Digital Personal Data Protection Act (DPDPA) 2023 Series: Part III – Impact & Implementation Challenges

By Lt Col Ujjual Abhishek Jha, Retd
The enactment of the Digital Personal Data Protection Act (DPDPA) 2023 marks a seismic shift in India’s legislative approach to privacy and simultaneously introduces a complex web of operational demands for businesses. From re-engineering legacy data systems to navigating the nuances of “Data Fiduciaries” and “Significant Data Fiduciaries,” the road to compliance is paved with both technical hurdles and strategic questions. In this part of our series, we dive into the tangible impact of the DPDPA and the primary challenges organizations face in turning these legal mandates into functional realities.
DPDPA: Enforcement Timeline
The DPDPA applies exclusively to digital personal data: data collected digitally or subsequently digitised, and processed in India or outside India in connection with offering goods or services to individuals in India.

Impact & Challenges
Impact on Individuals (Data Principals)
DPDPA strengthens individual control over personal data, translating the constitutional right to privacy into enforceable statutory rights. Data principals’ rights include:
• Right to Access – obtain a summary of the personal data held and of the processing activities, though notably without a data portability right.
• Right to Correction and Erasure – request rectification of inaccurate data or deletion of data no longer required.
• Right to Withdraw Consent – revoke consent at any time; data fiduciaries must respond within 90 days.
• Right to Nominate – appoint a nominee to exercise rights in case of incapacitation or death.
• Right to Grievance Redressal – the data fiduciary’s internal grievance mechanism must be exhausted before a complaint can be lodged with the DPBI.
• Children under 18: heightened protection – verifiable parental/guardian consent is mandatory before processing a minor’s data, with specific exemptions carved out for healthcare professionals, educational institutions and child transport providers. Penalties run up to Rs 200 crores.
Implementation Challenges for Individuals
• Literacy and Awareness Gap – Given India’s low digital literacy, many users may be unable to practically exercise their rights, file complaints or interpret consent notices. The notice requirement specifies English and all 22 Scheduled languages, creating a multilingual compliance obligation that remains a challenge.
• Dark Patterns and Consent Quality – While the DPDPA prohibits conditional consent and pre-ticked boxes, enforcement against confusing consent flows or hidden opt-outs will depend heavily on DPBI capacity and proactive complaint filing.
• Grievance Exhaustion Requirement – Data principals must exhaust the data fiduciary’s internal grievance mechanism before approaching the DPBI. The 90-day response window, while clear, could be exploited as a delay mechanism by less scrupulous operators.
• RTI Act Amendment: Right to Know vs Right to Privacy – One of the most consequential changes brought by the DPDPA is the amendment to Section 8(1)(j) of the Right to Information Act, 2005. The original provision allowed disclosure of personal data held by public authorities in the ‘larger public interest’. The DPDPA removes this override, significantly curtailing the ability of citizens and journalists to access personal data held by government bodies.
Impact on MSMEs and Small Businesses
• Scope of Compliance Obligations – MSMEs that process digital personal data, whether through customer-facing digital touchpoints, employee HR systems or supplier databases, are subject to the DPDPA. The obligations include consent, notice requirements, purpose limitation, data minimisation, reasonable security safeguards, breach notification (72-hour deadline), handling of data principal rights and contractual obligations with data processors. The Act offers no blanket small-business exemption.
• Sector-Specific Heightened Risk – Most MSMEs will not be classified as Significant Data Fiduciaries, avoiding the DPO and DPIA obligations. However, volume-driven or sector-specific designation is possible for Fintech and lending platforms processing KYC and financial data, Healthtech and telemedicine platforms holding patient records, Edtech platforms handling children’s data, and SaaS and E-commerce platforms.
• Compliance Cost and Capacity Challenges
• Budget and Resource Constraints – Legal, technical and organisational costs may range from ₹5–25 lakh for a simple MSME to ₹50 lakh or more for data-heavy verticals, costs that can be existentially challenging for businesses in early stages.
• Legacy Systems and Data Mapping – Many MSMEs operate on basic ERP systems, Excel-based databases or fragmented CRMs that lack built-in consent tracking, automated data deletion workflows or audit logging capabilities. Mapping all personal data flows, including those through informal channels such as WhatsApp Business, ad-tech trackers and offline data later digitised, to meet documentation requirements is technically complex without dedicated resources.
• Awareness Gap – Awareness of DPDPA obligations among MSME operators remains low, and without targeted government outreach programmes, many small businesses risk inadvertent non-compliance.
• 72-Hour Breach Notification – The 72-hour window to notify the DPBI and affected data principals of a personal data breach demands 24/7 incident monitoring infrastructure that most MSMEs lack.
Impact on Large Corporates and Conglomerates
For large enterprises, the DPDPA drives a fundamental shift toward institutionalised privacy governance and requires a privacy-by-design approach. Key enterprise-level requirements include enterprise privacy policies and data governance frameworks, role-based access controls and privileged access management, vendor and third-party data processing agreements with mandatory DPDPA compliance clauses, accountability through privacy registers, audit trails and board-level oversight, and automated data lifecycle management.
Significant Data Fiduciary Obligations – Large enterprises across sectors are likely to be designated as SDFs, which entails appointment of an India-based DPO, annual Data Protection Impact Assessments, annual independent audits, algorithmic risk verification and potential data localisation mandates for government-specified data categories.
Implementation Challenges for Large Corporates and Conglomerates
• Legacy System Modernisation – India’s large corporate landscape runs on legacy architectures that lack support for consent tracking, automated erasure or granular access logging.
• Multi-Regulator Complexity (BFSI) – BFSI entities face a dual-compliance challenge: meeting RBI, SEBI, IRDAI and NPCI requirements while reconciling KYC data processing with the DPDPA’s consent and purpose-limitation principles.
• DPO Scarcity – The DPO requirement creates a talent supply crisis, as India has fewer than 5,000 certified practitioners.
• AI and Algorithmic Compliance – The requirement for algorithmic risk verification introduces compliance overhead at the model design, training and deployment stages and may require significant architectural changes.
Impact on International Business
• Extraterritorial Reach – The DPDPA applies to any entity, Indian or foreign, that processes personal data of individuals located in India in connection with offering goods or services to those individuals. Foreign entities without an India office but serving Indian users through e-commerce, SaaS, mobile apps or digital services must comply with the full DPDPA regime, including responding to DPBI enforcement.
• Cross-Border Data Transfers: The Negative List – The DPDPA establishes a ‘negative list’ approach to cross-border transfers: personal data may be transferred to any country except those specifically restricted by Central Government notification. However, this introduces a distinctive set of challenges: there are no published criteria for blacklisting countries, no advance notice requirements for blacklisting, no standard contractual clauses, and sector-specific laws continue to apply.
• Compliance Cost – Multinational companies face layered compliance costs of updating global privacy policies for Indian requirements, implementing multilingual consent notices, deploying India-specific consent management infrastructure, renegotiating data processing agreements with India-based processors and sub-processors, and maintaining the technical capability to respond to DPBI enforcement actions.
Impact on Government and Law Enforcement Agencies
Government as Data Fiduciary – Government entities are ‘data fiduciaries’ under the DPDPA when processing citizens’ digital personal data and are subject to the same baseline obligations as private sector entities. However, Section 17 of the DPDPA provides exemptions for State processing in the interests of sovereignty, integrity, security and public order; prevention and investigation of offences; research, archiving or statistical purposes; legal and judicial proceedings; and processing of non-residents’ personal data within India.
Law Enforcement and Investigation Challenges – Law enforcement agencies face a contradiction: as data fiduciaries they must comply with the DPDPA, while also being covered by the exemptions. This creates operational complexity, as legacy systems holding this data still require security safeguards.
Judicial Implications
• Appellate Jurisdiction: Telecom Disputes Settlement and Appellate Tribunal (TDSAT) – TDSAT, designated as the appellate body for DPBI decisions, is primarily a telecommunications regulator with limited data privacy jurisprudence.
• No Criminal Penalties – This reduces the risk of regulatory overreach against individuals but may limit deterrence effectiveness for misuse by corporate actors who can absorb financial penalties as a cost of business.
• Interpretation Challenges – Courts and the DPBI will face interpretive questions such as what constitutes ‘reasonable security safeguards’, how the Puttaswamy judgement applies to the government exemptions, and the interplay between the DPDPA and sector-specific regulations where conflicts arise.

