DPDPA 2023 Compliance for Businesses: Consent Managers, Data Fiduciary Obligations & Rs.250 Crore Penalties

The Digital Personal Data Protection Act, 2023 (DPDPA 2023) has fundamentally reshaped how Indian businesses handle personal data. Non-compliance exposes you to penalties up to Rs.250 crore under Section 33. This guide breaks down consent manager requirements and data fiduciary obligations that every business must master.

CA Harun Raaj

Chartered Accountant · Harun Raaj & Associates

DPDPA 2023 Compliance for Businesses: The Complete Roadmap

The Digital Personal Data Protection Act, 2023 became effective on 4 December 2023. Unlike privacy laws in other jurisdictions that wrap around vague principles, DPDPA 2023 is surgical: it defines who does what with personal data, mandates explicit consent, and backs non-compliance with penalties scaling up to Rs.250 crore under Section 33. If you handle customer data--and you do--this post is non-negotiable reading.

What DPDPA 2023 Actually Does

DPDPA 2023 applies to organisations that collect, process, store, or share personal data of individuals in India. It does not apply to:

  • Non-personal or anonymised data
  • Data processed by individuals for personal/household purposes
  • Certain government agencies processing data for state security (though this exemption is narrowly construed)

For everyone else: you must comply.

The Three Core Obligations

1. Data Fiduciary Responsibilities

Your business is a data fiduciary if you decide why and how personal data is collected and processed. This is the primary obligation. As a data fiduciary, you must:

  • Collect only with explicit consent. Section 6 mandates informed, voluntary, specific, and clear consent before collecting personal data. Consent cannot be bundled, implied, or pre-ticked. Vague privacy policies will not hold up under audit.
  • Publish a clear, accessible notice detailing what data you collect, why, who else accesses it, how long you retain it, and the individual's rights. This is not optional disclosure--it is a compliance requirement under Section 5.
  • Implement data security practices. Section 8 requires "reasonable security practices and procedures" to prevent unauthorised access, disclosure, or damage. This means encryption, access controls, audit trails, and incident response protocols.
  • Retain data only as long as necessary. Section 10 prohibits indefinite retention. You must delete or anonymise data once the purpose is fulfilled unless law requires retention.
  • Honour individual rights. Every person has the right to:
    - Confirm whether their data is being processed (Section 12)
    - Access their data in a portable, machine-readable format (Section 13)
    - Correct inaccurate data (Section 14)
    - Withdraw consent at any time (Section 15)
    - Grievance redressal (Section 16)

2. Consent Manager: The Gateway to Legitimacy

A consent manager is an independent entity that collects and manages consent on behalf of data fiduciaries. It sits between you and the individual, ensuring consent is genuine and documented.

Who must appoint a consent manager?

The DPDPA 2023 and its Rules (Rules 4 and 5 under the Rules published November 2024) do not mandate a consent manager for all businesses. However, it is strongly advisable if you:

  • Process large volumes of personal data
  • Collect data from multiple touchpoints (website, app, retail, partner channels)
  • Share data with third parties
  • Operate across multiple sectors or geographies

Using a consent manager demonstrates compliance with due diligence, provides independent documentation, and shields you from allegations of coercive or unclear consent.

What a consent manager must do:

  • Maintain a consent record (name, date, purpose, scope, consent given or withdrawn) without storing personal data itself
  • Ensure consent is granular--individuals consent separately for each purpose (marketing, analytics, third-party sharing, etc.)
  • Provide easy withdrawal mechanisms--consent withdrawal must be as simple as consent grant
  • Audit compliance periodically and report to the data fiduciary
  • Maintain high security and confidentiality standards
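As an added illustration (not code from this post or from Harun Raaj & Associates), here is a minimal consent ledger in Python that follows the duties listed above: it keys records by a salted pseudonym instead of the person's identifier, records one grant or withdrawal per purpose, treats withdrawal as a single call, and answers whether processing for a purpose is consented at a given moment. The purpose list, the salt and the scenario in demo() are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PURPOSES = ("service", "marketing", "analytics", "third_party_sharing")  # hypothetical list; each purpose is consented to separately

def subject_ref(identifier: str, salt: bytes) -> str:
    """Keyed pseudonym, so the ledger records consent without holding the identifier itself."""
    return hashlib.sha256(salt + identifier.encode("utf-8")).hexdigest()

@dataclass
class ConsentEvent:
    subject: str      # pseudonymous reference, never a name or e-mail address
    purpose: str
    granted: bool     # True = consent given, False = consent withdrawn
    at: datetime      # timezone-aware timestamp of the event
    scope: str = ""   # what the consent covers, as worded in the notice

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)
    def _record(self, subject, purpose, granted, at, scope=""):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose!r}")
        self.events.append(ConsentEvent(subject, purpose, granted, at, scope))
    def grant(self, subject, purpose, at, scope=""):
        self._record(subject, purpose, True, at, scope)
    def withdraw(self, subject, purpose, at):
        # A single call with no extra steps: withdrawal must be as easy as the grant.
        self._record(subject, purpose, False, at)
    def is_consented(self, subject, purpose, at):
        """The latest event at or before `at` decides; no event at all means no consent."""
        hits = [e for e in self.events if (e.subject, e.purpose) == (subject, purpose) and e.at <= at]
        return max(hits, key=lambda e: e.at).granted if hits else False

def demo():
    ledger = ConsentLedger()  # constructed scenario: grant two purposes, withdraw one
    subj = subject_ref("customer@example.com", b"constructed-ledger-salt")
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger.grant(subj, "service", t0, scope="account and order handling")
    ledger.grant(subj, "marketing", t0, scope="e-mail offers")
    ledger.withdraw(subj, "marketing", t0 + timedelta(days=10))
    later = t0 + timedelta(days=30)
    return {
        "service": ledger.is_consented(subj, "service", later),                            # True
        "marketing": ledger.is_consented(subj, "marketing", later),                        # False: withdrawn
        "marketing_day5": ledger.is_consented(subj, "marketing", t0 + timedelta(days=5)),  # True: before withdrawal
        "analytics": ledger.is_consented(subj, "analytics", later),                        # False: never asked
        "no_raw_identifier": "customer@example.com" not in repr(ledger.events),            # True
    }
```

A real consent manager would persist the events append-only and sign them, so that the record can be produced for the data fiduciary or the Board without the manager ever holding the individual's identifying data.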

3. Data Processor Agreements

If you hire third parties to process data on your behalf (cloud providers, payment gateways, customer support vendors), you are the data fiduciary and they are data processors. Section 7 requires a written agreement specifying:

  • Purpose and scope of processing
  • Data security measures
  • Sub-processor authorisation rules
  • Deletion or return of data after engagement ends
  • Right of audit by the data fiduciary

Vague terms of service will not suffice. You need a formal Data Processing Agreement (DPA).

Section 33 Penalties: The Teeth of DPDPA 2023

Section 33 empowers the Data Protection Board of India (DPBI) to impose penalties for violations:

Violation Category                          Penalty Up To
Unauthorised processing without consent     Rs.250 crore or 6% of annual worldwide turnover (whichever is higher)
Failure to honour individual rights         Rs.100 crore or 2% of annual worldwide turnover
Breach of security practices                Rs.100 crore or 2% of annual worldwide turnover
Misuse by data processor                    Rs.100 crore or 2% of annual worldwide turnover

For global companies with revenue in thousands of crores, 6% of turnover can dwarf Rs.250 crore in absolute terms. These are not theoretical penalties--they are calibrated to be material enough to command compliance.

Immediate Action Items for Your Business

  • Audit your consent mechanisms. Do you have explicit, documented, granular consent for all data collection? If not, you are exposed.
  • Map your data ecosystem. Who collects data? Who processes it? Who accesses it? Document the flow end-to-end.
  • Evaluate a consent manager. At minimum, assess whether your current consent collection mechanism meets DPDPA 2023 standards. If not, appoint one.
  • Review all vendor agreements. Ensure Data Processing Agreements are in place for all processors.
  • Publish compliant privacy notices aligned with Section 5 requirements.
  • Implement deletion/anonymisation timelines. No indefinite retention.

A Critical Note on Compliance Readiness

The DPBI has not yet issued detailed guidance on interpretation, and case law is sparse. However, this is not an excuse for inaction. Regulators globally have moved quickly once data protection laws take effect. Businesses that wait for judicial clarity often find themselves in the crosshairs.

Compliance is not a one-time exercise. DPDPA 2023 creates ongoing obligations: regular audits, consent renewal, incident response drills, and vendor reviews.

I'm CA Harun Raaj, Visakhapatnam. Reach out if you need a compliance audit, consent manager evaluation, or Data Processing Agreements tailored to your business model.
