Digital Personal Data Protection Act 2023 (DPDP) — Data Governance

Q: Does Digital Personal Data Protection Act 2023 (DPDP) require Data Governance?

Yes. Digital Personal Data Protection Act 2023 (DPDP) addresses Data Governance through 1 provision.

Does Digital Personal Data Protection Act 2023 (DPDP) require Data Governance?

India • phased enforcement

Yes — 1 provision

Requirements at a glance

This regulation imposes 7 specific requirements for Data Governance across 1 provision:

Lawful basis — Personal data may only be processed for lawful purpose with explicit consent or specified legitimate use (Section 4)
Purpose limitation — Data must be used only for the purpose for which consent was given (Section 6)
Data accuracy — Data fiduciaries must ensure personal data is accurate and complete for the purpose of processing, including automated decisions affecting data principals (Section 8)
Security safeguards — Implement reasonable security measures to prevent data breach (Section 8)
Breach notification — Report personal data breaches to Data Protection Board and affected data principals; 72-hour indicative timeline under Rules (Section 8)
Data minimization — Process only data necessary for the stated purpose (Section 6)
Erasure on withdrawal — Upon consent withdrawal or purpose completion, data must be erased unless retention is legally required (Section 8)

Data Governance and Processing Obligations #

Obligation:

Data Governance

enforcing

Effective:

Nov 14, 2025

Risk tier:

all

Scope:

deployers, providers

sleepercross-domain

India's foundational data protection law applies to all automated processing of personal data — including AI inference, profiling, and recommendation systems. No explicit ADM opt-out right (unlike GDPR Article 22), but data accuracy and consent obligations bind AI deployers handling Indian user data. Penalties reach ₹250 crore (~$30M USD) per breach.

Requirements

Requirement	Details
Lawful basis	Personal data may only be processed for lawful purpose with explicit consent or specified legitimate use (Section 4)
Purpose limitation	Data must be used only for the purpose for which consent was given (Section 6)
Data accuracy	Data fiduciaries must ensure personal data is accurate and complete for the purpose of processing, including automated decisions affecting data principals (Section 8)
Security safeguards	Implement reasonable security measures to prevent data breach (Section 8)
Breach notification	Report personal data breaches to Data Protection Board and affected data principals; 72-hour indicative timeline under Rules (Section 8)
Data minimization	Process only data necessary for the stated purpose (Section 6)
Erasure on withdrawal	Upon consent withdrawal or purpose completion, data must be erased unless retention is legally required (Section 8)

Penalties

Violation	Fine
Failure to implement security safeguards	Up to ₹250 crore
Failure to notify breach	Up to ₹200 crore
Non-fulfilment of data principal rights	Up to ₹50 crore

View full regulation View obligation Obligation matrix