The DPDP Act: the legal issues in jargon-free English

Each entry below gives the topic, the legal rule (from the Act and the Rules), and what it means for you in jargon-free English.
1. Who the rules apply to
Legal rule: Scope and applicability (Section 3). The Act applies to the processing of "digital personal data" within India, including data collected in non-digital form and digitised later, and to processing outside India where it is in connection with offering goods or services to Data Principals in India.

If you handle the digital data of people in India, this applies.

It doesn't matter whether you are based in Mumbai, London or New York. If you sell to or service people in India, or process their personal data in digital form (including paper forms that you later scan or type up), you must follow this law.

2. Personal data
Legal rule: Definition (Section 2(t)). "Personal data" means any data about an individual who is identifiable by or in relation to such data.

Any data that points to a person.

Unlike the earlier SPDI Rules under the IT Act, there is no separate list of "sensitive" versus "non-sensitive" data with different handling rules for general processing. Whether it is a name, an email address or a biometric identifier, it is all "personal data" and needs protection. Sensitivity is not irrelevant, though: children's data has its own rules (Section 9), and the volume and sensitivity of the data you process is one of the factors the Government uses to designate Significant Data Fiduciaries (Section 10).

3. Proving compliance
Legal rule: Obligations (Sections 6(10) and 8, Rule 6). Data Fiduciaries must implement "reasonable security safeguards", and where consent is the basis for processing, the burden is on the Fiduciary to prove that notice was given and consent was obtained.

Show your work.

You can't just say you are compliant; you need evidence. This means keeping logs of who accessed what data and when (Rule 6 expects monitoring and logs that let you detect unauthorised access), records of the notice shown and the consent given (consent artifacts: who consented, when, to which purposes, and when consent was withdrawn), and documented security policies. If a question is raised before the Data Protection Board and you cannot produce this evidence, the burden of proof is on you, so in practice you have already failed.

4. Privacy notices
Legal rule: Notice (Rule 3). The notice must be presented independently of any other information (such as terms and conditions), in clear and plain language, and must contain an itemised description of the personal data collected and the specified purpose for each item, along with how the Data Principal can exercise their rights, withdraw consent and complain to the Board.

No more hidden clauses.

You cannot bury privacy terms in a 50-page "Terms & Conditions" document. You must show a separate, simple screen (the Notice) that lists exactly: "We collect [X] for [Y] purpose", and tells people how to withdraw consent, use their rights and complain to the Board. It must be as easy to read as a restaurant menu.

5. Handling failure (breaches)
Legal rule: Breach notification (Rule 7). On becoming aware of a personal data breach, the Data Fiduciary must notify each affected Data Principal and the Data Protection Board (DPB) without delay, and must send the Board a detailed report within 72 hours (or a longer period the Board allows on request).

Tell the truth, fast.

If personal data is compromised (a hack, a leak, an accidental email, or loss of access such as ransomware, since the Act's definition of a breach covers confidentiality, integrity and availability), you cannot hide it. You must tell the Data Protection Board without delay and submit the detailed report within 72 hours. Crucially, you must also tell the people affected (users or employees) what happened, what the likely consequences are, what you are doing about it, and what they can do to protect themselves.

6. The "compliance person"
Legal rule: Contact person and DPO (Sections 8(9) and 10). Every Data Fiduciary must publish the contact details of a person who can answer Data Principals' questions about their data (commonly set up as a grievance officer). A Data Fiduciary that the Government notifies as a "Significant Data Fiduciary" (SDF) must appoint a Data Protection Officer (DPO).

You need a "go-to" person.

Every company needs a designated person whose contact details are public, so people can ask questions and complain. If the Government designates you an SDF (based on factors such as the volume and sensitivity of data you process and the risk to Data Principals, not simply company size), you need a senior Data Protection Officer based in India who is responsible to your Board of Directors.

7. Being a supplier
Legal rule: Data Processor (Sections 8(1), 8(2) and 8(5)). A Data Fiduciary may engage a Data Processor only under a valid contract, the Processor acts on the Fiduciary's instructions, and the Fiduciary remains responsible for compliance and for security safeguards covering processing done on its behalf.

The client is the boss, but the vendor is on the hook.

If you are a vendor (for example a payroll provider), you may only do what the client instructs you to do. The Act's penalties fall on the client (the Fiduciary), who stays responsible for compliance even for work you do on their behalf, so expect the contract to push the same security controls (encryption, access logging, breach reporting to the client) down to you. If you cause a leak, the client is the one the Board fines, and they will look to recover their losses from you under that contract.

8. Citizens' rights
Legal rule: Rights of the Data Principal (Sections 11 to 14). Right to access information about their data, to correction, completion, updating and erasure, to grievance redressal, and to nominate another person.

Users are in control.

People can ask you: "What data do you have on me, and who have you shared it with?" and "Correct my data" or "Delete my data." You must respond within the response time you publish under the Rules. They can also nominate someone to exercise their rights on their behalf if they die or become incapacitated (a digital heir).

9. Children's data
Legal rule: Verifiable parental consent (Section 9, Rule 10). Processing the personal data of a child (anyone under 18) requires the verifiable consent of a parent or lawful guardian. Tracking, behavioural monitoring and targeted advertising directed at children are prohibited.

Leave the kids alone.

You cannot track children online or show them targeted ads. To process their data, you must first obtain consent from the actual parent or guardian and be able to show that you checked they are an adult (for example against reliable identity details or a virtual token issued for the purpose). The Rules carve out a few narrow exemptions (for example certain healthcare and educational processing), so check them before concluding you are out of scope.

10. If it goes wrong
Legal rule: Penalties (the Schedule). Monetary penalties, up to ₹250 crore for failing to take reasonable security safeguards and up to ₹200 crore for failing to notify a breach. The Act provides no criminal imprisonment.

It will cost you money, not jail time.

Unlike the old IT Act, executives won't go to prison under this Act. But the fines are massive: up to ₹250 crore (roughly US$30 million) for failing to secure data, and up to ₹200 crore for failing to report a breach. The focus is on financial accountability, and the Board sets the amount within those caps based on the nature, gravity and duration of the breach.

11. Sending information abroad
Legal rule: Cross-border transfer (Section 16). Transfers are permitted to any country or territory except those the Central Government restricts by notification, and nothing in Section 16 overrides other laws that impose a higher degree of protection or restriction.

Global flow is okay (mostly).

You can send data to the US, Europe or Singapore freely, unless the Government puts a specific country on a "negative list". This is much simpler than the GDPR's "adequacy" and transfer-mechanism requirements. The caveat is that sector-specific rules (for example data localisation requirements from regulators such as the RBI) still apply on top of the Act.
