Data Privacy & Protection Laws (India & Global)

What are the legal implications of non-compliance with data breach notification requirements in India?

Introduction

With the rise in cyberattacks, data theft, ransomware, and system vulnerabilities, data breaches have become one of the most critical risks faced by organizations today. To address this, India’s Digital Personal Data Protection Act (DPDPA) 2023, set to be fully operational as DPDPA 2025, imposes legal obligations on businesses and other entities to report data breaches to the appropriate authorities and affected individuals.

Failure to comply with these data breach notification requirements has serious legal consequences, including financial penalties, reputational damage, and even investigations by regulatory bodies. In this context, understanding the breach notification requirements and the legal risks of non-compliance is essential for organizations operating in India.

Definition of a Data Breach Under Indian Law

Under the DPDPA, a data breach refers to any unauthorized or accidental disclosure, sharing, alteration, loss, access to, or misuse of personal data that compromises the confidentiality, integrity, or availability of that data.

This includes:

  • Hacking of databases

  • Insider data theft

  • Ransomware attacks

  • Accidental leaks via emails or misconfigured servers

  • Third-party service provider breaches

Key Data Breach Notification Obligations Under DPDPA 2025

According to Section 8(6) of the DPDPA:

  • Every Data Fiduciary (organization processing data) must report a data breach to the Data Protection Board of India (DPBI) as soon as possible, and within the prescribed time (to be notified via rules).

  • If the breach poses a risk to the rights of Data Principals (individuals), the organization must also inform the affected individuals.

  • The notification must include:

    • The nature and scale of the breach

    • The personal data affected

    • Likely consequences for Data Principals

    • Steps taken to mitigate or prevent future breaches

    • A grievance redressal contact for users

This obligation exists regardless of intent or cause — whether the breach was accidental or malicious.

Legal Implications of Non-Compliance

1. Monetary Penalties by the Data Protection Board

The DPDPA authorizes the Data Protection Board of India to impose financial penalties for breach-related violations.

According to the Schedule of Penalties in the Act:

  • Failure to notify the Board and affected individuals of a data breach can result in a fine of up to ₹200 crore (2 billion INR).

  • The actual penalty depends on factors such as:

    • Nature and severity of the breach

    • Duration of delay in reporting

    • Volume of data and number of affected individuals

    • Intent or negligence involved

    • Damage caused to individuals

Example:
A fintech company suffers a breach of financial data of 1 million customers and delays reporting for 10 days. If found negligent, the Board may impose a significant portion of the ₹200 crore maximum penalty.

2. Additional Liability for Significant Data Fiduciaries

Organizations classified as Significant Data Fiduciaries (SDFs) — such as those dealing with large-scale sensitive personal data or those impacting national interest — have heightened obligations.

If an SDF fails to notify a breach:

  • It can attract stricter scrutiny

  • Senior officers may be personally liable

  • The firm may face compliance audits

  • DPOs (Data Protection Officers) can be held accountable

3. Civil Suits and Compensation Claims

Though DPDPA does not explicitly create a compensation framework, individuals whose rights are violated due to a data breach may:

  • File complaints with the Data Protection Board

  • Pursue legal action under contract law or consumer protection law

  • Seek damages for financial or emotional harm

If a breach causes identity theft, reputational loss, or fraud, affected persons may approach consumer forums or civil courts claiming compensation.

Example:
A healthcare app leaks medical records of patients. Affected users may sue the company for emotional distress or reputational damage under Indian tort law or the Consumer Protection Act.

