{"id":905052,"date":"2026-04-07T05:39:01","date_gmt":"2026-04-07T09:39:01","guid":{"rendered":"https:\/\/thefrontiermanipur.com\/?p=25051"},"modified":"2026-04-07T05:39:01","modified_gmt":"2026-04-07T09:39:01","slug":"digital-personal-data-protection-act-dpdpa-2023-series-part-iii-impact-implementation-challenges","status":"publish","type":"post","link":"http:\/\/www.manipur.org\/news\/2026\/04\/07\/digital-personal-data-protection-act-dpdpa-2023-series-part-iii-impact-implementation-challenges\/","title":{"rendered":"Digital Personal Data Protection Act (DPDPA) 2023 Series: Part III \u2013 Impact &amp; Implementation Challenges"},"content":{"rendered":"<div style=\"margin-bottom:20px;\"><img width=\"306\" height=\"194\" src=\"https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Graph.jpg\" class=\"attachment-post-thumbnail size-post-thumbnail wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Graph.jpg 306w, https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Graph-300x190.jpg 300w\" sizes=\"auto, (max-width: 306px) 100vw, 306px\" \/><\/div>\n<p><em><strong>Digital Personal Data Protection Act (DPDPA) 2023 Series: Part III \u2013 Impact &amp; Implementation Challenges<\/strong><\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-25008\" src=\"https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/03\/Ujjual-Abhishek-Jha-229x300.jpeg\" alt=\"\" width=\"85\" height=\"111\" srcset=\"https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/03\/Ujjual-Abhishek-Jha-229x300.jpeg 229w, https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/03\/Ujjual-Abhishek-Jha.jpeg 378w\" sizes=\"auto, (max-width: 85px) 100vw, 85px\" \/><\/p>\n<p><em><strong>By Lt Col Ujjual Abhishek Jha, Retd<\/strong><\/em><\/p>\n<p>The enactment of the Digital Personal Data Protection Act (DPDPA) 2023 marks a seismic shift in India\u2019s 
legislative approach to privacy and simultaneously introduces a complex web of operational demands for businesses. From re-engineering legacy data systems to navigating the nuances of &#8220;Data Fiduciaries&#8221; and &#8220;Significant Data Fiduciaries,&#8221; the road to compliance is paved with both technical hurdles and strategic questions. In this part of our series, we dive into the tangible impact of the DPDPA and the primary challenges organizations face in turning these legal mandates into functional realities.<\/p>\n<p><strong>DPDPA: Enforcement Timeline<\/strong><\/p>\n<p>The DPDPA applies exclusively to digital personal data, data collected digitally or subsequently digitised, processed in India, or outside India in connection with offering goods or services to individuals in India.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-25052\" src=\"https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-1-300x152.png\" alt=\"\" width=\"882\" height=\"447\" srcset=\"https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-1-300x152.png 300w, https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-1-1024x520.png 1024w, https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-1-768x390.png 768w, https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-1.png 1408w\" sizes=\"auto, (max-width: 882px) 100vw, 882px\" \/><\/p>\n<p><strong>Impact &amp; Challenges<\/strong><\/p>\n<p>\u2022 Impact on Individuals (Data Principals)<br \/>\nDPDPA strengthens individual control over personal data, translating the constitutional right to privacy into enforceable statutory rights. 
Data principals&#8217; rights include:<br \/>\n\u2022 Right to Access &#8211; obtain a summary of personal data held and processing activities, though notably without a data portability right.<br \/>\n\u2022 Right to Correction and Erasure &#8211; request rectification of inaccurate data or deletion of data no longer required.<br \/>\n\u2022 Right to Withdraw Consent &#8211; revoke consent at any time; data fiduciaries must respond within 90 days.<br \/>\n\u2022 Right to Nominate &#8211; appoint a nominee to exercise rights in case of incapacitation or death.<br \/>\n\u2022 Right to Grievance Redressal \u2013 the internal grievance mechanism must be exhausted before a complaint can be lodged with the DPBI.<br \/>\n\u2022 Children under 18: heightened protection &#8211; verifiable parental\/guardian consent is mandatory before processing a minor&#8217;s data, with specific exemptions carved out for healthcare professionals, educational institutions and child transport providers. Penalty up to Rs 200 crores.<\/p>\n<p><strong>Implementation Challenges for Individuals<\/strong><br \/>\n\u2022 Literacy and Awareness Gap &#8211; Given India&#8217;s low digital literacy, users may not be able to practically exercise rights, file complaints or interpret consent notices. The notice requirement specifies English and all 22 Scheduled languages, creating a multilingual compliance obligation, which remains a challenge.<br \/>\n\u2022 Dark Patterns and Consent Quality &#8211; While the DPDPA prohibits conditional consent and pre-ticked boxes, enforcement against confusing consent flows or hidden opt-outs will depend heavily on DPBI capacity and proactive complaint filing.<br \/>\n\u2022 Grievance Exhaustion Requirement &#8211; Data principals must exhaust the data fiduciary&#8217;s internal grievance mechanism before approaching the DPBI. 
