TL;DR: India’s Digital Personal Data Protection Act sets a consent-centric privacy model with new obligations for data fiduciaries, rights handling, security safeguards, and breach notification, while also giving the Central Government wide rulemaking authority, according to OneTrust. The compliance challenge is operational, not just legal: organisations must connect data discovery, consent records, rights workflows, and cross-border controls into one governable programme.
NHIMG editorial — based on content published by OneTrust: India DPDPA Compliance Guide: Requirements, Rights, Consent, and Governance
By the numbers:
- The DPDPA can trigger civil penalties of up to INR 250 crore, approximately USD 31 million.
Questions worth separating out
Q: How should organisations operationalise consent management under the DPDPA?
A: Treat consent as a lifecycle control, not a one-time capture event.
Q: Why do data principal rights create governance challenges for privacy teams?
A: Rights requests require the organisation to locate, verify, and act on the correct data across multiple systems and processors.
Q: What do organisations get wrong about privacy compliance in AI systems?
A: They often assume AI governance is separate from privacy governance.
Practitioner guidance
- Map consent to processing states Link every consent record to the specific systems, purposes, and downstream processors that rely on it so withdrawal can be enforced without manual reconciliation.
- Build identity checks into rights workflows Add verification and record-matching steps before fulfilling access, correction, or erasure requests so the request is tied to the correct individual and complete data set.
- Inventory transfer dependencies now Maintain a current map of personal data destinations, subprocessors, and cross-border routes so future government restrictions can be assessed quickly and consistently.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- How the DPDPA's consent and notice requirements map to real implementation workflows across portals, records, and downstream systems.
- The article's breakdown of rights handling for access, correction, erasure, and grievance redressal, including the practical process considerations.
- Its explanation of significant data fiduciary obligations and how future rules may change governance expectations over time.
- The discussion of international transfer restrictions and how organisations should monitor future government notifications.
👉 Read OneTrust's India DPDPA compliance guide for governance and operational details →
India's DPDPA: what privacy and IAM teams need to fix?
Explore further
Consent is becoming an access-control problem in privacy programmes. The DPDPA pushes consent from a legal record into an operational dependency that must be enforced across workflows, processors, and downstream systems. When consent state is inconsistent, the organisation can still technically process data while losing legal authority to do so. Practitioners should treat consent governance as part of broader access governance, not as a standalone privacy register.
A question worth separating out:
Q: Who is accountable when personal data transfers or breach handling fail under the DPDPA?
A: Accountability sits with the data fiduciary, especially where processing decisions, transfer governance, or notification duties are not enforced consistently. Organisations also need clear ownership across privacy, security, legal, and third-party management because the law ties governance failures to regulatory penalties and remediation obligations.
👉 Read our full editorial: India's DPDPA raises the bar for consent, rights, and governance