The Act establishes India's first modern, enforceable framework governing the collection, processing, storage, and transfer of digital personal data. It imposes real obligations, carries real penalties up to ₹250 crore, and is enforced by a fully digital regulator designed to be easy for anyone to approach. This guide explains what the Act requires, who it applies to, and what Indian businesses need to do before the compliance window closes.
What Is the DPDP Act?
The Digital Personal Data Protection Act, 2023 is the primary legislation governing how digital personal data about individuals, called Data Principals, is collected and used by organisations, called Data Fiduciaries. Its stated objectives are to protect individuals' rights while ensuring data can flow freely for legitimate purposes.
The Act applies to personal data collected in digital form, whether originally digital or later converted. It has extra-territorial reach: it applies to processing within India, and to processing outside India if it involves offering goods or services to Data Principals in India. Multinationals with Indian customers are covered, regardless of where they are incorporated.
Who Does It Apply To?
Any entity that determines the purpose and means of processing personal data is a Data Fiduciary. In practice, this covers virtually every organisation that interacts with Indian customers, employees, patients, or users. The Act distinguishes between:
- Data Fiduciaries: the primary obligated party, responsible for consent, purpose, security, and grievance redressal
- Data Processors: entities processing data on behalf of a Fiduciary, bound primarily by contract with the Fiduciary
- Significant Data Fiduciaries (SDFs): designated by the Central Government based on volume, sensitivity, risk to sovereignty, and impact on democratic processes. SDFs face additional obligations.
Exemptions exist for state instrumentalities performing sovereign functions, data processed for personal and domestic purposes, and data already made publicly available by the Data Principal themselves.
Core Obligations for Data Fiduciaries
1. Consent
Processing personal data requires free, specific, informed, unconditional, and unambiguous consent, signified by a clear affirmative act. Consent must be sought in plain language (in English or a scheduled Indian language) and must be as easy to withdraw as to give. Pre-ticked boxes, bundled consents, and consent buried in terms-of-service clauses will not pass muster.
2. Purpose Limitation
Data collected for one purpose cannot be used for another. Organisations that want to use personal data beyond its originally stated purpose must seek fresh consent. This directly affects data monetisation strategies, cross-selling programmes, and AI training pipelines built on customer data.
3. Data Minimisation and Storage Limitation
Only the data necessary for the stated purpose may be collected and retained. Once the purpose is fulfilled, or the Data Principal withdraws consent, the data must be erased. Unlimited-retention data warehouses require fundamental redesign.
4. Security Safeguards
Reasonable security safeguards must prevent personal data breaches. A breach must be notified to the Data Protection Board promptly upon discovery, and to affected individuals within 72 hours. "We didn't know" is not a defence if adequate monitoring systems were absent.
5. Children's Data
No personal data of a child (under 18) may be processed without verifiable parental consent. Behavioural monitoring and targeted advertising directed at children are prohibited outright. This affects educational platforms, gaming companies, and any consumer service with underage users.
The Rights of Data Principals
The DPDP Act grants individuals significant rights that they can enforce directly through the Data Protection Board:
- Right to know what personal data is held and how it is being processed
- Right to correct or update inaccurate or outdated data
- Right to have data erased once the processing purpose is fulfilled
- Right to grievance redressal through the Fiduciary's internal mechanism
- Right to nominate another individual to exercise rights on their behalf (particularly relevant for elderly or incapacitated Data Principals)
These rights are not passive. The fully digital Data Protection Board makes it straightforward for any aggrieved customer, employee, or partner to file a complaint. The Board can award compensation and impose penalties in the same proceeding.
Significant Data Fiduciaries: Extra Obligations
Entities designated as SDFs, expected to include major e-commerce platforms, social media intermediaries, large telecom operators, and significant financial service providers, must additionally:
- Appoint a Data Protection Officer (DPO) based in India, accountable to the Board of Directors
- Engage an independent Data Auditor for periodic audits of compliance
- Conduct Data Protection Impact Assessments (DPIAs) before implementing new high-risk processing activities
- Comply with additional restrictions on algorithmic processing and cross-border data transfers
The Central Government has not yet published the final list and criteria for SDF designation, but MeitY's consultation documents indicate that organisations processing data of more than 10 million individuals at a systemic level are likely candidates.
Penalties: The Numbers That Matter
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore |
| Failure to notify the Board and affected individuals of a breach | ₹200 crore |
| Violation of obligations relating to children's data | ₹200 crore |
| Breach of additional SDF obligations | ₹150 crore |
| Breach of any other provision (including consent violations) | ₹50 crore |
These penalties are cumulative and can be imposed per violation. An organisation that suffered a breach, failed to notify, and had no security safeguards could face multiple simultaneous actions. The Board also considers the organisation's financial capacity, the nature and gravity of the breach, and whether mitigation measures were in place, making the absence of a policy an aggravating factor, not a neutral one.
Timeline: When Does This Become Mandatory?
Eighteen months is not generous once you map it against the actual work: auditing data flows, redesigning consent, renegotiating vendor contracts, training staff, and building breach protocols.
Seven Steps to DPDP Compliance
1. Map your data flows
Identify all personal data your organisation collects, what it is, where it comes from, how it is used, where it goes, and how long it is retained. A data flow map is the foundation of every subsequent compliance activity.
2. Classify Data Principals and purposes
Determine which relationships (customers, employees, vendors, users) are covered and what categories of data are involved in each. Children's data, health data, and financial data warrant the most urgent attention.
3. Audit and redesign consent mechanisms
Review every touchpoint where you currently collect personal data. Consumer-facing products almost certainly need updated consent flows, language, and withdrawal mechanisms. This is typically the largest engineering and UX effort.
4. Review all vendor and processor contracts
Every third party that processes personal data on your behalf needs a DPDP-compliant Data Processing Agreement. Audit all data-sharing arrangements and renegotiate where necessary. AI vendors require particular scrutiny, given the risk that personal data is disclosed to unvetted AI tools (shadow AI) outside any contractual control.
5. Implement security controls
Conduct a gap assessment against CERT-In guidelines and the Act's security safeguard requirements. Prioritise encryption at rest and in transit, access controls, and monitoring systems that can detect and log potential breaches.
6. Establish grievance infrastructure
Appoint a Grievance Officer, publish their contact details on your platform, and build documented response workflows with the 15-day resolution obligation in view. For likely SDFs, begin DPO recruitment.
7. Build and test your breach protocol
Define who decides whether an incident is notifiable, who contacts the Board, and who notifies affected individuals. The DPDP Rules establish a two-stage notification: immediate notification to the Board, followed by notification to affected Data Principals within 72 hours. Both clocks start when the organisation becomes aware.
The DPDP Act is India's most consequential data regulation in a generation. The organisations that build genuine compliance programmes will be better positioned to earn customer trust, win enterprise contracts that require data governance disclosures, and avoid the reputational and financial cost of a Board enforcement action.
The window is open. The question is whether your organisation uses it.