The 90-day response window, while clear, could be exploited as a delay mechanism by less scrupulous operators.<br \/>\n\u2022 RTI Act Amendment: Right to Know vs Right to Privacy &#8211; One of the most consequential changes brought by the DPDPA is the amendment to Section 8(1)(j) of the Right to Information Act, 2005. The original provision allowed disclosure of personal data held by public authorities in the \u2018larger public interest\u2019. The DPDPA removes this override, significantly curtailing the ability of citizens and journalists to access personal data held by government bodies.<\/p>\n<p><strong>Impact on MSMEs and Small Businesses<\/strong><br \/>\n\u2022 Scope of Compliance Obligations &#8211; MSMEs that process digital personal data through customer-facing digital touchpoints, employee HR systems or supplier databases are subject to the DPDPA. The obligations include consent, notice requirements, purpose limitation, data minimisation, reasonable security safeguards, breach notification (72-hour deadline), data principal rights handling and contractual obligations with data processors. The Act offers no blanket small-business exemption.<br \/>\n\u2022 Sector-Specific Heightened Risk &#8211; Most MSMEs will not be classified as Significant Data Fiduciaries, avoiding the DPO and DPIA obligations. 
However, volume-driven or sector-specific designation is possible for Fintech and lending platforms processing KYC and financial data, Healthtech and telemedicine platforms with patient records, Edtech platforms with children&#8217;s data, SaaS and E-commerce.<br \/>\n\u2022 Compliance Cost and Capacity Challenges<br \/>\n\u2022 Budget and Resource Constraints &#8211; Legal, technical and organisational costs may range from \u20b95\u201325 lakh for a simple MSME to \u20b950 lakh or more for data-heavy verticals, costs that can be existentially challenging for businesses in early stages.<br \/>\n\u2022 Legacy Systems and Data Mapping &#8211; Many MSMEs operate on basic ERP systems, Excel-based databases, or fragmented CRMs that lack built-in consent tracking, automated data deletion workflows, or audit logging capabilities. Mapping all personal data flows, including those through informal channels such as WhatsApp Business, ad-tech trackers, and offline data later digitised, to meet documentation requirements is technically complex without dedicated resources.<br \/>\n\u2022 Awareness Gap &#8211; Awareness of DPDPA obligations among MSME operators remains low, and without targeted government outreach programmes, many small businesses risk inadvertent non-compliance.<br \/>\n\u2022 72-Hour Breach Notification &#8211; The 72-hour window to notify the DPBI and affected data principals of a personal data breach demands 24\/7 incident monitoring infrastructure that most MSMEs lack.<\/p>\n<p><strong>Impact on Large Corporates and Conglomerates <\/strong><\/p>\n<p>For large enterprises, the DPDPA drives a fundamental shift toward institutionalised privacy governance and requires a privacy-by-design approach. 
