DPDP Roles, explained simply

India's Digital Personal Data Protection Act. Who is who.

‹ General awareness

General awareness

Nine DPDP misconceptions that will not die

Over the last few weeks I have worked through the assumptions about the DPDP Act that come up again and again in conversations with businesses. Almost every one is a spot where people assume the Act hands them a threshold, a shield, or a shortcut, and it does not.

  1. "We are too small to be a Data Fiduciary." The Act does not ask your size. It asks who decides the purpose and means of the processing.
  2. "We need consent for everything." Consent is the main road, but Section 7 is a closed list of legitimate uses. There is no general balancing test where commercial benefit is enough.
  3. "We have a privacy policy, so we are compliant." A notice is a paragraph. Compliance is the system that can actually deliver what the paragraph promises.
  4. "We use a processor, so it is their problem now." You can outsource the processing. You cannot outsource the accountability.
  5. "The DPDP Act forces data to stay in India." It does not. Section 16 is a blocked list, not a guest list. Transfer is allowed until a destination is restricted, subject to any stricter sectoral law.
  6. "Get parental consent and children's data is handled." Consent does not lift the ban on tracking, behavioural monitoring and targeted advertising of children.
  7. "Cross two crore users and you become a Significant Data Fiduciary." SDF status is a Government designation on sensitivity and risk, not a user count. The two crore line is a different regime, about retention.
  8. "We have seventy two hours to tell the regulator." Seventy two hours is the deadline for the detailed Board report. The first intimation, to the Board and to every affected person, is without delay.
  9. "Access means give me my data, and there are three rights." There are four, including nomination, and access also means telling the person everyone you shared their data with.

The pattern across all nine

The DPDP Act rarely works the way the familiar word suggests. Consent, breach, processor, transfer, significant: each carries a meaning in the Act that is narrower, wider, or simply different from the one people carry into it. Reading the Act for what it says, rather than what the word usually means, is most of the work.

I built a free browser based explainer to make the roles and the basics easier to get right. Each of the nine above links to its own post. If you would like to review the explainer from a legal or practical perspective, I would genuinely value the feedback.

Which of these nine do you run into most often, and is there a tenth that belongs on the list?

#DPDP #DPDPAct2023 #DPDPRules2025 #DataProtection #PrivacyLaw #India #Compliance

A grid of nine DPDP misconceptions, each with a cross for the myth and a tick for the reality: too small to be a Data Fiduciary, consent for everything, a privacy policy equals compliance, the processor owns the problem, data must stay in India, parental consent handles children's data, two crore users makes a Significant Data Fiduciary, 72 hours to tell the regulator, and access means just a copy. A bridge from myths to real compliance reads: read the Act, not the assumption.
Read the Act, not the assumption. Tap to enlarge.

Be DPDP ready before the deadline

We are preparing more than a dozen ready to use templates, including the Privacy Notice, Consent Notice, Data Retention and Erasure Policy, Security Safeguards Policy, Breach Response Procedure, Children's Data Policy, and the Data Processing Agreement. Drop your email and we will notify you when the assessment and templates go live.