Organisations doing business in India should note the differences between GDPR and DPDPA requirements, including potential programmes that may need uplift to ensure compliance.
By Gail E. Crawford, Calum Docherty, Fiona M. Maclean, Rhys McWhirter, Esther Franks, Danielle van der Merwe, Bianca H. Lee, and Amy Smyth
The Parliament of India enacted the country’s first comprehensive data protection law, the Digital Personal Data Protection Act 2023 (the DPDPA), on 11 August 2023. The DPDPA replaces India’s existing patchwork of data protection rules[1] and triggers significant changes in how companies subject to Indian data protection laws process personal data. The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime.
As the DPDPA will become fully enforceable on 12 May 2027, enforcement risk remains low in the interim period. Organisations that are located in India, or that process personal data of, or provide goods and services to, individuals in India (i.e., controllers, processors, and consent managers) should use this period to develop transition plans. Specifically, such organisations should align their current data privacy programmes with key requirements under the DPDPA (such as adherence to the duties of controllers, consent processes, and rights of data principals) in order to minimise future compliance risks.