DPDP Act Explained: What Every Business Needs to Know

Editors Note - This post was originally published in May 2025 and was updated in Mar 2026 for accuracy and comprehensiveness.

The Digital Personal Data Protection Act 2023 governs processing of digital personal data in India. It requires organisations to ensure informed consent, safeguard personal data at all stages and implement appropriate security measures for lawful data use.

In 2023, India saw over 67,000 digital data breaches. By 2026, protecting customer data is no longer just an IT responsibility. It is a legal and business imperative for every organization.

The Digital Personal Data Protection Act (DPDP Act), 2023, is India’s landmark law governing the collection, storage, and use of digital personal data. It balances citizens’ rights to privacy with the need for lawful data processing and sets clear obligations for businesses handling personal information.

With cyber threats continuing to rise, safeguarding customer data is critical. The DPDP Act, fully operational under the Draft Rules notified in January 2025, marks a turning point in how businesses collect, process, and protect consumer data. Even a single weak link in your vendor chain can expose sensitive information, and the law holds you accountable.

Whether you are a small business, regional dealership, or large OEM, the DPDP Act applies to you, including your partners, agencies, and third-party vendors. This means your marketing, lead generation, and customer engagement operations must comply with the Act’s requirements.

In this blog, we break down the DPDP Act in simple terms, explain what it means for your business in 2026, and show how you can stay compliant, even when outsourcing or using third-party services.

What Is the Digital Personal Data Protection Act

The DPDP Act establishes a legal framework to protect citizens’ privacy and ensure transparent, fair, and secure processing of personal data. It defines clear roles, responsibilities, and accountability across the data ecosystem.

Key Highlights (2026 Updates):

Purpose: Protect personal data and empower individuals to control their information.

Applicability:

- Businesses operating in India

- Foreign companies handling the personal data of Indian citizens

- Startups, agencies, dealerships, franchises, and third-party vendors

Scope: Covers names, emails, phone numbers, location data, purchase history, and other digital personal data. 

Outsourcing data handling does not transfer legal accountability. Businesses must ensure compliance across all partners and vendors.

Key Terms to Know in the Digital Personal Data Protection (DPDP) Act

Understanding these terms helps your business manage responsibilities and reduce compliance risk.

1. Data Principal

The individual whose personal data is collected. Examples include a customer filling out a lead form or booking a service. The DPDP Act ensures Data Principals have rights over how their data is used and shared.

2. Data Fiduciary 

The entity that decides the purpose and method of processing personal data. Examples include dealerships, OEMs, e-commerce platforms, and agencies. The Data Fiduciary remains fully accountable even if a third-party vendor mishandles the data.

3. Data Processor

A third-party service provider that handles personal data on behalf of the Data Fiduciary. Examples include marketing agencies, CRM providers, or call centers. They manage operations, but the legal responsibility stays with the Data Fiduciary.

You can outsource execution, but not accountability. Ensure all partners and vendors comply with the DPDP Act.

Gain more insights: Watch this short video on Consent and Compliance: Navigating Privacy in Retail Marketing to understand practical steps for 2025 compliance. 
 

Why Is the DPDP Act Important for Businesses?

The Digital Personal Data Protection Act fundamentally changes how businesses in India collect, store, and use customer data. It is not just another compliance checkbox. The consequences of getting it wrong are significant and immediate.

1. It applies to every business handling personal data - Whether you run a single retail outlet or a large ecommerce platform, if you collect names, phone numbers, emails, location data, or purchase history from Indian citizens, the DPDP Act applies to you. No exemptions based on business size.

2. The penalties are substantial - Non-compliance can result in fines up to ₹250 crore for a single breach. A single non-compliant vendor in your ecosystem can trigger penalties that fall entirely on you as the Data Fiduciary.

3. Customer trust is at stake - Customers are increasingly aware of how their personal data is being used. Businesses that handle data responsibly build stronger relationships and genuine competitive advantage over those that don't.

4. Compliance is a board-level responsibility - The DPDP Act makes data protection a legal and strategic priority, not just an IT function. Leadership teams are directly accountable for their entire vendor ecosystem meeting the Act's requirements.

Who Must Comply With the Digital Personal Data Protection Act India?

The DPDP Act has broad applicability. Understanding whether it applies to your business is the first step toward compliance.

- Businesses operating in India: Any organisation collecting or processing digital personal data within India must comply. This includes retailers, ecommerce platforms, automotive dealerships, healthcare providers, financial institutions, and any business that collects customer information digitally.

