India finally has a comprehensive data privacy law, and every organisation that processes the digital personal data of individuals in India needs to understand it, whether it is based in Mumbai or Manhattan.
The Digital Personal Data Protection Act, 2023 (DPDP Act, 2023) received Presidential assent on August 11, 2023, marking the culmination of a six-year legislative journey and India’s first standalone framework for governing digital personal data. With penalties reaching up to ₹250 crore per breach and a phased compliance deadline ending on 13 May 2027, the DPDP Act is not something enterprises can afford to approach reactively.
This guide breaks down every major provision of the DPDP Act, who it applies to, what it requires, how it will be enforced, and what your enterprise needs to do before the final compliance deadline.
1. What Is the DPDP Act? Background and Purpose
The DPDP Act is India’s first dedicated law for the protection of digital personal data. Before it was passed, India’s data protection framework rested on Section 43A and Section 72A of the Information Technology Act, 2000 (IT Act) and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The road to the DPDP Act was long. After the Supreme Court of India unanimously held in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) that privacy is a fundamental right under Article 21 of the Constitution, the government commissioned a data protection framework. Draft bills were released in 2018, 2019, and 2022, each withdrawn or revised after stakeholder feedback before the final version was tabled in Parliament in August 2023.
The Act’s stated purpose, set out in its preamble, is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
2. Who Does the DPDP Act Apply To?
Territorial Scope
The DPDP Act applies in two scenarios:
- Within India: Any processing of digital personal data collected within the territory of India, whether collected online or collected offline and subsequently digitised.
- Outside India (extra-territorial application): Processing of digital personal data outside India, if it is in connection with any activity related to offering goods or services to Data Principals (individuals) within the territory of India.
This means a US-based SaaS company with Indian users processing their data on servers abroad falls squarely within the DPDP Act’s reach.
What Data Is Covered?
The Act covers digital personal data, any data about an individual who is identifiable by or in relation to such data, in digital form. This includes data that was originally collected in non-digital form but has been digitised. Data in purely non-digital form is not covered.
Importantly, unlike the EU’s GDPR, the DPDP Act does not create a separate category of ‘sensitive personal data.’ All personal data is treated under a single framework, although the government retains the power to impose additional obligations on Significant Data Fiduciaries who process large volumes of sensitive data.
Who Is Exempt?
The DPDP Act carves out several full or partial exemptions (Sections 3 and 17). The usual obligations do not apply, or apply only in part, to processing involving:
- Prevention, detection, or investigation of offences
- Processing by courts and tribunals
- Processing related to national security or sovereignty
- Research, archiving, or statistical purposes (subject to applicable standards)
- Personal or domestic purposes
- Data that the Data Principal has voluntarily made publicly available
3. Key Definitions: Data Fiduciary, Data Principal, Data Processor
Understanding the DPDP Act starts with its three core roles:
| Term | Definition | Equivalent in GDPR |
|---|---|---|
| Data Fiduciary | Any person who, alone or in conjunction with others, determines the purpose and means of processing of personal data. | Data Controller |
| Data Principal | The individual to whom the personal data relates. In the case of a child, includes the parent or lawful guardian. | Data Subject |
| Data Processor | Any person who processes personal data on behalf of a Data Fiduciary. | Data Processor |
A critical practical note: the Act imposes its obligations on the Data Fiduciary, which remains responsible for compliance in respect of any processing done on its behalf by a Data Processor, irrespective of any agreement to the contrary (Section 8(1)). Data Processors are bound only by their contract with the Data Fiduciary; the regulatory responsibility and penalty exposure sit with the Data Fiduciary, so processor contracts are the Fiduciary’s only lever over that processing.
4. Obligations of Data Fiduciaries
Chapter 2 of the DPDP Act sets out the core obligations for all Data Fiduciaries. These are the requirements your organisation must meet.
Consent: The Foundation of DPDP Compliance
Under the DPDP Act, personal data may only be processed for a lawful purpose and the primary lawful basis is consent. Consent must be:
- Free, specific, informed, unconditional, and unambiguous
- Signified by a clear affirmative action
- Limited to the specified purpose for which it was obtained
- As easy to withdraw as to give
The DPDP Rules 2025 add operational detail (Rule 3): a request for consent must be accompanied or preceded by a standalone notice that can be understood independently of any other information, written in clear and plain language, itemising what personal data is collected and for which specified purpose, and describing how the Data Principal can withdraw consent, exercise rights, and complain to the Data Protection Board. Under Section 5(3) of the Act, the Data Principal must be able to access the notice and the consent request in English or in any of the 22 languages listed in the Eighth Schedule of the Constitution.
A second lawful basis exists: certain legitimate uses (Section 7) allow processing without consent in specific situations, such as data the Data Principal has voluntarily provided for a specified purpose, the State providing subsidies, benefits, services, certificates, or licences, compliance with a court judgment or order, medical emergencies, epidemics and disasters, and employment-related processing.
Notice Requirements
Before or at the time of requesting consent, and, for personal data for which consent was obtained before the Act commenced, as soon as reasonably practicable (Section 5(2)), a Data Fiduciary must issue a notice containing:
- An itemised description of personal data to be processed
- The specific purpose of processing
- A communication link for the Data Principal to withdraw consent, exercise rights, or lodge a complaint with the Data Protection Board
Purpose: Limitation and Data Minimisation
Data Fiduciaries must use personal data only for the specified purpose for which it was collected. The data must be erased when the Data Principal withdraws consent or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, unless retention is required by law (Section 8(7)). The Act does not permit secondary use or repurposing of data without fresh consent or an applicable legitimate-use ground.
Data minimisation applies: only data that is necessary for the stated purpose may be collected.
Data Accuracy
Data Fiduciaries are required to take reasonable steps to ensure that personal data is accurate and complete, particularly where decisions affecting Data Principals will be made based on that data or where personal data will be shared with other Data Fiduciaries.
Security Safeguards
Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches (Section 8(5)). Rule 6 of the DPDP Rules 2025 sets a minimum baseline: securing data through encryption, obfuscation, masking, or virtual tokens; access control for the computer resources involved; visibility of access through logs, monitoring, and review; backups and continuity measures so processing can continue after a compromise; contractual security obligations on Data Processors; and retention of logs and personal data relating to processing for at least one year from the date of processing, unless another law requires longer. Practically, this means the access logs, traffic data, and processing logs must survive for a year even where the personal data itself has been erased.
Breach Notification
In the event of a personal data breach, a Data Fiduciary must:
- Notify the Data Protection Board of India without delay on becoming aware of the breach, and within 72 hours (or a longer period the Board allows on written request) provide updated, detailed information: the facts and circumstances, the measures taken to mitigate risk, findings on the person who caused the breach, remedial measures taken, and a report of the intimations sent to affected Data Principals
- Notify each affected Data Principal without delay, describing the breach, its potential consequences, and the mitigation steps being taken
All breaches must be reported; the Act contains no de minimis threshold. There is no distinction between minor and significant breaches for notification purposes.
Grievance Redressal
Data Fiduciaries must publish contact details for a designated point of contact to handle Data Principal requests and complaints. All grievances must be addressed within 90 days of receipt.
5. Rights of Data Principals
The DPDP Act gives individuals a compact set of enforceable rights: four set out in Chapter III (Sections 11 to 14) plus the right to withdraw consent under Section 6(4):
| Right | What It Means for Your Organisation |
|---|---|
| Right to Access Information | Data Principals who consented to processing can ask for a summary of the personal data being processed and the processing activities, and the identities of all other Data Fiduciaries and Data Processors with whom it has been shared. Must be provided in clear, accessible form. |
| Right to Correction and Erasure | Data Principals can request correction, completion, or updating of inaccurate or misleading data, and erasure of data no longer needed for its specified purpose (unless retention is required by law). Data Fiduciaries must respond within the period they publish, which the Rules cap at 90 days. |
| Right to Grievance Redressal | Data Principals can raise complaints with the Data Fiduciary’s designated contact. They must exhaust this route before escalating to the Data Protection Board. |
| Right to Nominate | Data Principals may nominate another individual to exercise their rights in the event of their death or incapacity. This is a distinctive feature not found in GDPR. |
| Right to Withdraw Consent | Data Principals may withdraw consent at any time, with the same ease as it was given. Withdrawal does not retroactively invalidate prior processing, and the Data Principal bears the consequences of withdrawal (for example, loss of a service that needed the data). |

Freedom from harmful processing is not framed as a Data Principal right. The Act places it on the Data Fiduciary as an obligation, most explicitly for children: Section 9 prohibits any processing likely to cause a detrimental effect on a child’s well-being (see the next section).
6. Special Provisions: Children’s Data and Significant Data Fiduciaries
Children’s Data
The DPDP Act contains some of its strictest provisions around the processing of children’s data (any Data Principal under 18). Before processing a child’s personal data, a Data Fiduciary must obtain verifiable parental or guardian consent.
The Act also prohibits:
- Behavioural monitoring of children
- Targeted advertising directed at children
- Any processing that could be detrimental to the well-being of a child
The DPDP Rules 2025 (Rule 10 and the Fourth Schedule) carve out limited exemptions from the parental-consent and tracking restrictions, each confined to the stated purpose: clinical establishments and healthcare professionals to the extent necessary to provide health services, educational institutions for educational activities and student safety, and the State for subsidies, benefits, and similar functions under law. The Rules also require that verifiable parental consent rests on due diligence that the person consenting is an identifiable adult, for example against identity details already held or a virtual token issued by an authorised entity.
Significant Data Fiduciaries (SDFs)
The Central Government may designate certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed, their potential national security implications, and the risk of harm to Data Principals. SDFs face additional obligations:
- Data Protection Impact Assessments (DPIAs) at least once every twelve months
- Independent compliance audits at least once every twelve months, with a report of significant observations to the Board
- Appointment of a Data Protection Officer (DPO) based in India, who is the point of contact for grievance redressal
- Appointment of an independent data auditor
- Verification that their technical measures, including any algorithmic software, are not likely to pose a risk to the rights of Data Principals
- Potential data localisation obligations for specified categories of personal data and related traffic data
As of February 2026, the government has not yet published the official list of SDFs.
7. The Penalty Framework: What Non-Compliance Actually Costs
The DPDP Act’s enforcement is built on financial penalties imposed by the Data Protection Board of India under Section 33. The penalty framework is tiered by violation type in the Act’s Schedule and capped at ₹250 crore per instance of breach, significant in absolute terms, though structured differently from GDPR’s turnover-based model.
| Violation | Maximum Penalty | Section |
|---|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)) | Up to ₹250 crore | Schedule, Item 1 |
| Failure to notify the Data Protection Board or affected Data Principals of a breach (Section 8(6)) | Up to ₹200 crore | Schedule, Item 2 |
| Breach of obligations relating to children’s data processing (Section 9) | Up to ₹200 crore | Schedule, Item 3 |
| Breach of additional obligations of a Significant Data Fiduciary (Section 10) | Up to ₹150 crore | Schedule, Item 4 |
| Breach of a Data Principal’s duties (Section 15), such as impersonation, suppressing material information, or filing a false or frivolous complaint | Up to ₹10,000 | Schedule, Item 5 |
| Breach of a voluntary undertaking accepted by the Board (Section 32) | Up to the penalty applicable for the breach the original proceedings concerned | Schedule, Item 6 |
| Breach of any other provision of the Act or the Rules | Up to ₹50 crore | Schedule, Item 7 |
Critically, the DPDP Act does not provide for a cure period; organisations do not get a grace window to fix non-compliance before penalties are imposed. However, the Board must give the person an opportunity to be heard before imposing any penalty, and in fixing the amount it must consider the nature, gravity, and duration of the breach, the type of personal data affected, whether the breach was repetitive, any gain or loss avoided, mitigation steps taken, and proportionality.
Decisions of the Data Protection Board may be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days, and further to the Supreme Court.
8. The Data Protection Board of India
The Data Protection Board of India (DPBI) is constituted under Chapter V of the DPDP Act (Section 18) as a body corporate. Section 28 requires it to function as a digital office, with complaints, hearings, and decisions handled through techno-legal measures rather than paper filings.
The Board’s core functions include:
- Receiving and investigating complaints from Data Principals
- Inquiring into personal data breaches on receiving a breach intimation, and acting on references from the Central or a State Government or on the direction of a court (Section 27)
- Imposing penalties within the Schedule’s limits
- Accepting voluntary undertakings from Data Fiduciaries to remedy non-compliance
- Directing corrective action including data deletion or security remediation
The DPDP Rules 2025 specify that an inquiry initiated by the Board must be completed within six months of commencement, extendable only for reasons recorded in writing. This creates a defined enforcement timeline that enterprises can plan around.
The Board became operational on 13 November 2025, when its governance provisions came into force with the notification of the DPDP Rules 2025.
9. Cross-Border Data Transfers
One of the most debated provisions of the DPDP Act is cross-border data transfer. The Act takes a deliberately permissive approach unlike GDPR’s adequacy model or India’s earlier draft bills which proposed strict data localisation.
Personal data may be transferred outside India to any country, except those that the Central Government explicitly restricts by notification (a ‘negative list’ approach). As of February 2026, no countries have been added to this restricted list.
However, for Significant Data Fiduciaries, the government retains the power to mandate localisation of specific categories of personal data and traffic data, based on recommendations from a government-appointed committee.
10. DPDP Compliance Timeline What You Need to Know Now
The DPDP Rules 2025, notified on 13 November 2025, introduce a three-phase implementation timeline:
| Date | What Comes Into Force |
|---|---|
| 11 Aug 2023 | DPDP Act receives Presidential assent |
| 3 Jan 2025 | Draft DPDP Rules released for public consultation |
| 13 Nov 2025 | DPDP Rules notified. Data Protection Board operational. Rules 1, 2, 17–21 in force (Board constitution and governance). |
| 13 Nov 2026 | Rule 4 in force: Consent Manager registration and obligations begin. |
| 13 May 2027 | Rules 3, 5–16, 22–23 in force: ALL substantive compliance obligations active: notice requirements, consent standards, breach reporting, data retention and erasure, Data Principal rights, security safeguards, SDF obligations, and cross-border transfer conditions. |
11. DPDP Act vs GDPR: Key Differences at a Glance
| Dimension | DPDP Act 2023 (India) | GDPR (EU) |
|---|---|---|
| Scope | Digital personal data only (including digitised records) | Personal data processed by automated means, plus non-digital data held in a structured filing system |
| Sensitive data | No separate category | Special categories with stricter rules |
| Lawful bases | Consent + legitimate use (limited categories) | 6 lawful bases including legitimate interests |
| Data transfer | Negative list (permissive by default) | Adequacy decisions, SCCs, BCRs |
| Penalty model | Up to ₹250 crore (~USD 30M) per breach | Up to 4% global annual turnover or €20M |
| Right to nominate | Yes (unique to DPDP) | Not explicitly provided |
| DPO requirement | Only for Significant Data Fiduciaries | Required for certain categories of processing |
| Languages | Notice and consent request must be accessible in English or any of the 22 scheduled languages, at the Data Principal’s option | No equivalent requirement |
| Cure period | None | Not mandated (varies by regulator) |
12. What Your Organisation Must Do Before May 2027
With the final compliance deadline set for 13 May 2027, here is a prioritised action plan for enterprise security and compliance teams:
Immediate (Now to Q2 2026)
- Conduct a data audit: Map all personal data your organisation collects, stores, and processes across cloud, SaaS, on-premises, and endpoints.
- Classify data by purpose: For each data set, identify the lawful basis for processing (consent or legitimate use) and verify that it matches your actual use.
- Assess your gap: Run a DPDP gap assessment against the requirements of the Act and Rules. Identify which obligations you already meet and which require remediation.
Medium-term (Q3 2026 to Q1 2027)
- Update consent flows: Redesign consent mechanisms to meet DPDP’s free, specific, informed, unconditional, and unambiguous standard. Build withdrawal mechanisms of equal simplicity.
- Draft and deploy privacy notices: Prepare standalone, plain-language notices in compliance with Rule 3, available in applicable scheduled languages.
- Build breach response playbooks: Implement breach detection and a two-step Board notification workflow: an initial intimation without delay, then the detailed report within 72 hours, alongside individual notices to every affected Data Principal. Every breach must be reported; there is no de minimis threshold.
- Update vendor contracts: Ensure all Data Processor agreements contain DPDP-compliant clauses covering security obligations, breach notification support, and data deletion on termination.
Pre-deadline (Q1 to Q2 2027)
- Full compliance validation: Conduct a full internal or third-party audit against the DPDP Act and Rules.
- Retrospective notices: Issue notices to Data Principals whose data was collected on the basis of consent given before the Act commenced, as Section 5(2) of the Act and the DPDP Rules 2025 require.
- Implement data retention and erasure: Activate automated data lifecycle policies that delete personal data when its purpose is served or consent is withdrawn, while preserving the processing logs the Rules require you to keep for a year.
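The consent-flow and retention items above, together with the purpose-limitation obligation in Section 4 of this guide, come down to one engineering pattern: store personal data keyed by the specific purpose it was collected for, check an active consent on every access, treat withdrawal as a cut-off that is not retroactive, and run an erasure sweep that respects law-mandated retention while leaving the processing log intact. The following Python sketch is an added example written for this guide, not code from the Act, the Rules, or any product; the store, the class and method names, the sample principals, and the dates are all constructed for illustration.

```python
"""Purpose-bound consent ledger with non-retroactive withdrawal and scheduled
erasure. Added illustration for this guide; all names and data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass
class Consent:
    """One consent grant, bound to a single specified purpose."""
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, t: datetime) -> bool:
        # Withdrawal is not retroactive: consent covers [granted_at, withdrawn_at),
        # so processing that happened earlier stays lawful and stays logged.
        return self.granted_at <= t and (self.withdrawn_at is None or t < self.withdrawn_at)


@dataclass
class ConsentBoundStore:
    """In-memory stand-in for a personal-data store keyed by (principal, purpose)."""
    data: dict = field(default_factory=dict)            # (principal, purpose) -> value
    consents: dict = field(default_factory=dict)        # (principal, purpose) -> Consent
    purpose_served: dict = field(default_factory=dict)  # (principal, purpose) -> datetime
    log: list = field(default_factory=list)             # append-only processing log

    def grant(self, principal: str, purpose: str, at: datetime) -> None:
        self.consents[(principal, purpose)] = Consent(purpose, at)
        self.log.append((at, principal, purpose, "consent"))

    def withdraw(self, principal: str, purpose: str, at: datetime) -> bool:
        c = self.consents.get((principal, purpose))
        if c is None or c.withdrawn_at is not None:
            return False
        c.withdrawn_at = at
        self.log.append((at, principal, purpose, "withdraw"))
        return True

    def _require_consent(self, principal: str, purpose: str, at: datetime) -> None:
        c = self.consents.get((principal, purpose))
        if c is None or not c.active_at(at):
            self.log.append((at, principal, purpose, "refused"))
            raise PermissionError(f"no active consent for {principal!r} / {purpose!r}")

    def collect(self, principal: str, purpose: str, value, at: datetime) -> None:
        self._require_consent(principal, purpose, at)
        self.data[(principal, purpose)] = value
        self.log.append((at, principal, purpose, "collect"))

    def use(self, principal: str, purpose: str, at: datetime):
        """Read data under exactly the purpose it was collected for; any other
        purpose is a secondary use and is refused unless separately consented."""
        self._require_consent(principal, purpose, at)
        self.log.append((at, principal, purpose, "use"))
        return self.data[(principal, purpose)]

    def mark_served(self, principal: str, purpose: str, at: datetime) -> None:
        self.purpose_served[(principal, purpose)] = at

    def erase_due(self, at: datetime, legal_hold=frozenset()) -> list:
        """Erase data whose consent was withdrawn or whose purpose is served,
        unless a law-mandated retention (legal hold) applies. Logs survive."""
        erased = []
        for key in list(self.data):
            c = self.consents.get(key)
            withdrawn = c is not None and c.withdrawn_at is not None and c.withdrawn_at <= at
            served = key in self.purpose_served and self.purpose_served[key] <= at
            if (withdrawn or served) and key not in legal_hold:
                del self.data[key]
                self.log.append((at, key[0], key[1], "erase"))
                erased.append(key)
        return erased

    def prune_log(self, at: datetime, keep: timedelta = timedelta(days=365)) -> int:
        """Drop log entries older than the retention floor (one year here, the
        Rules' minimum; a longer period may apply under other law). Returns count."""
        before = len(self.log)
        self.log = [e for e in self.log if e[0] > at - keep]
        return before - len(self.log)


def demo() -> dict:
    """Walk through collection, a refused secondary use, withdrawal, and erasure."""
    t0 = datetime(2027, 5, 13, tzinfo=UTC)  # constructed reference date
    s = ConsentBoundStore()
    s.grant("p1", "order-fulfilment", t0)
    s.collect("p1", "order-fulfilment", {"city": "Pune"}, t0)  # constructed data
    try:                                      # secondary use without consent
        s.use("p1", "marketing", t0 + timedelta(days=1))
        marketing_blocked = False
    except PermissionError:
        marketing_blocked = True
    s.use("p1", "order-fulfilment", t0 + timedelta(days=2))   # lawful use
    s.withdraw("p1", "order-fulfilment", t0 + timedelta(days=3))
    try:                                      # withdrawal blocks new processing
        s.use("p1", "order-fulfilment", t0 + timedelta(days=4))
        post_withdrawal_blocked = False
    except PermissionError:
        post_withdrawal_blocked = True
    s.grant("p2", "invoicing", t0)
    s.collect("p2", "invoicing", {"invoice": "constructed"}, t0)
    s.mark_served("p2", "invoicing", t0 + timedelta(days=1))
    # p2's purpose is served, but a law-mandated retention keeps it; p1 is erased
    erased = s.erase_due(t0 + timedelta(days=5), legal_hold={("p2", "invoicing")})
    return {
        "marketing_blocked": marketing_blocked,
        "post_withdrawal_blocked": post_withdrawal_blocked,
        "erased": erased,
        "kept_under_hold": ("p2", "invoicing") in s.data,
        "uses_logged": sum(1 for e in s.log if e[3] == "use"),
        "log_pruned": s.prune_log(t0 + timedelta(days=368)),
        "log_after_prune": len(s.log),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. Keying the store by purpose, rather than attaching a purpose tag to a single record, makes repurposing a different lookup that fails closed instead of a policy check that someone can forget. And the erasure sweep and log pruning are separate operations with separate clocks, because the Rules require the logs to outlive the data they describe; the `legal_hold` set stands in for whatever retention other law imposes on specific records.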
FAQs
Is the DPDP Act 2023 currently in force?
Partially. The Data Protection Board of India became operational on November 13, 2025 when the DPDP Rules 2025 were notified. However, the substantive compliance obligations including consent requirements, breach reporting, and data principal rights do not come into force until May 13, 2027.
Who is a Data Fiduciary under the DPDP Act?
A Data Fiduciary is any person, company, or government entity that determines the purpose and means of processing personal data. If your organisation decides what data to collect and why, you are a Data Fiduciary and the Act’s obligations apply to you.
What is the maximum penalty under the DPDP Act?
The maximum penalty under the DPDP Act is ₹250 crore per breach, applicable where a Data Fiduciary fails to implement reasonable security safeguards and a personal data breach occurs. Penalties for other violations range from ₹10,000 (Data Principal misuse) to ₹200 crore (breach notification failure, children’s data violations).
Does the DPDP Act apply to foreign companies?
Yes. The DPDP Act has extra-territorial application. Any entity regardless of where it is based that offers goods or services to individuals located in India and processes their personal data in connection with those activities must comply with the Act.
What is the difference between the DPDP Act 2023 and DPDP Rules 2025?
The DPDP Act 2023 sets out the overarching framework of who is covered, what rights Data Principals have, what obligations Data Fiduciaries carry, and what penalties apply. The DPDP Rules 2025, notified on 13 November 2025, provide the operational detail how consent must be structured, what breach notifications must contain, how Consent Managers must operate, and what Significant Data Fiduciaries must do annually.
When is the DPDP Act deadline?
The hard compliance deadline is 13 May 2027, eighteen months after the DPDP Rules were notified. All substantive obligations consent, breach reporting, data principal rights, security safeguards, and SDF requirements must be met by this date. No grace period is provided after the deadline.
How Matters.AI Helps You Achieve DPDP Compliance
Meeting the DPDP Act’s requirements data discovery, consent management, breach notification, and audit readiness demands more than spreadsheets and policy documents. Matters.AI is the only AI-native data security platform purpose-built for India’s DPDP compliance requirements, not retrofitted from GDPR.
- Automated data discovery: Build your complete personal data inventory across cloud, SaaS, endpoints, and on-premises systems in days, not months.
- Consent and purpose mapping: Map every data point to its consent basis and flag processing that has outrun its original purpose.
- Real-time breach detection: Detect personal data breaches the moment they occur with automated 72-hour Board notification workflows built in.
- Audit-ready compliance reporting: One-click compliance reports for DPDP, GDPR, HIPAA, and PCI DSS so your compliance team spends days on audits, not weeks.