
DPDP

DPDP governs digital personal data of individuals in India, and reaches organisations anywhere that process such data in connection with offering goods or services in India. Learn how it differs from GDPR, what consent and breach rules require, and the penalties for non-compliance.


What is DPDP (India's Digital Personal Data Protection Act)?

DPDP stands for the Digital Personal Data Protection Act, 2023, India's first comprehensive personal data protection law, enacted in August 2023. It governs how organisations collect, store, process, and transfer digital personal data of individuals in India; the Act turns on where the Data Principal is, not on citizenship. It applies to processing within India, and to any organisation worldwide that processes such data in connection with offering goods or services to Data Principals in India.

That last part is what organisations outside India consistently underestimate. A US SaaS company with Indian users, a global bank processing payroll for its Indian workforce, a European analytics firm receiving Indian customer data from a local partner: all of them are in scope.

Draft DPDP Rules were published for consultation in January 2025, and the Rules bring obligations into force in phases rather than on a single date, so confirm the commencement date of each provision you rely on instead of assuming it. Build the security safeguard and breach notification controls first regardless: the ₹250 crore maximum penalty for inadequate security safeguards makes non-compliance a board-level financial risk, not a compliance department footnote.

The terminology you need to know first

DPDP uses India-specific terminology that doesn't map cleanly onto GDPR. Applying GDPR vocabulary to DPDP compliance is the most common mistake organisations make. Get the terms right before building the programme.

Data Principal is the individual whose personal data is being processed; where that individual is a child it includes the parents or lawful guardian, and where the individual has a disability it includes the lawful guardian acting on their behalf. The Act never uses the word "citizen", so do not equate Data Principals with Indian nationals. Data Principals have five rights under the Act: information access, correction and erasure, grievance redressal, nomination of another person to exercise rights posthumously, and consent withdrawal at any time.

Data Fiduciary is the organisation that determines the purpose and means of processing. Equivalent to GDPR's data controller. The Data Fiduciary bears the primary obligations: providing notices, obtaining consent, implementing security safeguards, responding to rights requests, and notifying breaches. Government may designate certain Data Fiduciaries as "Significant Data Fiduciaries" based on processing volume or sensitivity, triggering additional compliance requirements.

Data Processor processes personal data on behalf of a Data Fiduciary. Same structural role as GDPR's processor, carrying obligations defined through agreements with the Fiduciary.

Consent Manager is a DPDP-specific concept with no GDPR equivalent: a person registered with the Data Protection Board that acts as a single point of contact through which Data Principals can give, manage, review, and withdraw consent across multiple Data Fiduciaries via an accessible, transparent, and interoperable platform. It is an India-native piece of consent infrastructure designed for the scale of India's digital population.

What DPDP actually requires

Four obligation areas define the operational compliance programme.

Notice and consent

Before collecting personal data, a Data Fiduciary must give a clear notice, and the Data Principal must be able to access its contents in English or any language specified in the Eighth Schedule of the Indian Constitution (22 languages, including Tamil, Telugu, and Bengali). The same language option applies to the consent request itself. That point matters practically: English-only privacy documentation does not give populations that use your service in those languages the option the Act provides for.

Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. The critical difference from GDPR: DPDP's primary lawful processing ground is consent. GDPR offers six lawful bases including legitimate interests, contract performance, and legal obligation. DPDP's exceptions to the consent requirement, the "certain legitimate uses", are narrower: data the Data Principal volunteered for a specified purpose, State functions and benefits, compliance with law or court orders, medical emergencies and public health, disaster response, and employment-related purposes.

So an organisation that currently relies on "legitimate interests" under GDPR for customer analytics cannot automatically apply the same basis under DPDP. They need to re-examine whether consent is required for each processing activity in the Indian context.

Data Principal rights fulfilment

The right to erasure creates the hardest operational challenge. When a Data Principal exercises this right, the obligation applies across every copy of their data in every system. Not just the primary CRM or customer database. The analytics warehouse. The development environment seeded six months ago. The daily backup snapshot. The SaaS integration that synced records to a marketing platform. The obligation also reaches Data Processors: once consent is withdrawn or the specified purpose is no longer served, the Data Fiduciary must erase and must cause its processors to erase, unless retention is required by law.

Why does this matter? Because most organisations cannot find all of those copies. Their data inventory covers the systems they built and maintain. It doesn't cover the shadow data that accumulated through pipelines, developer workflows, and integrations they didn't track. DPDP erasure compliance requires finding everything first.

Security safeguards

DPDP requires "reasonable security safeguards" to prevent personal data breaches, and the Act itself does not enumerate controls. Unlike HIPAA's prescriptive safeguard categories or GDPR's Article 32 requirements, DPDP's standard is principles-based. The draft Rules published in January 2025 did propose a baseline (encryption, obfuscation, masking or tokenisation; access controls; logging and monitoring with retained logs; backups for continuity; and contractual controls over Data Processors), so read "principles-based" as a floor plus a duty to show the rest was proportionate, not as an absence of minimums. The question for compliance teams isn't only "did we implement these specific controls?" It's "can we demonstrate to the Data Protection Board that our safeguards were reasonable given what we process?"

That's a demonstrable safeguards standard, not a checkbox standard. Continuous monitoring, audit trails, and documented security posture matter because they're the evidence base when the Board asks questions.

Breach notification

This is where DPDP departs most significantly from GDPR, and where organisations that treat DPDP as a GDPR subset get caught.

GDPR's breach notification threshold is risk-based. Breaches unlikely to result in risk to individuals don't require individual notification. Organisations can assess impact and decide whether to notify. DPDP has no such threshold. Universal Breach Notification means every personal data breach triggers notification obligations to the Data Protection Board and to affected Data Principals. Every breach. No risk assessment required to decide.

That changes the operational requirement fundamentally. Under GDPR, fast scope determination feeds a risk assessment that determines notification scope. Under DPDP, fast scope determination feeds mandatory notification. The question isn't "is this risky enough to notify?" It's "what happened and who needs to be told?"

Where DPDP differs from GDPR: four material distinctions

"DPDP is like GDPR for India" is a useful shorthand and a compliance trap. Four differences create gaps that retrofitting GDPR controls onto Indian operations won't close.

Consent as primary basis

GDPR's six lawful bases give organisations flexibility. DPDP's legitimate use exceptions are narrower. If your GDPR compliance is built on legitimate interests, you have mapping work to do before you can claim DPDP compliance.

Universal Breach Notification

No risk threshold. Every breach notifiable. This isn't a nuance, it's a structural difference in how breach response programmes need to be designed.

Language requirements

Data Principals must be able to access notices and consent requests in English or any Eighth Schedule language. English-only privacy infrastructure leaves significant portions of the Indian market without the language option the Act provides for.

Consent Manager infrastructure

A Board-registered third-party consent management layer with no GDPR equivalent. Organisations operating at scale in India need to understand how a Consent Manager fits into their consent architecture, including how a withdrawal received through one reaches every system that holds the data.

The operational problem most organisations are not ready for

Ask a compliance team whether they know where all Indian personal data lives across their environment. Cloud databases. SaaS platforms. Development environments. Analytics pipelines. Endpoint devices. Backup systems.

Most can't answer that with confidence.

That's the real DPDP readiness gap. Not policy documentation. Not consent management configuration. It's that most organisations have 70-80% coverage of their personal data estate through manual processes and periodic scans, and 20-30% is shadow data they haven't found. Under DPDP, that 20-30% gap is where erasure requests fail, where breach notifications are incomplete, and where the Data Protection Board finds violations.

Three capabilities close the gap operationally.

Continuous automated discovery that finds personal data across every environment as it appears, including copies created by pipelines, developer workflows, and integrations that nobody documented. Not quarterly scanning. Continuous.

Purpose limitation monitoring that tracks actual data usage patterns against documented processing purposes. Consent drift, where data collected for one purpose is being accessed in ways inconsistent with that purpose, is invisible without this. The Data Principal gave consent for Order Fulfillment. Their data is now in an analytics model they never consented to. That's a DPDP violation. Detecting it requires monitoring what's actually happening, not what the policy says should happen.

Cross-system erasure that propagates consent revocation and erasure requests to every copy in every system, not just the primary record. A workflow that deletes from the CRM and stops there doesn't fulfil the obligation.
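The two capabilities just described, consent-drift detection over access logs and cross-system erasure with verification, as one added example. This is illustration code written for this page, not Matters.AI's product code; the log format, store names, consent register, and the records in them are all constructed, and the "documented" and "erasable" flags are assumptions that stand in for a real inventory and for systems such as immutable backups that cannot be edited in place.

```python
"""Consent-drift detection and cross-system erasure, as a minimal model.

Added example for this page, not Matters.AI code. Store names, the log
format, the consent register and all records are constructed.
"""
from dataclasses import dataclass, field
import re

# Constructed consent register: the purposes each Data Principal agreed to.
CONSENT = {
    "dp-1001": {"order_fulfilment", "customer_support"},
    "dp-1002": {"order_fulfilment"},
}

# Constructed access log. Assumed format: <ts> <store> <principal> <purpose> <actor>
ACCESS_LOG = """\
2026-04-30T09:12:01Z crm dp-1001 customer_support agent-7
2026-04-30T09:15:44Z warehouse dp-1002 analytics_model pipeline-churn
2026-04-30T09:16:02Z warehouse dp-1001 analytics_model pipeline-churn
2026-04-30T09:20:10Z crm dp-1002 order_fulfilment svc-orders
2026-04-30T09:21:00Z marketing dp-9999 campaign_email svc-mailer
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def detect_purpose_drift(log_text, consent):
    """Return (principal, store, purpose, actor) for every access whose purpose
    the principal did not consent to. A principal missing from the register has
    no recorded consent at all, so every access to their data is flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, never silently trusted
        _ts, store, principal, purpose, actor = m.groups()
        if purpose not in consent.get(principal, set()):
            findings.append((principal, store, purpose, actor))
    return findings


@dataclass
class Store:
    name: str
    documented: bool          # False = found by discovery, absent from the inventory
    erasable: bool = True     # False = cannot be edited in place (e.g. immutable backup)
    records: dict = field(default_factory=dict)

    def erase(self, principal):
        """Delete the principal's record; report whether this store could do so."""
        if not self.erasable:
            return False
        self.records.pop(principal, None)
        return True


def build_inventory():
    """Constructed estate: the primary CRM plus the copies the page warns about."""
    rec = {"dp-1001": {"email": "a@example.in"}, "dp-1002": {"email": "b@example.in"}}
    return [
        Store("crm", documented=True, records=dict(rec)),
        Store("warehouse", documented=True, records=dict(rec)),
        Store("dev-seed", documented=False, records=dict(rec)),
        Store("marketing-saas", documented=False, records=dict(rec)),
        Store("backup-2026-04-29", documented=True, erasable=False, records=dict(rec)),
    ]


def naive_erase(principal, inventory):
    """The workflow the page criticises: erase only where the inventory says to
    look. Returns the stores where a copy survives."""
    for store in inventory:
        if store.documented:
            store.erase(principal)
    return [s.name for s in inventory if principal in s.records]


def propagate_erasure(principal, inventory, consent):
    """Withdraw consent first, erase from every store found by discovery, then
    verify. Residual copies (e.g. an immutable backup) are returned for
    out-of-band handling instead of being reported as done."""
    consent.pop(principal, None)   # later access now shows up as purpose drift
    for store in inventory:
        store.erase(principal)
    residual = [s.name for s in inventory if principal in s.records]
    return {"principal": principal, "fulfilled": not residual, "residual_copies": residual}


if __name__ == "__main__":
    register = {k: set(v) for k, v in CONSENT.items()}
    for finding in detect_purpose_drift(ACCESS_LOG, register):
        print("purpose drift:", finding)
    print("naive:", naive_erase("dp-1001", build_inventory()))
    print("full:", propagate_erasure("dp-1001", build_inventory(), register))
```

On the constructed log the drift check flags both warehouse reads by the churn pipeline (no consent for an analytics purpose) and the mailer's access to a principal who is not in the register at all. The naive workflow reports three surviving copies for dp-1001 because the seeded dev environment and the marketing sync were never inventoried; the discovery-driven workflow clears those and leaves only the immutable backup, which is reported as residual rather than marked fulfilled. Because consent is revoked before deletion, re-running the drift check afterwards also flags the earlier support-desk access, which is the behaviour you want once a withdrawal is in effect.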

Penalties and enforcement

The Data Protection Board of India enforces DPDP with a structured penalty framework.

Up to ₹250 crore for failing to take reasonable security safeguards to prevent a personal data breach. Up to ₹200 crore for failing to notify the Board and affected Data Principals of a breach. Up to ₹200 crore for breaching the obligations on children's personal data. Up to ₹150 crore for a Significant Data Fiduciary breaching its additional obligations. Up to ₹50 crore for any other breach of the Act or the Rules, which is the category that failures to honour Data Principal rights fall into.

The caps apply per breach of obligation, and one incident can engage several. An organisation that suffers a breach, fails to notify promptly, and is found to have had inadequate safeguards faces the ₹250 crore and ₹200 crore caps together, plus whatever else the Board finds. The financial exposure is material before reputational cost is counted.

Frequently asked questions

What is DPDP?

DPDP is the Digital Personal Data Protection Act, 2023, India's first comprehensive personal data protection law, enacted in August 2023. It governs how organisations process digital personal data of individuals in India (Data Principals), creates obligations for Data Fiduciaries covering consent, security safeguards, Data Principal rights, and universal breach notification, and applies to any organisation worldwide that processes such data in connection with offering goods or services to Data Principals in India.

What is the difference between DPDP and GDPR?

Both require personal data inventories, consent management, breach notification, security safeguards, and data subject rights responses. Four material differences: DPDP relies primarily on consent with narrower legitimate use exceptions than GDPR's six lawful bases; DPDP has Universal Breach Notification with no risk threshold, unlike GDPR's risk-based threshold; DPDP requires notices and consent requests to be accessible in English or any Eighth Schedule language; and DPDP introduces a Board-registered Consent Manager intermediary with no GDPR equivalent.

Who does DPDP apply to?

Any organisation that processes digital personal data within India, and any organisation outside India that processes personal data in connection with offering goods or services to Data Principals within India. Indian subsidiaries of multinationals, foreign SaaS companies with Indian users, and global enterprises processing data of their employees in India are all in scope.

What are the DPDP penalties?

Maximum penalties include ₹250 crore for inadequate security safeguards, ₹200 crore for failure to notify the Board and affected Data Principals of a breach, ₹200 crore for breaching the obligations on children's data, ₹150 crore for a Significant Data Fiduciary breaching its additional obligations, and ₹50 crore for any other breach, which covers failures to fulfil Data Principal rights. Penalties apply per breach of obligation and can accumulate across multiple categories from a single incident.

What is a Data Fiduciary under DPDP?

A Data Fiduciary is an organisation that determines the purpose and means of processing personal data. Equivalent to GDPR's data controller. Data Fiduciaries bear DPDP's primary obligations: providing notices, obtaining consent, implementing reasonable security safeguards, responding to Data Principal rights requests, and notifying breaches to the Data Protection Board and affected individuals.

Published May 1, 2026
