DPDPA 2023

India's DPDPA carries INR 500 crore in aggregate penalties.

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection law. With the Data Protection Board being constituted and enforcement rules being finalized, the window to prepare is closing. FOCTTA is purpose-built for DPDPA from day one.

DPDPA Penalty Schedule (Section 33)

Failure to take reasonable security safeguards (data breach): INR 250 crore (~$30M)

Failure to notify Data Protection Board and affected persons of breach: INR 200 crore (~$24M)

Non-fulfillment of obligations related to children's data: INR 200 crore (~$24M)

Non-fulfillment of additional obligations by Significant Data Fiduciary: INR 150 crore (~$18M)

Breach of any other provision of the Act: INR 50 crore (~$6M)

Breach of terms/conditions of voluntary undertaking: INR 50 crore (~$6M)

Maximum aggregate penalty per entity: INR 500 crore (~$60M)

How FOCTTA addresses every DPDPA requirement

Section 6 — Consent

Consent must be free, specific, informed, unconditional, and unambiguous with clear affirmative action.

FOCTTA: Purpose-based consent collection with lawful basis tracking, clear consent language, and granular purpose selection.

Section 5 — Notice

Data Fiduciary must give notice in clear, plain language describing data and purpose.

FOCTTA: Multi-language notice management (8 Indian languages) with version control and geo-aware serving.

Section 6(5) — Withdrawal

Data Principal may withdraw consent at any time with ease of withdrawal comparable to ease of giving.

FOCTTA: One-click consent withdrawal via preference centre, API, or SDK with instant cache invalidation.

Section 8(5) — Security

Reasonable security safeguards to protect personal data.

FOCTTA: AES-256-GCM encryption, RLS tenant isolation, SHA-256 hash-chained audit trail, and S3 WORM archival.

Section 11 — Grievance

Data Principal has the right to grievance redressal.

FOCTTA: Full DSAR lifecycle: intake, identity verification, SLA tracking (90 days), task orchestration, and DPB escalation.

Section 12 — Erasure

Data must be erased when consent is withdrawn or purpose is fulfilled.

FOCTTA: Multi-system erasure orchestration with legal hold checks, per-system tracking, and signed erasure certificates.

Section 9 — Children

Verifiable consent from parent/guardian for processing children's data.

FOCTTA: Age verification hooks, parental consent workflows, and dedicated children's data processing controls.

Section 10 — SDF Obligations

Significant Data Fiduciaries must appoint DPO and conduct DPIAs.

FOCTTA: DPO role with full platform access, DPIA wizard with templates, and compliance health scoring.


DPDPA enforcement is here. Are you ready?

Don't wait for the Data Protection Board to come knocking. Start your DPDPA compliance journey today.
