ISpectra Technologies
Knowledge Hub · 48 Expert Guides · India-Focused

The Complete DPDP Act Compliance Hub

Everything Indian and India-facing businesses need to understand and comply with the Digital Personal Data Protection Act, 2023 and the 2025 Rules — scope, roles, consent, rights, security safeguards, breach notification, cross-border transfers, and penalties. Practical guides, checklists, and templates, organised by where you are in the journey.

Quick Answer

What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive law dedicated to protecting digital personal data. It governs how an organisation that decides why and how data is processed — a data fiduciary — collects, uses, stores and shares the personal data of individuals, called data principals. Processing is built on clear notice and consent (with limited "legitimate uses"), and individuals gain rights to access, correct and erase their data. The Act is enforced by the Data Protection Board of India, with penalties up to ₹250 crore. The operational detail lives in the DPDP Rules, 2025 (notified 13 November 2025), which set a phased compliance window of roughly 18 months. This hub brings together everything you need to understand and achieve DPDP compliance.

The Library

Find any DPDP answer in seconds

Search the full hub, or filter by experience level. Every guide is written for Indian and India-facing teams getting ready for the DPDP Act and the 2025 Rules.


The Journey

Your path to DPDP compliance

Six phases from a blank slate to demonstrable, audit-ready compliance. Tap a phase to see what happens and what you walk away with.

Phase 1 of 6. You walk away with: a data inventory & processing map.

Key Roles & Definitions

The key roles, decoded

The DPDP Act builds everything on a handful of defined roles. A Data Protection Officer rounds out the cast for significant data fiduciaries.

Core

Data Principal

The individual the personal data is about. The data principal holds the rights the Act creates — access, correction, erasure, grievance and nomination — and, for a child, the role includes the parent or lawful guardian.

Core

Data Fiduciary

The person or organisation that decides why and how personal data is processed. The fiduciary carries most of the Act's duties: notice, consent, security safeguards, breach reporting and honouring data principal rights.

Acts for fiduciary

Data Processor

Anyone who processes personal data on a fiduciary's behalf — a cloud host, payroll vendor or analytics tool. A processor acts only under a valid contract, and the fiduciary stays accountable for what it does.

Higher obligations

Significant Data Fiduciary

A class the Government designates based on the volume and sensitivity of data and the risk it poses. SDFs must appoint a DPO in India, run independent audits and conduct Data Protection Impact Assessments.

Intermediary

Consent Manager

A registered intermediary, accountable to the Data Protection Board, through which a person can give, review and withdraw consent across multiple fiduciaries from a single, interoperable platform.

Lawful Basis

Two ways to process data lawfully

Under the DPDP Act, almost all processing rests on one of two bases: the data principal's consent, or a defined "legitimate use." Here's how they compare.

Default basis

Consent

Permission, freely given.

  • Must be free, specific, informed, unconditional & unambiguous
  • Preceded by a clear, itemised notice
  • As easy to withdraw as it was to give
  • Can be managed through a registered Consent Manager
  • Best for: most commercial and marketing processing

Legitimate Uses

Defined, consent-free situations.

  • Data voluntarily provided for a requested service
  • Specified State functions, subsidies & benefits
  • Compliance with a legal obligation or court order
  • Medical emergencies and disaster response
  • Best for: narrow, defined purposes — not a general escape from consent

Security & Safeguards

Reasonable security safeguards

The DPDP Rules give "reasonable security safeguards" real teeth. These are the measures the Board will expect to see — and the ones that keep a breach from becoming a ₹250 crore penalty.

Encryption

Encrypt or mask personal data

What good looks like

  • At rest & in transit
  • Key management
  • Tokenisation / masking

Access control

Restrict access by identity

What good looks like

  • Role-based access
  • Multi-factor authentication
  • Least privilege

Logging

Keep logs for at least a year

What good looks like

  • Access & activity logs
  • Tamper resistance
  • Supports breach forensics

Breach response

Detect & report within 72 hours

What good looks like

  • Detection & triage
  • Two-tier Board notice
  • Affected-user notice

Retention & erasure

Delete data when its purpose ends

What good looks like

  • Purpose-based retention
  • Erasure on withdrawal
  • Defensible deletion logs

Processor contracts

Bind every processor by contract

What good looks like

  • Data processing agreement
  • Sub-processor controls
  • Audit & assist clauses

Enforcement & Penalties

Penalties at a glance

The Data Protection Board of India sets penalties by the type of failure, not the size of the company — weighing the gravity, duration and repetitiveness of the breach and the steps taken to mitigate it.

₹250 Cr Security failure

Failing to take reasonable security safeguards that results in a personal data breach.

₹200 Cr Breach & children

Failing to notify the Board of a breach, or breaching the extra obligations protecting children's data.

₹150 Cr SDF duties

A Significant Data Fiduciary failing its additional obligations — DPO, audits and impact assessments.

₹50 Cr Other duties

Breaching any other obligation under the Act or the Rules not covered by a higher tier.

Reduce your exposure

Because the highest penalties attach to security and breach-response failures, the safeguards above are the single highest-leverage area of DPDP compliance. A readiness assessment shows exactly where you stand.

