If your business collects customer data in India, India's Digital Personal Data Protection Act 2023 makes you responsible for how that data is handled — how you ask for it, secure it, report a breach, and delete it when you're done. Those responsibilities live in Chapter II (Sections 4 to 10) of the Act and the DPDP Rules 2025. This is the complete, plain-English list of what your business must do, with the exact section and rule numbers you can cite. (In the law's own terms, your business is a "Data Fiduciary" — see the box below.)
In plain English
- Your business (you decide why/how data is used) = a "Data Fiduciary"
- Your customer / the user = a "Data Principal"
- A vendor that processes data for you (Razorpay, a courier, an email tool) = a "Data Processor"
- Your core responsibilities = Sections 4–10 of the DPDP Act
- The regulator that can fine you = the Data Protection Board (DPB)
Quick Answer: What Are a Business's Main Responsibilities?
A business must: process personal data only on a lawful basis — consent or a legitimate use (Section 4); give a clear notice before collecting data (Section 5); obtain valid consent (Section 6); keep data accurate, secure it with reasonable safeguards, report breaches, and erase data when no longer needed (Section 8); obtain verifiable parental consent for children's data (Section 9); and, if designated a Significant Data Fiduciary, appoint a Data Protection Officer in India and conduct audits and impact assessments (Section 10). The DPDP Rules 2025 add specific security measures (Rule 6) and retention limits (Rule 8).
Does This Apply to Your Business?
If you alone or with others determine the purpose and means of processing personal data, your business is a Data Fiduciary — the definition in Section 2(i). It doesn't matter whether you're a sole proprietor, a private limited company, or an individual running a home business. If you decide to collect customer names, phone numbers, or addresses and decide what to do with them, the obligations below apply to you. (For the difference between a Fiduciary and a Processor, see our Data Fiduciary explainer.)
The Obligations, Section by Section (Chapter II)
| Section | Obligation | What it requires |
|---|---|---|
| Section 4 | Lawful basis | Process personal data only for a lawful purpose, with consent or for a certain legitimate use |
| Section 5 | Notice | Give a clear notice of what data, what purpose, how to exercise rights, and how to complain — before or when consent is sought |
| Section 6 | Consent | Obtain free, specific, informed, unconditional, unambiguous consent by a clear affirmative action; allow easy withdrawal |
| Section 7 | Legitimate uses | The narrow, listed situations where processing without consent is allowed |
| Section 8 | General obligations | Accuracy, security safeguards, breach intimation, erasure, a published contact, and grievance redressal |
| Section 9 | Children's data | Verifiable parental consent; no tracking, behavioural monitoring, or targeted ads directed at children |
| Section 10 | Significant Data Fiduciary | Extra duties — India-based DPO, independent auditor, DPIA and periodic audit |
Section 4 — Process Only on a Lawful Basis
You may process personal data only for a lawful purpose for which the Data Principal has given consent, or for a certain legitimate use under Section 7. There is no broad "we have a legitimate interest" catch-all like the GDPR — for ordinary commercial processing, consent is your basis.
Section 5 — Give a Proper Notice
When you request consent, it must be accompanied or preceded by a notice that states the personal data to be collected and the purpose, the manner in which the Data Principal can exercise their rights (under Sections 6(4) and 13), and how they can complain to the Board. The notice must be available in English or any language listed in the Eighth Schedule to the Constitution. (See our privacy notice guide with template.)
Section 6 — Obtain Valid Consent
Consent must be "free, specific, informed, unconditional and unambiguous with a clear affirmative action." A pre-ticked box or buried terms don't count. Under Section 6(4) the Data Principal can withdraw consent at any time, and 6(5) confirms that the ease of withdrawal must be comparable to the ease of giving it. Section 6 also introduces the Consent Manager — a registered, individual-facing intermediary (not a vendor you hire to collect consent for yourself). (See our full consent requirements guide.)
Section 7 — Know the Legitimate Uses
Section 7 lists the specific situations where you may process without consent — including data a person voluntarily provided for a purpose they didn't object to, provision of a State subsidy/benefit/service, compliance with a legal obligation or court order, a medical emergency, an epidemic or public-health measure, a disaster, and certain employment purposes. For a typical SMB, almost nothing commercial falls here — treat consent as your default.
Section 8 — The General Obligations (The Core of Day-to-Day Compliance)
Section 8 is where most operational duties sit:
- Accountability (8(1)–8(3)): you remain responsible for compliance even when a Data Processor acts on your behalf, and you must ensure data is complete, accurate and consistent where it's used to make a decision affecting the person or is disclosed to another Fiduciary.
- Security safeguards (8(5)): protect personal data in your possession or control by taking "reasonable security safeguards to prevent personal data breach."
- Breach intimation (8(6)): on a personal data breach, give intimation to the Board and each affected Data Principal in the prescribed manner. (See the 72-hour breach rule.)
- Erasure (8(7)): erase personal data on withdrawal of consent or as soon as the purpose is no longer served (and cause your processors to erase it too), unless a law requires retention.
- Published contact (8(9)): publish the business contact of a Data Protection Officer (if any) or of a person who can answer questions about your processing.
- Grievance redressal (8(10)): maintain an effective grievance redressal mechanism.
Section 9 — Children's Data
Before processing a child's personal data (under 18), you must obtain verifiable consent of a parent or lawful guardian (and of a lawful guardian for a person with a disability). The Act states you "shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children." (See our parental consent guide.)
Section 10 — Significant Data Fiduciaries
The government can designate a business as a Significant Data Fiduciary based on the volume and sensitivity of data it processes and the risks involved. An SDF has extra duties: appoint a Data Protection Officer based in India, appoint an independent data auditor, and carry out a periodic Data Protection Impact Assessment (DPIA) and audit. Most SMBs won't be SDFs initially, but watch for government notifications.
What the DPDP Rules 2025 Add
Rule 6 — Reasonable Security Safeguards (The Minimum Measures)
Rule 6 turns "reasonable security safeguards" into a concrete baseline. It requires at least:
- Securing data through encryption, obfuscation, masking, or virtual tokens mapped to the personal data
- Appropriate access control for the computer resources used
- Visibility over who accesses the data, through logs, monitoring and review, to detect and investigate unauthorised access
- Reasonable measures for continued processing if confidentiality, integrity or availability is compromised — such as data backups
- Retention of logs and personal data for one year, unless the law requires otherwise
- Contractual provisions obliging any Data Processor to take reasonable security safeguards
- Appropriate technical and organisational measures to make the safeguards effective
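As an added illustration of three of these measures working together (virtual tokens mapped to the personal data, access logging with review, and one-year log retention), not code from the page or from any particular product: a small tokenisation vault in Python. The permitted purposes, actor names and phone numbers are constructed sample data.

```python
import secrets
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RETENTION = timedelta(days=365)  # Rule 6: access logs kept for one year

class TokenVault:
    """Constructed Rule 6 illustration: raw data lives only here, under a random token."""
    def __init__(self, allowed_purposes):
        self._data = {}           # token -> value; the only copy of the raw data
        self.access_log = []      # every detokenise attempt, allowed or not
        self.allowed_purposes = set(allowed_purposes)

    def tokenize(self, value):
        token = secrets.token_hex(16)   # random, so meaningless outside the vault
        self._data[token] = value
        return token

    def detokenize(self, token, actor, purpose, now):
        allowed = token in self._data and purpose in self.allowed_purposes
        self.access_log.append({"ts": now, "actor": actor, "token": token,
                                "purpose": purpose, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{actor}: '{purpose}' is not a permitted purpose")
        return self._data[token]

    def prune_logs(self, now):  # Rule 6 retention: drop entries older than one year
        self.access_log = [e for e in self.access_log if e["ts"] >= now - LOG_RETENTION]
        return len(self.access_log)

    def review(self, max_per_actor=3):  # Rule 6 review: denied attempts and bulk readers
        findings = [f"denied: {e['actor']} ({e['purpose']})"
                    for e in self.access_log if not e["allowed"]]
        reads = Counter(e["actor"] for e in self.access_log if e["allowed"])
        findings += [f"volume: {a} read {n} values"
                     for a, n in reads.items() if n > max_per_actor]
        return findings

def demo(now=datetime(2026, 1, 10, tzinfo=timezone.utc)):
    vault = TokenVault({"order-delivery", "support-ticket"})
    phones = [vault.tokenize(f"+91-98xxxxxx{i:02d}") for i in range(5)]  # constructed data
    vault.detokenize(phones[0], "courier-app", "order-delivery", now)
    try:  # a purpose outside the consented ones is refused but still logged
        vault.detokenize(phones[0], "marketing-intern", "promo-sms", now)
    except PermissionError:
        pass
    for tok in phones:  # one actor bulk-reading every customer's number
        vault.detokenize(tok, "analyst", "support-ticket", now + timedelta(days=2))
    return vault.review(), vault.prune_logs(now + timedelta(days=366))
```

The review returns the refused marketing read and the analyst's bulk access as findings, and the prune keeps only the entries still inside the one-year window.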
Rule 8 — Erase Data After the Retention Period
For certain classes of large Data Fiduciary listed in the Third Schedule (such as large e-commerce, online gaming and social media platforms above specified user thresholds), Rule 8 requires personal data to be erased once the specified retention period has passed and the Data Principal hasn't engaged or exercised rights — unless a law requires it to be kept. The Rule also requires the Fiduciary to tell the Data Principal at least 48 hours before that erasure, so they can log in or act to keep their account active. Even if your business is below these thresholds, "delete data you no longer need" is the direction of travel — build retention limits in now.
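An added example, not from the page, of how a scheduled job could apply Rule 8's sequence: erase only once the retention period has passed with no engagement, never without a notice that is at least 48 hours old, never while another law requires retention, and with any engagement after the notice cancelling it. The three-year retention period and the account records are assumptions for illustration; the real period comes from the Third Schedule.

```python
from datetime import datetime, timedelta, timezone

# Constructed Rule 8 illustration. The Third Schedule's retention figure is not on this
# page, so the period is a parameter; the three-year value used below is an assumption.
NOTICE_BEFORE_ERASURE = timedelta(hours=48)   # Rule 8: tell the Data Principal 48 h ahead

def retention_decision(last_engaged, retention_period, now, legal_hold=False):
    """'keep', 'notify' or 'erase' for one account, from its last engagement date."""
    if legal_hold:
        return "keep"                          # another law requires retention
    erase_at = last_engaged + retention_period
    if now >= erase_at:
        return "erase"
    if now >= erase_at - NOTICE_BEFORE_ERASURE:
        return "notify"
    return "keep"

def run_retention_sweep(accounts, retention_period, now):
    """One scheduled sweep. accounts: {id: {"last_engaged", "notified_at", "legal_hold"}}.
    Returns (ids to notify, ids to erase). Nobody is erased without a notice that is
    at least 48 h old, and engagement after a notice cancels that notice."""
    to_notify, to_erase = [], []
    for uid, acct in accounts.items():
        if acct.get("notified_at") and acct["last_engaged"] > acct["notified_at"]:
            acct["notified_at"] = None          # user acted on the notice: clock reset
        decision = retention_decision(acct["last_engaged"], retention_period, now,
                                      acct.get("legal_hold", False))
        if decision == "keep":
            continue
        if acct.get("notified_at") is None:     # also covers 'erase' reached without notice
            to_notify.append(uid)
            acct["notified_at"] = now
        elif decision == "erase" and now >= acct["notified_at"] + NOTICE_BEFORE_ERASURE:
            to_erase.append(uid)
    return to_notify, to_erase

def demo():
    d = lambda *a: datetime(*a, tzinfo=timezone.utc)
    accounts = {   # constructed sample accounts
        "u1": {"last_engaged": d(2023, 5, 30), "notified_at": d(2026, 5, 28)},   # notice >48 h old
        "u2": {"last_engaged": d(2023, 6, 4), "notified_at": None},             # enters 48 h window
        "u3": {"last_engaged": d(2025, 1, 1), "notified_at": None},             # still active
        "u4": {"last_engaged": d(2023, 1, 1), "notified_at": None, "legal_hold": True},
        "u5": {"last_engaged": d(2023, 5, 1), "notified_at": None},             # overdue, never told
        "u6": {"last_engaged": d(2023, 5, 20), "notified_at": d(2026, 5, 31)},  # notice too recent
    }
    return run_retention_sweep(accounts, timedelta(days=3 * 365), d(2026, 6, 1, 12))
```

Running the sweep notifies u2 and u5 and erases only u1; u6 waits for its notice to age 48 hours and u4 stays under legal hold.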
A One-Page Responsibility Checklist
- ☐ Process only with consent or a Section 7 legitimate use (Section 4)
- ☐ Show a clear notice before collecting data (Section 5)
- ☐ Capture valid, affirmative, withdrawable consent (Section 6)
- ☐ Keep data accurate where it drives decisions (Section 8)
- ☐ Apply Rule 6 security safeguards; keep logs for a year (Section 8(5), Rule 6)
- ☐ Have a breach intimation process for the Board and affected people (Section 8(6))
- ☐ Erase data on withdrawal or when the purpose ends (Section 8(7), Rule 8)
- ☐ Publish a contact point and a grievance mechanism (Sections 8(9), 8(10))
- ☐ Get verifiable parental consent for under-18s (Section 9)
- ☐ If designated an SDF: DPO in India, auditor, DPIA (Section 10)
Turning Responsibilities Into Routine: Train Your Team
Knowing your obligations is step one; the harder part is making sure everyone who touches customer data follows them every day. That's a training problem, not just a legal one. Our companion guide, How to Train Your Staff on DPDP Compliance, is a downloadable, print-ready session you can run with your team to put these responsibilities into practice.
References & Sources
- Ministry of Electronics & IT, Government of India — The Digital Personal Data Protection Act, 2023 (Chapter II, Sections 4–10; the Schedule).
- The Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E)) — Rule 6 (reasonable security safeguards) and Rule 8 with the Third Schedule (retention and erasure).
- India Code — Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), official consolidated text.
This article is general information about the DPDP Act 2023 and DPDP Rules 2025, not legal advice. Section and rule references are cited from the official text; verify the current notified version and consult a professional for your specific obligations.