ISpectra Technologies
Foundations · Beginner · Updated Jun 2026 · 11 min read

What Is the DPDP Act, 2023? A Complete Guide

India now has a dedicated law for digital personal data. This guide explains what the DPDP Act is, who it covers, the roles and rights it creates, what the 2025 Rules added, and how to start preparing before the compliance deadline.


For most of its digital history, India regulated personal data through a patchwork of contract terms and a handful of provisions buried in the Information Technology Act, 2000. The Digital Personal Data Protection Act, 2023 — usually shortened to the DPDP Act — changes that. It is India’s first standalone, comprehensive law for the protection of digital personal data, and it sets out clear duties for the organisations that handle data and clear rights for the people that data belongs to.

This guide is a plain-English orientation to the whole framework: what the Act is, who it applies to, the language it uses, how lawful processing works, the rights individuals gain, what businesses must actually do, and how the recently notified 2025 Rules turn the law into a working compliance regime. By the end you should understand not just the letter of the law but what it means for your organisation in practice, and how to approach DPDP compliance with confidence.

The DPDP Act in one minute

The DPDP Act establishes a consent-based framework for processing the digital personal data of individuals in India. An organisation that decides why and how personal data is processed is called a data fiduciary; the individual whose data is processed is the data principal. Before processing data on the basis of consent, a fiduciary must give the person a clear notice and obtain consent that is free, specific, informed and revocable.

In return, individuals gain enforceable rights — to access their data, to have it corrected or erased, to nominate someone to act for them, and to a grievance-redressal channel. A new regulator, the Data Protection Board of India, investigates complaints and breaches and can impose financial penalties that run as high as ₹250 crore. The law is principles-based and deliberately simpler than many of its global counterparts, but its reach is broad and its penalties are serious.

Why India needed a dedicated data protection law

India is one of the largest digital markets on earth, with hundreds of millions of people transacting, banking, learning and socialising online. Until recently, the only meaningful statutory protection for their personal data came from Section 43A of the IT Act and the 2011 SPDI Rules, which covered a narrow set of “sensitive personal data” and were widely seen as inadequate for a data-driven economy.

The constitutional turning point came in 2017, when the Supreme Court held in the Puttaswamy judgment that privacy is a fundamental right under the Indian Constitution. That ruling created a clear obligation on the State to protect informational privacy through law, and set in motion years of expert committee work, draft bills and public consultation that eventually produced the DPDP Act.

The result is a law designed for scale and clarity. It tries to balance two goals that are often in tension: the individual’s right to protect their personal data, and the legitimate need of businesses and the State to process that data for lawful purposes. Understanding that balance is the key to reading the Act sensibly.

When the law was passed — and when the Rules arrived

The DPDP Act received presidential assent on 11 August 2023. But like much Indian legislation, the Act is a framework: it states principles and obligations, while the operational detail — timelines, formats, thresholds and procedures — is left to subordinate rules. Until those rules were notified, the Act could not be meaningfully enforced.

That changed on 13 November 2025, when the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025. The Rules flesh out how notices must be worded, how consent managers register and operate, what “reasonable security safeguards” look like in practice, how breaches must be reported, and how children’s data and significant data fiduciaries are treated.

Crucially, the Rules introduced a phased transition of roughly 18 months. Some provisions — such as those establishing the Data Protection Board — apply almost immediately, while the substantive operational obligations have a compliance deadline around May 2027. In other words, organisations have a finite, fixed window to get ready, and that window is already running.

Who the DPDP Act applies to

The Act has both a territorial and a material scope. Territorially, it applies to the processing of digital personal data within India. It also applies to processing that happens outside India if that processing is connected to offering goods or services to people located in India. A company headquartered abroad with Indian customers can therefore fall squarely within scope, even without any physical presence in the country.

Materially, the Act covers personal data in digital form — data collected digitally, or collected on paper and later digitised. Purely personal or domestic processing by an individual is excluded, as is data that a person has voluntarily made publicly available, or that someone is required by law to make public.

