What is the DPDP Act?
The Digital Personal Data Protection Act 2023 (DPDP) is India's first comprehensive horizontal data protection law. It was passed by Parliament in August 2023 and is being brought into force through Central Government notifications and implementing rules drafted by MeitY. The Act creates the legal framework for processing the personal data of Indian residents.
DPDP draws conceptual inspiration from GDPR (consent, purpose limitation, rights of data subjects) but adapts these to Indian conditions: simpler structure, fewer process-heavy obligations, different penalty structure, and India-specific provisions for children's data and significant data fiduciaries. The Act establishes a Data Protection Board to handle complaints and enforcement.
Two principal roles exist under DPDP. The data fiduciary (the equivalent of a GDPR data controller) determines the purposes and means of processing; the data processor processes data on the fiduciary's behalf. The data principal is the individual whose personal data is processed. Solar EPCs are data fiduciaries for their customer data.
Why DPDP matters for solar EPCs
Solar EPCs sit at the intersection of multiple personal data streams. Customer onboarding collects Aadhaar (for PM Surya Ghar), PAN, bank details (for subsidy DBT), property documents, electricity bills (revealing consumption patterns), site photographs, and GPS coordinates. Lead capture collects phone numbers, names, addresses, sometimes income proxies. Each stream is personal data under DPDP.
Non-compliance carries serious penalty exposure. The Act provides for monetary penalties up to INR 250 crore for failure to take reasonable security safeguards, INR 200 crore for breach notification failure, and INR 150 crore for other obligations. Penalties are imposed by the Data Protection Board after inquiry.
Beyond penalties, customer trust depends on data handling discipline. A residential solar buyer who shares Aadhaar and bank details with an EPC expects responsible handling. Reputation damage from a data breach can be more costly than the fine.
How DPDP compliance is structured
- Data mapping. Identify what personal data is collected and where it is stored.
- Consent flow design. Clear notice, explicit consent capture.
- Purpose limitation. Use data only for stated purposes.
- Data minimisation. Collect only what is needed.
- Storage limitation. Retain only as long as needed.
- Security safeguards. Encryption, access controls, backups.
- Breach response plan. Detect, notify, mitigate.
- Data principal rights handling. Access, correction, erasure.
- Grievance redressal. Internal officer and process.
- Vendor diligence. CRM, hosting, analytics vendors' compliance.
Benefits of DPDP compliance
- Penalty avoidance. Up to INR 250 crore at stake.
- Customer trust. Responsible data handling.
- Tender eligibility. Government and PSU procurement increasingly requires compliance.
- Investor confidence. Compliance signals operational maturity.
- Data hygiene. Cleaner records, better analytics.
- Risk reduction. Breach exposure controlled.
- Vendor alignment. Forces evaluation of tool partners.
Limitations and challenges
- Rules still emerging. Detailed compliance specifics phased in.
- Small EPC burden. Compliance overhead disproportionate.
- Vendor compliance gaps. Tool vendors may not be fully compliant.
- Cross-border data transfers. Rules under finalisation.
- Legacy data audit. Old records may not have a consent trail.
DPDP impact across solar EPC operations
| Activity | DPDP compliance focus |
|---|---|
| Lead capture (website, WhatsApp) | Consent flow, purpose specification |
| Aadhaar handling (PM Surya Ghar) | Storage encryption, retention limits, consent |
| Site photographs | Consent for capture and use |
| WhatsApp marketing | Opt-in, opt-out mechanism |
| Customer data export from CRM | Access logs, audit trail |
| Subcontractor sharing | Data processor agreement |
Quick facts
| Full name | Digital Personal Data Protection Act 2023 |
|---|---|
| Authority | Data Protection Board, MeitY |
| Roles | Data fiduciary, processor, principal |
| Top penalty | INR 250 crore |
| Consent standard | Free, specific, informed, unambiguous |
| Comparable | GDPR (EU) with India-specific adaptations |
| Implementation | Rules being notified through 2025-26 |
Common mistakes about DPDP
- Treating it as a future problem. Effective compliance starts now.
- Bundled consent in forms. Not valid.
- Excel files for customer data. Inadequate security.
- No breach response plan. Notification timelines missed.
- Sharing without processor agreement. Liability transfer fails.
- Indefinite data retention. Violates storage limitation.
- Cold WhatsApp outreach without consent.
- Ignoring vendor compliance. Liability extends through chain.
Key takeaways
- DPDP is India's data protection law, passed August 2023.
- Solar EPCs are data fiduciaries handling significant personal data.
- Consent must be free, specific, informed, unambiguous.
- Penalties up to INR 250 crore per breach class.
- Compliance involves data mapping, consent, security, breach response.
- Implementation rules being phased in through 2025-26.
- Quality CRM tools bake compliance into workflows.
Frequently Asked Questions
What is the DPDP Act?
The Digital Personal Data Protection Act 2023 is India's comprehensive data protection law. Enacted in August 2023 and being rolled out through implementing rules, it governs how organisations collect, process, store, and share personal data of Indian residents. DPDP imposes obligations on data fiduciaries (the equivalent of GDPR data controllers) and grants rights to data principals (individuals).
Why does DPDP matter for solar EPCs?
Solar EPCs collect substantial personal data: customer Aadhaar (for PM Surya Ghar), PAN, bank details, electricity consumption, GPS locations, photographs of property. All of this is personal data under DPDP. Non-compliance carries penalties up to INR 250 crore per breach class.
What are the key obligations under DPDP?
Notice and consent before processing, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, breach notification, grievance redressal, and special protections for children's data. Significant data fiduciaries face additional requirements (Data Protection Officer, audits, impact assessments).
Is DPDP fully in force in 2026?
The Act was passed in August 2023, but specific provisions come into force as the Central Government notifies implementing rules. As of mid-2026, the rules are being phased in. Quality EPCs should treat DPDP as effectively in force and comply proactively.
What is consent under DPDP?
Consent must be free, specific, informed, and unambiguous, given by clear affirmative action. Consent must be granular (separate consents for separate purposes), revocable, and easy to withdraw. Pre-ticked boxes, bundled consent, and ambiguous language do not satisfy DPDP.
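The consent rules above (granular, revocable, no pre-ticked or bundled consent) and the "common mistakes" list (bundled consent, cold WhatsApp outreach) translate into a simple consent register. This is an added example, not QuickEstimate code or DPDP text; the purpose names, the form checkbox model and the customer IDs are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
# Separate purposes keep consent granular (constructed names for this example).
PURPOSES = {"subsidy_application", "site_survey", "whatsapp_marketing"}

@dataclass
class Checkbox:
    """One consent control as rendered on a lead-capture form (constructed input)."""
    purposes: tuple   # every purpose this single box claims to cover
    checked: bool     # state when the form was submitted
    preticked: bool   # True if the box was ticked before the user acted

@dataclass
class ConsentRecord:
    purpose: str
    notice_version: str   # the notice text the principal actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None   # set on withdrawal; never deleted, keeps the trail

class ConsentRegister:
    """Per-principal, per-purpose consent log with withdrawal (example, not a product API)."""
    def __init__(self):
        self._records = {}   # principal_id -> {purpose: ConsentRecord}

    def ingest_form(self, principal_id, notice_version, boxes):
        """Record valid consents, reject bundled or pre-ticked boxes, return purposes granted."""
        granted = []
        for box in boxes:
            if len(box.purposes) != 1:
                raise ValueError(f"bundled consent for {box.purposes} is not valid")
            if box.preticked:
                raise ValueError(f"pre-ticked box for {box.purposes[0]} is not an affirmative action")
            purpose = box.purposes[0]
            if purpose not in PURPOSES:
                raise ValueError(f"unknown purpose {purpose}")
            if box.checked:   # an unticked box simply means no consent for that purpose
                rec = ConsentRecord(purpose, notice_version, datetime.now(timezone.utc))
                self._records.setdefault(principal_id, {})[purpose] = rec
                granted.append(purpose)
        return granted

    def withdraw(self, principal_id, purpose):
        rec = self._records.get(principal_id, {}).get(purpose)
        if rec and rec.withdrawn_at is None:
            rec.withdrawn_at = datetime.now(timezone.utc)

    def may_process(self, principal_id, purpose):
        """Gate each use (e.g. a WhatsApp marketing send) on a current, purpose-specific consent."""
        rec = self._records.get(principal_id, {}).get(purpose)
        return bool(rec and rec.withdrawn_at is None)
```

Every outbound action (a WhatsApp template send, a subsidy portal upload) should call `may_process` first; the withdrawn record stays in the register so the consent trail survives for audit.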
What is the difference between DPDP and GDPR?
DPDP is India's framework; GDPR is the EU's. Both share core concepts (consent, purpose limitation, rights of data subjects) but differ in details: DPDP has different bases for processing, different penalty structures, different cross-border data transfer rules, and India-specific provisions for children and significant data fiduciaries.
What rights do data principals have?
Right to information about processing, right to access data, right to correction and erasure, right to grievance redressal, and right to nominate someone to exercise rights post-death. Indian residents can complain to the Data Protection Board if rights are violated.
Is WhatsApp marketing affected by DPDP?
Yes. Sending WhatsApp marketing to a phone number obtained without proper consent violates DPDP. Solar EPCs must obtain explicit consent before adding contacts to marketing lists. WhatsApp Business templates require opt-in flows.
What about purchased lead lists?
Risky under DPDP. Lead lists from third-party aggregators (JustDial, IndiaMART) should have a consent flow that allows the EPC to contact the lead, but the EPC must verify this. Buying scraped or unverified lists exposes the EPC to DPDP violations.
Is Aadhaar data subject to DPDP?
Yes. Aadhaar is personal data under DPDP. EPCs handling Aadhaar for PM Surya Ghar applications must follow consent, purpose limitation, and security safeguards under DPDP plus the Aadhaar Act 2016 specific rules.
What is the penalty for DPDP non-compliance?
Up to INR 250 crore for failure to take reasonable security safeguards, INR 200 crore for personal data breach notification failure, INR 150 crore for other obligations, and smaller penalties for child data and SDF obligations. Penalties scale to severity.
Should small EPCs worry about DPDP?
Yes. Penalties apply regardless of size. Practical compliance for small EPCs involves: consent flows in lead capture, secure data storage (not Excel files on unprotected laptops), retention limits, breach response plan. CRM tools like QuickEstimate help bake compliance in.
Run your solar business on QuickEstimate
India's mobile-first solar CRM. Send subsidy-ready proposals on WhatsApp in 60 seconds. Free for 10 proposals a month, no card.
Sources
- Digital Personal Data Protection Act 2023. Full text. meity.gov.in
- MeitY notifications and rules. Implementation timelines.
- Data Protection Board orders. Enforcement decisions.
- SFLC.in DPDP analysis. Civil society interpretation.
- NASSCOM compliance guides. Industry-focused guidance.
- Aadhaar Act 2016 and UIDAI guidelines. Aadhaar-specific rules.
- Telecom Regulatory Authority advisories. Marketing communication consent.
Written by QuickEstimate Editorial (Surat).
Last updated: 4 June 2026.