What is the Digital Personal Data Protection Act?
In July of 2024, India’s Digital Personal Data Protection (DPDP) Act came into force, following its approval from both houses of the Indian Parliament in August of 2023. This ground-breaking legislation balances the rights of individuals to protect their personal data with the necessity of processing such data for lawful purposes. The act:
- Outlines the rights and duties of Data Principals (data owners).
- Imposes obligations on Data Fiduciaries (data processors).
- Introduces financial penalties for breaches.
Below is a high-level overview of India’s DPDP Act, to whom and what it applies, penalties for non-compliance, and the Fortra solutions that can help you meet the DPDP requirements.
Who must adhere to India’s Digital Personal Data Protection Act (DPDP Act)?
India’s DPDP Act covers all digital personal data processed in India and excludes non-digitized and offline personal data. Specifically, it applies to:
By Organization
Organizations processing data that could ultimately identify an individual.
By Data Type
Data that is collected or stored digitally.
By Location
Organizations processing data within Indian territory, or external third parties processing data that involves goods and services offered to those in India.
Rights Protected by the Act
The DPDP Act protects individuals’ rights with respect to their personal data in the following ways:
Organizational Obligations Under the Act
The DPDP Act requires that organizations:
- Obtain consent from individuals before processing their personal data.
- Use personal data only for the purposes for which it was collected.
- Protect personal data from unauthorized use.
- Respond to individuals’ requests.
- Report data breaches to the DPB.
Penalties for Non-Compliance
The penalties for non-compliance under the DPDP Act include the following:
| Breach of Provisions | Penalty |
| --- | --- |
| Failure to prevent a personal data breach | Up to INR 250 crore/$30 million |
| Failure to give notice of a personal data breach to Board or affected Data Principal | Up to INR 200 crore/$25 million |
| Failure to meet additional obligations in relation to children | Up to INR 200 crore/$25 million |
| Failure to meet additional obligations of significant data fiduciary | Up to INR 150 crore/$18 million |
| Breach in observation of duties | Up to INR 10k/$120 |
| Breach of any term of voluntary undertaking accepted by the Board | Up to the extent applicable for the breach |
| Breach of any other provision of this Act | Up to INR 10k/$6 million |
Achieve DPDP Compliance with Fortra
Because digital data can hide in a number of places across your network, complying with DPDP requires layered solutions that can be seamlessly integrated across your entire enterprise. Fortra’s security suite offers a variety of such integrative, stackable solutions to help you meet your DPDP obligations.
Securing personal information requires a strong suite of data protection solutions. That includes:
Data Loss Prevention (DLP)
Apply data protection policies that will help ensure no digitized personal data falls through the cracks. To help, Fortra Data Loss Prevention (DLP) will:
- Deploy rapidly for immediate visibility into your organization’s assets.
- Discover, monitor for, and block threats to sensitive data.
- Give you out-of-the-box dashboards and guide users on next-best security steps.
Data Classification
Create custom rules based on each classification and sensitivity level, so a public data store will receive a different (and less resource-intensive) level of cybersecurity than a repository of private personal data. And with Fortra, you can:
- Apply visual and metadata labels that simplify and support your DLP policies.
- Get AI engine suggestions for quick label application.
Secure Collaboration
Safely do business across Indian territory lines while complying with DPDP policies, no matter if you are an Indian organization or external third party. Fortra’s secure collaboration solution:
- Encrypts files to secure them no matter where they go.
- Revokes file access at any time (even after the file is sent).
- Supports a zero-trust approach to file sharing and collaboration.
Identity and Access Management (IAM)
Protecting personal data means protecting all access points into the organization – including those of supply chain partners. Fortra’s IAM and privileged access management (PAM) solutions:
- Provide informed provisioning.
- Improve identity governance with actionable data insights.
Summary
In today’s highly regulated data environment, nothing less than a person’s identity and fundamental rights are at stake. In 2017, the Supreme Court of India recognized the Right to Privacy in a landmark verdict, and India’s Digital Personal Data Protection Act is a direct product of that.
While mandatory, compliance with the new DPDP Act will grant adopters a competitive advantage, both with partners and customers, and serve as a business initiative as much as a security boon.
Fortra supports initiatives like these around the world by bringing our best to the table, enabling those striving to meet even the most stringent compliance requirements to meet the needs of their customers, protect the privacy of their citizens, and continue to advance towards complete privacy and security maturity.
For more, check out Fortra’s suite of data protection solutions.