The Act does not distinguish between large enterprises and small businesses in its core obligations: if you process the digital personal data of individuals in India, the duties around notice, consent, security and rights apply to you. Some lighter treatment is available for startups and certain classes of fiduciary through notified exemptions, but the baseline expectation is broad.

The key players: principals, fiduciaries and processors

Three roles sit at the centre of the Act. The data principal is the individual to whom the personal data relates — and, in the case of a child, includes the parent or lawful guardian. The data fiduciary is any person or organisation that, alone or with others, determines the purpose and means of processing personal data. The fiduciary carries the bulk of the legal responsibility.

A data processor processes personal data on behalf of a fiduciary — a cloud host, a payroll vendor or an analytics provider, for example. Processors act only under a valid contract with the fiduciary, and the fiduciary remains accountable to the data principal for what its processors do.

The Act also creates a special class called the Significant Data Fiduciary (SDF). The government can designate an organisation as an SDF based on the volume and sensitivity of the data it handles, the risk to data principals, and factors such as impact on sovereignty or public order. SDFs carry heavier obligations: appointing a Data Protection Officer based in India, commissioning independent data protection audits, and conducting Data Protection Impact Assessments. A further role, the Consent Manager — a registered intermediary through which individuals can give, manage and withdraw consent — rounds out the cast.

How lawful processing works: notice, consent and legitimate uses

Under the DPDP Act, the default lawful basis for processing personal data is consent. That consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the data necessary for the stated purpose. Just as importantly, withdrawing consent must be as easy as giving it, and the request for consent must be available in English or any of the languages listed in the Eighth Schedule of the Constitution.

Consent cannot be obtained in a vacuum. It must be preceded by a notice that tells the person, in clear and plain language, what personal data will be collected, the purpose of processing, how they can exercise their rights, and how they can complain to the Data Protection Board. The 2025 Rules require this notice to be itemised and standalone, so people can actually understand what they are agreeing to.

The Act recognises that consent is not always practical, so it permits processing for certain legitimate uses without fresh consent. These include situations where a person voluntarily provides data for a service they have requested, processing for specified State functions and subsidies, compliance with legal obligations, responding to medical emergencies, and ensuring safety during disasters. These are narrow, defined gateways — not a general-purpose escape from consent.

The rights the law gives individuals

The DPDP Act gives data principals a compact but meaningful set of rights. The right to access lets a person obtain a summary of the personal data being processed and the identities of other fiduciaries and processors with whom it has been shared. The right to correction and erasure lets them fix inaccurate data and have data deleted once the purpose for which it was collected is over.

There is also a right to grievance redressal: every fiduciary must provide an accessible mechanism for complaints and respond within a defined period, and only after exhausting that channel can a person escalate to the Data Protection Board. A distinctive feature of the Indian law is the right to nominate — a data principal can nominate another individual to exercise their rights in the event of death or incapacity.

Rights come with responsibilities. The Act also places duties on data principals: not to file false or frivolous complaints, not to impersonate others, and to provide authentic information when exercising rights. This two-way framing is one of the ways the DPDP Act differs in tone from purely individual-centric regimes.

What businesses must actually do

Translated into operational terms, the Act asks every data fiduciary to do a recognisable set of things. You must map the personal data you hold and tie each processing activity to a lawful basis. You must rewrite notices and consent flows so they are clear, itemised and easy to withdraw. You must build a process to honour access, correction, erasure and grievance requests within the timelines the Rules set.

On the security side, the Act requires reasonable security safeguards to prevent breaches. The 2025 Rules give this teeth, pointing to measures such as encryption or masking of personal data, strong access controls and multi-factor authentication, and the retention of logs for at least a year to support investigation. You must also limit how long you keep data, deleting it when its purpose is served, and bind your processors through proper contracts.

If a breach does occur, you must notify both the Data Protection Board and affected individuals. The Rules set a two-tier, time-bound duty: an immediate notification describing the nature, scope and likely impact of the breach, followed by a fuller report within 72 hours covering the circumstances, the remedial measures taken and the findings on cause. Organisations that handle children’s data must additionally obtain verifiable parental consent and must not undertake tracking, behavioural monitoring or targeted advertising directed at children.