- Foreign companies handling Indian citizen data: Businesses operating outside India but processing personal data of Indian citizens, whether for offering goods, services, or any other purpose, fall under the Act's jurisdiction.

- The entire vendor and partner ecosystem: This is where many businesses underestimate their exposure. The DPDP Act applies not just to your organisation but to every vendor, agency, and partner that handles personal data on your behalf. Marketing agencies, CRM providers, call centres, lead generation platforms, and data analytics firms all fall within scope.
 

If your business touches personal data of Indian citizens at any stage of the customer journey, the DPDP Act applies. Compliance cannot be delegated to vendors. The Data Fiduciary remains fully accountable regardless of who handles the data operationally.

What the DPDP Act Requires from You

The Digital Personal Data Protection Act (DPDP Act), 2023, defines clear responsibilities for businesses handling personal data, whether you are collecting leads from a website, managing customer databases, or running marketing campaigns through third-party partners.

Here’s what every Data Fiduciary must do to stay compliant in 2026:

1. Clear and Informed Consent

Obtain explicit consent from users before collecting their personal data. Consent must be informed, specific, and freely given. Avoid burying terms in fine print. Users should clearly understand what data is collected, why it is collected, and how it will be used.

2. Purpose Limitation

Use personal data only for the purpose for which the user has provided consent. For instance, if a customer shares data to schedule a test drive, that data cannot be repurposed for unrelated marketing campaigns.

3. Data Minimization

Collect only the data that is necessary for your intended purpose. For example, do not ask for a date of birth if it is not relevant to the service being provided.

4. Storage Limitation

Keep data only as long as needed for its intended purpose. Implement data lifecycle management practices, and ensure that unnecessary or outdated data is securely deleted in line with the DPDP Act.

5. Accountability

Even if a third-party vendor collects, stores, or processes personal data on your behalf, you remain fully responsible as the Data Fiduciary. Any mishandling of data by partners still carries legal and financial risk under the DPDP Act.

Compliance is not optional. The DPDP Act applies to every business handling Indian citizens’ personal data, and failing to comply can result in:

- Hefty financial penalties

- Data breaches

- Long-term reputational damage

Conduct regular audits of your vendors and data handling practices to ensure compliance across all touchpoints.

What Companies Must Do to Comply With the DPDP Act

Compliance requires practical, operational changes across every part of your business that touches customer data.

- Build a Consent Management System: Every data collection point needs explicit, informed consent before any personal data is collected. Consent must be specific, freely given, and easy to withdraw across your website, app, lead forms, and every customer touchpoint.

- Appoint a Data Protection Officer: Under Rule 9, organisations handling significant volumes of personal data must publish Data Protection Officer contact information. This person oversees compliance internally and acts as the regulatory point of contact.

- Audit Your Vendor Ecosystem: Every vendor, agency, and partner handling personal data on your behalf must be assessed for DPDP compliance. Sign Data Processing Agreements with all third parties. A single non-compliant vendor creates legal exposure for your entire organisation.

- Implement Technical Safeguards: Encrypt all stored and transmitted personal data. Enable role-based access control. Maintain audit logs for at least one year as required under Rule 6 of the DPDP Rules 2025.

- Establish a Breach Response Protocol: Under Rule 7, data breaches must be reported to the Data Protection Board and affected individuals within 72 hours. Build and test your incident response workflow before a breach happens, not after.

Why You Can’t Afford to Ignore the DPDP Act

Ignoring the Digital Personal Data Protection Act (DPDP Act), 2023 is no longer just a compliance risk. It can seriously damage your brand, erode customer trust, and attract heavy legal penalties.

1. Hefty Penalties

Under the DPDP Act, businesses can face fines up to ₹250 crore for non-compliance. Even a single breach caused by a third-party vendor or internal oversight can trigger these penalties. This makes it crucial to implement robust data protection measures.

2. Reputation at Risk

A data breach does not just make headlines. It breaks the trust you have built with your customers. Once sensitive information is compromised, regaining credibility is costly and time-consuming. Prioritizing data protection demonstrates responsibility and strengthens your brand’s reputation.

3. Vendor Blind Spots

Many businesses, especially OEMs, dealerships, and e-commerce platforms, outsource lead generation, marketing, or data handling to third-party vendors. If these vendors fail to comply with DPDP requirements, the legal accountability remains with your business.

Key Insight: You cannot delegate accountability. The DPDP Act holds the Data Fiduciary responsible even if a third party mishandles the data.

