Data Privacy & Protection in India

The Digital Personal Data Protection Act, 2023 reshaped India's privacy regime. The Act and its rules introduce a consent-based processing standard, clear data principal rights, a notification-driven breach regime, and a regulator (the Data Protection Board) with significant penalty-imposing powers.

The articles in this section translate the DPDP Act into operational consequences for digital businesses: how consent notices must be drafted and presented, how data principal rights (access, correction, erasure, grievance) need to be operationalised, when the obligations of a Significant Data Fiduciary trigger, what the cross-border transfer architecture under the rules actually permits, and the breach notification timelines that compliance teams must build for.

The treatment is deliberately practical and is informed by direct experience of running compliance programs inside technology companies. Where the rules leave gaps, those gaps are flagged rather than papered over.