DPDP vs IT Act 2000: Moving From the Stone Age to the Digital Age

If you’ve been running a business in India for a while, you’ve probably heard of the IT Act, 2000. For two decades, it was the only law we had to manage the wild west of the internet. But let’s be honest: in the year 2000, we were still using dial-up and floppy disks. The world has changed, and our laws finally have too.

The Digital Personal Data Protection (DPDP) Act, 2023 is a total reboot. While the IT Act was mostly about “cybercrimes” and “keeping computers safe,” the DPDP Act is about protecting people and their personal info.

Think of the IT Act as a basic padlock on a filing cabinet. The DPDP Act is a 24/7 security team, a surveillance system, and a strict set of rules about who is allowed to even touch the cabinet.

Side-by-Side Comparison

| Feature | IT Act, 2000 (SPDI Rules) | DPDP Act, 2023 |
| --- | --- | --- |
| Primary Focus | Computer security and cybercrime | Protection of digital personal data |
| What Data is Covered? | Only “Sensitive” data (passwords, health, etc.) | All digital personal data (even your name/email) |
| Consent | Required, but usually buried in fine print | Must be clear, specific, and withdrawable |
| Children’s Data | No specific protection | Strict rules; requires parental consent |
| Data Fiduciary | Not a term used (called “Body Corporate”) | The business that decides “how” and “why” data is used |
| Max Penalties | Mostly compensation to the victim | Up to ₹250 Crore per instance |
| Right to Erasure | Limited / Not clearly defined | Explicit right to ask a business to delete your data |
| Breach Notification | Report to CERT-In (mostly for tech issues) | Must notify the Data Protection Board AND the user |
| Storage Limits | Not strictly enforced | Data must be deleted once the purpose is served |
| Data Protection Officer | Not required for most small businesses | Required for Significant Data Fiduciaries |

Key Philosophical Differences

To understand why this matters for your startup or SME, you need to see how the “vibe” of the law has changed. Here are the three biggest shifts:

1. From “Sensitive” to “Personal”

Under the old IT Act, you mostly had to worry if you were collecting “Sensitive Personal Data or Information” (SPDI), like bank details or medical records. If you just had names and phone numbers, the law was pretty chill.

Under the DPDP Act, that distinction is mostly gone. Personal Data is now anything that can identify a person. If you have a customer’s name, email, or even their GPS location, you are now a Data Fiduciary. This is a simple way of saying you are the “trustee” of that data and are legally responsible for keeping it safe.

2. From Fine Print to Clear Notice and Consent

We’ve all seen those 50-page privacy policies no one reads. Under the old rules, that was enough. Under the DPDP Act, you have to provide a Notice that is written in plain, easy-to-understand language. You even have to offer it in multiple Indian languages if the user wants.

The Data Principal (that’s the “smart person” term for your customer/user) must give their consent through an “affirmative action”—meaning they have to actually click “I agree” to a specific, clear statement.

3. Accountability vs. Just Compensation

The IT Act was mostly about making things right if someone got hurt (compensation). If you lost someone’s data, they could sue you for damages.

The DPDP Act is about accountability. It doesn’t matter if no one was “hurt” by a data leak; if you didn’t follow the rules or didn’t have the right security in place, the government can fine you. These fines aren’t meant to pay back the victim; they are meant to punish the business for being careless. You can find more on how to stay safe in our compliance checklist.

Practical Advice for Companies Navigating the Shift

If you are currently operating under the old IT Act rules, you have some work to do. Here is how to start moving toward the DPDP Act’s data protection standards:

  • Audit Your Data Inventory: Stop thinking only about “sensitive” data. List every piece of info you collect—from employee attendance to customer marketing lists. If it identifies a human, it’s covered.
  • Rewrite Your Privacy Policy: Take it out of “legalese.” If a 10th grader can’t understand how you are using their data, it probably won’t pass the DPDP test.
  • Check Your Vendors: If you use a third-party tool to process data (a Data Processor), make sure you have a contract that says they have to follow the DPDP Act too. You are the one on the hook if they mess up.
  • Appoint a Point Person: Even if you aren’t a “Significant Data Fiduciary” (a large company with massive amounts of data), you still need someone in your office who understands these rules. Start by understanding your role as a data owner.
  • Prepare for Deletion Requests: Start building a system where, if a customer says “delete my data,” you can actually find it and wipe it from all your servers.
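The “Audit Your Data Inventory” and “Prepare for Deletion Requests” points above come down to one capability: knowing every store that holds a person’s data, why it was collected, and being able to find and remove it on request. The following is an added illustration, not code from the original post or from any compliance product; the store names, purposes, retention periods and data principal ids are all constructed sample values, and the legal-hold exception is an assumption used only to show how a retention obligation (such as tax records) is handled alongside an erasure request.

```python
"""Illustrative data inventory with erasure-request and retention handling.

Every store, purpose, retention period and record below is constructed
sample data for demonstration; none of it comes from a real system.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class DataStore:
    """One place where personal data lives, why it is kept, and for how long."""
    name: str
    purpose: str
    retention_days: int
    # principal_id -> record; every record carries the date it was collected
    records: dict = field(default_factory=dict)


class DataInventory:
    """Registry of every store holding personal data, searchable by data principal."""

    def __init__(self) -> None:
        self.stores: list[DataStore] = []
        self.audit_log: list[str] = []

    def register(self, store: DataStore) -> None:
        self.stores.append(store)

    def locate(self, principal_id: str) -> dict[str, str]:
        """Return {store name: purpose} for every store that holds this principal."""
        return {s.name: s.purpose for s in self.stores if principal_id in s.records}

    def erase(self, principal_id: str, legal_hold: frozenset = frozenset()) -> dict[str, str]:
        """Handle a 'delete my data' request across all stores.

        Stores named in legal_hold (assumed: records a law requires you to keep)
        are reported rather than wiped, so the response to the user is honest.
        """
        outcome: dict[str, str] = {}
        for s in self.stores:
            if principal_id not in s.records:
                continue
            if s.name in legal_hold:
                outcome[s.name] = "retained (legal hold)"
            else:
                del s.records[principal_id]
                outcome[s.name] = "erased"
            self.audit_log.append(f"{principal_id} {s.name} {outcome[s.name]}")
        return outcome

    def expired(self, today: date) -> list[tuple[str, str]]:
        """List (store, principal) pairs whose retention window has passed."""
        out = []
        for s in self.stores:
            for pid, rec in s.records.items():
                if (today - rec["collected"]).days > s.retention_days:
                    out.append((s.name, pid))
        return out

    def purge_expired(self, today: date) -> list[tuple[str, str]]:
        """Delete data whose purpose is served (storage limitation) and report what went."""
        gone = self.expired(today)
        for store_name, pid in gone:
            next(s for s in self.stores if s.name == store_name).records.pop(pid)
            self.audit_log.append(f"{pid} {store_name} purged (retention expired)")
        return gone


def build_sample_inventory() -> DataInventory:
    """Constructed sample: three stores holding data about two data principals."""
    inv = DataInventory()
    inv.register(DataStore("crm", "customer support", 730, {
        "dp-001": {"collected": date(2024, 6, 1), "email": "a@example.com"},
        "dp-002": {"collected": date(2024, 9, 15), "email": "b@example.com"},
    }))
    inv.register(DataStore("marketing", "newsletter", 365, {
        "dp-001": {"collected": date(2024, 6, 1)},
        "dp-002": {"collected": date(2023, 1, 10)},
    }))
    inv.register(DataStore("invoices", "tax records", 2920, {
        "dp-001": {"collected": date(2024, 6, 1), "amount": 1200},
    }))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("dp-001 is held in:", inv.locate("dp-001"))
    print("erasure outcome:", inv.erase("dp-001", legal_hold=frozenset({"invoices"})))
    print("purged on retention:", inv.purge_expired(date(2025, 1, 1)))
    print("\n".join(inv.audit_log))
```

The point of the audit log is that a deletion request produces evidence: which stores were searched, what was erased, and what was kept and why. Registering a new store in one place is what makes “wipe it from all your servers” achievable; any store missing from the inventory is data you cannot find when a customer asks.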

The transition from the IT Act 2000 to the DPDP Act 2023 is a big leap. It feels like a lot of homework, but it’s actually a great chance to build trust with your customers. In a world where everyone is worried about their privacy, being the business that handles data the “right” way is a huge competitive advantage.

For more deep dives into specific industries, check out our industry-specific guides.

Confused by the differences?

Dual compliance is tricky. Our experts can help you navigate both IT Act 2000 and DPDP requirements.
