Technology & Data Law
15 February 2026
The DPDP Act 2023: What Every Delhi NCR Corporate Must Do Before Enforcement Begins
India's Digital Personal Data Protection Act 2023 is not just a privacy law — it is a fundamental change in how organisations must handle data. Here is what your business needs to do now.
Adv. Raghav Sharma
Partner, Corpus Juris Legal
The Digital Personal Data Protection Act 2023 received Presidential assent on 11 August 2023. When the Rules are notified and the Act comes into force, organisations that process personal data of Indian citizens will face compliance obligations carrying penalties up to ₹250 crore per incident.
**What the DPDP Act Requires**
The Act establishes six core obligations for Data Fiduciaries (organisations that determine the purpose and means of processing personal data):
1. **Lawful basis for processing** — consent is the primary basis, with limited legitimate use cases
2. **Purpose limitation** — data can only be used for the purpose for which consent was obtained
3. **Data minimisation** — only data necessary for the stated purpose can be collected
4. **Data Principal rights** — rights to access, correction, erasure, and grievance redressal must be respected
5. **Cross-border transfer restrictions** — transfers to blacklisted countries are prohibited
6. **Breach notification** — the Data Protection Board must be notified of breaches
**Significant Data Fiduciaries**
The Central Government will designate certain organisations as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed. SDFs face additional obligations including a Data Protection Officer appointment, data audits, and Data Protection Impact Assessments.
**Penalties**
Non-compliance attracts civil penalties:
- Failure to take reasonable security safeguards: up to ₹250 crore
- Failure to notify data breach: up to ₹200 crore
- Non-fulfilment of Data Principal rights: up to ₹150 crore
- General non-compliance: up to ₹50 crore
**What Delhi NCR Companies Must Do Now**
The compliance window before enforcement is limited. Every organisation should:
1. **Conduct a data inventory** — map what personal data you collect, from whom, for what purpose, and where it is stored
2. **Review consent mechanisms** — ensure every consent mechanism meets the Act's requirements (free, specific, informed, and unambiguous)
3. **Update privacy notices** — notices must be in plain language and clearly list the purposes and the Data Fiduciary's details
4. **Implement Data Principal rights workflows** — you must be able to respond to access, correction, and erasure requests within prescribed timeframes
5. **Review cross-border data flows** — identify all personal data transferred outside India and assess compliance with transfer restrictions
6. **Prepare a breach response plan** — when a breach occurs, the notification timeline is tight
**The Bottom Line**
The DPDP Act is India's most significant data regulation in a decade. The organisations that build compliance infrastructure now — before enforcement begins — will avoid the scramble, the penalties, and the reputational damage that non-compliance will bring.
Corpus Juris Legal's Technology & Data Privacy practice offers a DPDP Act Readiness Assessment — a structured gap analysis that maps your current practices against the Act's requirements and delivers a prioritised remediation plan.
Adv. Raghav Sharma
Partner, Corpus Juris Legal
Corporate counsel advising clients across M&A, regulatory compliance, and dispute resolution. Committed to precise, partner-led legal work.