Penalty ceilings reflect the DPDP Act, 2023 and the DPDP Rules, 2025. The Board determines the actual amount case by case.

FAQ

DPDP Act questions, answered

The Digital Personal Data Protection Act, 2023 is India's first comprehensive law for protecting digital personal data. It sets out how data fiduciaries may process the personal data of individuals (data principals), gives those individuals enforceable rights, and is enforced by the Data Protection Board of India.

The Act was passed in August 2023 and the DPDP Rules, 2025 were notified on 13 November 2025. The Rules introduce a phased transition of roughly 18 months, so the compliance deadline for most operational obligations falls around May 2027 — the time to prepare is now.

Any data fiduciary processing digital personal data in India, and any organisation outside India that processes such data to offer goods or services to people in India. There is no blanket small-business exemption from the core notice, consent and security duties.

Penalties are tiered and set by the Data Protection Board — up to ₹250 crore for failing to take reasonable security safeguards, and up to ₹200 crore for failing to notify a breach or to protect children's data.

Consent is the primary lawful basis and must be free, specific, informed, unconditional and easy to withdraw. The Act also permits a defined set of "legitimate uses" — such as data voluntarily given for a requested service, or processing for legal and emergency purposes — without fresh consent.

No. The Act uses a negative-list model: personal data may be transferred to any country except those the Government specifically restricts. Sector regulators (such as the RBI) may still impose their own localisation requirements separately.

Both are consent-centric and rights-based, but the DPDP Act is leaner. It has no separate "sensitive data" category, uses a negative list for cross-border transfers, centralises enforcement in one Data Protection Board, and omits some GDPR rights such as data portability.

An organisation the Government designates as significant based on the volume and sensitivity of the data it handles and the risks it poses. SDFs face extra duties: appointing a Data Protection Officer in India, commissioning independent audits, and conducting Data Protection Impact Assessments.

What Enterprise Clients Say

What Clients Say About Our Compliance & Security Services

“ISpectra expertly guided us through every step of the SOC 2 certification process, turning complex regulatory requirements into practical, actionable steps. Their partnership-centric approach and responsiveness made all the difference. Achieving SOC 2 certification with their help has significantly enhanced our credibility and trustworthiness in the market.”
Irina Zakharchenko, Chief Operations and People Officer, DocsDNA (SOC 2 Certified)

“ISpectra Technologies brought deep expertise in cybersecurity and DevSecOps to our projects, playing a crucial role in our EDR Tool implementations and SOC 2 compliance. Their solutions were tailored to our business and their proactive approach improved both our agility and security posture. ISpectra felt more like an extension of our team than an external vendor.”
Sam K, CEO, Office Hub Tech LLC (SOC 2 + EDR Implementation)

“Our Accounts Receivables have started to plummet since implementing RCMEdge. It provides electronic AR follow-up and identifies claims needing extra attention so we don't exhaust valuable resources on claims processing as normal. As a result, we're much more productive and cash flow favorable. Highly recommended!”
Brian Reese, Director of Business Development, 24/7 Medical Billing Services (AR Significantly Reduced)

“The VAPT report was presented in a structured and professional manner with clear categorization of vulnerabilities by severity. The depth of technical findings, along with practical remediation suggestions, provided our team with valuable insights. The clarity of documentation made it easy for our internal teams to translate recommendations into actionable steps.”
Karthik Vadivel, Lead System Engineer, ICS Pvt Ltd (VAPT Security Strengthened)

“The VAPT assessment was thorough and well-documented, providing a clear view of identified vulnerabilities with practical remediation guidance. The prioritization of risks and actionable recommendations enabled our teams to take corrective measures with clarity and confidence. We truly appreciate the expertise and professionalism your team brought to this engagement.”
Kayden Vincent, Cybersecurity Lead, 247 Medical Billing Services (VAPT Risk Mitigated)

“We have successfully secured our ISO 27001 certification through GLOCERT, and ISpectra Technologies was pivotal throughout. Your team's contribution was exceptional, not only in navigating the audit process but in the structural refinement of our internal policies and the practical application of ISMS best practices. The attention to detail ensured that our procedures are not just compliant, but operationally sound. We value the high standard of consultancy ISpectra has maintained and look forward to a continued professional association.”
Chandan P, Business Analyst, Infocruise Solutions Private Limited (ISO 27001 Certified)

Trusted by 200+ Global Enterprise Clients

Free DPDP Readiness Assessment

Ready to Protect Your Enterprise?

What Your Business Gets

  • Free DPDP scope & gap workshop
  • Trust Services Criteria fit review
  • Audit timeline & cost benchmarks
  • Control & evidence readiness check
  • Remediation & policy roadmap
  • Clear path to demonstrable DPDP compliance

No obligation · Results in 48 hours · 100% confidential

DPDP · Readiness · Audit · Continuous Compliance

Get ahead of the DPDP deadline.

ISpectra guides SaaS and technology companies from first scoping to a clean Type II — readiness, remediation, evidence automation, and audit support, all in one program.