Data8X
Compliance Jun 2026 · 2 min read

DPDPA 2023: what it means for your AI programme

Data8X Team
Govern. Protect. Accelerate AI.

India’s Digital Personal Data Protection Act, 2023 is now part of the operating reality for any organisation handling personal data, and AI programmes sit squarely in its scope. The law is principles-based rather than prescriptive, which gives flexibility but also shifts the burden onto you to show your controls are reasonable and documented.

What the law actually expects

At its core, the DPDPA asks for a clear lawful basis for processing personal data, meaningful consent or a recognised legitimate use, and a set of duties as a Data Fiduciary: protect the data, use it only for the stated purpose, and be able to honour the rights of the people it belongs to. None of this is unusual. What is new for many teams is being able to demonstrate it on demand.

Where AI adds friction

AI complicates three things in particular. Purpose limitation becomes harder when training data is reused across models. Data minimisation collides with the instinct to collect everything “just in case”. And the right to correction or erasure is awkward when personal data has already been baked into a model. Planning for these early is far cheaper than retrofitting them later.

Controls worth putting in place

  • A record of what personal data feeds each model, and the lawful basis for it.
  • Purpose tagging, so data collected for one use is not silently repurposed for training.
  • A documented process for access, correction, and erasure requests that accounts for model artefacts.
  • Retention limits and deletion that actually run, rather than living only in policy.
  • Vendor checks, since fiduciary duty does not disappear when you use a third-party tool.

A pragmatic sequence

Start with visibility: map which AI systems touch personal data at all. Most teams find the list is longer than expected once embedded and vendor tools are counted. Then attach a lawful basis and an owner to each. Only after that does it make sense to invest in tooling for rights requests and automated retention. Sequenced this way, compliance becomes a series of manageable steps rather than a single overwhelming project.

Key takeaways

  • The DPDPA is principles-based, so the burden is on you to show your controls are reasonable and documented.
  • AI strains purpose limitation, data minimisation, and the right to erasure in particular.
  • Map which systems touch personal data first, then attach lawful basis, ownership, and retention.
  • Fiduciary duty extends to third-party AI tools, so vendor diligence matters.