4. Operational and Strategic Risks

Non-compliance can lead to:

- Operational disruptions due to investigations or audits

- Customer churn as users lose trust in your brand

- Financial losses from penalties and breach remediation

5. Competitive Advantage for Compliant Businesses

Businesses that proactively comply with the DPDP Act can differentiate themselves in the market. Data privacy becomes a trust-building tool, attracting privacy-conscious customers and partners.

Conduct regular audits of your vendors, data handling processes, and internal systems. Ensure all consent management, storage, and processing practices are fully aligned with DPDP Act requirements to minimize legal and reputational risks.

DPDP Implications for API and AI Systems

As businesses rely increasingly on APIs and AI to collect and process customer data, the DPDP Act introduces specific obligations that technology teams need to understand.

API Systems - Every API transmitting personal data between systems, platforms, or third-party vendors must be secured and compliant with consent and purpose limitation requirements. Data shared through APIs to CRM systems, marketing platforms, or analytics tools remains subject to full DPDP obligations.

AI Systems - AI models processing personal data of Indian citizens fall within the DPDP Act's scope. Customer profiling, lead scoring, personalisation, and predictive analytics all require data collected with proper consent and used only for the stated purpose.

DPDP vs Indian Sector Laws:
 

The DPDP Act is India's most comprehensive data protection framework and supersedes sector-specific guidelines where personal data is concerned.

Real-World Relevance: The OEM - Vendor Risk Chain and the DPDP Act

In today’s digital ecosystem, your data security is only as strong as your weakest vendor. Under the Digital Personal Data Protection Act (DPDP Act), 2023, even a single weak link can create legal and reputational exposure for your business.

One Weak Link = Total Exposure

Consider these scenarios:

- A marketing agency running a lead-generation campaign mishandles customer data

- A call center accesses unmasked customer information without proper safeguards

- A vendor stores emails or phone numbers in unsecured spreadsheets

Even one non-compliant partner can trigger a data breach, and the Data Fiduciary remains fully accountable under the DPDP Act.

The OEM-Dealer-Vendor Chain

If a dealer executes a campaign and a vendor mishandles the data, the presence of the OEM’s branding on digital assets can implicate the brand directly. The DPDP Act ensures that legal and reputational accountability is shared across the chain, even if the OEM did not directly manage the data.

Reputational Risk is Shared

- Breach at the dealer or vendor level can lead to public backlash against OEMs

- Customers may lose trust in both the dealer and the OEM brand

- Regulatory investigations may impact business operations and partnerships

The DPDP Act places legal accountability squarely on the Data Fiduciary, making it essential for businesses to:

- Vet all vendors for compliance

- Sign Data Processing Agreements (DPAs)

- Conduct regular audits of data handling processes

- Implement privacy-by-design systems across the ecosystem

Treat your entire data ecosystem as a single security perimeter. Ensuring vendor compliance and transparency safeguards your brand, reduces legal risk, and builds customer trust.

Read Also - 5km Radius Strategy for Hyperlocal Auto Dealer Discovery

How Does the DPDP Act Impact IT Companies?

IT companies occupy a unique position under the DPDP Act. They often act simultaneously as Data Processors for their clients and Data Fiduciaries for their own employee and customer data, creating compliance obligations on both fronts.

As Data Processors IT companies providing software, cloud infrastructure, CRM, or marketing technology handle personal data on behalf of clients. They must process data strictly per the Data Fiduciary's instructions, implement technical safeguards, and maintain audit logs. Any breach at the processor level creates liability for the client.

As Data Fiduciaries IT companies collecting employee data or user data through their own products are themselves Data Fiduciaries. They must obtain proper consent, implement security measures, and comply with all DPDP obligations independently.

Key priorities for IT companies:

- Update all client contracts with DPDP-compliant Data Processing Agreements

- Implement encryption, RBAC, and access logging across all products

- Build consent management capabilities into products serving Indian markets

- Establish 72-hour breach notification workflows

For IT companies building products for Indian businesses, DPDP compliance is rapidly becoming a procurement requirement. Clients will increasingly demand proof of compliance before signing contracts.

How Sekel Tech Helps You Stay Compliant with the Digital Personal Data Protection Act (DPDP Act)

Sekel Tech offers a comprehensive approach to data privacy and security, ensuring that businesses using its hyperlocal discovery and omnicommerce platform remain fully compliant with India’s Digital Personal Data Protection Act (DPDP Act). Here’s how Sekel Tech supports your compliance journey in 2026:

1. Consent-Driven Data Collection and Processing

Sekel Tech’s solutions are built around clear, explicit consent mechanisms, allowing customers to control how their personal data is collected, processed, and shared. Users can view consent terms easily and withdraw consent at any time, aligning with the DPDP Act’s emphasis on transparency and user control.