4. Reputational and Commercial Consequences

Non-compliance, especially when exposed in the public domain, leads to:

  • Loss of customer trust

  • Brand damage

  • Investor concern

  • Loss of business contracts, especially from international clients demanding data security compliance

Many B2B SaaS or IT service contracts with global clients include data breach clauses. Failure to notify may result in:

  • Termination of contracts

  • Breach of SLA obligations

  • Exposure to global regulatory liabilities (like GDPR fines)

5. Criminal Implications Under Other Laws

While DPDPA focuses on civil penalties, criminal provisions under other Indian laws can also apply:

a. The Information Technology Act, 2000 (IT Act):

  • Section 72A punishes disclosure of personal data without consent with up to 3 years of imprisonment or ₹5 lakh fine

  • Section 43A makes companies liable to compensate users if data is mishandled due to negligence

b. Indian Penal Code (IPC):

  • Sections related to criminal breach of trust, cheating, or data theft may apply if insiders or hackers are involved

6. Impact on Regulatory Licenses and Industry Compliance

Non-compliance with data breach rules can lead to:

  • Suspension or revocation of licenses by industry regulators (e.g., RBI, IRDAI, SEBI)

  • Enforcement actions under sectoral IT/cybersecurity regulations

  • Additional compliance audits and scrutiny from data commissioners

Example:
A payment company regulated by the RBI suffers a breach but fails to report it within the mandated 6-hour window under RBI cybersecurity guidelines. It can be penalized both under RBI regulations and the DPDPA.

7. International Implications

For Indian companies handling EU or US customer data, failure to report breaches under Indian law may also:

  • Trigger GDPR penalties (which mandate 72-hour breach reporting)

  • Breach contract terms with global partners

  • Lead to blacklisting or loss of cross-border data transfer permissions

Example:
A Noida-based SaaS company serving French clients fails to report a breach affecting EU data. It may face enforcement by the EU Data Protection Authority, in addition to Indian penalties.

How Organizations Can Ensure Compliance

To avoid legal implications, companies should:

  • Establish incident detection and response plans

  • Define a 24×7 breach response team

  • Create a data breach notification policy

  • Set up automatic alerts for unusual activity or system compromise

  • Maintain contact databases for regulators and users to enable quick notification

  • Use tools for data classification and breach impact analysis

  • Train employees on breach response protocols

Example Policy Flow:

  1. Identify and contain the breach

  2. Assess its impact on personal data

  3. Notify internal DPO/legal team within 2–6 hours

  4. Draft and submit report to Data Protection Board

  5. Notify affected users with actionable steps (e.g., change passwords)

  6. Log the entire process for audit trails

Conclusion

Non-compliance with data breach notification requirements under the DPDPA 2025 exposes Indian businesses to severe financial penalties, legal action, criminal liability, and brand damage. With regulators increasingly taking a zero-tolerance stance on breach secrecy or delay, organizations must adopt proactive strategies, implement robust monitoring systems, and train teams to react swiftly.

Data privacy and breach preparedness must be treated as a core compliance and business continuity responsibility, not just a technical issue. By building a culture of transparency, accountability, and quick response, businesses can safeguard themselves from legal fallout and build greater trust in India’s fast-evolving digital ecosystem,

Understanding cross-border data transfer restrictions and guidelines under Indian law.

Introduction

As global digital interactions grow, the cross-border transfer of personal data has become an integral part of business operations. Whether it’s a tech company outsourcing customer support to another country, or a payment processor transmitting user data across borders for real-time transaction processing, seamless data flow is critical. However, such flows raise crucial concerns about privacy, misuse, jurisdiction, and national security.

India’s data protection framework — particularly through the Digital Personal Data Protection Act (DPDPA) 2023, operational as of 2025 — introduces a structured and legally enforceable approach to regulate cross-border transfers of personal data. These rules aim to strike a balance between enabling international business and protecting the rights and privacy of Indian citizens, known legally as Data Principals.

This article explores the meaning, restrictions, conditions, and compliance requirements for cross-border data transfers under Indian law, with examples and interpretations to help businesses and professionals understand their obligations.

