Peace Legal Information: Making Law Simple for Every Citizen
Data Protection & Cybersecurity Compliance (DPDP Act, CERT-In, GDPR comparisons)
Introduction
The Digital Personal Data Protection Act (DPDP Act), 2023
CERT-In Guidelines & Cybersecurity Framework
Compliance Requirements for Businesses
Comparisons with GDPR & International Standards
Penalties & Enforcement Mechanisms
Best Practices for Foreign and Indian Companies
Sector-Specific Obligations
Indian Case Law & Judicial Developments
Future Trends in Data Protection & Cybersecurity
Conclusion
Introduction
In an era of cross-border digital trade and rising cyber threats, India has strengthened its legal and regulatory landscape with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the directions issued by the Indian Computer Emergency Response Team (CERT-In). The DPDP Act received Presidential assent on 11 August 2023, but its substantive provisions take effect only as and when the Central Government notifies them and the accompanying DPDP Rules; check the current notification status before treating any obligation below as live. Together these frameworks aim to protect individuals' data, enforce accountability on businesses, and ensure cybersecurity resilience. For foreign companies operating in India, understanding these obligations is vital to avoid penalties and ensure smooth operations.
Internationally, India’s DPDP Act is often compared with the European Union’s General Data Protection Regulation (GDPR), the world’s most comprehensive data protection law. While there are similarities, India’s approach also reflects unique domestic considerations and economic priorities.
This article provides a detailed overview of India’s data protection and cybersecurity framework, compliance requirements, sector-specific obligations, key case law, and how it compares with global standards.
The Digital Personal Data Protection Act (DPDP Act), 2023
Background & Objectives of the DPDP Act
The DPDP Act was enacted in 2023 to establish a rights-based framework for the collection, processing, and storage of digital personal data (data collected in digital form, or collected offline and later digitised). It supersedes the earlier draft bills of 2019 and 2022 and gives statutory shape to the Supreme Court's recognition of the Right to Privacy as a Fundamental Right in Justice K.S. Puttaswamy v. Union of India (2017).
Key Definitions: Data Principal, Data Fiduciary, Significant Data Fiduciary
- Data Principal: The individual to whom the personal data relates; for a child, the term includes the parent or lawful guardian.
- Data Fiduciary: The entity (Indian or foreign) that, alone or with others, determines the purpose and means of processing. A Data Processor, by contrast, processes data on the fiduciary's behalf, and the fiduciary remains responsible for its conduct.
- Significant Data Fiduciaries (SDFs): Entities notified by the Central Government on the basis of factors such as the volume and sensitivity of data processed and the risk to data principals, electoral democracy or national security. SDFs face stricter compliance, including appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting periodic Data Protection Impact Assessments (DPIAs).
Note that the DPDP Act does not carve out a separate "sensitive personal data" category, unlike the SPDI Rules, 2011 under the IT Act or the GDPR's special categories; sensitivity instead feeds into whether an entity is notified as an SDF.
Obligations on Indian and Foreign Companies
The DPDP Act has extra-territorial application. It covers processing outside India when it is connected with offering goods or services to data principals within India, so a foreign business with no physical presence in the country must still comply.
- A lawful basis for each processing activity: consent, or one of the "certain legitimate uses" listed in the Act (for example, where the data principal voluntarily provides data for a specified purpose, or for employment or emergency purposes).
- A clear notice, before or at the time of seeking consent, describing the personal data collected, the purpose, and how to exercise rights and file complaints.
- Purpose limitation and storage limitation: process only for the stated purpose and erase the data once the purpose is served or consent is withdrawn, unless retention is required by law.
- Reasonable security safeguards to prevent a personal data breach, and intimation of any breach to the Data Protection Board and to each affected data principal.
- Restrictions on children's data: verifiable parental consent for anyone under 18, and no tracking, behavioural monitoring or targeted advertising directed at children.
Data Protection Board of India (DPBI)
The Act establishes the Data Protection Board of India (DPBI), an adjudicatory body constituted by the Central Government, with powers to inquire into personal data breaches and complaints, direct remedial measures, and impose monetary penalties. Appeals from the Board's orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
CERT-In Guidelines & Cybersecurity Framework
Role of CERT-In as National Nodal Agency
Designated under Section 70B of the Information Technology (IT) Act, 2000, the Indian Computer Emergency Response Team (CERT-In) is the national nodal agency for responding to cybersecurity incidents. Section 70B also empowers it to issue binding directions to service providers, intermediaries, data centres, body corporates and government organisations.
Cyber Incident Reporting Requirements (6-hour Rule)
Under the CERT-In Directions of 28 April 2022, issued under Section 70B(6) of the IT Act, service providers, intermediaries, data centres, body corporates and government organisations must report cybersecurity incidents to CERT-In within six hours of noticing them or being made aware of them, not six hours from the attacker's first action. The same directions require covered entities to keep logs of all ICT systems for a rolling period of 180 days within India, to synchronise system clocks with the NTP servers of NIC or NPL (or servers traceable to them), and, for data centres, VPS, cloud and VPN providers, to retain subscriber KYC records for five years. Failure to comply with a direction is an offence under Section 70B(7) of the IT Act, punishable with imprisonment of up to one year, a fine of up to one lakh rupees, or both. Practitioners should note that a single breach can trigger both this six-hour report to CERT-In and the separate intimation to the Data Protection Board and affected individuals under the DPDP Act.
Security Practices & Standards under IT Act, 2000
Section 43A of the IT Act makes a body corporate liable to compensate affected persons if negligence in implementing "reasonable security practices and procedures" causes wrongful loss or gain. The SPDI Rules, 2011 treat IS/ISO/IEC 27001, or an equivalent approved code of practice, as meeting that standard. Note that the DPDP Act, once its relevant provisions are notified, omits Section 43A and replaces it with the Act's own "reasonable security safeguards" duty and the Board's penalty regime.
Compliance Requirements for Businesses
Data Privacy Notices & Consent Management
Businesses must provide privacy notices in clear, plain language (in English or any language listed in the Eighth Schedule of the Constitution) that state what data is collected, for which purpose, and how rights may be exercised. Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and withdrawing it must be as easy as giving it. The Act also contemplates registered Consent Managers through which a data principal can give, manage, review and withdraw consent.
Cross-Border Data Transfer Restrictions
The DPDP Act takes a "negative list" approach: transfers are permitted by default, and the Central Government may by notification restrict transfers of personal data to specified countries or territories. This is the reverse of the GDPR's adequacy model, under which transfers outside the EU need an approved mechanism. Sectoral rules still apply on top of the Act; for example, the RBI's 2018 directive on storage of payment system data requires payment data to be stored only in India. Companies must track both the DPDP notifications and any sectoral localisation mandate that covers their data.
Data Retention & Deletion Obligations
Data must not be stored beyond the purpose for which it was collected. A Data Fiduciary must erase personal data (and cause its processors to erase it) when the purpose is served or consent is withdrawn, unless a law requires retention, and must also honour a data principal's request for erasure. In practice this means a deletion protocol that is bound to each stated purpose and to the consent record, so that withdrawing consent for one purpose stops processing for that purpose without affecting others.
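The consent and retention duties above (specific, purpose-bound consent; withdrawal as easy as grant; erasure once the purpose is served or consent withdrawn) are easiest to enforce when every data access is gated through a consent ledger rather than left to policy documents. The following is an added illustration written for this article, not code from the Act, the Rules or any regulator. It assumes a single in-memory store, a hypothetical erasure grace period (to model a separate statutory record-keeping duty), and constructed purpose names; a real system would back the ledger with durable, append-only storage.

```python
# Added illustration of purpose-bound consent enforcement with withdrawal and
# erasure scheduling. Not code from the DPDP Act or any regulator; the grace
# period, purpose names and sample principal are assumptions for the demo.
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

UTC = timezone.utc


class ConsentDenied(Exception):
    """Raised when processing is attempted without active consent for that purpose."""


class Consent:
    def __init__(self, principal: str, purpose: str, granted_at: datetime) -> None:
        self.principal = principal
        self.purpose = purpose
        self.granted_at = granted_at
        self.withdrawn_at: Optional[datetime] = None
        self.fulfilled_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None and self.fulfilled_at is None


class ConsentLedger:
    def __init__(self, erasure_grace: timedelta = timedelta(0)) -> None:
        # Grace period before erasure, e.g. to honour a separate legal
        # record-keeping duty; zero means erase at the next sweep (assumption).
        self.erasure_grace = erasure_grace
        self._consents: dict = {}   # (principal, purpose) -> Consent
        self._data: dict = {}       # (principal, purpose) -> stored payload
        self.audit: list = []       # append-only event trail

    def _log(self, event: str, principal: str, purpose: str, at: datetime) -> None:
        self.audit.append((at.isoformat(), event, principal, purpose))

    def grant(self, principal: str, purpose: str, payload: dict, at: datetime) -> None:
        """Record consent for exactly one stated purpose (specific, not blanket)."""
        self._consents[(principal, purpose)] = Consent(principal, purpose, at)
        self._data[(principal, purpose)] = dict(payload)
        self._log("consent_granted", principal, purpose, at)

    def withdraw(self, principal: str, purpose: str, at: datetime) -> None:
        """Withdrawal is one call with no conditions: as easy as granting."""
        self._consents[(principal, purpose)].withdrawn_at = at
        self._log("consent_withdrawn", principal, purpose, at)

    def mark_fulfilled(self, principal: str, purpose: str, at: datetime) -> None:
        """Purpose served: storage limitation starts the erasure clock."""
        self._consents[(principal, purpose)].fulfilled_at = at
        self._log("purpose_fulfilled", principal, purpose, at)

    def process(self, principal: str, purpose: str, fn: Callable[[dict], object], at: datetime):
        """Gate every use of the data on active consent for *that* purpose."""
        consent = self._consents.get((principal, purpose))
        if consent is None or not consent.active():
            self._log("processing_denied", principal, purpose, at)
            raise ConsentDenied(f"no active consent for {principal!r}/{purpose!r}")
        self._log("processing", principal, purpose, at)
        return fn(self._data[(principal, purpose)])

    def erasure_due(self, now: datetime) -> list:
        """Keys whose consent ended (withdrawn or fulfilled) and grace has elapsed."""
        due = []
        for key, consent in self._consents.items():
            ended = consent.withdrawn_at or consent.fulfilled_at
            if ended is not None and key in self._data and now >= ended + self.erasure_grace:
                due.append(key)
        return sorted(due)

    def sweep(self, now: datetime) -> int:
        """Erase all due data and return how many records were removed."""
        keys = self.erasure_due(now)
        for key in keys:
            del self._data[key]
            self._log("erased", key[0], key[1], now)
        return len(keys)

    def holds_data(self, principal: str, purpose: str) -> bool:
        return (principal, purpose) in self._data


def demo() -> dict:
    """Constructed scenario: one principal, two purposes, withdrawal of one."""
    t0 = datetime(2025, 1, 1, tzinfo=UTC)
    ledger = ConsentLedger(erasure_grace=timedelta(days=30))
    ledger.grant("dp-001", "order_fulfilment", {"address": "sample address"}, t0)
    ledger.grant("dp-001", "marketing", {"email": "dp001@example.invalid"}, t0)
    mailed = ledger.process("dp-001", "marketing", lambda d: d["email"], t0 + timedelta(days=1))
    ledger.withdraw("dp-001", "marketing", t0 + timedelta(days=2))
    try:
        ledger.process("dp-001", "marketing", lambda d: d["email"], t0 + timedelta(days=3))
        denied = False
    except ConsentDenied:
        denied = True
    # Consent for a different purpose is unaffected by the withdrawal.
    shipped = ledger.process("dp-001", "order_fulfilment", lambda d: "shipped", t0 + timedelta(days=3))
    early = ledger.sweep(t0 + timedelta(days=10))   # inside grace period: nothing erased
    late = ledger.sweep(t0 + timedelta(days=40))    # past grace: marketing data erased
    return {"mailed": mailed, "denied": denied, "shipped": shipped, "early": early, "late": late,
            "marketing_held": ledger.holds_data("dp-001", "marketing"),
            "order_held": ledger.holds_data("dp-001", "order_fulfilment"),
            "events": [e[1] for e in ledger.audit]}


if __name__ == "__main__":
    print(demo())
```

The design point is that consent is keyed by (principal, purpose), so withdrawal for marketing leaves order fulfilment untouched, and the erasure sweep is driven by the ledger rather than by a separate retention spreadsheet; the audit trail records the denied access, which is the evidence a Board inquiry would ask for.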
Appointment of Data Protection Officer (DPO)
Significant Data Fiduciaries must appoint a Data Protection Officer based in India, who represents the fiduciary under the Act and is the point of contact for grievance redressal, and must also engage an independent data auditor. Every Data Fiduciary, SDF or not, must publish the contact details of a person who can answer questions about its processing.
Comparisons with GDPR & International Standards
Key Similarities
- Consent-based processing as the primary lawful basis, with a closed list of exceptions (the DPDP Act's "certain legitimate uses" broadly parallel several of the GDPR's Article 6 grounds).
- Rights for data principals (the GDPR's "data subjects"): access, correction and erasure, and a grievance mechanism.
- Accountability obligations on data fiduciaries (the GDPR's "controllers"), including security safeguards and breach notification.
Key Differences
- Scope: The GDPR applies to any processing that offers goods or services to, or monitors the behaviour of, people in the EU. The DPDP Act covers processing in India and processing abroad connected with offering goods or services to data principals in India, and covers only digital personal data.
- Penalties: GDPR fines reach up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. DPDP penalties are fixed caps per category of breach, up to Rs. 250 crore for failing to take reasonable security safeguards.
- Cross-border transfers: The GDPR requires an adequacy decision or transfer mechanism; the DPDP Act permits transfers unless the Government notifies a country as restricted.
- Rights and categories: The DPDP Act has no sensitive-data category, no data portability right, and no specific provision on automated decision-making comparable to GDPR Article 22.
India’s Alignment with OECD & APEC Frameworks
India’s law aligns with global best practices by emphasizing consent, accountability, and cross-border harmonisation, thereby supporting international trade and digital partnerships.
Penalties & Enforcement Mechanisms
Monetary Penalties under DPDP Act
The Schedule to the DPDP Act sets a ceiling per category of breach rather than a fixed range: up to ₹250 crore for failing to take reasonable security safeguards, up to ₹200 crore for failing to notify a breach or for breaching the children's-data obligations, up to ₹150 crore for an SDF's additional obligations, and up to ₹50 crore for other breaches. Data principals who file false or frivolous complaints may be fined up to ₹10,000. The Board fixes the amount within those caps after considering the nature, gravity and duration of the breach.
Liability for Cybersecurity Failures
Under Section 43A of the IT Act, a body corporate may be ordered to pay compensation if negligence in implementing reasonable security practices causes wrongful loss or gain; Section 72A separately criminalises disclosure of personal information in breach of a lawful contract. Section 43A is slated for omission once the corresponding DPDP provisions are notified, after which security failures will be adjudicated by the Board under the DPDP penalty schedule.
Impact on Foreign Businesses
Foreign companies face significant financial and reputational risks if non-compliant. Many are aligning operations with both GDPR and DPDP to ensure global compliance.
Best Practices for Foreign and Indian Companies
Building an Effective Data Governance Framework
Establish clear policies for data collection, classification, access, and usage.
Technology & Cybersecurity Tools
Adopt encryption of data at rest and in transit, network segmentation and firewalls, intrusion detection, centralised logging that meets the CERT-In 180-day retention requirement, and regular security audits and penetration tests.
Employee Training & Awareness Programs
Regular training ensures staff understand compliance obligations and cyber hygiene practices.
Sector-Specific Obligations
RBI Cybersecurity Guidelines for Banks
The Reserve Bank of India (RBI), through its Cyber Security Framework in Banks (2016) and later circulars, mandates a board-approved cybersecurity policy, periodic audits, incident reporting to the RBI within a short window (the 2016 framework specifies two to six hours), and digital fraud management protocols for banks.
SEBI’s Cybersecurity Framework
The Securities and Exchange Board of India (SEBI), through its Cybersecurity and Cyber Resilience Framework (CSCRF) issued in 2024, requires stock brokers, depositories, exchanges and other market intermediaries to implement comprehensive cyber risk management systems, including security operations monitoring and periodic audits.
Healthcare Data & Telemedicine
Healthcare providers must comply with confidentiality obligations under medical ethics regulations and the Telemedicine Practice Guidelines (2020), and health and medical records are treated as sensitive personal data under the SPDI Rules, 2011; these duties matter increasingly as telemedicine platforms grow.
E-commerce & Digital Platforms
E-commerce companies must protect customer data, payment details, and ensure secure online transactions under both DPDP and IT Act obligations.
Indian Case Law & Judicial Developments
Justice K.S. Puttaswamy v. Union of India
The 2017 landmark judgment upheld privacy as a fundamental right, laying the constitutional foundation for the DPDP Act.
Supreme Court & High Court Observations
Courts have directed stronger enforcement in cases of unauthorized surveillance, data breaches, and cybercrime investigations.
Cybercrime Prosecutions
Indian courts increasingly address cases involving identity theft, hacking, and misuse of personal information under Section 66 (computer-related offences), Section 66C (identity theft) and Section 66D (cheating by personation using a computer resource) of the IT Act.
Future Trends in Data Protection & Cybersecurity
Artificial Intelligence & Data Protection
AI-driven services raise concerns about algorithmic bias, profiling, and automated decision-making. The DPDP Act contains no specific provision on automated decision-making, so safeguards in this area will depend on future rules or amendments.
Cross-Border Data Sharing Treaties
India is expected to negotiate data transfer treaties with major jurisdictions to facilitate business while safeguarding national interests.
Expected Amendments & Global Harmonisation
The DPDP Act is likely to evolve further, incorporating lessons from GDPR, OECD, and domestic experience to balance innovation and privacy.
Conclusion
India’s DPDP Act, 2023 and CERT-In guidelines represent a significant leap in data protection and cybersecurity governance. For businesses—both Indian and foreign—compliance is not just a legal obligation but a strategic necessity. By adopting best practices, aligning with international standards, and staying alert to future trends, organizations can secure their digital operations while respecting individual rights.
Suggested Reading (Internal Links)
- Anti-Money Laundering (PMLA) & KYC Rules for Foreign Businesses in India
- Compliance Risk Management: Mitigating Regulatory, Labor & Banking Risks
- Banking, FEMA & Foreign Exchange Risk Management
- Environmental & Sectoral Licensing (FSSAI, Pollution Norms, Industry-Specific Permits)
- Foreign Lawyers & Legal Firms: Licensing, Permissions & Practice Rules in India
- Dispute Resolution & Arbitration in India for International Business Contracts
- Protecting Intellectual Property in India: Trademark, Patent & Copyright Rules for Foreign Investors
- Insurance & Labour Law Framework for Indian Operations