Legal Obligations for Businesses under the Digital Personal Data Protection Act, 2023


The Digital Personal Data Protection Act, 2023 (the Act or DPDPA) establishes a robust framework for safeguarding personal data in an increasingly digitised world. Businesses must navigate a complex landscape of legal obligations to ensure compliance with this legislation. The Act aims not only to safeguard individual privacy but also to foster a culture of accountability and transparency within organisations and in their dealings with the public. Understanding the legal obligations imposed by the Act is crucial for businesses to maintain compliance, avoid substantial penalties, and build trust with their customers in an increasingly data-driven world.


a. Lawfulness, Fairness and Transparency- Businesses can only process personal data in a lawful, fair and transparent manner.

b. Purpose Limitation- Data should be collected for specified and legitimate purposes and not processed in a manner that is incompatible with those purposes.

c. Data Minimisation- Only the data needed for the specified purpose should be collected.

d. Accuracy- Data should be accurate, and reasonable steps should be taken to erase or rectify inaccurate data without delay.

e. Consent- Consent must be obtained from individuals before processing their personal data unless the processing is required by law. Consent given must be free, specific and informed in nature.


a. Data Collection and Processing Principles

Lawful Basis for Processing: Businesses must ensure that the collection and processing of personal data are conducted on a lawful basis. These lawful bases include obtaining explicit consent from the data principal, processing necessary for the performance of a contract, compliance with a legal obligation, protecting vital interests, performing tasks in the public interest, or pursuing legitimate interests that do not override the rights and freedoms of the data principals. This requirement ensures that data processing is justified and accountable.

b. Purpose Limitation:

The Act mandates that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This reduces the risk of excessive data accumulation, which can lead to data breaches and privacy violations. By limiting data collection to what is strictly necessary, businesses can manage data more effectively and mitigate potential risks.

c. Consent management:

Informed consent: Obtaining informed consent from individuals before collecting their data is a fundamental obligation. Businesses must provide clear, comprehensive information about the purposes of data collection, the types of data being collected, and how the data will be used. This ensures that individuals are fully aware of and agree to the data processing activities.

d. Easy withdrawal of consent:

The Act stipulates that individuals must be able to withdraw their consent easily at any time. Businesses must provide simple and accessible mechanisms for consent withdrawal and must cease data processing activities upon withdrawal of consent. This requirement upholds the autonomy and control of individuals over their personal data.

e. Respecting Data Principal Rights:

Right to access: Individuals have the right to access their personal data held by businesses. This includes the right to obtain a copy of the data and information about how it is being processed. Businesses must be prepared to respond to access requests promptly and transparently.

f. Privacy Notice: A clear and accessible privacy notice must be provided, outlining the categories of personal data collected, the purpose of processing, and how users can exercise their rights.

g. Appointment of Data Protection Officer (DPO): Certain categories of businesses may be required to appoint a DPO responsible for overseeing data protection compliance within the organisation.


a. Conduct a data audit- identify what personal data you collect, store and use.

b. Review data collection practices: ensure the data collected is limited to what is required and necessary, and is collected with valid user consent.

c. Define data retention periods: categorise data and align retention periods with legal and business requirements.

d. Invest in data security: implement robust security measures to protect personal data.

e. Train employees: educate staff on data protection principles and best practices.


The Digital Personal Data Protection Act, 2023 imposes significant legal obligations on businesses, emphasising the importance of safeguarding personal data in today's digital age. Companies must adhere to stringent principles of data processing, ensure transparency and accountability, and respect individuals' rights concerning their personal information. By understanding their legal obligations and taking proactive steps towards compliance, businesses can not only avoid penalties but also build trust with their customers. In today's data-driven world, prioritising data protection is not just a legal requirement but a strategic imperative for businesses that want to operate responsibly and thrive in the digital age.