Meaning of Cross-Border Data Transfer

Cross-border data transfer refers to the transmission of digital personal data from servers or systems located within India to servers or entities outside India. This may include:

  • Storing customer data on foreign servers (e.g., cloud storage in the US or Europe)

  • Sharing employee data with overseas headquarters

  • Outsourcing data processing functions (analytics, marketing, payroll) to third-party vendors abroad

While such transfers are often essential for operational efficiency, they expose data to different legal systems and potentially lesser data protection standards, prompting the need for a regulatory safeguard.

Evolution of Cross-Border Data Regulation in India

India has long debated data localization and transfer rules:

  • 2017–2018: The Justice Srikrishna Committee proposed strict localization for sensitive personal data.

  • 2019 PDP Bill: Proposed that sensitive personal data must be stored in India, though copies could be transferred abroad with conditions.

  • 2023 DPDPA (final law): Took a more practical and business-friendly approach, removing the mandatory localization requirement but still introducing selective restrictions.

Key Provisions on Cross-Border Data Transfers Under DPDPA 2025

Unlike earlier drafts, the DPDPA 2023/2025 does not outright restrict all data transfers, nor does it require mandatory data localization. Instead, it allows cross-border data transfers by default, subject to certain government-issued restrictions.

The relevant features of the law are:

1. Government-Notified “Restricted Countries” Clause
Section 16 of the DPDPA empowers the Central Government to restrict the transfer of personal data to certain countries or territories based on considerations such as:

  • National security

  • Friendly relations with that country

  • Risk of misuse

  • Data protection standards in the receiving country

If a country is notified as “restricted”, then data transfers to that country will be prohibited.

However, as of now, no country list has been officially notified, meaning cross-border transfers are currently allowed unless and until specific countries are blacklisted.

2. Consent and Purpose Limitation
Even if transfers are permitted:

  • They must be based on valid user consent

  • The user must be informed in advance that their data may be transferred internationally

  • The transfer must adhere to the purpose for which data was originally collected

For example, if a travel booking platform is collecting passport and payment data for booking international tickets, it must inform users during consent that their data may be shared with global airlines or payment gateways abroad.

3. Contractual Safeguards
Although the DPDPA doesn’t mandate this, it is a best practice (and often required by foreign laws like the GDPR) to include Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) in contracts with foreign vendors. These clauses should:

  • Define how data will be handled

  • Restrict data misuse

  • Require security standards

  • Mandate breach notification protocols

4. Protection of Data Principal Rights
Regardless of where data is transferred, the Indian citizen’s rights (such as right to withdraw consent or correct data) must be enforceable and respected. This means that organizations must ensure their foreign partners have mechanisms to support such rights.

5. Role of Data Protection Board of India (DPBI)
If any cross-border data transfer leads to a breach, misuse, or violation of rights, the Data Protection Board can initiate an investigation, and the originating company in India can be held liable, even if the actual misuse happened abroad.

6. Special Rules for Government Data
Data related to government contracts, strategic infrastructure, or critical sectors (like defense, healthcare, telecom) may be subject to sectoral restrictions or national security guidelines, even if not specifically restricted under DPDPA. These restrictions are often issued under separate rules or government orders.

7. Sensitive Personal Data (SPD) and Children’s Data
While DPDPA treats all personal data under the same umbrella, businesses should treat sensitive personal data (such as biometric, health, financial, and children’s data) with additional caution. Cross-border transfers of such data should be conducted only when:

  • The receiving entity has adequate safeguards

  • User rights are contractually protected

  • Proper encryption and anonymization are used

Illustrative Example: How Cross-Border Transfer Works

Example 1: E-commerce Platform

A company named Shopora India Pvt. Ltd., based in Mumbai, uses an email marketing service hosted in Ireland to send personalized promotional emails to its Indian customers. It collects user data (email, purchase history, browsing behavior) and shares it with the Irish platform.

