliance alone does not ensure alignment with the DPDP Act, making a tailored compliance approach necessary.

Conclusion

India’s data protection framework has evolved from fragmented provisions to a comprehensive, principle-driven law with the introduction of the Digital Personal Data Protection Act, 2023. The Act establishes clear guidelines for how personal data is collected, processed, and governed, supported by defined accountability and enforcement through the Data Protection Board of India.

While it aligns with global privacy principles, the DPDP Act also introduces a distinct regulatory approach tailored to India’s ecosystem. For organisations, this makes it essential to move beyond generic compliance frameworks and adopt practices specifically aligned with the Act.

As data continues to drive business decisions, organisations that prioritise responsible data handling will be better positioned to build trust and sustain long-term growth.