Enacted

India DPDP Act

India/APAC | Republic of India

Summary

India's Digital Personal Data Protection Act (DPDP Act) is a comprehensive data protection law enacted in August 2023. While not specifically an AI regulation, it has significant implications for AI systems that process personal data of Indian citizens, introducing important requirements around data minimization, purpose limitation, consent, and automated decision-making.

Key Obligations

  • Obtain clear, specific consent before processing personal data for AI systems
  • Use personal data only for the specified purposes for which consent was obtained
  • Respect data principal rights to access, correct, and erase their personal data
  • Implement reasonable security safeguards and report data breaches
  • Ensure data accuracy and completeness
  • Comply with restrictions on cross-border data transfers

Enforcement

  • Regulator: Data Protection Board of India (to be established)
  • Penalties: Up to ₹250 crore (approximately $30 million) for serious violations
  • Audit Mechanism: Regulatory investigations, data principal complaints, mandatory breach notifications

Applicable To

  • Organizations processing personal data of Indian citizens
  • Companies with operations in India processing personal data
  • AI system developers using personal data of Indian citizens
  • Data fiduciaries and data processors as defined in the Act

AI-GPM Coverage

Rakshan provides comprehensive DPDP Act compliance support for AI systems, including consent management tools, purpose registry, data principal rights management workflows, security controls, data transfer compliance tools, and breach notification workflows.

Overview

The Digital Personal Data Protection Act (DPDP Act) is India's comprehensive data protection law, enacted in August 2023 after several years of development. While not specifically an AI regulation, it has significant implications for AI systems that process personal data of Indian citizens.

The DPDP Act establishes rights for individuals (data principals) and obligations for organizations (data fiduciaries) processing personal data. It applies both to digital personal data processed in India and to data processed outside India where that processing relates to offering goods or services to individuals in India.

For AI developers and deployers, the DPDP Act introduces important requirements around data minimization, purpose limitation, consent, and automated decision-making that must be incorporated into AI governance practices. Compliance with the DPDP Act is essential for organizations using AI to process personal data in the Indian market.

Key Components

1. Consent Requirements

Organizations must obtain clear, specific consent before processing personal data for AI systems, with limited exceptions. Consent notices must be clear, in plain language, and available in multiple Indian languages.

2. Purpose Limitation

Personal data collected for AI training or operation can only be used for the specified purposes for which consent was obtained, challenging broad, multi-purpose data collection practices.

3. Data Principal Rights

Individuals have rights to access, correct, and erase their personal data, including data used in AI systems, as well as the right to grievance redressal for automated decisions.

4. Data Fiduciary Obligations

Organizations using AI must implement reasonable security safeguards, report data breaches, and ensure data accuracy and completeness, with additional obligations for significant data fiduciaries.

5. Cross-Border Data Transfers

Restrictions on transferring personal data outside India may impact cloud-based AI services and international AI development collaborations, with specific countries to be notified for permitted transfers.

Implementation Timeline

  • August 11, 2023: Digital Personal Data Protection Act enacted
  • 2023-2024: Government drafting and releasing rules and regulations under the Act
  • Expected 2024: Establishment of the Data Protection Board of India
  • Expected 2024-2025: Full implementation and enforcement of the Act

How Rakshan Helps

Rakshan's AI Governance Platform helps organizations comply with the DPDP Act requirements for AI systems:

  • Consent Management: Tools to document and manage consent for personal data used in AI systems
  • Purpose Registry: Track and enforce purpose limitation for data used in AI training and operation
  • Data Principal Rights Management: Workflows to handle access, correction, and erasure requests
  • Security Controls: Implementation guidance for reasonable security safeguards for AI systems
  • Data Transfer Compliance: Tools to manage and document compliant cross-border data transfers
  • Significant Data Fiduciary Assessment: Determine if your organization qualifies and implement additional requirements
  • Breach Notification Workflows: Streamlined processes for timely breach reporting
  • India-Specific Documentation: Templates and guidance tailored to DPDP Act requirements

By implementing Rakshan's platform, organizations can ensure their AI systems comply with India's DPDP Act while maintaining documentation to demonstrate compliance to regulators and data principals, enabling confident operation in the Indian market.