Penalties and the Data Protection Board

Enforcement under the DPDP Act runs through the Data Protection Board of India, a digital-first regulator that receives complaints, investigates breaches and imposes monetary penalties. The Board is designed to function largely online, and its decisions can be appealed to the Telecom Disputes Settlement and Appellate Tribunal.

The penalty schedule is tiered by the nature of the failure rather than the size of the company. The highest exposure — up to ₹250 crore — attaches to failing to take reasonable security safeguards that results in a personal data breach. Failing to notify a breach, or failing to meet the additional obligations around children’s data, can attract penalties up to ₹200 crore. Other breaches of the Act’s obligations carry their own ceilings, and the Board weighs factors such as the gravity and duration of the breach, whether it was repetitive, and the steps taken to mitigate it.

The practical takeaway is that penalties are large enough to matter to even the biggest organisations, and they are tied closely to security and breach-response failures. That makes the unglamorous work of safeguards, logging and incident readiness the single highest-leverage area of DPDP compliance.

DPDP vs GDPR — a quick orientation

Anyone who has worked with Europe’s General Data Protection Regulation will find the DPDP Act familiar in spirit: both are consent-centric, both give individuals strong rights, and both impose accountability on the organisations that control data. But there are real differences that matter when you design a single global programme.

The DPDP Act is deliberately leaner. It does not create a separate category of “sensitive personal data” with extra rules, where the GDPR does. It uses a negative-list model for cross-border transfers — data may flow to any country except those the government specifically restricts — rather than the GDPR’s adequacy-and-safeguards approach. It centralises enforcement in a single Data Protection Board rather than a network of supervisory authorities, and it lacks some GDPR rights such as data portability and a general right to object.

For multinationals, the good news is that a mature GDPR programme provides a strong foundation. The work is mostly about mapping existing controls to Indian definitions, adjusting notice and consent language, registering or appointing the India-specific roles where required, and aligning breach-reporting timelines.

What to do next — prepare before the deadline

Because the 2025 Rules set a fixed, roughly 18-month runway, the smartest posture is to treat DPDP readiness as a programme rather than a last-minute scramble. Start by building a defensible record of what personal data you hold, where it lives, why you process it and who you share it with. That data map is the foundation everything else rests on.

From there, prioritise the highest-penalty areas first: security safeguards, logging and a tested breach-response plan that can meet the 72-hour reporting duty. In parallel, redesign notices and consent capture, stand up your rights-and-grievance workflow, paper your processor relationships with proper contracts, and decide whether you are likely to be designated a significant data fiduciary and therefore need a DPO, audits and impact assessments.

None of this needs to be done alone. A specialist compliance partner can compress the timeline considerably — running a gap assessment against the Act and Rules, helping remediate the technical safeguards, and putting the documentation and governance in place so that when the deadline arrives, DPDP compliance is something you can demonstrate rather than something you are still chasing.

The DPDP Act — Frequently Asked Questions

The Digital Personal Data Protection Act, 2023 is India’s first dedicated, comprehensive law for protecting digital personal data. It governs how organisations collect, use, store and share the personal data of individuals, and gives those individuals enforceable rights over their data.

The Act received presidential assent on 11 August 2023, and the Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025. The Rules begin a phased, roughly 18-month transition, giving most operational obligations a compliance deadline around May 2027.

It applies to processing of digital personal data in India, and to processing outside India that relates to offering goods or services to people in India. A foreign company with Indian users can fall within scope even without a local office.

Penalties are imposed by the Data Protection Board of India and are tiered. They reach up to ₹250 crore for failing to take reasonable security safeguards that leads to a breach, and up to ₹200 crore for failing to notify a breach or to protect children’s data.

Consent is the primary lawful basis and must be free, specific, informed, unconditional and easy to withdraw. The Act also allows certain ‘legitimate uses’ without fresh consent, such as where a person voluntarily provides data for a requested service, or for specified legal and emergency purposes.

Both are consent-centric, but the DPDP Act is simpler. It has no separate ‘sensitive data’ category, uses a negative-list model for cross-border transfers, and centres enforcement on a single Data Protection Board rather than a network of authorities.