2. Data Subject Rights Management

The platform includes built-in tools to manage data subject rights, such as access, correction, and erasure requests. This automated infrastructure enables businesses to respond quickly and consistently to user requests, ensuring compliance with the DPDP Act’s legal obligations. Data erasure requests are processed programmatically, ensuring prompt and accurate deletion.

3. Robust Security and Data Protection Measures

Sekel Tech applies advanced security protocols to safeguard data, including end-to-end encryption, role-based access control (RBAC), two-factor authentication, and Web Application Firewalls (WAF). Regular compliance audits, vulnerability assessments, and continuous monitoring strengthen security and help businesses stay ahead of potential threats.

4. Data Localization and Secure Infrastructure

Sekel Tech’s hyperlocal data fabric ensures that the personal data of Indian citizens is stored and processed within India, supporting DPDP Act localization requirements while maintaining performance and accessibility. Data is securely backed up through trusted cloud partners like AWS and Google Cloud to ensure high availability and resilience.

5. Compliance Certifications and Global Standards

Sekel Tech is certified for SOC 2 Type I & II and ISO/IEC 27001:2022, and GDPR-compliant practices. These globally recognized standards demonstrate a mature approach to information security and privacy. Since GDPR and DPDP share core principles of consent, transparency, and accountability, Sekel Tech’s alignment with international frameworks gives businesses a strong compliance foundation.

6. Privacy-First Platform Design and Partner Support

The platform is built with privacy by design, making compliance simple for brands, dealerships, franchises, and partners. Sekel Tech provides thorough documentation, transparent privacy policies, and responsive partner support to help businesses meet their compliance responsibilities, even if they don’t have in-house privacy teams.

7. Proactive Incident Response and Accountability

Sekel Tech maintains detailed activity logs and has proactive incident response protocols to ensure that any data incidents are handled swiftly and transparently. This supports businesses in meeting their DPDP Act reporting and accountability requirements, minimizing legal and reputational risks.

Sekel Tech doesn’t just help you comply with the DPDP Act; it makes compliance operationally simple and scalable, so your teams can focus on growth with confidence.

Key DPDP Compliance Features at Sekel Tech

Sekel Tech’s holistic, privacy-first approach ensures that your business can confidently meet the requirements of the DPDP Act, protecting both your customers’ data and your organization’s reputation.

“With Sekel Tech, you gain more than leads; you gain data peace of mind.
Protect your brand, secure your data, and ensure full compliance - all from one intelligent platform.”

See how Sekel Tech's platform helps brands manage customer data responsibly across every location and touchpoint. "Manage Listings, Content, Reviews and Sales - All in One Place"
 

What the DPDP Act Says About Customer Data Leaks

In January 2025, the IT Ministry released the Draft Digital Personal Data Protection Rules to operationalize the 2023 Act. These rules clarify how businesses must prevent, detect, and respond to customer data leaks, reinforcing accountability across the entire data lifecycle.

Under Rule 6, Data Fiduciaries are required to implement strong technical and organizational safeguards, including data encryption, role-based access control, and secure logging for at least one year, to reduce the risk of breaches.

Rule 7 mandates that breaches must be reported to both the Data Protection Board and affected Data Principals within 72 hours, including details such as cause, mitigation steps, and the responsible contact person, ensuring full transparency and timely response.

Why this matters: Even a small leak of sensitive customer data can trigger penalties up to ₹250 crore under the DPDP Act, not to mention significant reputation loss for your brand.

Quick Checklist for Data Leak Preparedness

- Encrypt all stored and transmitted data

- Enable role-based access control (RBAC)

- Maintain audit logs for at least one year

- Establish a 72-hour breach response workflow

- Keep customer communication channels ready for prompt notifications

How to Manage Customer Data Under the DPDP Act

The Draft DPDP Rules, 2025 emphasize that customer data management must be transparent, purpose-driven, and time-bound, from collection to retention and erasure.

Rule 3 requires Data Fiduciaries to provide plain-language notices explaining:

- What personal data is collected (e.g., name, email, location, purchase history)

- Why is it collected (e.g., improving services, marketing)

- How users can withdraw consent or exercise their rights

Rule 8 introduces strict retention limits. Examples:

Rule 13 ensures businesses provide easy ways for customers to access, correct, or erase their data, responding within set timeframes, which is especially important for automotive dealers, retailers, and hyperlocal platforms managing large lead volumes daily.

