Data Protection & Privacy Law

DPDPA, GDPR & Global Privacy Compliance by Qualified Lawyers

India’s Digital Personal Data Protection Act, 2023 imposes comprehensive obligations on every organisation that processes personal data — with penalties reaching ₹250 crore for serious violations. SIRI Law LLP provides legal-led data protection advisory: compliance programmes, breach response, DPIA conduct, and regulatory representation before the Data Protection Board of India.

Overview

The DPDPA 2023: What Every Organisation Needs to Know

The DPDPA 2023 establishes a consent-based framework for personal data processing in India — imposing obligations on Data Fiduciaries (organisations that determine the purpose and means of processing) and Data Processors (those who process on behalf of Fiduciaries). Penalties of up to ₹250 crore for the most serious violations — including failure to implement adequate security safeguards — make compliance a board-level priority.

The Act also establishes the Data Protection Board of India — an adjudicatory body that will hear complaints, investigate violations, and impose penalties. The Board’s operational rules are developing; organisations that build compliant frameworks now will be significantly better positioned when enforcement begins.

GDPR adds an additional layer for organisations processing EU personal data — with extraterritorial application meaning Indian businesses with EU customers must comply with both frameworks. SIRI Law LLP provides integrated DPDPA and GDPR compliance — avoiding the duplication of running two separate programmes.

DPDPA Penalty Structure

Penalties Up to ₹250 Crore

Failure to implement security safeguards: up to ₹250 crore
Failure to notify breach: up to ₹200 crore
Violation of children’s data obligations: up to ₹200 crore
Non-fulfilment of additional obligations: up to ₹150 crore
Breach of voluntary undertaking: up to ₹10,000 crore

Services Offered

Data Protection & Privacy Services

Why SIRI Law LLP

Our Approach & Advantage

Qualified Privacy Lawyers

Our data protection advisory is led by qualified lawyers — not consultants. Legal professional privilege applies to our advice, and our compliance programmes are built to withstand regulatory and legal scrutiny.

DPDPA + GDPR Integration

Single integrated compliance programme for organisations subject to both DPDPA and GDPR — avoiding the duplication of two separate frameworks and ensuring consistency across all jurisdictions.

AI-Ready Privacy Compliance

AI data governance is increasingly central to privacy compliance — training data consent, inference data use, automated decision-making, and the right to erasure from AI systems. We specifically advise on these emerging obligations.

Regulatory Representation

When the Data Protection Board becomes operational, we will provide representation in complaint proceedings and investigations — bringing the same legal rigour that our clients rely on for compliance advisory.

Representative Matters

Typical Engagements

All matters described generically to protect client confidentiality.

Fintech — DPDPA Compliance Programme

Built a comprehensive DPDPA compliance programme for a fintech company — including consent architecture for financial data processing, DPIAs for credit scoring, CERT-In compliant breach response, and vendor DPA templates.

Healthcare — GDPR + DPDPA Integration

Designed an integrated GDPR and DPDPA compliance programme for a healthcare technology company with EU and Indian patients — single data governance framework satisfying both frameworks.

E-Commerce — Breach Notification

Advised an e-commerce company on breach notification obligations following exfiltration of customer data — managing CERT-In, DPDPA, and GDPR notification requirements with a consistent factual narrative across all frameworks.

AI Company — Training Data Governance

Advised a generative AI company on DPDPA and GDPR obligations for personal data used in training — including consent framework for training data collection, data subject rights handling for training data, and contractual protections for data obtained from third-party datasets.

Frequently Asked Questions

When does the DPDPA 2023 become enforceable?

The DPDPA 2023 received Presidential assent in August 2023 but requires subordinate legislation (Rules) to operationalise most provisions. The Rules are under development. The Data Protection Board will become operational after the Rules are notified. Organisations should build compliance programmes now — the framework is clear even if some operational details await the Rules. Early compliance also demonstrates good faith to the future Board.

Does GDPR apply to Indian companies?

GDPR applies extraterritorially — it applies to any organisation that processes personal data of EU data subjects in connection with offering goods or services to them, or monitoring their behaviour, regardless of where the organisation is based. If your product or service is accessible to EU users, if you market to EU residents, or if you process data of EU employees, GDPR likely applies. Indian businesses operating SaaS platforms, e-commerce sites, or any digital product accessible to EU users should assess their GDPR obligations.

What is a DPIA and when is it required?

A Data Protection Impact Assessment (DPIA) is a systematic assessment of the privacy risks of a particular processing activity — identifying and mitigating risks before the processing begins. Under GDPR, DPIAs are mandatory for processing that is ‘likely to result in a high risk’ to individuals. Under the DPDPA, DPIAs are required for Significant Data Fiduciaries and advisable for any high-risk processing. They are also a valuable compliance tool in demonstrating accountability — a core principle of both frameworks.

What are children’s data obligations under the DPDPA?

DPDPA Section 9 imposes strict obligations for processing children’s personal data (under 18): verifiable parental consent is required before processing; processing harmful to children’s wellbeing is prohibited; behavioural tracking and targeted advertising directed at children are prohibited. Organisations with child-accessible products face significant compliance investment to meet these requirements — and significant enforcement risk if they do not.

Build Your DPDPA Compliance Programme Before Enforcement Begins

Legal-led privacy compliance protects you before the Data Protection Board becomes active.

Disclaimer: Information on this page is general in nature. DPDPA Rules are not yet fully notified — advice reflects current Act provisions and expected Rules. Seek current advice before making compliance decisions.