
June 29, 2026 · 12 min read

DPDP Act 2023 Explained: India's Data Protection Law (2026 Guide)

India's DPDP Act 2023 is now being enforced in phases, with core obligations due by 13 May 2027. This guide explains what the law requires, who must comply, the rights it grants, and the penalties for getting it wrong — in plain English.

DPDP Act 2023: A Complete, Plain-English Guide to India's Data Protection Law

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive law governing how organisations collect, use, store, and share the digital personal data of people in India. It gives individuals real control over their data, places clear duties on businesses, and creates a regulator — the Data Protection Board of India — that can impose penalties of up to ₹250 crore.

The Act received presidential assent in August 2023, but it stayed largely dormant until the operational detail arrived. That detail came on 14 November 2025, when the Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules, 2025 and a phased enforcement schedule running through 13 May 2027. The waiting period is over. The build period has begun.

This guide breaks the law down the way a privacy consultant would explain it to your leadership team — what it actually requires, who it covers, the dates you need to plan around, and the practical first steps — without the legalese.

Key Takeaways

• The DPDP Act 2023 is India's standalone data protection law, now operational in phases.

• It applies to any organisation — Indian or foreign — that processes the digital personal data of people in India.

• Core compliance obligations (notice, consent, rights, breach reporting) must be met by 13 May 2027.

• Penalties reach ₹250 crore for failing to maintain reasonable security safeguards.

• The DPDP Rules 2025 turn the Act's principles into concrete, mandatory requirements.

1. What Is the DPDP Act 2023?

The DPDP Act 2023 regulates the processing of digital personal data — any data about an identifiable individual that is collected in digital form, or collected offline and later digitised. It applies to almost every organisation that handles such data in connection with India, and it rests on a simple bargain: businesses may use personal data, but only lawfully, transparently, for stated purposes, and with accountability they can prove.

Unlike Europe's dense, prescriptive GDPR, the Act takes a principle-based, consent-centric approach. The government has framed its drafting philosophy as "SARAL" — Simple, Accessible, Rational, and Actionable. The result is a shorter, more readable statute that hands operational detail to the DPDP Rules, 2025.

In one line: the Act sets the principles and rights; the Rules tell you how to comply. You need both to understand your obligations.

2. The Business Problem: Why This Law Changes Everything

For most Indian businesses, personal data has been managed informally for years — consent buried in a checkbox, customer records scattered across spreadsheets and CRMs, no clear owner, no audit trail. That approach carried little legal risk because there was no serious law to enforce against it.

That era has ended. Three shifts make the DPDP Act a board-level concern:

• The financial exposure is real. A single security failure leading to a breach can attract a penalty of up to ₹250 crore — a figure large enough to threaten the survival of a mid-sized company.

• Responsibility cannot be outsourced. Even when a vendor processes your data, the legal accountability stays with you as the Data Fiduciary.

• The deadline is fixed, not flexible. Core obligations are enforceable from 14 May 2027, with no grace period afterward.

The businesses that struggle will be the ones that treat this as a last-minute paperwork exercise. Operational readiness — consent systems, data maps, breach workflows — takes months to build properly.

3. Why India Needed a Data Protection Law

For over two decades, India had no dedicated data protection statute. Personal data was governed loosely under the Information Technology Act, 2000, primarily Section 43A, and the SPDI Rules, 2011. That framework was narrow, omitted modern data types like location and browsing history, lacked an independent regulator, and was rarely enforced.

The turning point was constitutional. In 2017, a nine-judge bench of the Supreme Court in Justice K.S. Puttaswamy (Retd.) v. Union of India unanimously held that privacy is a fundamental right under Article 21 of the Constitution. That judgment made a comprehensive data protection framework a legal necessity, not just a policy choice. After several draft bills and years of consultation, the DPDP Act became that framework — and India joined the ranks of major economies with a standalone privacy law.

Related reading: For the full transition from the IT Act to today, see "DPDP Act vs the IT Act & SPDI Rules."

4. Is the DPDP Act in Force? The Enforcement Timeline

Yes — but in stages. The Act and Rules are being switched on in three phases, so different obligations become enforceable at different times. Understanding this rollout is the most practical thing you can take from this guide.

PHASE 1 — Effective from 14 November 2025

Establishment of the Data Protection Board of India; core definitions; administrative provisions; bar on civil court jurisdiction.

PHASE 2 — Effective from 14 November 2026

Consent Manager registration framework; the Board's powers relating to consent managers.

PHASE 3 — Effective from 14 May 2027

All substantive duties: notice and consent, data principal rights, breach reporting, children's data, security safeguards, SDF obligations, cross-border rules, exemptions.

A few points worth internalising:

• The Data Protection Board of India has been constituted in the National Capital Region with four members.

• During the transition, the IT Act and SPDI Rules remain in force until the relevant provisions are switched off in 2027 — so for now, treat both regimes as live and default to the higher standard.

• There is no cure period after 14 May 2027. You need to be ready before the deadline, not racing toward it.

Treat 2026 as your build year. The organisations that begin now will be operational; those that wait will be improvising under penalty pressure.

Related reading: A section-by-section walkthrough lives in our "DPDP Rules 2025 guide."

5. Who Does the DPDP Act Apply To?

The Act applies broadly. You are very likely covered if any of these is true:

• You are an organisation in India that processes personal data in digital form.

• You are based outside India but offer goods or services to people in India — the Act has explicit extraterritorial reach.

• You process customer, employee, vendor, or website-visitor data digitally.

This catches B2C and B2B companies alike. A persistent myth is that the law only targets big tech. In reality, a startup with a signup form, an HR team holding employee records, and a clinic storing patient details all fall within scope. The Act does not apply to purely personal or domestic use of data, or to personal data kept entirely in non-digital form.

Related reading: Running a smaller organisation? See "DPDP Compliance for Startups" for a right-sized approach.

6. Key Roles: Data Principal, Data Fiduciary, Data Processor

Three roles sit at the centre of the Act, and getting them straight is essential because obligations attach to specific roles.

• Data Principal — the individual to whom the personal data relates (the "data subject" in GDPR terms).

• Data Fiduciary — the organisation that decides why and how personal data is processed. The fiduciary carries primary responsibility for compliance.

• Data Processor — a third party that processes data on behalf of a fiduciary, under a contract.

The distinction has real consequences. A SaaS vendor handling data for a client is usually a processor; the client deciding the purpose is the fiduciary. Critically, the fiduciary stays accountable even when a processor does the actual work — which is why vendor contracts and oversight matter so much.

Related reading: "Who Is a Data Fiduciary Under the DPDP Act?" explains the role in depth.

7. The Core Principles Behind the Act

Strip away the detail and the DPDP Act rests on principles familiar to anyone who has worked with modern privacy law:

• Lawfulness and transparency — process data fairly and tell people what you're doing.

• Purpose limitation — use data only for the purpose you stated.

• Data minimisation — collect only what you genuinely need.

• Accuracy — keep data correct and current.

• Storage limitation — retain data only as long as the purpose requires.

• Security safeguards — take reasonable measures to prevent breaches.

• Accountability — be able to demonstrate compliance, not merely assert it.

The last principle deserves emphasis. Under the DPDP Act, saying you comply is not enough; you must hold the records, logs, and evidence to prove it if the Board asks.

8. How Consent Works Under the DPDP Act

Consent is the backbone of the Act. To be valid, it must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Pre-ticked boxes, bundled permissions, and implied consent do not qualify.

Two requirements stand out in practice:

• A clear notice must come first. Before or at the point of collection, you must give the Data Principal a standalone, plain-language notice describing what data you collect, why, how they can exercise their rights, and how to complain to the Board. The Act requires that the Data Principal be able to access this notice in English or in any language listed in the Eighth Schedule of the Constitution.

• Withdrawal must be as easy as giving consent. Once consent is withdrawn, you must stop processing — subject to any legal retention duties.

The Act also recognises certain legitimate uses where consent isn't the basis — for example, when an individual voluntarily provides data for a service they requested, or where processing is needed to comply with a legal obligation. Unlike GDPR, though, the DPDP Act does not offer a broad "legitimate interests" ground, so many activities that relied on that basis abroad will need consent here.
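The following Python sketch is an added example, not code from the original guide and not ProtectComply's product; it shows one way to turn the consent rules above into an enforceable control rather than a checkbox. It records one ledger entry per Data Principal and purpose, rejects bundled purposes, refuses processing for any purpose that lacks its own current grant (purpose limitation), makes withdrawal a single call that mirrors grant, carves out retention that a legal obligation requires, and exports the ordered event history as accountability evidence. The class name, the `notice_version` field and the sample principal `p-001` are assumptions made for the example.

```python
"""Purpose-scoped consent ledger: an illustration of the DPDP consent rules."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent audit trail."""
    principal_id: str
    purpose: str
    action: str                      # "grant" or "withdraw"
    at: datetime
    notice_version: Optional[str]    # notice the principal saw (assumed field; None on withdraw)


class ConsentLedger:
    """Append-only, per-purpose consent record that gates every processing step."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              at: Optional[datetime] = None) -> ConsentEvent:
        # Specific and unbundled: one grant records exactly one stated purpose.
        if not purpose.strip() or any(sep in purpose for sep in (",", ";", "+")):
            raise ValueError("record consent per purpose; bundled purposes are not valid")
        # Informed: every grant points at the notice it was given against.
        if not notice_version:
            raise ValueError("a grant must reference the notice shown to the principal")
        ev = ConsentEvent(principal_id, purpose, "grant",
                          at or datetime.now(timezone.utc), notice_version)
        self._events.append(ev)
        return ev

    def withdraw(self, principal_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal mirrors grant: a single call, no extra conditions or friction.
        ev = ConsentEvent(principal_id, purpose, "withdraw",
                          at or datetime.now(timezone.utc), None)
        self._events.append(ev)
        return ev

    def latest(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent event for this principal/purpose pair, or None."""
        for ev in reversed(self._events):
            if ev.principal_id == principal_id and ev.purpose == purpose:
                return ev
        return None

    def may_process(self, principal_id: str, purpose: str,
                    legal_retention: bool = False) -> Tuple[bool, str]:
        """Return (allowed, reason) for processing `purpose` right now.

        Purpose limitation: a grant for one purpose never covers another.
        Withdrawal ends processing, except that data may still be retained
        where a legal obligation requires it (legal_retention=True).
        """
        ev = self.latest(principal_id, purpose)
        if ev is None:
            return False, "no consent recorded for this purpose"
        if ev.action == "grant":
            return True, f"granted at {ev.at.isoformat()} against notice {ev.notice_version}"
        if legal_retention:
            return True, "withdrawn; retention only, under a legal obligation"
        return False, f"withdrawn at {ev.at.isoformat()}"

    def evidence(self, principal_id: str) -> List[dict]:
        """Ordered, exportable history: the record an auditor or the Board would ask for."""
        return [
            {"purpose": e.purpose, "action": e.action,
             "at": e.at.isoformat(), "notice_version": e.notice_version}
            for e in self._events if e.principal_id == principal_id
        ]


if __name__ == "__main__":
    # Constructed sample data, not real records.
    ledger = ConsentLedger()
    ledger.grant("p-001", "order_fulfilment", "notice-v3")
    ledger.grant("p-001", "marketing_email", "notice-v3")
    print(ledger.may_process("p-001", "marketing_email"))   # allowed
    print(ledger.may_process("p-001", "analytics"))         # refused: no consent for this purpose
    ledger.withdraw("p-001", "marketing_email")
    print(ledger.may_process("p-001", "marketing_email"))   # refused: withdrawn
    print(ledger.may_process("p-001", "marketing_email", legal_retention=True))
    print(ledger.evidence("p-001"))
```

The design point is that `may_process` is the only path to the data: every job, export or API handler asks the ledger for a specific purpose before touching a record, so a withdrawn or never-granted purpose fails closed, and the event list doubles as the evidence the accountability principle demands.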

Related reading: "DPDP Consent Management Explained" covers how to operationalise this end to end.

9. The Rights of a Data Principal

The Act gives individuals meaningful control over their data. A Data Principal has the right to:

1. Access — information about their personal data and how it's being processed.

2. Correction and updating — of inaccurate or incomplete data.

3. Erasure — of personal data that's no longer needed.

4. Nomination — to nominate another person to exercise their rights in the event of death or incapacity.

5. Grievance redressal — a readily available channel to raise complaints, with the right to escalate to the Board.

Businesses must build a way to receive, verify, and fulfil these requests. The Rules require grievances to be resolved within a reasonable period — no later than 90 days.

Related reading: "Data Principal Rights Under the DPDP Act" breaks down each right with examples.

10. What Businesses Must Do: Data Fiduciary Obligations

If you're a Data Fiduciary, the Act expects you to:

• Collect data only with valid consent or a recognised legitimate use.

• Provide a clear, itemised notice in the required languages.

• Honour data principal rights and run a working grievance mechanism.

• Keep data accurate, secure, and retained no longer than necessary.

• Implement reasonable security safeguards — the Rules specify measures like encryption, masking, access control, access logging, and backups.

• Retain processing logs and associated traffic data for at least one year, as the Rules' reasonable-security-safeguards requirement specifies.

• Bind processors to appropriate safeguards through contracts.

• Maintain records and be able to demonstrate compliance.

Related reading: Turn these duties into a working plan with our "DPDP Compliance Checklist."

11. Significant Data Fiduciaries: The Higher Tier

The government can designate certain organisations as Significant Data Fiduciaries (SDFs) based on factors like the volume and sensitivity of data they handle and the risk they pose to individuals. Large platforms — major social media and e-commerce companies, for example — are likely candidates.

SDFs carry extra duties:

• Appoint a Data Protection Officer (DPO) based in India.

• Appoint an independent data auditor.

• Conduct periodic Data Protection Impact Assessments (DPIAs).

• Share significant observations and gaps periodically with the Data Protection Board.

If you might fall into this tier, plan early. These obligations are operationally heavy and cannot be assembled overnight.

12. Personal Data Breaches and Reporting

The Act and Rules require fiduciaries to report personal data breaches to both the Data Protection Board and the affected Data Principals. Two features make India's regime stricter than many others:

• There is no severity threshold. The Act requires every personal data breach to be reported, however minor it appears, whereas under the EU and UK GDPR a breach need not be reported to the regulator if it is unlikely to result in a risk to individuals.

• It is a two-tier process. The Rules require you to inform the affected individuals and the Board without delay, and to follow up to the Board with a detailed report within 72 hours (a window the Board may extend on a written request).

This makes a pre-built breach response capability essential. You cannot improvise detection, escalation, and notification under deadline pressure — you need workflows, owners, and templates ready before Phase 3 lands.

Related reading: "One Data Leak Can Cost Your Business Everything" explores the operational and reputational stakes.

13. Penalties Under the DPDP Act

Penalties are substantial and are decided by the Data Protection Board based on the nature, gravity, and duration of the violation. The Act's Schedule sets the upper limits:

• Failure to take reasonable security safeguards (leading to a breach): up to ₹250 crore

• Failure to notify a personal data breach: up to ₹200 crore

• Failure in obligations relating to children's data: up to ₹200 crore

• Breach of Significant Data Fiduciary obligations: up to ₹150 crore

• Other breaches of the Act or Rules: up to ₹50 crore

• Misuse of rights / frivolous complaints by an individual: up to ₹10,000

Beyond the rupee figures, the Board can publish details of violations — a reputational cost that often outweighs the fine, especially for consumer-facing brands. Appeals from the Board go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Related reading: "DPDP Act Penalties Explained" covers each category with worked examples.

14. DPDP Act vs GDPR: A Practical Comparison

For teams already familiar with the EU's GDPR, the DPDP Act will feel recognisable but not identical.

• Drafting style: the DPDP Act is shorter and principle-based; GDPR is longer and prescriptive.

• Lawful bases: the DPDP Act relies mainly on consent plus a limited set of legitimate uses; GDPR has six lawful bases.

• Individual rights: the DPDP Act grants a narrower set (access, correction, erasure, nomination, grievance redressal); GDPR is broader (including portability and objection).

• Regulator: the Data Protection Board of India; under GDPR, national DPAs plus the EDPB.

• Cross-border transfers: the DPDP Act uses a blacklist model (transfers are restricted only to countries the government notifies); GDPR uses an adequacy (whitelist) model.

• Breach threshold: the DPDP Act has none, so every breach is reported; GDPR's threshold is risk-based.

• Government exemptions: broader under the DPDP Act; narrower under GDPR.

GDPR-ready organisations have a strong head start, but should not assume coverage. Notice formats, consent operations, breach thresholds, and vendor contracts often need rework to fit the Indian regime.

Related reading: "GDPR vs DPDP Act" offers a full side-by-side comparison.

15. Industry Examples: What Compliance Looks Like

The law lands differently across sectors. A few illustrations:

• BFSI (banks, NBFCs, fintech): High volumes of sensitive financial and KYC data, plus overlap with the consent manager and account aggregator ecosystem. Consent granularity and breach readiness are top priorities.

• Healthcare: Patient records are among the most sensitive data a business can hold. Hospitals and health-tech platforms need tight access controls, clear consent for each purpose, and strict retention discipline.

• SaaS companies: Usually Data Processors for their clients but Data Fiduciaries for their own employee and prospect data. They face dual obligations and heavy scrutiny on sub-processor contracts.

• E-commerce and D2C: Marketing consent, cookie banners, and the new erasure timelines for high-user-threshold platforms make consent hygiene critical.

• HR teams (all sectors): Employee data spans the entire lifecycle — recruitment, payroll, exit. Much of it relies on legitimate use rather than consent, which has to be mapped carefully.

The common thread: every business needs to know what data it holds, why, and on what legal basis — before it can claim compliance.

16. Benefits, Challenges, and Best Practices

The benefits of getting ahead

• Reduced regulatory and financial risk as the deadline approaches.

• Stronger customer trust — transparency is becoming a genuine differentiator.

• Cleaner data operations — the discipline of mapping and minimising data improves efficiency, not just compliance.

• Smoother enterprise sales — buyers increasingly demand privacy assurances from vendors.

The challenges businesses face

• Fragmented data sitting across cloud, SaaS, on-premises, and endpoints with no single inventory.

• Legacy consent that doesn't meet the "free, specific, informed, unconditional, unambiguous" standard.

• Vendor sprawl with no record of who processes what.

• No breach playbook, leaving teams exposed to the zero-threshold reporting rule.

Best practices to start now

1. Map your data. Build an inventory of what you hold, where it lives, and why.

2. Fix consent and notices. Make them specific, layered, and easy to withdraw.

3. Stand up rights handling. Create a verified, time-bound process for requests.

4. Prepare for breaches. Define detection, escalation, and notification workflows.

5. Tighten vendor contracts. Bind processors to the required safeguards.

6. Document everything. Accountability means evidence you can produce on demand.

------------------------------------------------------------------

17. How ProtectComply Helps

The work above is exactly what a dedicated DPDP platform is built to absorb. ProtectComply, a comprehensive DPDP compliance platform developed by Exuverse, brings the moving parts of compliance into one place so teams aren't stitching together spreadsheets and one-off tools.

It supports the operational backbone of the Act, including:

• DPDP gap assessment to benchmark where you stand against the Act and Rules.

• Consent management with granular, per-purpose capture and easy withdrawal.

• Data mapping and discovery (RoPA) to build the inventory compliance depends on.

• Risk and impact assessments to surface and prioritise exposure.

• Vendor risk management to keep processor obligations under control.

• Breach and grievance workflows aligned to the Act's reporting expectations.

• A compliance dashboard, policy management, and evidence management for audit readiness.

• Workflow automation and ongoing compliance monitoring so readiness is continuous, not a one-time scramble.

Each module is anchored to the specific sections of the Act it addresses, which keeps the work grounded in the law rather than abstract checklists. If you want a quick read on your current position, a free readiness check scores you against the Act in about ten minutes.

Related reading: Comparing tools? Start with "DPDP Compliance Software: Features Every Business Should Look For."

18. Conclusion

The DPDP Act 2023 marks the moment India moved from informal data handling to a real, enforceable privacy regime. The law is now live and rolling out in phases, with the core obligations — notice, consent, rights, security, and breach reporting — enforceable from 14 May 2027. There is no grace period and no shortcut.

The good news is that compliance, approached early, is manageable and even advantageous. Mapping your data, fixing consent, preparing for breaches, and documenting your evidence are achievable steps that also make your business cleaner and more trustworthy. The organisations that start in this build window will meet the deadline comfortably; those that wait will pay for it in stress, cost, and risk.

Begin with clarity about where you stand — then close the gaps methodically. That's how a daunting law becomes a routine part of how you operate.

19. Frequently Asked Questions

What is the DPDP Act 2023 in simple terms?

It's India's data protection law. It lets people control how their digital personal data is used, requires businesses to obtain valid consent and protect that data, and creates a regulator that can fine violators up to ₹250 crore.

Is the DPDP Act in force now?

Partly. The Data Protection Board of India was established in November 2025, and the remaining obligations are being switched on in phases, with full enforcement of core duties from 14 May 2027.

Who needs to comply with the DPDP Act?

Any organisation — Indian or foreign — that processes the digital personal data of people in India, including businesses serving Indian customers from abroad. It covers customer, employee, and vendor data alike.

What are the penalties under the DPDP Act?

The Board can impose up to ₹250 crore for failing to maintain reasonable security safeguards, with other categories capped at ₹200, ₹150, or ₹50 crore depending on the violation.

What rights do individuals have under the DPDP Act?

The right to access their data, correct or update it, request erasure, nominate a representative, and seek grievance redressal — with escalation to the Data Protection Board if a complaint isn't resolved.

What's the difference between the DPDP Act and the DPDP Rules 2025?

The Act sets out the rights, roles, and penalties. The Rules, notified on 14 November 2025, provide the operational detail — how consent must be structured, what breach notifications must contain, and what Significant Data Fiduciaries must do.

How is the DPDP Act different from GDPR?

The DPDP Act is shorter and more principle-based, relies mainly on consent, grants a narrower set of rights, uses a blacklist model for cross-border transfers, requires reporting of all breaches without a severity threshold, and gives the government broader exemptions.

Does the DPDP Act apply to small businesses and startups?

Yes. Any business processing personal data is covered, although the government may notify lighter obligations for certain classes of fiduciaries. Startups should still map data, fix consent, and prepare rights handling early.

What should a business do first to prepare?

Start by mapping your data — what you hold, where it lives, and why. From there, fix consent and notices, build rights and breach workflows, tighten vendor contracts, and document your evidence.
