Data Protection Policy (India)

The Digital Personal Data Protection Act 2023 (DPDP Act 2023) imposes a general security obligation on Data Fiduciaries under Section 8(5): every Data Fiduciary shall protect personal data in its possession or under its control by implementing reasonable security safeguards to prevent a personal data breach. What constitutes 'reasonable security safeguards' will be defined in the DPDP Rules (yet to be notified as of the current date). However, guidance can be drawn from the existing IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules), which provide that a body corporate shall be considered to have complied with reasonable security practices if it implements a documented security programme and information security policies that contain managerial, technical, operational, and physical security controls commensurate with the information assets being protected, with a mandatory requirement to follow IS/ISO/IEC 27001 standard for information security management. Personal Data Breach Notification: Under Section 8(6) of the DPDP Act 2023, in the event of a personal data breach, the Data Fiduciary must notify the Data Protection Board of India and each affected Data Principal in the manner and within the time period to be prescribed in the DPDP Rules. The obligation to notify affected individuals is a significant advance over the existing framework under the SPDI Rules 2011, which had no express notification obligation.

Cross-border transfer of personal data — the transfer of personal data from India to servers, processors, or entities located outside India — is addressed in the Digital Personal Data Protection Act 2023 (DPDP Act 2023) and under the existing IT framework. DPDP Act 2023 — Transfer Framework: Section 16 of the DPDP Act 2023 provides that the central government may notify countries or territories to which Data Fiduciaries may transfer personal data. Conversely, the central government may restrict transfer of personal data to specified countries. Until the central government notifies the permitted and restricted countries under the DPDP Rules, the practical position on cross-border transfers remains to be clarified. The DPDP Act 2023 does not mandate data localisation as a blanket requirement — unlike the earlier drafts of the Personal Data Protection Bill which required certain categories of sensitive personal data to be stored in India. The final DPDP Act 2023 takes a 'negative list' approach — transfers are permitted to all countries except those blacklisted by the central government. Existing position under SPDI Rules 2011: Rule 7 of the SPDI Rules 2011 currently permits transfer of sensitive personal data outside India only where: (a) the transfer is necessary for the performance of a lawful contract; or (b) the person whose SPDI is being transferred has consented to such transfer; provided the country to which the data is transferred ensures the same level of data protection as India.

A personal data breach response programme is a mandatory element of an organisation's data protection framework under the DPDP Act 2023 and the IT Act 2000. A 'personal data breach' is defined in Section 2(t) of the DPDP Act 2023 as any unauthorised processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data. Step 1 — Containment: Upon discovery of a breach, the immediate priority is containment — stopping the ongoing breach (e.g., isolating compromised systems, revoking unauthorised access, patching the exploited vulnerability). The incident response team (comprising IT, legal, compliance, and senior management) should be activated immediately. Step 2 — Assessment: The organisation should assess the nature and scope of the breach: what data was affected (categories and volume), how many Data Principals are affected, the probable cause, and the likely impact on affected individuals (risk of identity theft, financial harm, discrimination, or other significant adverse effects). Step 3 — Notification to Data Protection Board: Under Section 8(6) of the DPDP Act 2023, the Data Fiduciary must notify the Data Protection Board of India of the breach in the manner and within the time period prescribed in the DPDP Rules (yet to be notified). Based on international best practice, organisations should be prepared to notify the Board within 72 hours of becoming aware of the breach.

A Data Protection Policy (India) does not legally require a lawyer in India, and individuals and businesses may draft and execute the document independently. The Digital Personal Data Protection Act, 2023 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified India lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Supreme Court of India has jurisdiction over disputes arising from this type of document, and Registrar of Companies (ROC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.

A Data Protection Policy (India) does not legally require a lawyer in India, though legal advice is recommended. Under Indian law, the Indian Contract Act 1872 governs agreements. The Companies Act 2013 and Registrar of Companies (ROC) regulate corporate documents. The Information Technology Act 2000 governs electronic contracts and data protection. The Consumer Protection Act 2019 provides consumer rights. The Income Tax Act 1961 requires tax compliance. Forms-legal.com provides this template as a starting point — always review with a qualified Indian advocate for significant transactions. Under India law, Digital Personal Data Protection Act, 2023, parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). Forms-legal.com provides this template as a starting point for India-compliant documentation.