Key Dos for Data Fiduciaries

- Provide clear, consent-based notices

- Register consent managers for standardized data collection

- Conduct annual Data Protection Impact Assessments (DPIAs) if handling - large or sensitive datasets

- Publish Data Protection Officer contact information (Rule 9)

- Erase inactive data after retention limits expire

Key Don’ts

- Don’t delay breach notifications beyond 72 hours

- Don’t process children’s data without verifiable parental consent

- Don’t retain unnecessary data indefinitely

- Don’t transfer data abroad without Central Government approval (Rule 14)

Aligning your practices with these rules not only avoids legal penalties but also builds trust with customers, a key advantage in hyperlocal and omnichannel marketing.

How to Prepare for the DPDP Act

Preparing for DPDP compliance is an ongoing operational commitment, not a one-time project. Here is where to start.

- Map Your Data: Identify every point where personal data enters your organisation. Lead forms, CRM systems, marketing platforms, and vendor integrations all need to be documented. You cannot protect data you don't know you have.

- Review Your Consent Mechanisms: Audit every customer touchpoint where data is collected. Ensure consent is explicit, specific, and freely given. Remove pre-ticked boxes and vague terms that don't meet DPDP requirements.

- Audit Your Vendors: List every third party handling personal data on your behalf. Assess their compliance. Sign Data Processing Agreements. Replace vendors who cannot demonstrate DPDP compliance.

- Implement Technical Controls: Deploy encryption for stored and transmitted data. Enable role-based access control. Maintain audit logs for at least one year as required under Rule 6.

- Build a Breach Response Plan: Establish a clear internal process for detecting and reporting breaches within 72 hours. Assign responsibilities and test the workflow before a breach happens.

Frequently Asked Questions (FAQs)

1. Why is the Digital Personal Data Protection Act important for businesses?

The DPDP Act makes data protection a legal obligation for every business handling personal data of Indian citizens. Non-compliance carries penalties up to ₹250 crore and significant reputational damage. For businesses managing customer data across multiple locations and vendors, compliance is both a legal necessity and a competitive advantage.

2. How can organisations prepare for the DPDP Act?

Map every point where personal data enters your organisation. Review consent mechanisms, audit your vendor ecosystem, sign Data Processing Agreements, implement encryption and role-based access control, and build a 72-hour breach response workflow. Train all teams handling personal data regularly.

3. How does the DPDP Act impact IT companies?

IT companies face dual obligations as Data Processors for clients and Data Fiduciaries for their own data. They must implement technical safeguards, update client contracts, and build consent management into products. DPDP compliance is becoming a standard procurement requirement for enterprise clients.

4. What obligations does the DPDP Act place on organisations?

Organisations must obtain explicit consent, use data only for its stated purpose, implement security measures, appoint a Data Protection Officer, audit vendors, maintain audit logs for one year, and report breaches to the Data Protection Board within 72 hours.

5. What happens in case of a data breach under the DPDP Act?

Under Rule 7, organisations must notify the Data Protection Board and affected individuals within 72 hours. The notification must include the breach cause, mitigation steps taken, and responsible contact details. Late reporting carries additional penalties on top of those for the breach itself.

Conclusion: Data Privacy is Brand Safety

Data privacy and brand safety are no longer separate conversations. Every customer who shares their name, phone number, or purchase history with your business is extending a form of trust. The Digital Personal Data Protection Act gives that trust a legal framework and makes protecting it a non-negotiable business responsibility.

The businesses that treat DPDP compliance as a genuine commitment rather than a checkbox exercise will build stronger customer relationships, face fewer regulatory risks, and earn a competitive advantage that is genuinely difficult for non-compliant competitors to replicate.

Sekel Tech's privacy-first platform makes compliance operationally simple. Consent-driven data collection, automated rights management, role-based access controls, and proactive incident response are all built in so your teams can focus on growth rather than regulatory risk. For multi-location brands managing customer data across complex vendor ecosystems, that operational simplicity is not just convenient. It is essential
 

Citations & References

The Hindu: IT Ministry notifies draft rules under data protection law
Innovate India: Draft Digital Personal Data Protection Rules, 2025
National Law Review: Key Highlights of India's Draft Digital Personal Data Protection Rules, 2025

Read More Blogs - 

1. Consent and Compliance: Navigating Privacy in Retail Marketing

2. How Compliance Builds Trust Between Brands & Customers

3. Ensuring Warranty and Guarantee Compliance for Trust