What is India's Digital Personal Data Protection (DPDP) Act and how does it affect web hosting?
India's Digital Personal Data Protection (DPDP) Act 2023 establishes rules for processing digital personal data of Indian citizens. For web hosting, it requires data principals (website owners) to obtain consent before collecting personal data, maintain security standards, enable data deletion on request, and report breaches. Connect Quest's India-based data centers help satisfy data localization aspects.
DETAILED EXPLANATION:
DPDP Act key concepts:
Data Principal: The person whose personal data is collected (your website user)
Data Fiduciary: You (the website/business collecting data)
Data Processor: Connect Quest (processing data on your behalf)
Personal Data: Any data that identifies a person (name, email, phone, IP address)
Key obligations for Data Fiduciaries (website owners):
1. Consent requirement:
Before collecting personal data, obtain free, specific, informed, and unambiguous consent.
Cookie banners in India now legally required (not just courtesy).
Cannot bundle consent with terms of service.
2. Purpose limitation:
Collect only data needed for stated purpose.
Cannot use email collected for newsletter to send marketing (separate consent needed).
3. Data minimization:
Collect minimum necessary data.
If only email needed for order confirmation, do not collect date of birth.
4. Storage limitation:
Retain data only as long as purpose requires.
Delete personal data after relationship ends (former customers).
5. Security safeguards:
Appropriate technical and organizational measures.
Encryption of personal data at rest and in transit.
Access controls: Minimum necessary access.
6. Breach notification:
Notify Data Protection Board and affected individuals "as soon as possible."
No specific timeframe defined yet (awaiting rules).
For significant fiduciaries: Within 72 hours (expected, similar to GDPR).
7. Data Principal rights:
Right to access: User can request what data you hold about them.
Right to correction: User can correct inaccurate data.
Right to erasure: User can request deletion ("Right to be forgotten").
Right to grievance redressal: Complaint mechanism required.
STEP-BY-STEP - DPDP compliance for website on Connect Quest:
1. Conduct data audit:
List every personal data collection point:
- Contact forms (name, email, phone)
- User registration (full PII)
- Payment (card data → use payment gateway, never store yourself)
- Analytics (IP addresses → anonymize)
- Cookies (advertising cookies are personal data)
2. Update privacy policy:
Include: What data collected, why, how long kept, who shared with, user rights.
DPDP requirement: Privacy notice in English and the language the user communicates in.
If site serves Assamese users: Privacy notice in Assamese also recommended.
3. Implement consent management:
Install consent management platform (CMP):
Free options: CookieYes, Osano
Configure for India: "By using this site, you consent to personal data processing for [specific purposes]"
Make opt-out as easy as opt-in.
4. Enable data deletion workflow:
Create: [email protected] for data requests
Define: Process for responding to deletion requests within 30 days
Implement: Mechanism to delete user data across all systems (CRM, email, backups)
5. Assess data processors:
Connect Quest as data processor: Request their Data Processing Agreement (DPA)
Google Analytics: Sign DPA, enable data anonymization, use GA4
Email providers (Mailchimp, Brevo): Sign DPA, confirm India data residency options
6. Data localization for significant fiduciaries:
Significant fiduciary criteria: TBD in rules (expected: large user base or sensitive data)
If significant fiduciary: "Critical" personal data may require India storage.
Connect Quest India data centers (NE India) support data localization.
Regular hosting: No current mandatory localization requirement for all businesses.
7. Data breach response plan:
Create incident response document:
- Who to notify: CERT-In (within 6 hours), Data Protection Board
- What constitutes breach: Unauthorized access, ransomware, data exposure
- How to notify users: Template email ready to deploy
- Evidence preservation: System logs, access records
REAL EXAMPLES:
E-commerce site DPDP compliance checklist:
Registration form: Consent checkbox for marketing (separate from order processing)
Order processing: No consent needed (legitimate interest for contract performance)
Google Analytics: Anonymize IPs, honor Do Not Track, update privacy policy
Payment: Never store card data (use Razorpay tokenization)
Customer support: Tickets retained 2 years, then deleted
Newsletter: Separate consent, unsubscribe mechanism, delete on unsubscribe request
Healthcare website (higher obligations):
Health data = sensitive personal data under DPDP
Enhanced consent requirement
Must name Data Protection Officer (DPO)
Strict access controls and audit logs
FLOW:
User visits site -> Cookie consent banner (DPDP requirement) -> User accepts specific purposes
-> Data collected with consent -> Processed by Connect Quest (as data processor) in Indian data center
-> User requests deletion -> All systems delete within 30 days -> Confirmation sent
KEY POINTS:
- DPDP Act 2023 passed, rules awaited from government (enforcement will follow rules)
- Connect Quest India-based servers help with data residency requirements
- GDPR compliance (if you have EU users) does not automatically mean DPDP compliance
- Data Protection Board of India: Fines up to Rs 250 crore for serious violations
COMMON MISTAKES:
- Bundling data collection consent with website terms of service (invalid consent under DPDP)
- Not having data deletion mechanism (most overlooked requirement)
- Ignoring cookies as personal data (browser tracking data = personal data)
- Assuming no compliance needed until rules finalized (courts can still penalize based on Act)
QUICK FIX:
Quick wins: Add cookie consent banner + Update privacy policy + Create privacy@ email address.
These three changes put you ahead of 80% of Indian websites for DPDP readiness.
