Feb 12 / Punit Bhatia

Key Requirements in the Digital Personal Data Protection (DPDP) Bill of India


In the realm of data privacy and protection, India's Digital Personal Data Protection Bill of 2023 (passed by Parliament and enacted as the Digital Personal Data Protection Act, 2023 in August 2023) stands as a significant milestone, ushering in a new era of regulations aimed at safeguarding personal information and promoting its responsible use. Let's delve into the key aspects of this bill discussed by Punit Bhatia in the FIT4Privacy Podcast.

Key Requirements in Digital Personal Data Protection Bill (DPDP) 2023 of India

The bill outlines 12 fundamental requirements, each crucial for ensuring compliance and fostering a culture of privacy within organizations operating in India.

1. Grounds for Processing Personal Data

The bill permits processing of personal data only for a lawful purpose and primarily relies on consent, which must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action. Unlike GDPR, which offers several alternative legal bases (contract, legitimate interests and so on), the bill recognises only consent and a short, closed list of "certain legitimate uses" (for example, data voluntarily provided for a specified purpose, employment-related purposes, medical emergencies and specified State functions).

2. Contracts with Data Processors

Similar to GDPR, a data fiduciary may engage a third-party data processor only under a valid contract, which should set out the processor's responsibilities in handling the personal data on the fiduciary's behalf.

3. Security of Personal Data

The bill requires data fiduciaries to implement reasonable security safeguards to prevent personal data breaches, including for processing undertaken by their data processors. The wording is less prescriptive than GDPR's "appropriate technical and organisational measures", but the intent is the same: the fiduciary remains accountable for the security of the data it holds.

4. Data Breach Notifications

While resembling GDPR, the bill itself does not fix a 72-hour deadline for breach notifications; the form, manner and timing are left to rules to be prescribed by the government, which gives companies some relief until those rules are issued. Data fiduciaries must, however, notify both the Data Protection Board of India and each affected data principal of a personal data breach.

5. Personal Data Retention

Data fiduciaries must erase personal data when the data principal withdraws consent or when the specified purpose is no longer being served, whichever comes first, unless retention is required by law. They must also cause their data processors to erase the same data, so the obligation flows through the processing chain rather than stopping at the fiduciary.

6. Contact for Concerns and Complaints

Transparency is key: data fiduciaries must publish the business contact details of their data protection officer or, where none is appointed, of a person able to answer data principals' questions and handle their grievances.

7. Rights and Duties

Balancing rights with duties, the bill grants data principals rights of access, correction, erasure and grievance redressal, while also imposing duties on them: to provide verifiably authentic information, not to impersonate others or suppress material information, and not to register false or frivolous grievances.

8. Significant Data Fiduciary

The government may designate certain data fiduciaries as significant (based on factors such as the volume and sensitivity of data processed and the risk to data principals), subjecting them to additional requirements such as appointing a data protection officer based in India, engaging an independent data auditor, and conducting periodic data protection impact assessments and audits.

9. Processing of Personal Data Outside India

The law applies not only to personal data processed within India but also to processing outside India that is connected with offering goods or services to data principals in India, ensuring comprehensive protection for Indian data subjects regardless of where the processing takes place.

10. Exemptions

Various exemptions are provided, including for processing by a processor in India of personal data of persons outside India under a contract with a foreign entity (the outsourcing scenario), for enforcing legal rights and claims, and for specified government functions such as security of the State, with a focus on balancing regulatory requirements with practical considerations.

11. Data Protection Board of India

Similar to GDPR's supervisory authorities, India's Data Protection Board oversees compliance, inquires into breaches and complaints, and imposes monetary penalties. Its orders can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which the bill designates as the appellate tribunal.

12. Penalties

Non-compliance with the bill may result in hefty fines. The bill's Schedule sets penalties of up to ₹250 crore per instance for failing to take reasonable security safeguards and up to ₹200 crore for failing to notify a breach, underscoring the importance of adhering to data protection standards and fostering a culture of compliance.


India's Digital Personal Data Protection Bill presents a comprehensive framework for protecting personal data, aligning with global privacy standards while addressing unique challenges within the Indian context. While reminiscent of GDPR in many aspects, the bill caters to India's cultural and geopolitical nuances, paving the way for a robust data protection regime. As organizations navigate these regulations, understanding and implementing these key requirements will be paramount to ensuring compliance and fostering trust among data subjects. With the right strategies in place, organizations can embrace data privacy as a core value, driving innovation while safeguarding individual rights in the digital age.

About Punit Bhatia

Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high AI & privacy awareness and compliance as a business priority by creating and implementing an AI & privacy strategy and policy.

Punit is the author of the books "Be Ready for GDPR", which was rated as the best GDPR book, "AI & Privacy – How to Find Balance", "Intro To GDPR", and "Be an Effective DPO". Punit is a global speaker who has spoken at over 50 global events. Punit is the creator and host of the FIT4PRIVACY Podcast, which has been featured among the top GDPR and privacy podcasts.
As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one's values to have joy in life. He has developed the philosophy named "ABC for joy of life", which he passionately shares. Punit is based in Belgium, the heart of Europe.