To comply with DPDPA:

  • Shopora must inform users that their data may be processed outside India

  • It must take consent at the time of sign-up

  • It must ensure the foreign service provider has proper data security and privacy protocols

  • If Ireland is later designated as a restricted country, Shopora must stop transferring data there and find an alternate solution

Example 2: Indian Fintech Sharing Data with US Analytics Partner

An Indian fintech company shares customer transaction patterns with a US-based AI company for predictive analytics.

They must:

  • Get user consent

  • Ensure data is pseudonymized or encrypted

  • Enter into a binding agreement with the US partner on handling of data

  • Comply with sectoral RBI guidelines if applicable

  • Be ready to stop transfer if US is notified as a restricted country

Challenges in Cross-Border Transfers

Several businesses face operational challenges while ensuring cross-border compliance:

  • Lack of clarity on which countries may become restricted in the future

  • Inconsistent international laws (e.g., difference between Indian law and EU’s GDPR)

  • Difficulty in monitoring third-party data usage once transferred

  • Legal uncertainty when data is moved via global cloud platforms (like AWS, Azure)

To overcome these, organizations should:

  • Maintain a map of all international data flows

  • Limit transfers to countries with strong privacy laws

  • Use strong contracts and data processing agreements

  • Choose cloud regions and vendors based on data protection standards

Comparison with Global Laws

Let’s look at how DPDPA’s stance compares with other countries:

GDPR (EU): Allows transfers only to countries with adequate data protection, or via SCCs or Binding Corporate Rules. Very strict.

CCPA (California): Less restrictive, but requires disclosures and opt-outs for sale of personal data.

Singapore PDPA: Allows cross-border transfers if the receiving party ensures comparable protection.

India’s DPDPA: More flexible, permits transfer by default unless restricted. Places emphasis on consent and government control rather than adequacy assessments.

This shows that while India is adopting a liberal transfer model, it retains sovereign control by reserving the right to blacklist specific countries.

Conclusion

India’s DPDPA 2025 introduces a modern, globally-aligned yet India-first approach to cross-border data flows. It avoids blanket restrictions and allows transfers by default, while enabling the government to step in if necessary. For businesses, this means greater freedom — but also the responsibility to manage consent, partner contracts, user rights, and security across borders.

Organizations must treat cross-border data not just as a technical task, but as a legal obligation. They should audit their data flow, evaluate risks, and build policies that align with India’s emerging privacy regime. As the Central Government starts notifying restricted countries and more specific rules, compliance will shift from voluntary to mandatory. Early preparation is key to ensure business continuity, consumer trust, and legal safety in a world increasingly dependent on global data exchange.

What are the key obligations for data fiduciaries under the new Indian data protection rules?

Introduction
Under the Digital Personal Data Protection Act (DPDPA), 2023, which is set to become fully enforceable by 2025, the Government of India has laid out specific responsibilities for entities called data fiduciaries. A data fiduciary is any person, company, or organization that determines the purpose and means of processing personal data. These obligations are designed to ensure accountability, transparency, and the protection of individual privacy. All businesses that handle personal data in digital form must comply with these obligations, whether they collect it directly or receive it from another party.

Obligation 1: Obtain Valid and Informed Consent
Data fiduciaries must obtain clear, informed, and specific consent from users before collecting their personal data. The consent must be given voluntarily and must be based on clear information about what data will be collected and for what purpose. Consent should not be obtained by default or as a precondition for accessing unrelated services. Users should also have the right to withdraw their consent at any time.

Example
If a shopping website like Flipkart wants to collect data to send promotional emails, it must show users a checkbox asking for their consent. It cannot automatically assume consent or make it a hidden part of the terms and conditions.

Obligation 2: Purpose Limitation
Personal data must be collected only for specific, lawful, and stated purposes. A business cannot collect data for one reason and then use it for another unrelated purpose without obtaining additional consent from the user.

Example
If a travel site like MakeMyTrip collects a user’s passport number for flight booking, it cannot later use this information for unrelated services like insurance marketing unless it gets separate consent.

