Understanding Recent Amendments to the DPDP Act 2023

The DPDP Act amendments introduced in June 2026 include critical changes to the consent framework and rights of individuals concerning their data. Under Section 8(1), organizations must now ensure that consent is explicitly obtained, leaving no room for implied consent. This shift emphasizes the importance of transparency and clarity in data processing activities, requiring businesses to re-evaluate their consent mechanisms. Another significant change is the establishment of the Data Protection Board as outlined in Section 15. This Board will play a crucial role in adjudicating data-related disputes and overseeing compliance with the DPDP Act. Organizations must be prepared to engage with this body, whether it’s for seeking clarifications or addressing grievances raised by individuals.

To align with the new DPDP rules, organizations should first conduct a comprehensive data audit. Identify what personal data is collected, processed, and stored, and ensure that there is a clear legal basis for each processing activity. This will not only help in adhering to Section 8(1) concerning consent but also strengthen your overall data governance framework. Following this, organizations must implement robust data protection measures. This includes encryption, access controls, and regular training for employees on data privacy obligations. Additionally, appointing a Data Protection Officer (DPO) as mandated by the amendments is vital for maintaining ongoing compliance and acting as a point of contact for all data-related queries.

One of the most pressing compliance requirements under the amended DPDP Act is the 72-hour breach reporting requirement as specified in Rule 7(2)(b). This rule mandates organizations to report any data breach to the Data Protection Board within 72 hours of becoming aware of it. Failure to adhere to this timeline could result in substantial penalties. To effectively manage this requirement, businesses should establish an incident response plan that includes immediate notification procedures. This plan should delineate roles and responsibilities for team members and incorporate tools such as CompliYUG's BreachBlitz, which can streamline the reporting process and ensure timely compliance.

Consider a mid-sized e-commerce company that collects extensive personal data from its customers, including payment details and shipping addresses. Following the recent amendments to the DPDP Act, the company realizes that its current consent mechanisms do not meet the explicit consent requirement of Section 8(1). To remedy this, the company conducts a data inventory, revises its privacy policy, and implements a clear consent form on its website. They also train their customer service team to handle inquiries about data processing transparently. Additionally, they set up a system to monitor for potential data breaches, ensuring they can comply with the 72-hour breach reporting requirement under Rule 7(2)(b). By taking these proactive steps, the company not only mitigates compliance risks but also builds trust with its customers.

With the amendments to the DPDP Act 2023, businesses are urged to stay vigilant regarding ongoing developments in data privacy regulations in India. The evolving landscape means that compliance is not a one-time effort but a continuous process of adaptation and improvement. Regular training, audits, and updates to data handling practices will be essential in navigating this new regulatory environment. Organizations should also keep an eye on further updates and guidance from the Data Protection Board to ensure they remain compliant with best practices and emerging requirements. Engaging with industry bodies and leveraging technology solutions for compliance management can provide additional support in this journey.