Personal Data Is Now a Legal Obligation. Not a Policy Question.
The Digital Personal Data Protection Act, 2023 is in force. The Rules are drafted. The Data Protection Board is being constituted with the power to adjudicate and impose penalties of up to ₹250 crore — the maximum penalty the statute prescribes. Every organisation that collects, processes or stores personal data of any Indian citizen is already governed by this Act — whether or not their legal team has read it. This is the knowledge centre for the ones who are reading it now.
India’s Own Data Privacy Structure.
Every analysis of DPDPA that begins with “India’s answer to GDPR” is factually wrong before it finishes the sentence. The Digital Personal Data Protection Act, 2023 draws its constitutional mandate from Puttaswamy v Union of India — a unanimous nine-judge bench of the Supreme Court that held privacy to be a fundamental right under Article 21. That foundation changes everything. GDPR is a regulatory instrument. DPDPA is the legislative expression of a constitutional right.
“This Act does not regulate data. It protects people. The distinction is not semantic. It determines how every obligation must be read.”
The Act imposes obligations in a precise sequence. Notice before consent. Consent before collection. Collection only for the stated purpose. Processing only to the extent necessary. Retention only as long as required. Most Indian organisations have reversed this order for decades — collecting first, justifying later. DPDPA closes that window permanently.
The Rules, now drafted, address the operational architecture the Act left to subordinate legislation: the form and language of consent notices, the mechanics of cross-border data transfer approvals, the constitution and procedure of the Data Protection Board, and the additional obligations triggered by Significant Data Fiduciary status. Reading the Act without the Rules is like reading a statute without its Schedule. The enforcement standard is in both.
Twenty-seven years of practice teaches one thing above all: the organisations that survive regulatory transitions are not the ones who move fastest after the regulator acts. They are the ones who moved first, while others were still debating whether to begin.
Why DPDPA Cannot Be Diluted by Circular or Notification
Because DPDPA implements a fundamental right, its core obligations cannot be administratively removed or deferred. Any attempt by subordinate legislation to hollow out the Act's consent requirements or penalty framework would be constitutionally vulnerable. This is not an academic point — it directly constrains how regulators interpret and enforce the Act.
Five Words That End Your Existing Consent Framework
Free. Specific. Informed. Unconditional. Unambiguous. Each word is a test. Most Indian consent frameworks fail at "specific" — they obtain consent for a category of activity, not a defined purpose. Consent for "marketing purposes" does not satisfy DPDPA. Consent for "sending you updates on Product X" does.
The Board Counts Violations. Your Legal Team Should Too.
₹250 crore is the maximum penalty the statute prescribes. The Board determines the actual quantum in each proceeding, weighing the gravity of the violation, the number of data principals affected, and whether the contravention was wilful or negligent. The ceiling signals legislative intent about seriousness.
The Organisations That Understand This Will Win the Decade
DPDPA compliance, done properly, creates an audit trail of every personal data asset an organisation holds — its provenance, its purpose, its retention period, its processing history. That is not a compliance record. It is an enterprise data map. The organisations that build this architecture for compliance will discover they have built something far more valuable: a defensible, auditable data estate.
Eight Obligations. None Optional.
These are not a checklist to be completed and filed. Each is a living legal obligation that must be demonstrable on any day the Board chooses to look. The question is not whether your organisation is compliant today. It is whether you can prove it.
Consent Architecture
A consent notice must be in plain language, must itemise every category of personal data sought and the purpose for each, must be available in all 22 scheduled Indian languages on request, and must be accompanied by a mechanism to withdraw consent as easily as it was given. A single missing element renders the entire consent invalid. There is no cure provision for defective consent obtained before the defect is discovered.
Data Principal Rights
DPDPA creates five rights that are immediately enforceable without the data principal being required to establish harm. The right to information. The right to correction and erasure. The right to grievance redressal with a defined response window. The right to nominate. Each right operates against a timeline the Rules prescribe. An organisation that fails to respond within that window has committed a violation.
Data Fiduciary Obligations
Section 8 imposes six duties that operate continuously, not periodically. Purpose limitation means you cannot use data you collected for marketing to improve your product, even internally. Data minimisation means you cannot retain fields your current processing does not require. The most common violation AMLEGALS has identified in gap assessments is an organisation with a correct policy and zero evidence of its operation.
Significant Data Fiduciary
The Central Government has not yet published the SDF notification. This is not a reason to wait. The criteria in Section 10 — volume of data processed, sensitivity, risk to national security, public order and individual rights — will catch every major Indian enterprise, every platform with more than a million registered users, and every organisation processing health, financial or biometric data at scale.
Cross-Border Data Transfers
DPDPA inverts India's prior data localisation approach. Rather than restricting transfers by default, it permits transfers to countries the Central Government whitelists. Organisations cannot wait for the finalised whitelist — cloud infrastructure decisions, group company data sharing agreements, and international vendor contracts are being executed today. Every cross-border data flow must be structured for retroactive compliance.
Data Protection Officer
The DPO under DPDPA must be a key managerial person or an officer of the Data Fiduciary, resident in India, with genuine authority and board-level access. Appointing a junior compliance officer with the title of DPO does not satisfy the statute. The Board will examine authority, access and accountability — not job titles. An ornamental DPO appointment is not compliance. It is a liability.
Data Breach Response
Section 8(6) requires notification to the Board of every personal data breach, without qualification. There is no materiality threshold. There is no minimum number of affected data principals. Every breach triggers mandatory notification. The Rules prescribe the format, content and timeline. An organisation that discovers a breach with no protocol will miss the notification window — which is a separate violation.
