India Governance, Risk, Compliance and Regulatory Services

Digital Personal Data Protection law

Common and Frequently Used Abbreviations and Key Terms - A Referencer

Many abbreviations and key terms are used in or related to the upcoming data privacy regime in India, particularly following the enactment of the Digital Personal Data Protection Act, 2025 (DPDP Act).

We list some of the common and frequently used abbreviations below:

ABBREVIATION 
MEANING 
Anonymisation 

Process through which a set of personal data is manipulated or altered to render it permanently unidentifiable, i.e. it can no longer identify or link to an individual to whom the data had pertained

CERT-In 

Indian Computer Emergency Response Team — the national agency for cyber security. CERT-In is a Central Government agency under MeitY, whose key objectives include issuing cyber security guidelines, responding to cyber security incidents, and promoting cyber security awareness in the country

Consent Manager 

An entity that runs a platform to enable individuals to provide, manage or withdraw their consent (to use of their personal data) in a transparent manner.

The Consent Manager has to be registered with the Central Government (MeitY).

The Consent Manager has a key role – when an individual gives consent for sharing personal data (like date of birth, Aadhaar etc) with a product or service provider, i.e. Data Fiduciary, the consent flows through the Consent Manager to the Data Fiduciary, and also to the sources from where the personal data will be drawn.

The consented personal data flows from the source through the Consent Manager to the product or service provider. For example, PAN information will flow from the Income Tax data repository to the product or service provider via the Consent Manager. The Consent Manager maintains a record of consent (giving, changing, withdrawing), but does not store personal data itself.

Consent Notice 

A Consent Notice (CN) is required to be given by a DF to an individual who is availing its products or services.

A Consent Notice is a clear, specific document (or notice) from the Data Fiduciary to the individual, seeking the Data Principal’s consent for processing their personal data.

Effectively, the CN will explain in detail what personal data is required from the individual, and how such personal data will be used by the DF

Cross-border Transfer of Personal Data 

Transfer or sending of personal data outside India as permitted under Section 16 of the DPDP Act.

The Data Fiduciary may transfer personal data to a Data Processor outside India.

Also refer to Data Processor

Data Minimisation 

Principle that only such amount of personal data be collected as is necessary for the purpose of processing, for providing the relevant products and services availed by the DP.

Also refer to Purpose Limitation

Data Processor 

A person (or entity or business) which processes the personal data of a Data Principal. The processing is done by the Data Processor on behalf of a Data Fiduciary under a contract or legal arrangement.

A Data Processor could be an Indian service provider or a foreign entity, and could be a group entity of the Data Fiduciary or an external third party.

Also refer to the example in DF

De-identification 

Process by which the personal data is rendered unidentifiable to prevent attribution to an individual.

This means that the personal data is processed / altered (or even some fields of personal data removed) in a manner that the processed data can no longer identify an individual to which the data pertains.

DF 

Data Fiduciary — any person, company, or entity that collects personal data, and determines the purpose and means of processing such personal data.

Effectively, DF is the person / entity from which you are buying or availing products and services, and providing your personal data to them for that purpose of availing their products or services.

Example: If an individual is buying a mutual fund investment, the individual must share certain personal data so that the mutual fund can issue the investment product to the individual and maintain the investment account over its life. In this example, the individual is the Data Principal; the mutual fund is the Data Fiduciary.

When the individual buys the investment product, he must provide his personal data to the mutual fund – like name, address, PAN number, Aadhaar etc. He must consent to the mutual fund to use (also called process) his personal data so that the mutual fund can provide services to him.

If the mutual fund shares certain personal information with – let’s say a courier vendor – such vendor will be the Data Processor (as he will process / use the data for sending couriers to the investors). The Data Processor will be acting on behalf of the Data Fiduciary under a contract for (courier) services

DP 

Data Principal — the individual to whom the personal data relates

DPBI 

Data Protection Board of India — independent adjudicatory body established under the DPDP Act

DPD 

Digital Personal Data — personal data in digital form or personal data digitised from non-digital form.

The protections under the DPDP law extend only to the personal data that is in digital format, or if in physical format, is converted into the digital format.

Thus, data on paper (which will not be digitized) is not in scope of the DPDP law.

For example, if an individual hands over his or her Aadhaar in paper format to a service provider, then such Aadhaar does not get the protection of the DPDP law if the service provider continues to hold the Aadhaar in paper form only

DPDP Act 

Digital Personal Data Protection Act, 2025 — India’s primary privacy and data protection law regulating collection, use, processing etc. of digital personal data; and consent management

DPIA or Data Protection Impact Assessment

The DPDP legislation requires SDFs to undertake a DPIA. It is an assessment to evaluate privacy risks arising from data processing.

For example, if a DF outsources data processing to a Data Processor based overseas, one of the risks to consider is country risk for data that is sent overseas. Thus, DPIA is a risk assessment methodology to assess a range of risks and how they can be mitigated. Some risks may not be significant and may rather be accepted.

A DPIA may also be referred to as a Privacy Impact Assessment

DPO or Data Protection Officer 

An individual appointed to ensure compliance with Privacy law and act as a point of contact for grievances.