Key enterprise-level requirements include enterprise privacy policies and data governance frameworks, role-based access controls and privileged access management, vendor and third-party data processing agreements with mandatory DPDPA compliance clauses, accountability through privacy registers, audit trails and board-level oversight, and automated data lifecycle management.<\/p>\n<p>Significant Data Fiduciary Obligations &#8211; Large enterprises across sectors are likely to be designated as SDFs, which entails appointment of an India-based DPO, annual Data Protection Impact Assessments, annual independent audits, algorithmic risk verification and potential data localisation mandates for government-specified data categories.<br \/>\n<strong>Implementation Challenges for Large Corporates and Conglomerates<\/strong><\/p>\n<p>\u2022 Legacy System Modernisation &#8211; India&#8217;s large corporate landscape runs on legacy architectures that lack support for consent tracking, automated erasure or granular access logging.<br \/>\n\u2022 Multi-Regulator Complexity (BFSI) \u2013 BFSI entities face a dual-compliance challenge: meeting RBI, SEBI, IRDAI and NPCI requirements while reconciling KYC data processing with the DPDPA&#8217;s consent and purpose-limitation principles.<br \/>\n\u2022 DPO Scarcity &#8211; The DPO requirement creates a talent supply crisis, as India has fewer than 5,000 practitioners with certifications.<br \/>\n\u2022 AI and Algorithmic Compliance &#8211; The requirement for algorithmic risk verification introduces compliance overhead at the model design, training and deployment stages and may require significant architectural changes.<\/p>\n<p><strong>Impact on International Business<\/strong><br \/>\n\u2022 Extraterritorial Reach &#8211; The DPDPA applies to any entity, Indian or foreign, that processes personal data of individuals located in India in connection with offering goods or services to those individuals. 
Foreign entities without an India office but serving Indian users through e-commerce, SaaS, mobile apps or digital services must comply with the full DPDPA regime, including responding to DPBI enforcement.<br \/>\n\u2022 Cross-Border Data Transfers: The Negative List &#8211; The DPDPA establishes a \u2018negative list\u2019 approach to cross-border transfers: personal data may be transferred to any country except those specifically restricted by Central Government notification. However, it introduces a distinctive set of challenges: no published criteria for blacklisting countries, no advance notice requirements for blacklisting, no standard contractual clauses and the persistence of sector-specific laws.<br \/>\n\u2022 Compliance Cost &#8211; Multinational companies face layered compliance costs of updating global privacy policies for Indian requirements, implementing multilingual consent notices, deploying India-specific consent management infrastructure, renegotiating data processing agreements with India-based processors and sub-processors, and maintaining the technical capability to respond to DPBI enforcement actions.<\/p>\n<p><strong>Impact on Government and Law Enforcement Agencies<\/strong><br \/>\nGovernment as Data Fiduciary &#8211; Government entities are \u2018data fiduciaries\u2019 under the DPDPA when processing citizens&#8217; digital personal data and are subject to the same baseline obligations as private sector entities. However, Section 17 of the DPDPA provides exemptions for State processing for sovereignty, integrity, security, public order, and prevention\/investigation of offences; research, archiving or statistical purposes; legal and judicial proceedings; and processing of non-residents&#8217; personal data within India.<br \/>\nLaw Enforcement and Investigation Challenges &#8211; Law enforcement agencies face a contradiction: as data fiduciaries they must comply with the DPDPA, while also being covered by its exemptions. 
This creates operational complexity as legacy systems holding this data still require security safeguards.<\/p>\n<p><strong>Judicial Implications<\/strong><br \/>\n\u2022 Appellate Jurisdiction: Telecom Disputes Settlement and Appellate Tribunal (TDSAT) &#8211; TDSAT, designated as the appellate body for DPBI decisions, is primarily a telecommunications regulator with limited data privacy jurisprudence.<br \/>\n\u2022 No Criminal Penalties \u2013 This reduces the risk of regulatory overreach against individuals but may limit deterrence effectiveness for misuse by corporate actors who can absorb financial penalties as a cost of business.<br \/>\n\u2022 Interpretation Challenges &#8211; Courts and the DPBI will face interpretive questions such as what constitutes \u2018reasonable security safeguards\u2019, how the Puttaswamy judgement applies to the government exemptions and how the DPDPA interacts with sector-specific regulations where conflicts arise.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-25053\" src=\"https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-2-300x164.png\" alt=\"\" width=\"884\" height=\"483\" srcset=\"https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-2-300x164.png 300w, https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-2-1024x559.png 1024w, https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-2-768x419.png 768w, https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Phase-2.png 1408w\" sizes=\"auto, (max-width: 884px) 100vw, 884px\" \/><\/p>\n<p>DPDPA 2023 is more than just a compliance checklist; it is a catalyst for a fundamental cultural shift in how data is perceived. While the implementation challenges are significant, they are surmountable. 