Obligation 3: Data Minimization
Only data that is strictly necessary for fulfilling the stated purpose should be collected. Businesses should avoid asking for excessive or irrelevant information from users.

Example
An app that delivers groceries should only ask for name, address, contact number, and payment information. It should not ask for personal details like marital status or religion unless required by law or a specific service.

Obligation 4: Storage Limitation
Data fiduciaries must not retain personal data longer than necessary. Once the purpose for which the data was collected is fulfilled, the data should be deleted or anonymized. Businesses must set internal retention timelines and ensure old or unused data is cleared periodically.

Example
If an online learning platform like Byju’s collects user data for course access, it should delete the data once the course ends and the student no longer needs the service.

Obligation 5: Accuracy of Data
Data fiduciaries are required to keep personal data accurate and up-to-date. They must provide a mechanism for individuals to review and correct their data.

Example
If a user’s delivery address changes on Amazon, the platform must allow the user to update their information and ensure the new address is used for all future orders.

Obligation 6: Implement Security Safeguards
Businesses must implement reasonable technical and organizational security measures to protect personal data from unauthorized access, disclosure, or breach. These include encryption, firewall protection, access controls, employee training, and breach detection systems.

Example
A financial app like PhonePe must ensure that user data is encrypted, login credentials are securely stored, and regular security audits are conducted to detect vulnerabilities.

Obligation 7: Grievance Redressal Mechanism
Data fiduciaries must provide an effective and responsive grievance redressal system. Users should be able to file complaints related to their data, consent, deletion requests, or misuse, and businesses must resolve these within the time specified by law.

Example
If a user contacts Paytm with a complaint about unauthorized data sharing, Paytm must investigate the issue and provide a formal resolution within the legal time frame.

Obligation 8: Enabling User Rights
Data fiduciaries are responsible for enabling individuals to exercise their rights under the Act. These include the right to access personal data, the right to correct or delete it, the right to withdraw consent, and the right to be informed about how data is used.

Example
If a user of Swiggy wants to delete their account and associated data, Swiggy must allow the user to initiate the deletion request and confirm once the data has been removed from its systems.

Obligation 9: Breach Notification
In the event of a data breach, the data fiduciary must inform the affected individuals as well as the Data Protection Board of India. The notification must be made promptly, including details of the nature of the breach and steps taken to minimize its impact.

Example
If a cyberattack exposes customer emails and phone numbers at Ola, the company must immediately notify the affected users and report the incident to the Board with a full explanation.

Obligation 10: Appointment of Data Protection Officer (for SDFs)
Organizations that are classified as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process must appoint a Data Protection Officer (DPO). The DPO will be responsible for ensuring compliance, managing grievances, and acting as the point of contact with the Data Protection Board.

Example
A telecom company like Jio would be considered a Significant Data Fiduciary and must appoint a qualified DPO to oversee all data protection responsibilities within the company.

Obligation 11: Conducting Data Protection Impact Assessments (DPIAs)
SDFs must conduct regular assessments of the potential risks their data processing activities pose to individuals. These assessments help in identifying vulnerabilities and applying safeguards to reduce risk.

Example
An insurance company that uses automated algorithms to assess customer profiles must carry out DPIAs to ensure its system does not unfairly discriminate or expose users to harm.

Obligation 12: Cross-Border Data Transfer Compliance
Data fiduciaries can transfer personal data outside India only to countries approved by the central government. Even after the data is transferred, fiduciaries must ensure that the data continues to be processed in a manner that protects individual rights.

Example
A company like Google India can store or process user data on servers in the US only if the US is among the countries notified by the government and all protective safeguards are maintained.

Obligation 13: Maintain Records and Audit Trails
Data fiduciaries are required to maintain records of their data processing activities, including when consent was taken, how long the data was stored, who accessed it, and when it was deleted. This is important for audits and demonstrating compliance.

Example
A food delivery app like Zomato should keep an internal log of every user consent interaction, data sharing with delivery partners, and data deletion request history for verification purposes.

