DPDPA 2023: What India's New Data Protection Law Means for Your IT Team
IT Insights

DPDPA 2023: What India's New Data Protection Law Means for Your IT Team

ITSolvez Team7 min readIT Insights

India's Digital Personal Data Protection Act 2023 became law in August 2023 and brings significant new IT obligations for businesses that collect, store or process personal data of Indian citizens. This is not a future requirement — it is current law, with rules and penalties that apply now.

Who it applies to

DPDPA applies to any organisation that processes "digital personal data" in India, or processes personal data outside India in connection with offering goods or services to Indian residents. This is broad — if you collect names, email addresses, phone numbers or any other identifying information from Indian customers, employees or vendors, DPDPA applies to you.

Key obligations for IT teams

Data minimisation

You may only collect personal data that is necessary for the specified purpose. Collecting fields "just in case" is no longer compliant. Audit your forms, databases and CRM entries for unnecessary personal data collection.

Purpose limitation

Data collected for one purpose cannot be used for another without fresh consent. If you're using a customer's email for marketing when they signed up for support notifications, that needs to change.

Data retention limits

Personal data must be erased once the purpose for which it was collected is fulfilled. You need a documented retention policy and a technical mechanism to enforce it — this is not something most Indian businesses currently have.

Breach notification

Any personal data breach must be reported to the Data Protection Board and to the affected data principals "in the prescribed manner." Penalties for failure to notify can reach ₹200 crore.

Security safeguards

DPDPA requires "reasonable security safeguards" to protect personal data. While this is principles-based rather than prescriptive, it effectively mandates encryption, access controls, audit logging and incident response capabilities.

Practical first steps

  • Map where you store personal data across all systems (CRM, ERP, email, support tickets, backups)
  • Identify data flows — who collects it, who processes it, who has access
  • Review consent mechanisms on all forms and touchpoints
  • Implement a data retention policy with automated enforcement
  • Establish a breach detection and notification process

ITSolvez can help your team conduct a DPDPA readiness assessment and implement the technical controls required for compliance.

Put this into practice for your business

ITSolvez works with businesses across India to implement exactly what you've just read — with the expertise to do it right.