The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's dedicated law governing how organizations collect, use, and protect the digital personal data of individuals. It sets out consent requirements, the responsibilities of organizations that handle personal data, and the rights of the individuals that data belongs to. For any company employing people in India, it shapes how employee and candidate data must be handled, making it an important part of compliant operations.
Key terms in the DPDP Act
The Act introduces specific roles and concepts that define who is responsible for what. A few terms are central.
- Data Principal: the individual the personal data relates to, such as an employee or candidate.
- Data Fiduciary: the organization that decides why and how personal data is processed, for example the employer.
- Consent: data must generally be processed with the individual's clear consent, for a specified purpose.
- Data Protection Board: the body responsible for enforcement and handling complaints.
What does the DPDP Act require of employers?
Employers hold a large amount of personal data about their people, so the Act places clear duties on them. The main obligations include the following.
- Lawful, purpose-bound use: collect and use personal data only for clear, stated purposes.
- Security safeguards: put reasonable measures in place to protect data, and report breaches.
- Respect individual rights: allow people to access, correct, and request erasure of their data.
- Retain only as needed: do not keep personal data longer than the purpose requires.
How does the DPDP Act compare to GDPR?
Companies familiar with Europe's GDPR will recognize many ideas in the DPDP Act, though the two are not identical. The table below shows a rough mapping of terms.
| Concept | DPDP Act | GDPR |
|---|---|---|
| The individual | Data Principal | Data Subject |
| The organization | Data Fiduciary | Data Controller |
| Regulator | Data Protection Board | Supervisory authority |
This information is for general guidance. The rules are still being finalized; confirm current provisions and consult legal experts for your specific situation.