Obligation 14: Accountability and Transparency
Data fiduciaries must publish a privacy policy, clearly outline how personal data is handled, and be transparent about any data-sharing with third parties. They are also accountable for ensuring that all their third-party vendors or processors comply with DPDPA regulations.

Example
If Myntra outsources its customer support to a third-party agency, it must ensure that the agency handles personal data with the same level of security and compliance required under Indian law.

Conclusion
The DPDPA 2023 places significant responsibilities on data fiduciaries to manage personal data ethically, securely, and transparently. These obligations reflect a broader shift toward recognizing data privacy as a fundamental right in India. For businesses, this means redesigning data systems, rewriting privacy policies, setting up grievance redressal procedures, implementing technical safeguards, and ensuring organizational compliance. Non-compliance can attract penalties of up to ₹250 crore, reputational loss, and possible suspension of operations. Companies that embrace these changes proactively will not only avoid penalties but also build stronger relationships with users, win trust, and position themselves for sustainable success in a privacy-first digital economy.

How does India’s DPDPA 2023/2025 impact data handling practices for businesses?

Introduction
The Digital Personal Data Protection Act (DPDPA) 2023, expected to be fully implemented by 2025, is India’s first comprehensive law dedicated to governing the use, processing, and storage of digital personal data. It reflects a major shift in India’s digital regulatory framework, placing strong emphasis on the protection of individual privacy and personal data rights. The DPDPA is designed to create a balance between the rights of individuals (Data Principals) and the lawful interests of businesses (Data Fiduciaries). Inspired by global data protection frameworks such as the European Union’s GDPR, it sets out detailed requirements for how businesses should collect, handle, store, and process personal data in India.

Core Principles of the DPDPA
The DPDPA is based on important foundational principles including purpose limitation, consent-based data processing, data minimization, storage limitation, accuracy, accountability, and transparency. These principles are embedded throughout the Act and form the guiding standards for all data handling practices in India. Businesses must not only comply with these principles in letter but also in spirit, by redesigning internal processes and technologies.

Requirement of Valid Consent
The Act mandates that no personal data shall be processed without obtaining explicit, clear, and informed consent from the individual. Consent must be free, specific, informed, unambiguous, and given through affirmative action. Individuals must also have the ability to withdraw consent at any point.

Impact on Businesses
Businesses must redesign all user interfaces where personal data is collected—such as websites, forms, and mobile applications—to include transparent consent forms and options to revoke consent. The commonly used practices of passive consent or bundled terms and conditions are no longer allowed. Every business must track consent and show proof that it was legally obtained.

Example
If Flipkart collects user data for sending promotional emails, it must show a separate opt-in checkbox where users can agree or disagree. It cannot automatically enroll users in marketing communication by default.

Obligations of Data Fiduciaries
Under the DPDPA, all businesses that handle personal data are known as Data Fiduciaries and must follow legal obligations such as informing users about the purpose of data collection, processing data only for legitimate use, ensuring data accuracy, implementing security safeguards, and allowing users to exercise their rights. Fiduciaries are expected to build systems that support these requirements.

Example
An app like Practo that stores sensitive health data must now provide a mechanism for users to correct errors in their medical history or delete outdated records, while ensuring data is encrypted and protected from unauthorized access.

Purpose Limitation and Data Minimization
The DPDPA requires that data be collected only for specific and declared purposes. The purpose must be shared with the user at the time of consent, and businesses are expected to collect only data that is strictly necessary for the stated purpose. Collecting extra data “just in case” is not allowed under this law.

Example
A ticket booking platform like IRCTC can ask for the passenger’s name, age, and ID, but it cannot ask for income, education level, or religious beliefs unless that data is essential for the service being provided.

Data Principal Rights
The DPDPA introduces several important rights for individuals, including the right to access their data, the right to correct inaccuracies, the right to delete data, the right to be informed, and the right to withdraw consent. Businesses are obligated to create internal systems to allow users to exercise these rights efficiently.