Contact Connect Quest for data processing agreement if needed.
DIFFICULTY: Intermediate
RELATED: India Hosting, Cloud Hosting India, Data Security, Connect Quest Privacy
DETAILED EXPLANATION:
DPDP Act key concepts:
Data Principal: The person whose personal data is collected (your website user)
Data Fiduciary: You (the website/business collecting data)
Data Processor: Connect Quest (processing data on your behalf)
Personal Data: Any data that identifies a person (name, email, phone, IP address)
Key obligations for Data Fiduciaries (website owners):
1. Consent requirement:
Before collecting personal data, obtain free, specific, informed, and unambiguous consent.
Cookie banners in India now legally required (not just courtesy).
Cannot bundle consent with terms of service.
2. Purpose limitation:
Collect only data needed for stated purpose.
Cannot use email collected for newsletter to send marketing (separate consent needed).
3. Data minimization:
Collect minimum necessary data.
If only email needed for order confirmation, do not collect date of birth.
4. Storage limitation:
Retain data only as long as purpose requires.
Delete personal data after relationship ends (former customers).
5. Security safeguards:
Appropriate technical and organizational measures.
Encryption of personal data at rest and in transit.
Access controls: Minimum necessary access.
6. Breach notification:
Notify Data Protection Board and affected individuals "as soon as possible."
No specific timeframe defined yet (awaiting rules).
For significant fiduciaries: Within 72 hours (expected, similar to GDPR).
7. Data Principal rights:
Right to access: User can request what data you hold about them.
Right to correction: User can correct inaccurate data.
Right to erasure: User can request deletion ("Right to be forgotten").
Right to grievance redressal: Complaint mechanism required.
STEP-BY-STEP - DPDP compliance for website on Connect Quest:
1. Conduct data audit:
List every personal data collection point:
- Contact forms (name, email, phone)
- User registration (full PII)
- Payment (card data → use payment gateway, never store yourself)
- Analytics (IP addresses → anonymize)
- Cookies (advertising cookies are personal data)
2. Update privacy policy:
Include: What data collected, why, how long kept, who shared with, user rights.
DPDP requirement: Privacy notice in English and the language the user communicates in.
If site serves Assamese users: Privacy notice in Assamese also recommended.
3. Implement consent management:
Install consent management platform (CMP):
Free options: CookieYes, Osano
Configure for India: "By using this site, you consent to personal data processing for [specific purposes]"
Make opt-out as easy as opt-in.
4. Enable data deletion workflow:
Create: [email protected] for data requests
Define: Process for responding to deletion requests within 30 days
Implement: Mechanism to delete user data across all systems (CRM, email, backups)
5. Assess data processors:
Connect Quest as data processor: Request their Data Processing Agreement (DPA)
Google Analytics: Sign DPA, enable data anonymization, use GA4
Email providers (Mailchimp, Brevo): Sign DPA, confirm India data residency options
6. Data localization for significant fiduciaries:
Significant fiduciary criteria: TBD in rules (expected: large user base or sensitive data)
If significant fiduciary: "Critical" personal data may require India storage.
Connect Quest India data centers (NE India) support data localization.
Regular hosting: No current mandatory localization requirement for all businesses.
7. Data breach response plan:
Create incident response document:
- Who to notify: CERT-In (within 6 hours), Data Protection Board
- What constitutes breach: Unauthorized access, ransomware, data exposure
- How to notify users: Template email ready to deploy
- Evidence preservation: System logs, access records
REAL EXAMPLES:
E-commerce site DPDP compliance checklist:
Registration form: Consent checkbox for marketing (separate from order processing)
Order processing: No consent needed (legitimate interest for contract performance)
Google Analytics: Anonymize IPs, honor Do Not Track, update privacy policy
Payment: Never store card data (use Razorpay tokenization)
Customer support: Tickets retained 2 years, then deleted
Newsletter: Separate consent, unsubscribe mechanism, delete on unsubscribe request
Healthcare website (higher obligations):
Health data = sensitive personal data under DPDP
Enhanced consent requirement
Must name Data Protection Officer (DPO)
Strict access controls and audit logs
FLOW:
User visits site -> Cookie consent banner (DPDP requirement) -> User accepts specific purposes
-> Data collected with consent -> Processed by Connect Quest (as data processor) in Indian data center
-> User requests deletion -> All systems delete within 30 days -> Confirmation sent
KEY POINTS:
- DPDP Act 2023 passed, rules awaited from government (enforcement will follow rules)
- Connect Quest India-based servers help with data residency requirements
- GDPR compliance (if you have EU users) does not automatically mean DPDP compliance
- Data Protection Board of India: Fines up to Rs 250 crore for serious violations
COMMON MISTAKES:
- Bundling data collection consent with website terms of service (invalid consent under DPDP)
- Not having data deletion mechanism (most overlooked requirement)
- Ignoring cookies as personal data (browser tracking data = personal data)
- Assuming no compliance needed until rules finalized (courts can still penalize based on Act)
QUICK FIX:
Quick wins: Add cookie consent banner + Update privacy policy + Create privacy@ email address.
These three changes put you ahead of 80% of Indian websites for DPDP readiness.
Contact Connect Quest for data processing agreement if needed.
DIFFICULTY: Intermediate
RELATED: India Hosting, Cloud Hosting India, Data Security, Connect Quest Privacy