Data Protection Policy under the DPDP Act 2023 (Free Template, India)

Ankit Sarawagi | Founder, CFOmatrix · June 2026 · 12 min read
Every Indian company that holds customer or employee data now needs a data protection policy that stands up to the Digital Personal Data Protection (DPDP) Act 2023. This guide explains, in plain English, exactly what that policy must cover: the lawful basis for processing, consent, data principal rights, retention, how you manage processors and vendors, and how you notify a breach to the Data Protection Board. We close with a free, ready-to-edit Word template so you do not start from a blank page.
✍ Key Takeaways
  • The DPDP Act 2023 has no size or turnover threshold: any company processing the digital personal data of people in India is a data fiduciary and needs a policy.
  • Processing usually rests on free, informed, specific consent (or a defined “legitimate use”), and consent can be withdrawn as easily as it was given.
  • Data principals have rights to access, correction, erasure, nomination and grievance redressal, and your policy must say how to exercise each.
  • Every vendor that touches personal data is a data processor and needs a written data processing agreement; you stay accountable.
  • A personal data breach must be notified to the Data Protection Board and to affected individuals; the heaviest penalty slab, up to ₹250 crore, is for failing to take reasonable security safeguards to prevent a breach.
  • No threshold: the DPDP Act applies regardless of company size or turnover.
  • 5 rights: access, correction and erasure, nomination, grievance redressal, and escalation to the Board.
  • ₹250 crore: top penalty slab, for failing to take reasonable security safeguards.

📥 Download the free Data Protection Policy template (Word)

A ready-to-edit, DPDP Act 2023 aligned policy you can brand and adopt today. Part of our library of policy templates for Indian companies.


What a Data Protection Policy Is (and Why You Need One)

A data protection policy is the internal document that sets out how your company handles personal data across its entire life: collection, use, storage, sharing, and deletion. It is your written answer to a simple question a customer, employee or regulator might ask: “What do you do with my data, and on what authority?”

Under the Digital Personal Data Protection (DPDP) Act 2023, you are a data fiduciary: the entity that decides why and how personal data is processed. The Act gives you real obligations, and a clear policy is how you discharge them consistently rather than case by case.

Do not confuse the two documents people often mix up. The data protection policy is internal, written for your team and your auditors. The privacy notice is external, written for users on your website or app. The internal policy is the source of truth; the public notice is the plain-language summary you present before collecting consent.

📋 Note

If you also process the personal data of customers in the EU or UK, your DPDP policy should map cleanly to GDPR concepts. The structure is similar (lawful basis, rights, processors, breach notice), so a single well-built policy can serve both, with India-specific terms like “data fiduciary” and “data principal” used correctly. One caveat: GDPR has six lawful bases, while the DPDP Act recognises only consent and the enumerated “legitimate uses”, so do not carry a GDPR “legitimate interests” basis across into the Indian section of the policy.

Who the DPDP Act 2023 Applies To

This is the part founders underestimate. The DPDP Act 2023 has no employee-count or turnover threshold. If you process the digital personal data of individuals in India, the Act applies. That covers a website with a contact form, an app with sign-ups, a payroll system, or a spreadsheet of leads.

It also has extra-territorial reach: a company outside India that processes the personal data of people in India in connection with offering goods or services to them is covered too.

  • Data fiduciary: you, the organisation deciding why and how data is processed. Primary responsibility sits here.
  • Data principal: the individual whose data you hold, a customer, employee, or vendor contact.
  • Data processor: a vendor processing data on your behalf, such as a cloud host, payroll tool or email platform.
  • Significant Data Fiduciary: a class the government may notify based on volume and sensitivity of data and similar factors, with extra duties such as appointing a Data Protection Officer based in India, engaging an independent data auditor and carrying out periodic Data Protection Impact Assessments.
💡 Memory Hook

Fiduciary decides, processor does. If you choose the purpose, you are the fiduciary and you own the obligations, even when a vendor does the actual processing.

What a Data Protection Policy Must Cover Under the DPDP Act

A complete data protection policy under the DPDP Act 2023 should answer the regulator’s checklist in your own words. At a minimum, build these sections in.

Section and what it answers:

  • Scope & definitions: what data, whose data, and the DPDP terms you use.
  • Lawful basis & purpose: why you process, consent or a defined legitimate use.
  • Consent management: how you obtain, record and let users withdraw consent.
  • Data principal rights: how access, correction, erasure and grievances are handled.
  • Retention & deletion: how long you keep data and when you erase it.
  • Security safeguards: technical and organisational controls (access, encryption, logs).
  • Processors & sharing: vendor contracts and any disclosure to third parties.
  • Breach response: who acts, escalation, and notice to the Board and individuals.
  • Children & ownership: verifiable parental consent rules and the policy owner.

The free template below builds out every one of these sections with editable, plain-language clauses, so you adapt rather than draft from scratch.

Consent and Data Principal Rights

Consent is the engine of the DPDP Act. It must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and tied to a defined purpose. You cannot bundle unrelated purposes into one tick box, and a data principal can withdraw consent as easily as it was given. Withdrawal is prospective: processing done while consent stood remains lawful, but once consent is withdrawn you must stop processing within a reasonable time, cause your processors to stop too, and erase the data unless another law requires you to keep it. That means your consent records need timestamps for both the grant and the withdrawal, and a way to tell every processor for that purpose to stop.

Alongside consent, the Act recognises certain legitimate uses where consent is not strictly required, such as a person voluntarily providing data for a purpose, or processing for employment-related purposes. Your policy should name which legitimate uses you rely on and where.

Every notice you show before or at the time of seeking consent must give the data principal the option to read it in English or in any of the languages listed in the Eighth Schedule to the Constitution.
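The mechanics described above, consent recorded per purpose, withdrawal that is prospective and propagated to processors, and a named legitimate use where consent is not relied on, are easier to see as a small consent ledger. This is an added illustration, not code from the article or from any CFOmatrix template; the class and method names, the purpose strings and the processor map are all assumptions for the example.

```python
"""Purpose-scoped consent ledger illustrating DPDP Act consent rules.

Added example, not code from the original article. ConsentLedger, the
purpose strings and the processor map are assumptions for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                  # exactly one specific purpose per record
    given_at: datetime
    notice_version: str           # which notice text the principal was shown
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only log of consents and withdrawals, queried per purpose."""

    # Purposes the policy says rest on a legitimate use rather than consent
    # (assumed values for the example).
    LEGITIMATE_USES = {"payroll": "employment purposes"}

    def __init__(self, processors_by_purpose: dict[str, set[str]]):
        self._records: list[ConsentRecord] = []
        # Which processors handle data for each purpose, so a withdrawal can
        # be pushed to them as well.
        self._processors = processors_by_purpose

    def record_consent(self, principal_id: str, purpose: str,
                       notice_version: str, given_at: datetime) -> None:
        # Reject bundled purposes: one tick box must not cover several.
        if any(sep in purpose for sep in (",", ";", " and ")):
            raise ValueError(f"bundled purpose not allowed: {purpose!r}")
        self._records.append(
            ConsentRecord(principal_id, purpose, given_at, notice_version))

    def withdraw(self, principal_id: str, purpose: str,
                 withdrawn_at: datetime) -> set[str]:
        """Mark every active consent for this purpose as withdrawn and return
        the processors that must now be told to stop processing."""
        hit = False
        for rec in self._records:
            if (rec.principal_id == principal_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = withdrawn_at
                hit = True
        return set(self._processors.get(purpose, ())) if hit else set()

    def permitted(self, principal_id: str, purpose: str,
                  at: datetime) -> tuple[bool, str]:
        """May we process this person's data for this purpose at time `at`?"""
        if purpose in self.LEGITIMATE_USES:
            return True, f"legitimate use: {self.LEGITIMATE_USES[purpose]}"
        for rec in reversed(self._records):        # latest record wins
            if rec.principal_id != principal_id or rec.purpose != purpose:
                continue
            if rec.given_at > at:
                continue
            # Withdrawal is prospective: processing before it stays lawful.
            if rec.withdrawn_at is None or at < rec.withdrawn_at:
                return True, f"consent {rec.notice_version} given {rec.given_at.isoformat()}"
            return False, f"consent withdrawn {rec.withdrawn_at.isoformat()}"
        return False, "no consent on record"


def demo() -> ConsentLedger:
    """Constructed walk-through: one marketing consent, later withdrawn."""
    ledger = ConsentLedger({"marketing emails": {"email-platform"}})
    ledger.record_consent("p-1", "marketing emails", "notice-v2",
                          datetime(2026, 1, 10, tzinfo=UTC))
    ledger.withdraw("p-1", "marketing emails", datetime(2026, 3, 1, tzinfo=UTC))
    return ledger


if __name__ == "__main__":
    led = demo()
    for when in (datetime(2026, 2, 1, tzinfo=UTC), datetime(2026, 3, 2, tzinfo=UTC)):
        print(when.date(), led.permitted("p-1", "marketing emails", when))
```

The point of the `permitted` check is that every processing step asks the ledger for a purpose and a time, so a withdrawal takes effect at the next call rather than at the next quarterly review, and the set returned by `withdraw` is the list of vendors your processor-notification step has to reach.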

The five rights your policy must enable

  • Right to access: a summary of the personal data being processed, the processing activities, and the identities of the other data fiduciaries and processors with whom the data has been shared.
  • Right to correction and erasure: correct inaccurate data and erase data no longer needed.
  • Right to nominate: appoint another person to exercise rights in case of death or incapacity.
  • Right to grievance redressal: a readily available means to raise a complaint with you first.
  • Right to approach the Board: escalate to the Data Protection Board if you do not resolve the grievance.
✅ Practical Tip

Publish a single contact point, a privacy email or a grievance officer, in your policy and your public notice. Most rights disputes escalate to the Board only because the company gave the data principal no easy way to reach a human.

Retention, Deletion and Managing Processors

The DPDP Act expects purpose limitation and storage limitation: keep personal data only as long as the purpose requires, or as another law requires, and then erase it. Your policy should set concrete retention periods by data category (for example, marketing leads, customer records, ex-employee files) rather than a vague “as long as necessary”.

On the vendor side, you may only engage a data processor under a valid contract. The Act itself stops at “valid contract”; the terms below are the ones a practitioner puts in the data processing agreement so that your own obligations can actually be met: process data only on your instructions, apply security safeguards, assist with data principal requests, delete or return data at the end of the engagement, and notify you of any breach promptly enough for you to notify the Board and affected individuals. You remain the accountable party.

Example data categories and illustrative retention:

  • Website enquiry / lead: until the purpose ends, then a short defined window.
  • Customer / transaction records: as required under tax, GST and Companies Act records rules.
  • Employee records: through employment plus statutory retention (PF, ESI, tax).
  • Marketing consent logs: retain proof of consent for as long as you rely on it.
⚠️ Watch Out For

Free SaaS tools are still data processors. The email marketing platform, the form builder, the analytics tag and the cloud drive holding your customer list all process personal data on your behalf. If there is no data processing agreement in place, you have a gap, regardless of how small the vendor is.

Breach Notification to the Data Protection Board

A personal data breach is any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to it, that compromises the confidentiality, integrity or availability of that data. Ransomware that locks your customer database is a breach even if nothing was exfiltrated. On becoming aware of one, the DPDP Act 2023 requires a data fiduciary to notify both the Data Protection Board of India and each affected data principal, in the form and manner the DPDP Rules prescribe.

The notice to individuals should be in clear terms: what happened, the likely consequences, the measures you are taking, and what they can do to protect themselves. Your policy should pre-define the internal mechanics so nobody improvises during a real incident.

🔒 Two reporting clocks

DPDP Act: notify the Data Protection Board and affected data principals on becoming aware of a personal data breach. The exact form and deadlines are set by the DPDP Rules, so check the Rules as notified at the time you write the runbook.

CERT-In: separately, under the CERT-In directions of April 2022, the listed categories of cyber security incident must be reported to CERT-In within 6 hours of noticing them. That obligation applies to service providers, intermediaries, data centres and body corporates generally, not only to tech and digital companies, so build both obligations into the same incident runbook.

Your breach section should name an incident owner, set internal escalation timelines, require a written incident log, and specify how you assess scope, contain the breach, and draft the dual notifications. Strong security safeguards, documented and actually used, are also your best defence against the heaviest penalty slab.

How to Write Your Data Protection Policy: 5 Steps

You do not need a law firm to get a workable first version in place. Follow these five steps, starting from the free template.

1. Map your data first

List what personal data you collect, where it lives, who can access it, and which vendors touch it. You cannot write an accurate policy without this inventory.

2. State the lawful basis and purpose

For each data flow, record whether you rely on consent or a legitimate use, and the specific purpose. This drives your consent screens and your privacy notice.

3. Set retention and rights workflows

Fix concrete retention periods by category, and write the actual steps your team follows when a data principal asks to access, correct or erase data.

4. Close the vendor and breach gaps

Put a data processing agreement in place with every processor, and write a breach runbook covering the Board and individual notifications plus the CERT-In 6-hour rule.

5. Assign an owner and review yearly

Name a policy owner or grievance officer, train the team, and set an annual review so the policy keeps pace with your operations and the DPDP Rules as they are notified.
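Once the inventory from step 1 exists as structured data, steps 2 to 5 can be re-run as an automated gap check every time a flow or vendor changes, rather than once at drafting time. The following is an added example, not code from the article or from any CFOmatrix template: the inventory, the flow names, the vendor names and the retention periods are all constructed for the illustration, and the checks it makes (lawful basis named, one purpose per flow, a DPA with every processor, a concrete retention period, records past retention, an assigned owner) are the ones the five steps above call for.

```python
"""Automated gap check over a personal-data inventory.

Added example, not code from the original article. The INVENTORY below is
constructed sample data; flow names, vendors and retention periods are
assumptions for the illustration.
"""
from datetime import date, timedelta

# Constructed sample inventory: one entry per data flow (assumed values).
INVENTORY = [
    {"flow": "website enquiry form", "category": "lead",
     "lawful_basis": "consent", "purpose": "respond to enquiry",
     "processors": [{"name": "form-builder", "dpa": True}],
     "retention_days": 180, "owner": "grievance-officer@example.com",
     "records": [{"id": "L-1", "last_activity": date(2025, 6, 1)},
                 {"id": "L-2", "last_activity": date(2026, 5, 20)}]},
    {"flow": "newsletter", "category": "marketing",
     "lawful_basis": None, "purpose": "newsletter, product analytics",
     "processors": [{"name": "email-platform", "dpa": False}],
     "retention_days": None, "owner": None, "records": []},
    {"flow": "payroll", "category": "employee",
     "lawful_basis": "legitimate use: employment",
     "purpose": "salary processing",
     "processors": [{"name": "payroll-saas", "dpa": True}],
     "retention_days": 365 * 8, "owner": "hr-head@example.com",
     "records": [{"id": "E-7", "last_activity": date(2015, 3, 31)}]},
]


def due_for_erasure(flow: dict, today: date) -> list[str]:
    """IDs of records whose last activity is older than the flow's retention."""
    if not flow["retention_days"]:
        return []                      # no concrete period: reported separately
    cutoff = today - timedelta(days=flow["retention_days"])
    return [r["id"] for r in flow["records"] if r["last_activity"] < cutoff]


def check_flow(flow: dict, today: date) -> list[str]:
    """Return the policy gaps for one data flow; empty means none found."""
    gaps = []
    if not flow["lawful_basis"]:
        gaps.append("no lawful basis recorded (consent or a named legitimate use)")
    if any(sep in flow["purpose"] for sep in (",", ";", " and ")):
        gaps.append(f"bundled purposes {flow['purpose']!r}; record one purpose per flow")
    for p in flow["processors"]:
        if not p["dpa"]:
            gaps.append(f"processor {p['name']} has no data processing agreement")
    if not flow["retention_days"]:
        gaps.append("retention period is not a concrete number of days")
    if not flow["owner"]:
        gaps.append("no policy owner or grievance contact assigned")
    for rec_id in due_for_erasure(flow, today):
        gaps.append(f"record {rec_id} is past retention; erase it and instruct processors to erase")
    return gaps


def check_inventory(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Gap report keyed by flow name."""
    return {f["flow"]: check_flow(f, today) for f in inventory}


if __name__ == "__main__":
    for flow, gaps in check_inventory(INVENTORY, date(2026, 6, 15)).items():
        print(flow, "->", gaps or "no gaps")
```

Run against the constructed inventory, the newsletter flow comes back with five gaps (no basis, bundled purposes, a vendor without a DPA, no retention period, no owner), while the two well-documented flows each surface only a record that has outlived its retention window. In practice the inventory would be loaded from wherever you keep it, and the check would run in the same review cycle as the annual policy review in step 5.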

“Under the DPDP Act, the question is not whether you are big enough to need a data protection policy. If you hold anyone’s data, you already do. The only question is whether yours exists on paper or just in good intentions.”

Ankit Sarawagi, CFOmatrix

Get the policy in place without the legal bill

Download the free Data Protection Policy template (Word), or see all 41 policy templates for Indian companies. Need help tailoring it to your data flows and cross-border setup? CFOmatrix can help.


Frequently Asked Questions

What is a data protection policy under the DPDP Act 2023?

A data protection policy is the internal document that sets out how your company collects, uses, stores, shares and deletes the personal data of its data principals, in line with the Digital Personal Data Protection Act 2023. It records the lawful basis for processing (usually consent or a legitimate use), the purposes, retention periods, the rights you grant data principals, how you handle processors and vendors, and how you respond to a personal data breach. It is the backbone for your customer-facing privacy notice.

Who must comply with the DPDP Act 2023 in India?

The DPDP Act applies to any organisation (a data fiduciary) that processes the digital personal data of individuals in India, whether collected online or digitised later. It also reaches companies outside India that process the personal data of people in India in connection with offering them goods or services. There is no employee-count or turnover threshold, so even an early-stage startup with a website, app or customer list is covered.

What rights do data principals have under the DPDP Act?

Under the DPDP Act 2023 a data principal has the right to access a summary of their personal data and how it is processed, the right to correction and erasure of their data, the right to nominate another person to exercise their rights in case of death or incapacity, and the right of grievance redressal through the fiduciary before approaching the Data Protection Board. Your data protection policy must explain how each right is exercised and the timeline for responding.

How must a personal data breach be reported under the DPDP Act?

On becoming aware of a personal data breach, a data fiduciary must notify both the Data Protection Board of India and each affected data principal, in the form and manner prescribed by the DPDP Rules. The notice to data principals should describe the breach, its likely consequences and the steps they can take to protect themselves. Separately, the CERT-In directions require the listed categories of cyber incident to be reported to CERT-In within 6 hours of noticing them, and that rule applies to body corporates generally, not only to IT companies. Your policy should name an owner, set internal escalation timelines and require an incident log.

What is the difference between a data fiduciary and a data processor?

A data fiduciary is the organisation that decides why and how personal data is processed, so it carries the primary obligations under the DPDP Act. A data processor is a vendor that processes personal data on the fiduciary’s behalf, such as a payroll provider, cloud host or email tool. The fiduciary may only engage processors under a valid contract, and remains accountable for the data. Your policy should require a written data processing agreement with every processor.

Is a privacy policy the same as a data protection policy?

They are related but not identical. A data protection policy is an internal governance document for your team that says how the company will comply with the DPDP Act 2023. A privacy policy (or privacy notice) is the external, public-facing statement on your website or app that tells users what data you collect and why. The internal policy is the source of truth; the public notice is the summary you show data principals before or at the time of collecting consent.

What penalties apply for breaching the DPDP Act 2023?

The DPDP Act 2023 allows the Data Protection Board to impose monetary penalties that are significant, with the highest slab being up to ₹250 crore for failing to take reasonable security safeguards that result in a personal data breach. Other failures, such as not notifying a breach or not meeting children’s data obligations, carry their own penalty slabs. A documented data protection policy and an incident response process are strong evidence that you took reasonable steps.

This article reflects the Digital Personal Data Protection Act 2023 and related rules as understood in 2026; supporting DPDP Rules continue to be notified and may change specific timelines and thresholds. This is general information, not legal advice. Verify the current law and consult a qualified adviser before adopting any policy.

Founder, CFOmatrix  |  Finance Strategy & Equity Compliance

CFOmatrix is a knowledge platform focused on how finance actually works inside growing companies. Every insight is shaped by real operating experience across startups and growth-stage companies, including cross-border setups.
