India's new DPDP Act introduces a transformative data privacy standard – this article explores its impact and how CockroachDB helps ensure compliance.
Disclaimer: The content provided in this blog post is for general informational purposes only and does not constitute legal advice. Cockroach Labs makes no representations or warranties regarding the accuracy, completeness, or timeliness of the information contained herein, and expressly disclaims any liability arising from reliance on such content.
India's digital scene is evolving rapidly, with an increased focus on individual privacy and data protection, as evidenced by global standards like Europe's GDPR. These standards have raised the bar for data protection globally.
India's answer, the Digital Personal Data Protection (DPDP) Act, 2023, is a robust legal framework covering privacy, data security, and responsible digital governance. With draft rules released in April 2025 and a phased rollout underway starting with the Data Protection Board, the new guardian of digital privacy for Indian citizens, the compliance clock is officially ticking.
Don’t let the phased approach lull you into inaction – the time to prepare is now: This is the moment to secure your data, protect your business, and turn India's new privacy standard into a competitive advantage.
At Cockroach Labs, we’re ideally positioned to support organizations navigating this shift. The resilient, distributed database architecture of CockroachDB supports data durability, security, and compliance at scale. We empower businesses to navigate the demands of modern data protection regulations, from GDPR to DORA to the DPDP Act, with confidence.
Demonstrating compliance with India’s DPDP Act can improve customer trust and your brand’s reputation, and protect your business from significant financial penalties. Specific data management practices are required to meet the DPDP Act’s high standards – this article explains its core tenets, and how a distributed SQL database like CockroachDB can help you to be DPDP Act-ready.
Key definitions under the DPDP Act
Like many regulatory frameworks, the DPDP Act comes with its own terminology. Here are key terms for clarity and consistent enforcement of data protection rules:
Understanding the DPDP Act
The DPDP Act, effective as of August 11, 2023, highlights India's dedication to striking a balance between protecting individual data and ensuring data can be processed efficiently and legally.
Who does the DPDP Act apply to?
The DPDP Act applies broadly to entities handling personal digital data, including:
Businesses and Organizations: If you're a company or an individual in India (or serving customers in India) and you're collecting or managing personal digital data, this applies to you.
Government Bodies: Government offices and public bodies that handle digital personal data, with a few exceptions for national security or law enforcement.
Entities Outside India: Even if your organization is based outside India, you must comply with the DPDP Act if you're processing data about Indian residents (especially if you're offering them goods or services).
Core provisions and obligations
Consent and transparency
Under the DPDP Act, consent must be explicit, informed, and freely given. Data Fiduciaries must clearly communicate how and why data is processed.
Example: An e-commerce platform collecting user data for purchases must not use that data for unrelated purposes, e.g. sharing it with third-party advertisers, without separate, explicit consent.
Rights of Data Principals
The DPDP Act provides Data Principals with specific rights similar to other data privacy laws like GDPR, effectively extending international privacy practices into the Indian context.
Right to Access: Data Principals can request and review personal data collected by a Data Fiduciary.
Example: A user can request their order history from a food delivery app.
Right to Correction and Erasure: Data Principals can correct inaccurate data or request erasure once data is no longer required.
Example: A customer can request correction or removal of outdated address data from a ride-sharing app.
Right to Grievance Redressal and Nomination: Data Principals can lodge complaints for improper data handling and nominate representatives to manage their data rights.
Example: A banking customer may file a complaint regarding unauthorized sharing of financial data and designate a nominee to manage such issues on their behalf.
Special provisions for children
The DPDP Act imposes stricter consent rules for children’s data, including prohibitions on tracking, behavioral monitoring, or targeted advertising directed at minors.
Example: An educational gaming app targeted at minors cannot track browsing history or display personalized ads without explicit, verifiable parental consent, which necessitates robust age verification processes.
Obligations of Significant Data Fiduciaries
Organizations classified as Significant Data Fiduciaries must:
Appoint a Data Protection Officer (DPO) to ensure compliance, handle data subject inquiries, and liaise with regulatory authorities.
Conduct regular data protection audits and impact assessments to proactively identify and mitigate data risks.
Regulatory and enforcement framework
The Data Protection Board of India is responsible for DPDP Act enforcement, with powers including:
Mandating remedial actions
Investigating data breaches
Imposing penalties for each instance of non-compliance or breach
Penalty structure
Cross-border data transfers under the DPDP Act
The DPDP Act empowers the Indian government in several ways, including:
Government-Directed Restrictions: The Indian government may officially restrict data transfers to certain countries if it determines their data protection standards are inadequate or fall short of DPDP Act requirements.
Mandatory Compliance Checks: Organizations must evaluate foreign data protection measures to ensure they comply with DPDP Act standards before initiating cross-border transfers.
Data Localization Requirements: For sensitive or critical data categories, organizations may be mandated by the government to store and process such data exclusively within India's boundaries.
Exemptions and limitations of the DPDP Act
The DPDP Act, while comprehensive, does not encompass all data processing activities. Certain activities are explicitly exempt from its provisions and are not subject to its regulatory obligations. Understanding these exemptions is crucial to determining whether the DPDP Act's requirements apply to your specific scenario:
Personal/domestic data handling
Data voluntarily disclosed publicly by Data Principals
Processing related to national security and certain judicial and administrative activities
Illustrative Scenario: DPDP Act Compliance in Action
Let’s explore how meeting the requirements of the DPDP Act, using CockroachDB, might play out in a real-world scenario. Imagine a financial institution, operating across India, classified as a Significant Data Fiduciary. As part of its compliance journey, the institution faces critical challenges:
Data Residency: The need to securely store financial and personal information strictly within India.
Auditability: Regular audits mandated by law, requiring detailed transparency into all data-handling practices.
Data Security and Availability: Ensuring continuous availability and strong protection against breaches, which carry significant regulatory penalties.
To efficiently address these compliance challenges, the institution leverages CockroachDB to:
Guarantee Residency: CockroachDB seamlessly manages data localization, ensuring that all critical data remains stored in India.
Simplify Audit Processes: CockroachDB automatically generates detailed audit trails, enabling straightforward periodic assessments.
Enhance Security: CockroachDB implements advanced security mechanisms, including strong encryption and Role-Based Access Control (RBAC), to safeguard sensitive financial data.
This strategic adoption of CockroachDB allows the institution to confidently navigate the DPDP Act’s stringent compliance landscape, with operational excellence and secure data management.
How CockroachDB can help achieve DPDP Act compliance
To effectively comply with the DPDP Act, businesses need robust and reliable technological solutions. As seen in the example above, CockroachDB can provide the foundational technical capabilities required for DPDP Act compliance by offering the tools and infrastructure needed to manage personal data securely, resiliently, and in line with regulatory requirements.
The right database for the DPDP Act
India's DPDP Act marks a significant leap forward in this era of increased focus on customer data privacy.
Instead of seeing these regulations as a burden, businesses have an opportunity to make data privacy a competitive advantage. Enterprises can simplify DPDP Act compliance by leveraging the product capabilities of CockroachDB to enable proactive data protection, alleviate regulatory burdens, and confidently navigate India's evolving digital landscape.
Ready to learn more about how CockroachDB helps you to be DPDP Act-ready? Visit here to talk to an expert.
About the authors:
Mike Geehan is Head of Security for Cockroach Labs.
Ayog Mohanty is Senior Compliance Analyst for Cockroach Labs.
Biplav Saraf is Staff Product Manager for Cockroach Labs.