Organizations that view these hurdles as an opportunity to build \u2018Privacy by Design\u2019 will likely find themselves with a competitive edge in an increasingly data-conscious global market.<\/p>\n<p><strong><em>(Lt Col Ujjual Abhishek Jha, Retd is a Certified Data Privacy Professional and Strategic &amp; Geopolitical Advisor with over two decades of experience in intelligence, insider threat management, financial crime investigations, and geopolitical risk analysis, advising on complex security and strategic risks.)<\/em><\/strong><\/p>\n<p><a href=\"https:\/\/thefrontiermanipur.com\/digital-personal-data-protection-act-dpdpa-2023-series-part-i-the-foundations-of-privacy-evolution-of-indian-laws-a-roadmap-to-dpdpa\/\">For Part I &#8211; Digital Personal Data Protection Act (DPDPA) 2023 Series: Part I \u2014 The Foundations of Privacy: Evolution of Indian Laws &amp; A Roadmap to DPDPA &#8211; The Frontier Manipur<\/a><br \/>\n<a href=\"https:\/\/thefrontiermanipur.com\/digital-personal-data-protection-act-dpdpa-2023-series-part-ii-from-principles-to-practice-the-dpdp-rules-2025-global-paradigms-indias-middle-path\/\">For Part II &#8211; Digital Personal Data Protection Act (DPDPA) 2023 Series: Part II \u2014 From Principles to Practice: The DPDP Rules 2025, Global Paradigms &amp; India\u2019s Middle Path &#8211; The Frontier Manipur<\/a><\/p>\n<p>The post <a href=\"https:\/\/thefrontiermanipur.com\/digital-personal-data-protection-act-dpdpa-2023-series-part-iii-impact-implementation-challenges\/\">Digital Personal Data Protection Act (DPDPA) 2023 Series: Part III \u2013 Impact &#038; Implementation Challenges<\/a> first appeared on <a href=\"https:\/\/thefrontiermanipur.com\/\">The Frontier Manipur<\/a>.<\/p>\n\n<p class=\"syndicated-attribution\">Read more \/ Original news source: <a 
href=\"https:\/\/thefrontiermanipur.com\/digital-personal-data-protection-act-dpdpa-2023-series-part-iii-impact-implementation-challenges\/\">https:\/\/thefrontiermanipur.com\/digital-personal-data-protection-act-dpdpa-2023-series-part-iii-impact-implementation-challenges\/<\/a><\/p>","protected":false},"excerpt":{"rendered":"<div><img loading=\"lazy\" decoding=\"async\" width=\"306\" height=\"194\" src=\"https:\/\/thefrontiermanipur.com\/wp-content\/uploads\/2026\/04\/Graph.jpg\" class=\"attachment-post-thumbnail size-post-thumbnail wp-post-image\" alt=\"\"><\/div>\n<p>Digital Personal Data Protection Act (DPDPA) 2023 Series: Part III \u2013 Impact &amp; Implementation Challenges By Lt Col Ujjual Abhishek Jha, Retd The enactment of the Digital Personal Data Protection Act (DPDPA) 2023 marks a seismic shift in India\u2019s legislative approach to privacy and simultaneously introduces a complex web of operational demands for businesses. From [\u2026]<\/p>\n<p>The post <a href=\"https:\/\/thefrontiermanipur.com\/digital-personal-data-protection-act-dpdpa-2023-series-part-iii-impact-implementation-challenges\/\">Digital Personal Data Protection Act (DPDPA) 2023 Series: Part III \u2013 Impact &amp; Implementation Challenges<\/a> first appeared on <a href=\"https:\/\/thefrontiermanipur.com\/\">The Frontier 
Manipur<\/a>.<\/p>\n","protected":false},"author":14,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20364,4],"tags":[8842,20482,20483,20369,319,15447,363,996],"class_list":["post-905052","post","type-post","status-publish","format-standard","hentry","category-frontiermanipur","category-news","tag-articles","tag-digital-connectivity","tag-digital-security","tag-frontiermanipur","tag-manipur-news","tag-news","tag-technology","tag-world"],"_links":{"self":[{"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/posts\/905052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/comments?post=905052"}],"version-history":[{"count":2,"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/posts\/905052\/revisions"}],"predecessor-version":[{"id":905055,"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/posts\/905052\/revisions\/905055"}],"wp:attachment":[{"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/media?parent=905052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/categories?post=905052"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.manipur.org\/news\/wp-json\/wp\/v2\/tags?post=905052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}