Site icon Local Press Co

What India’s new Data Protection Law – the DPDP Act – means for You and Your Business

India DPDP Act

“We will need your Aadhaar card to verify your identity.”
“Please send us a soft copy of your Driving License or Passport for KYC.”
“Just WhatsApp your ID proof.”

Do any of these sound familiar? You have likely heard at least one such sentence in the last few weeks, if not sooner.

Sharing private documents with a shopping platform, clinic, ISP, bank, housing society, gym, courier company and others has become so common that we never stop to think about what happens with our data. Every so often, when we get a spam call, we do wonder how they got our number. We seldom question the things we should: how did they get it, how long will they keep it and how do I ensure they don’t store it anymore.

A quick online search will tell you that it’s wrong for anyone to share or store your private data or documents without your consent. But who do we complain to? Until now, there was no single law in India that made it harder for anyone to collect your data, hoard it indefinitely and make them accountable for handling it. That’s changing.

What is DPDP Act?

The Digital Personal Data Protection Act, 2023, or DPDP Act, is India’s first dedicated data protection law. The rules that bring it into force were notified in November 2025, giving businesses until mid-2027 to fully comply.

It gives both sides – the company collecting the data and the individual sharing the data – a clear mandate on their rights and responsibilities. A dedicated regulator, the Data Protection Board of India, has been established under the Act to investigate complaints and impose penalties. Companies flouting the DPDP Act norms can face penalties as high as 250 crores.

What It Means For Individuals?

For an ordinary Mumbaikar, or Indian citizen for that matter, the law treats any information that identifies you – like your name, phone number, address, even your face or fingerprint – as something a business can’t just collect and keep. If a business is collecting your data, it has to spell out why it needs it, what it will do with it, how it will keep it and how you can seek its deletion anytime. The law, in a nutshell, empowers people to exercise much greater control over their private data.

The law also makes it harder for businesses that casually seek private documents without a mechanism to show whether the data was collected with the individual’s consent, how it was stored and when it was deleted. It also allows citizens to see what data a company holds about you, the right to have wrong information corrected, and the right to ask for your data to be deleted once a business no longer needs it.

If a company holding your private data gets breached, resulting in your data being exposed, the law makes it mandatory for them to inform you.

What It Means For Professionals & Businesses?

If you are a professional or run a business/company where you regularly collect private data or documents from clients, this law makes you a “data fiduciary.” Which means, you have a real obligation toward the data you collect.

You are required to tell customers clearly what data you are collecting, get valid consent for it before accepting it and delete the data once its purpose is served. You also have to respond to a customer if they wish to know what data you have on them and honour their request if they ask you to delete their data. Failure to do so can lead to heavy penalties, which increase with the severity of the lapse.

Most notably, the responsibilities apply just as much to a five-person shop keeping a customer list as they do to a large company. If you are collecting customer’s private data via WhatsApp or emails, you will have to act fast and set up a new process well before the mid-2027 deadline outlined above to be compliant under the DPDP Act.

If you would like to know more about whether the law applies to you and whether your existing process is in line with what is deemed acceptable, you can get a free comprehensive evaluation from this DPDP exposure self-check tool. The tool is open to everyone and does not require you to enter any personal data. Just answer a few questions and receive a detailed evaluation about where you stand and what you can do to become compliant.

This article does not contain legal advice

Exit mobile version