DPDP law requires all SDFs to compulsorily appoint a DPO. Many other entities are also likely to have a DPO, considering their size and complexity of operations, governance needs, or as best practice

GDPR 

General Data Protection Regulation is a European Union (EU) regulation on information and data privacy in the European Union and the European Economic Area.

GDPR is a data protection regime similar to DPDP, implemented by the EU, and is considered one of the highest global reference frameworks for privacy practices

Grievance Redressal 

A process available to the Data Principals to raise and resolve concerns with Data Fiduciaries or the Board, in case of their grievances in regard to use (or misuse) of their personal data.

The grievance redressal process of a particular data fiduciary will be available on its website

Individual (in reference to owner of personal data) 

Same as Data Principal

IT Act 

Information Technology Act, 2000 — India’s overarching cyber law framework.

At the date of this article, the DPDP law has been enacted, but is not yet effective.

Until the DPDP law becomes effective, the privacy regime prescribed under the IT Act and its relevant IT Rules 2011 continue to apply

IT Rules 2011 

Refers to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.

These Rules operate under the IT Act and prescribe the privacy regime that is currently in force until the DPDP law becomes effective.

MeitY 

Ministry of Electronics and Information Technology — the nodal ministry administering the DPDP Act.

This ministry is also the parent ministry of the CERT-In agency

National Critical Information Infrastructure Protection Centre (NCIIPC) 

Central Government Agency responsible for protecting India’s critical information infrastructure.

It is a unit of the National Technical Research Organisation (NTRO) and comes under the Prime Minister’s Office (PMO)

Notice and Consent Framework 

Mechanism under the DPDP Act governing lawful collection and use of personal data. The collection and use are based on a Consent Notice provided by the DF, consent given by the DP, and such consent being managed by the Consent Manager.

Also refer to Consent Notice and Consent Manager

PD Breach or Personal Data Breach 

Personal Data Breach is any unauthorised or accidental disclosure, alteration, loss, or access of personal data.

In effect, where the personal data is accessed or disclosed by Data Fiduciary or a Data processor for any reason other than authorised purpose, it is likely a data breach.

When a data breach takes place, the DF is required to undertake a range of actions that can include assessing the breach, informing relevant customers, and reporting the breach to the DPBI

PD or Personal Data 

Any data pertaining to an individual that identifies that individual.

Thus, name, date of birth, Aadhaar, PAN, are all personal data that alone or in combination can identify an individual. Information like bank details, financial information, biometric information etc are also personal data if they can identify an individual.

Also refer to the example in DF

PII 

Personally Identifiable Information — any information that can identify an individual, used interchangeably with “Personal Data”. This term is from the IT Rules 2011 and will not be relevant once DPDP becomes effective

Privacy by Design 

Embedding privacy considerations into the design and operation of systems and processes.

This essentially means that when a data fiduciary is launching a new product or service, or is implementing a new process or technology, that uses, processes or has an impact on personal data, it shall assess all the privacy risks and embed the controls into the operational process and data flows such that, for instance, personal data is collected and used for authorized purposes only, only required personal data is collected, and personal data breaches are prevented

Processing 

Entire cycle of operations performed on personal data — collection, storage, retrieval, sharing, erasure, etc.

Effectively, any use of or access to personal data is processing

Pseudonymisation 

Replacing identifiers in the personal data with artificial identifiers to limit direct identification of a DP

Purpose Limitation 

Principle that personal data must be processed only for the specific lawful purpose consented to by the Data Principal. This conversely means that the Personal Data must be collected only to the extent it is necessary to provide the relevant products and services.

Also see Data Minimisation

Right to Data 

A bundle of Data Principals’ rights under the DPDP Act, including the right to access, correction, and erasure of the personal data, and right of grievance redressal where there is an issue in regard to the personal data with a DF

RTI 

Right to Information Act, 2005 — a separate legislation that provides citizens’ right to government information, ensuring transparency in government functions. It is a set of rights distinct from privacy rights

SDF or Significant Data Fiduciary

DPDP law provides that certain Data Fiduciaries, who handle large volumes of personal data, may be categorized as an SDF. This essentially is to have a higher level of governance, oversight, and protection.

It is the Central Government that will designate a DF as an SDF. In designating an SDF, the Central Government will consider factors based on volume or sensitivity of data processed, risk of harm, etc

SPDI – Sensitive Personal Data or Information 

A concept from the IT Rules 2011, under the predecessor regime to DPDP. SPDI includes financial, health, biometric, sexual orientation information, etc and entities are required to have a higher level of protection for such SPDI.

The DPDP law does not make a distinction of types of personal data – it has a horizontal coverage of and protection for all ‘personal data’ uniformly

Standard Operating Procedure (SOP) 

Detailed documented process to ensure consistent handling of various processes related to data protection obligations

Unique Identification Authority of India (UIDAI) 

A statutory authority responsible for managing and administering Aadhaar framework and database in India.

The UIDAI was established under the provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act 2016”), and operates under MeitY

This article is as of 10 Nov 2025.

 

Note: This document is for general informational purposes only and is not intended to be legal or formal advice or guidance.