Navigating the Digital Personal Data Protection Act:
A comprehensive guide for compliance with ManageEngine solutions
Table of contents
Introduction to the Digital Personal Data Protection Act, 2023
Summary
Why a data protection act is needed in India
Overview of the DPDP Act and its objectives
Brief history of data privacy laws in India
Status, applicability, and scope of the DPDP Act
Exclusions from the DPDP Act
Demystifying the Digital Personal Data Protection Act, 2023
Key principles and definitions
A. Key principles of the DPDP Act
B. Key definitions of the DPDP Act
Obligations of Data Fiduciaries under the DPDP Act
Rights of Data Principals under the DPDP Act
A CXO's guide to achieving DPDP compliance
A. Essential steps for DPDP compliance
B. Developing a DPDP compliance checklist
Table 1: DPDP compliance checklist for businesses
C. Understanding the role of Data Protection Impact Assessments (DPIAs)
D. Managing consent and Data Principal rights
Leveraging ManageEngine AD360 for DPDP compliance
Leveraging ManageEngine Log360 for DPDP compliance
Conclusion and recommendations
www.manageengine.com/active-directory-360/
Introduction to the Digital Personal Data Protection Act, 2023
Summary
The Digital Personal Data Protection (DPDP) Act, 2023 marks India’s formal entry into the global
landscape of modern data governance. Unlike previous regulations, it shifts the focus from mere
compliance to accountability, placing clear obligations on businesses while empowering individuals with
enforceable rights over their digital footprint. Understanding and adhering to the DPDP Act is crucial for
all entities that handle personal data within India or process the data of Indian citizens, regardless of their
geographical location.
This e-book provides an in-depth analysis of the DPDP Act, explains its key requirements, and explores
how ManageEngine AD360 and Log360 can assist organizations in meeting their compliance
obligations. By leveraging AD360 and Log360, businesses can enhance their data protection posture,
streamline compliance efforts, and build trust with their stakeholders.
Why a data protection act is needed in India
With the rapid growth of digital technologies and online services, the collection and processing of
personal data has become increasingly prevalent. Prior to the DPDP Act, India lacked a comprehensive
privacy law. While the Supreme Court of India recognized the right to privacy as a constitutionally
protected right in 2017, the existing Information Technology (Reasonable Security Practices and
Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) had limitations.
The DPDP Act aims to fill this crucial gap by providing a comprehensive legal framework for data
protection in India. Furthermore, there was a lack of clarity about individuals' legal rights over
their personal data and a lack of accountability for organizations processing this data. The DPDP Act
establishes the Data Protection Board of India (DPB) to enforce the law and hold organizations
accountable, thereby empowering individuals with greater control over their personal data.
Overview of the DPDP Act and its objectives
The DPDP Act aims to establish a robust framework for data protection, ensuring accountability,
transparency, and consent-based data handling practices across various sectors. It establishes a balance
between the need for lawful data processing and an individual’s right to safeguard their personal data.
Under this law, entities handling personal data (referred to as Data Fiduciaries) are assigned specific
responsibilities to ensure proper data management. At the same time, individuals whose data is being
processed (known as Data Principals) are granted defined rights and obligations to maintain control over
their personal information. Additionally, it enforces accountability by imposing monetary penalties on
organizations that violate its regulations.
Brief history of data privacy laws in India
Prior to 2023, India did not have a standalone law on data protection; the use of personal data was
regulated under the Information Technology (IT) Act, 2000 and the SPDI Rules.
In 2017, the Supreme Court of India's Puttaswamy judgment recognized the right to privacy as a
fundamental right. Following this, the government developed draft legislation to protect the privacy of
Indians. This included the Personal Data Protection Bill, 2019, which was based on the recommendations
of a Committee of Experts on Data Protection chaired by Justice B. N. Srikrishna. This bill was referred to
a Joint Parliamentary Committee but was eventually withdrawn in August 2022.
Subsequently, the Ministry of Electronics and Information Technology proposed the Digital Personal
Data Protection Bill, 2022 in November 2022. After further deliberation and amendments, the Digital
Personal Data Protection Act, 2023 was passed by the Indian Parliament in August 2023 and received
presidential assent.
Status, applicability, and scope of the DPDP Act
The DPDP Act applies to the processing of digital personal data within India where the data is collected
online or offline and is subsequently digitized. It also has extraterritorial application, extending to the
processing of digital personal data outside of India if such processing is related to offering goods or
services to individuals within India. This means organizations based outside India but targeting the
Indian market will also need to comply with the DPDP Act.
Exclusions from the DPDP Act
While the scope of the DPDP Act is broad, it also outlines certain exclusions. It does not apply to personal
data processed for personal or domestic purposes by individuals. It also excludes non-automated
personal data, meaning data processed manually and not digitized, as well as offline personal data that
remains in physical form and is not converted into a digital format. Personal data that has been made
publicly available by the Data Principal themselves or by any other person under a legal obligation to do
so is also generally outside the purview of the Act. Additionally, data processed for law enforcement or
national security purposes may be exempt. Data processed for journalistic or artistic expression is also
exempt. Understanding these exclusions is crucial for organizations to accurately determine which of
their data processing activities are governed by the DPDP Act.