DPDPA 2023 is more than just a compliance checklist; it is a catalyst for a fundamental cultural shift in how data is perceived. While the implementation challenges are significant, they can be met. Organizations that view these hurdles as an opportunity to build ‘Privacy by Design’ will likely find themselves with a competitive edge in an increasingly data-conscious global market.
(Lt Col Ujjual Abhishek Jha, Retd is a Certified Data Privacy Professional and Strategic & Geopolitical Advisor with over two decades of experience in intelligence, insider threat management, financial crime investigations, and geopolitical risk analysis, advising on complex security and strategic risks.)
For Part I – Digital Personal Data Protection Act (DPDPA) 2023 Series: Part I — The Foundations of Privacy: Evolution of Indian Laws & A Roadmap to DPDPA – The Frontier Manipur
For Part II – Digital Personal Data Protection Act (DPDPA) 2023 Series: Part II — From Principles to Practice: The DPDP Rules 2025, Global Paradigms & India’s Middle Path – The Frontier Manipur
The post Digital Personal Data Protection Act (DPDPA) 2023 Series: Part III – Impact & Implementation Challenges first appeared on The Frontier Manipur.
Read more / Original news source: https://thefrontiermanipur.com/digital-personal-data-protection-act-dpdpa-2023-series-part-iii-impact-implementation-challenges/