Digital Personal Data Protection Act
Penalties up to INR 250 crore per violation make the India DPDP Act a material financial risk for any organisation processing data of India's 800 million internet users.
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's comprehensive data protection legislation, applicable to the processing of digital personal data. The Act establishes a consent-based framework with obligations for Data Fiduciaries (controllers) and rights for Data Principals (data subjects).
Key features include: mandatory consent with clear, itemised notice; special provisions for children's data (requiring verifiable parental consent); cross-border data transfer restrictions to government-notified countries; and the establishment of the Data Protection Board of India as the adjudicating body.
For Microsoft 365 environments, the DPDP Act requires Purview sensitivity labels for personal data classification, DLP policies enforcing data protection obligations, Conditional Access geo-fencing for cross-border transfer restrictions, and eDiscovery for data principal access requests. StremarControl engineers and operates these Microsoft-native controls, translating DPDP Act obligations into enforceable configuration, structured evidence, and ongoing assurance discipline for compliance with the Data Protection Board of India (DPBI).
Why This Matters Now
The India DPDP Act 2023 is India's first comprehensive data protection legislation, covering over 800 million internet users. It establishes consent management requirements, data fiduciary obligations, and cross-border transfer restrictions to non-notified countries. For M365 environments, compliance demands Purview data classification, DLP policies for data protection, and Conditional Access geo-fencing to enforce data transfer restrictions. As India is a major global outsourcing and IT services hub, DPDP compliance impacts multinationals worldwide.
Scope & Applicability
Applies to processing of digital personal data collected within India or for offering goods or services to data principals in India. The Act applies to both government and private sector. Exemptions apply for personal or domestic purposes, lawfully available public data, and certain government processing for national security. The government will notify countries to which data transfers are restricted. M365 tenants processing Indian personal data must comply.
Core Obligations
Consent Management
Obtain free, specific, informed, and unambiguous consent from data principals. Provide clear notice of processing purposes. Allow consent withdrawal.
Data Fiduciary Obligations
Implement appropriate security safeguards, maintain data accuracy, delete data when purpose is fulfilled, and appoint a DPO (for Significant Data Fiduciaries).
Children's Data Protection
Obtain verifiable parental consent before processing children's data. Do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
Cross-Border Transfers
Transfer personal data only to countries not restricted by the Central Government. Comply with any additional conditions imposed by government notification.
Breach Notification
Notify the Data Protection Board and affected data principals of any personal data breach as prescribed by the Board.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Data Fiduciary Security Safeguards
Controls: Conditional Access with MFA and risk-based policies. Defender XDR for threat protection. Intune compliance baselines. Purview sensitivity labels.
Evidence: Conditional Access evaluation logs, Defender analytics, Intune reports, label usage reports.
Cross-Border Transfer Restrictions
Controls: Conditional Access geo-fencing restricting access from non-notified countries. Purview DLP policies blocking data transfers to restricted jurisdictions.
Evidence: Conditional Access geo-restriction logs, DLP cross-border incident reports, data residency configuration.
Children's Data Protection
Controls: Purview sensitivity labels for children's data. DLP policies blocking external sharing of child-classified content. Conditional Access policies for child data systems.
Evidence: Child data label usage reports, DLP incident logs, access restriction configuration exports.
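The following script is an added example, not StremarControl's or Microsoft's own code, showing how the cross-border geo-fencing control in the mapping above is built and evidenced with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and an account with the Policy.ReadWrite.ConditionalAccess permission; the country list, policy names and output file paths are placeholders, and the list of permitted jurisdictions must come from the Central Government's notification, which this page does not reproduce.

```powershell
# Added example (not from the page or its vendor): Conditional Access geo-fence
# for DPDP cross-border restrictions, created in report-only mode, plus a JSON
# export of the resulting configuration as evidence.
# Assumption: Microsoft.Graph module installed; the signed-in account holds
# Policy.ReadWrite.ConditionalAccess.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# PLACEHOLDER: two-letter ISO codes of the jurisdictions from which sign-in to
# workloads holding Indian personal data is permitted. Populate this from the
# government notification after legal review; "IN" alone is only an illustration.
$allowedCountries = @("IN")

# 1. Country-based named location covering the permitted jurisdictions.
#    Unknown geo-IP results are deliberately treated as outside the fence.
$locationBody = @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "DPDP - Permitted jurisdictions"
    countriesAndRegions               = $allowedCountries
    includeUnknownCountriesAndRegions = $false
}
$permitted = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locationBody

# 2. Block policy: all users, all cloud apps, every location except the
#    permitted named location. Report-only first, so the evaluation logs
#    (the evidence column above) can be reviewed before enforcement.
$policyBody = @{
    displayName   = "DPDP - Block access from non-permitted jurisdictions (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @()   # add break-glass account object IDs here before enabling
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($permitted.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody

# 3. Evidence: re-read both objects from the tenant and export them as JSON so
#    the control file records what is actually configured, not what was sent.
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $permitted.Id |
    ConvertTo-Json -Depth 10 | Out-File ".\dpdp-ca-named-location.json"   # placeholder path
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id |
    ConvertTo-Json -Depth 10 | Out-File ".\dpdp-ca-geofence-policy.json"  # placeholder path

Write-Host "Created report-only policy $($policy.Id) excluding named location $($permitted.Id)"
```

Two design points worth keeping in view. Conditional Access evaluates the country of the sign-in IP address, so this fence controls where access originates, not where data ends up once a permitted user has it; the DLP and data residency items in the mapping above cover that side. And the policy is created as report-only on purpose: review the Conditional Access evaluation logs for the expected blocks and for any legitimate traffic that would be caught (break-glass accounts, service principals, travelling staff) before switching the state to "enabled".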
Related Frameworks
With fines exceeding EUR 1.2 billion for major infractions, GDPR non-compliance is a material financial risk that demands board-level ownership.
With penalties up to 10% of annual turnover and mandatory 3-day breach notification, the PDPA places direct commercial consequence on management for data protection failures.
Penalties up to AED 1 million per violation and potential service suspension make children's data protection a direct operational and reputational risk for management.
Ready to get India DPDP-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against India DPDP requirements, close gaps, and produce audit-ready evidence.