Who needs to appoint a DPO under DPDPA?

Only Significant Data Fiduciaries (SDFs) designated by the Central Government must appoint a Data Protection Officer under Rule 13 of the DPDP Rules 2025. The DPO must be a resident of India and serve as the primary contact point for the Data Protection Board of India.

What are DPO qualifications under DPDPA?

DPDPA does not prescribe specific qualifications. However, the DPO should possess expertise in data protection law, understanding of organizational operations, and ability to interface effectively with the Data Protection Board. Professional certifications like CIPP/E or CIPM are recommended.

What are the maximum penalties under DPDPA?

DPDPA establishes graduated penalties: Rs 250 Crore for security safeguard failures, Rs 200 Crore for breach notification violations, Rs 200 Crore for children's data violations, and Rs 50 Crore for consent and rights violations. Penalties are cumulative across multiple violations.

What is the breach notification timeline under DPDPA?

Data Fiduciaries must notify the Data Protection Board and affected Data Principals within 72 hours of becoming aware of a personal data breach. Additionally, CERT-In Directions require reporting of cyber security incidents within 6 hours.

How does DPDPA handle cross-border data transfers?

Section 16 of DPDPA adopts a negative list approach - personal data may be transferred to any country except those specifically notified as restricted by the Central Government. No adequacy determinations or Standard Contractual Clauses are required for permitted destinations.

What are the key differences between DPDPA and GDPR?

Key differences include: DPDPA applies only to digital personal data (GDPR is medium-agnostic), DPDPA uses fixed penalties up to Rs 250Cr (GDPR uses 4% of global turnover), DPDPA has no direct "legitimate interests" processing basis, and DPDPA mandates withdrawal parity with statutory force.

What is a Consent Manager under DPDPA?

Consent Managers are intermediaries registered with the Data Protection Board that enable Data Principals to manage consent across multiple Data Fiduciaries through a single platform. They must meet interoperability standards and consent provided through them has equivalent validity to direct consent.

What are Data Principal rights under DPDPA?

Chapter IV of DPDPA establishes five key rights: Right to Access Information (Section 11), Right to Correction and Erasure (Section 12), Right to Grievance Redressal (Section 13), Right to Nominate (Section 14), and Right to Withdraw Consent (Section 6).

DPO Resource Centre

DPO Pro

Authoritative guidance for Data Protection Officers navigating DPDPA 2023 compliance. Ten essential briefings and ten visual guides covering appointment mandates, breach protocols, consent architecture, and enforcement preparedness.

10 Comprehensive Briefings

10 Visual Guides

Statutory Cross-References

Featured Publication

Latest authoritative analysis

Legislative Analysis22 January 202635 min

India's Digital Personal Data Protection Act 2023 Stagewise Implementation

The Digital Personal Data Protection Act, 2023 represents India's most significant legislative development in data governance since the Information Technology Act, 2000. After years of deliberation spanning multiple draft iterations and extensive stakeholder consultations, India now possesses a dedicated statutory framework governing the processing of digital personal data.

Read Full Analysis

Authors

Anandaday Misshra

Founder & Managing Partner

Rohit Lalwani

Associate Partner

Mridusha Guha

Principal Associate

Khilansha Mukhija

Associate

Essential DPO Briefings

Each briefing provides statutory foundations, practical implementation guidance, and actionable checklists for immediate application.

Appointment & Tenure12 min

The DPO Appointment Mandate Under DPDPA

Understanding Section 10(2) and Rule 13 Obligations

"The Data Protection Officer shall act as the point of contact for the Data Principal and shall represent the Significant Data Fiduciary."

— DPDPA Section 10(2)

DPDPA Section 10(2)DPDP Rules 2025 Rule 13+1 more

Governance15 min

Operational Independence of the DPO

Navigating Conflicts of Interest and Reporting Lines

"The DPO shall not be dismissed or penalised for performing their tasks."

— GDPR Article 38(3) — Applicable Principle

DPDPA Section 10(2)GDPR Article 38+1 more

Breach Response18 min

Personal Data Breach Response: The 72-Hour Protocol

CERT-In Directions and DPDPA Section 8(6) Harmonisation

"Any service provider, intermediary, data centre, body corporate shall mandatorily report cyber incidents to CERT-In within 6 hours."

— CERT-In Directions 2022

DPDPA Section 8(6)CERT-In Directions April 2022+1 more

Consent Management16 min

Architecting Compliant Consent Mechanisms

Section 6 Requirements and Rule 3 Implementation

"Consent shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action."

— DPDPA Section 6

DPDPA Section 6DPDP Rules 2025 Rule 3+2 more

International Transfers14 min

Cross-Border Data Transfers: Section 17 Compliance

Permitted Jurisdictions and Transfer Mechanisms

"The Central Government may restrict transfer of personal data to such country or territory outside India as may be notified."

— DPDPA Section 17

DPDPA Section 17RBI Circular on Storage of Payment Data+2 more

Children's Data13 min

Processing Children's Data: Enhanced Obligations

Section 9 Compliance and Verifiable Parental Consent

"The Data Fiduciary shall, before processing any personal data of a child, obtain verifiable consent of the parent of such child."

— DPDPA Section 9(1)

DPDPA Section 9DPDP Rules 2025 Rule 10+1 more

Rights Management17 min

Responding to Data Principal Rights Requests

Section 11-14 Compliance and Response Timelines

"The Data Principal shall have the right to obtain from the Data Fiduciary confirmation whether personal data is being processed."

— DPDPA Section 11(1)

DPDPA Section 11DPDPA Section 12+3 more

Vendor Management15 min

Data Processor Oversight: Vendor Management Programme

Section 8(2) Obligations and Contractual Safeguards

"The Data Fiduciary shall engage a Data Processor only under a valid contract."

— DPDPA Section 8(2)

DPDPA Section 8(2)DPDP Rules 2025 Rule 6+1 more

Risk Assessment16 min

Data Protection Impact Assessments

Risk-Based Compliance Under Section 10

"A Significant Data Fiduciary shall undertake Data Protection Impact Assessment."

— DPDPA Section 10(2)(b)

DPDPA Section 10(2)(b)DPDP Rules 2025 Rule 13+1 more

Enforcement19 min

Navigating Data Protection Board Proceedings

Enforcement Response and Penalty Mitigation

"The Board may, on a complaint or a reference made to it or on its own motion, inquire into any breach of the provisions of this Act."

— DPDPA Section 27

DPDPA Section 27DPDPA Section 28+2 more

Grounded in Statute

Every briefing in DPO Pro is anchored to specific provisions of the Digital Personal Data Protection Act, 2023 and the DPDP Rules 2025. Cross-references enable direct verification against authoritative legislative text.