AI & Automated Processing
DPDPA contains no separate AI chapter because it does not need one. Every AI system that processes personal data of Indian citizens is a Data Fiduciary function, subject to the full Act. The consent required to collect data for training a model is not the same as the consent required to use that model's output to make a decision about the individual whose data was used. Inferred data and model outputs that identify individuals are all personal data.
Not Commentary. Counsel.
The Compliance Mirage Doctrine™ — Why Your Gap Assessment Is Measuring the Wrong Thing
Every gap assessment conducted today measures your organisation against the standard as it exists today. The Data Protection Board will adjudicate against the standard at the time of the violation. The Compliance Mirage Doctrine™ names the gap between these two standards. Most Indian organisations are standing inside that gap, believing they are on the right side of it.
The Data Protection Board — Powers, Procedure and What Indian Organisations Must Prepare For
The Board has the power to conduct inquiries suo motu, accept complaints from data principals, and impose penalties without requiring the complainant to prove financial harm. It operates on a civil standard of proof. The bar for triggering an inquiry is lower than most Indian legal teams have been told to expect.
Consent Capital™ — The Balance Sheet Asset Your Finance Team Has Not Noticed Yet
Every validly obtained consent record is a unit of Consent Capital™ — a legally defensible authorisation to process a defined data set for a defined purpose. In a post-DPDPA economy, the difference between an organisation with auditable consent records and one without is the difference between a lawful data operation and a liability.
Section 9 Has No Grey Areas — What Every Platform With Young Users Must Do Now
Section 9 prohibits processing of personal data of children without verifiable parental consent and prohibits behavioural monitoring and targeted advertising directed at children — without a de minimis carve-out. Platforms that rely on self-declaration of age have not satisfied the standard. The statute does not distinguish between intent and effect.
The DPDPA–Labour Codes Collision — Why India's HR Function Has Two Compliance Problems, Not One
India's Four Labour Codes regulate the same employee data sets that DPDPA governs — biometrics for attendance, health data for insurance, financial data for payroll, performance data for assessment. Where the Codes permit collection, DPDPA adds a consent and purpose limitation layer. The two regimes do not conflict — but navigating both simultaneously requires a compliance architecture that almost no Indian HR function currently has.
The Digital Atman Theory™ — Reading DPDPA the Way Parliament Intended It to Be Read
If personal data is an extension of the individual's identity — as the Digital Atman Theory™ holds — then every DPDPA obligation must be read not as a procedural requirement but as a rights protection measure. Organisations that have built their compliance on a purely regulatory reading are building on an interpretation that will not survive the first significant judicial challenge.
The Doctrines That Define the Practice.
These are not summaries of the law. They are original analytical frameworks developed by Anandaday Misshra through 27 years of legal practice — ways of seeing DPDPA that no commentary or circular will give you. Each has been presented at industry conferences, published in legal journals, and applied in live advisory mandates.
The Consent Trap™
India's legal culture around consent has historically been acquisitive — get the signature, file the record, close the matter. DPDPA breaks this model. Consent under Section 6 is not a transaction. It is a continuing relationship. The moment a data principal withdraws consent, processing must stop. Not eventually. Not after the next system update. Immediately.
Compliance Mirage Doctrine™
A gap assessment is a photograph. The Board's enforcement is a video. The photograph shows the organisation on a good day, measured against a standard that existed on the day the assessment was conducted. Enforcement happens months or years later, against a standard that has been hardened by Board decisions, High Court orders and peer organisations' compliance experiences.
Digital Atman Theory™
The Atman — in Advaita Vedanta — is the individual consciousness that is simultaneously personal and universal. It cannot be separated from the individual without destroying the individual. The Digital Atman Theory™ holds that personal data occupies the same ontological position in the digital economy. It is not merely information about a person. It is a dimension of the person's identity in digital space.
Agentic AI Surface Area Index™
Every AI system that processes personal data does not create one DPDPA obligation. It creates a stack of obligations, one at each point where the system touches personal data — at ingestion, during training, at inference, when generating output, when storing results, and when that output is acted upon. The AASAI™ is the framework for identifying every one of these points and the precise DPDPA obligation that attaches at each.
Understand the Law Before It Understands You.
The DPDPA Rules — Section by Section. Every Obligation. Every Timeline.
The Rules are drafted. They are not a simplification of the Act — they are an extension of it, adding specificity that significantly increases the compliance burden. This session dissects every Rule that creates a new or additional obligation, with the implementation implication of each stated in plain terms.
DPDPA Implementation for Legal, Compliance and HR — Ahmedabad
A practitioner-led full-day session. The morning is the law — Act, Rules, Board constitution, enforcement architecture. The afternoon is your organisation — building consent frameworks, data principal rights response systems, and breach notification protocols that hold up under Board scrutiny. You leave with a sector-specific implementation roadmap.
AI Governance under DPDPA — The AASAI™ Framework Keynote
Indian enterprises are deploying AI at scale while their DPDPA consent frameworks were designed for human-operated data collection. The gap between these two realities is the legal risk this keynote addresses. Anandaday Misshra presents the Agentic AI Surface Area Index™ — a live mapping of where AI deployments create DPDPA liability.
This knowledge hub is the public-facing practice of AMLEGALS — Legal 500 Asia Pacific ranked, 27 years of practice, 10 offices across India. For advisory mandates, retainer arrangements, Data Protection Board representation or DPO engagements, the conversation begins at amlegals.in.