Example
If a Zomato user decides to delete their profile and all order history, Zomato must comply with this request and confirm the deletion. They must not keep any data unless it is legally required (such as for tax records).

Consent Managers
DPDPA introduces the concept of Consent Managers—neutral platforms authorized by the government to help individuals manage their consents across platforms. These managers can help users view, withdraw, or provide consent for multiple services from a single dashboard.

Example
A financial app like PhonePe might integrate with a consent manager such as Sahamati, enabling users to manage their consents for data sharing with various banks, lenders, and apps.

Children’s Data Protection
Special provisions are made for protecting the personal data of children under the age of 18. Parental consent is mandatory before processing data of minors. Businesses are also restricted from conducting behavioral tracking or serving targeted advertisements to minors.

Example
EdTech platforms like Byju’s must collect verifiable parental consent before enrolling a child and must ensure no personalized ads or data tracking are done on children’s usage patterns.

Cross-Border Data Transfer Rules
The law allows data to be transferred to countries that the Indian government notifies from time to time. This is a more relaxed stance compared to earlier drafts that called for strict data localization. However, the receiving countries must have strong data protection standards in place.

Example
Amazon India may process some of its data using servers in the United States, provided the US is among the countries approved by the Indian government and Amazon ensures compliance with Indian laws.

Data Breach Notification Requirements
In the event of a data breach, businesses must inform both the affected individuals and the Data Protection Board of India. Timely reporting and transparency are emphasized to ensure users are not kept in the dark.

Example
If Paytm faces a cyberattack in which credit card details are leaked, the company must immediately notify all affected users, publish a disclosure, and report the incident to the Data Protection Board.

Significant Data Fiduciaries (SDFs)
Some businesses will be classified as Significant Data Fiduciaries (SDFs) based on factors such as volume and sensitivity of data handled, potential impact on user rights, and scale of operations. These businesses will be subject to enhanced obligations like data audits, privacy impact assessments, appointing Data Protection Officers, and publishing compliance reports.

Example
Jio, which manages sensitive call records and customer data, would likely be an SDF and must hire a full-time Data Protection Officer and regularly submit reports to the Data Protection Board.

Penalties and Enforcement
The DPDPA establishes a Data Protection Board that will monitor compliance, investigate complaints, and impose penalties. Financial penalties for non-compliance can go up to ₹250 crore for serious violations. The Board can also recommend remedial actions and initiate legal proceedings.

Example
If MakeMyTrip fails to provide a user with access to their personal data within the required time, or continues using deleted data, the company can be fined and investigated by the Board.

Impact on Specific Sectors
E-commerce platforms must be careful with recommendation engines and user profiling. They must collect only necessary data and obtain explicit consent for marketing. Healthcare organizations must follow data encryption and access control standards while allowing data corrections. Financial institutions will need robust security infrastructure and must implement customer-controlled consent flows. EdTech firms must ensure no behavioral tracking of minors. Startups will face compliance costs but can benefit from early adoption and user trust.

Opportunities for Businesses
While the DPDPA presents a strong compliance challenge, it also offers new business opportunities. Companies that proactively follow the law will earn customer trust, become eligible for international partnerships, and strengthen brand reputation. Businesses that prioritize data protection can turn compliance into a competitive advantage.

Conclusion
The DPDPA 2023/2025 is a transformative law that impacts every stage of data handling—from collection and storage to sharing and deletion. It requires Indian businesses to treat personal data with transparency, accountability, and respect. Although compliance will involve reworking policies, building consent mechanisms, training staff, and deploying secure technologies, the long-term benefits include increased user trust, reduced risk of data breaches, and enhanced global competitiveness. By embedding privacy-by-design and user rights into their systems, businesses can not only meet legal requirements but also lead the way in building a responsible digital economy in India.