DPDP Act vs IT Act 2000: Key Differences for Indian Companies

How the DPDP Act 2023 changes data protection obligations compared to the IT Act 2000 Section 43A, and what Indian companies need to update.

10 min read · Updated 2026-05-04

The Predecessor: IT Act Section 43A

Before DPDP, Indian data protection was governed primarily by IT Act 2000 Section 43A and the Sensitive Personal Data or Information (SPDI) Rules 2011 under it. The SPDI Rules defined sensitive personal data (passwords, financial info, health, biometrics, sexual orientation), required reasonable security practices, and gave individuals the right to access and correct their data.

The regime was widely criticised as inadequate: no independent regulator, no meaningful penalties (compensation was the only remedy), no explicit consent framework, and no coverage of non-digital processing.

Key Changes Introduced by DPDP

Regulatory body: DPDP creates the Data Protection Board — an independent adjudicatory body with power to investigate, impose penalties, and award compensation. The IT Act had no equivalent.

Penalties: DPDP Section 26 penalties go up to ₹250 crore per violation category, with a maximum of ₹550 crore per entity. The IT Act's Section 43A allowed compensation but rarely resulted in meaningful action.

Consent: DPDP Section 6 creates a comprehensive consent framework with specific requirements. The SPDI Rules had consent requirements but no granularity.

Scope: DPDP covers all personal data, not just SPDI categories. It applies to any entity processing personal data of Indian residents, even if the entity is outside India. IT Act Section 43A applied only to 'body corporates' in India handling SPDI.

Practical Updates Required

Your Privacy Policy must now reference DPDP rather than (or in addition to) IT Act Section 43A. Your consent mechanisms need to meet DPDP Section 6 standards. Your data subject request (DSR) workflows need to cover access, correction, and erasure as explicit rights. If you have a Grievance Officer appointed under the IT Act, ensure their DPDP scope is explicitly defined and their contact details are publicly listed.

The most significant gap for most companies: IT Act compliance typically didn't require AI-specific controls because AI was less prevalent. DPDP compliance in 2026 absolutely requires addressing AI systems — LLM logs, training data, and AI-assisted decisions are all in scope.

Compliance operational checklist

This comparison should be treated as an operating control, not only as a reference article. The minimum checklist is a data inventory, a stated processing purpose, owner approval, PII detection at the AI boundary, redaction or tokenisation where possible, retention limits, vendor transfer records, and a tested user-rights workflow. This checklist gives engineering and compliance teams a shared language for deciding what must be blocked, what can be allowed in shadow mode, and what needs human review before production release.

For AI systems, the review should include prompts, retrieved context, tool call arguments, model responses, logs, traces, analytics events, exports, and support attachments. Many incidents happen because teams scan only the visible form field while sensitive data moves through background context or observability tooling. CrewCheck's recommended pattern is to place the scanner at the request boundary, record the policy version, and keep audit evidence that shows which identifiers were detected and what action was taken.

A practical rollout starts with representative samples from production-like traffic. Run a DPDP scan, sort findings by identifier sensitivity and blast radius, fix Aadhaar, PAN, financial, health, children's, and precise-location exposure first, then move to consent wording, retention, deletion, and vendor review. Use shadow mode when false positives could disrupt users, and promote to enforcement only after the exceptions have owners and expiry dates.

This page is educational and should be paired with legal review for final policy interpretation. The operational proof should still come from repeatable evidence: scanner results, audit exports, pull-request checks, policy configuration, and a documented owner for the workflow. That combination is what makes the content useful during buyer diligence, board review, regulatory questions, or an incident investigation.

Tags: DPDP, IT Act, data protection, India, compliance

Check your own workflow

Run a free DPDP scan before this risk reaches production.

Scan prompts, logs, documents, and API payloads for Indian PII exposure, missing redaction, and audit gaps.