What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent on 11 August 2023. It is India's first comprehensive data protection law, replacing the older patchwork of privacy rules under the IT Act 2000. The Act creates a framework for how businesses collect, process, store, and share personal data of Indian citizens (called "Data Principals").
The DPDP Act applies to:
- Processing of digital personal data within India
- Processing of digital personal data outside India if it relates to offering goods or services to Data Principals in India
- All types of entities — companies, LLPs, partnerships, proprietorships, government bodies, NGOs — that process personal data
"Personal data" means any data about an identifiable individual — name, email, phone number, Aadhaar number, IP address, location data, biometric data, health data, financial data, etc.
Key Concepts Under the DPDP Act
| Term | Definition | Who It Applies To |
|---|---|---|
| Data Principal | The individual whose personal data is being processed | Your customers, employees, website visitors |
| Data Fiduciary | The entity that determines the purpose and means of processing personal data | Your business — if you collect or use personal data |
| Data Processor | An entity that processes personal data on behalf of a Data Fiduciary | Your IT vendor, cloud provider, marketing agency that processes your customer data |
| Significant Data Fiduciary (SDF) | Data Fiduciaries designated by the Central Government based on volume of data, sensitivity, risk to national security, etc. | Large platforms, social media companies, certain categories to be notified — higher obligations apply |
| Data Protection Board (DPB) | Regulatory body established under the Act to adjudicate complaints and impose penalties | Complaint authority for Data Principals; enforcement authority against Data Fiduciaries |
Core Obligations for Data Fiduciaries
Consent — the foundation of lawful processing
You can process personal data only with the free, specific, informed, unconditional, and unambiguous consent of the Data Principal. The consent request must:
- be in plain, simple language (in English and any language from the 8th Schedule);
- clearly state what data is being collected and for what purpose;
- not be bundled with other consents as a condition for service;
- be preceded by a notice explaining the data being collected and the purpose.
You must provide a consent manager interface or mechanism through which the Data Principal can give, withdraw, or review consent at any time.
Notice — what to tell Data Principals
Before collecting personal data, provide a notice stating:
- what personal data is being collected;
- the purpose for which it will be used;
- how the Data Principal can exercise their rights;
- how to contact the Data Protection Officer or grievance mechanism.
For data already collected before the Act's effective date, notice must be given at the earliest opportunity.
Purpose Limitation — use only what you stated
Personal data can only be processed for the specific purpose for which consent was obtained or for a lawful use under the Act. You cannot repurpose data for new uses without obtaining fresh consent. This means your CRM data collected for order processing cannot be used for marketing profiling without separate consent.
Data Minimisation — collect only what you need
Collect only the personal data that is necessary for the stated purpose. If you don't need date of birth to send a newsletter, don't collect it. Unnecessary data collection creates both compliance risk (if there is a breach) and penalty exposure.
Data Accuracy and Storage Limitation
Take reasonable steps to ensure accuracy and completeness of personal data. Erase (or anonymise) personal data when the purpose is fulfilled or when consent is withdrawn. Do not retain data indefinitely "just in case."
Security Safeguards — protect the data
Implement reasonable security safeguards to prevent data breach. The Act does not specify exact technical measures but expects risk-proportionate security. For healthcare data, financial data, or large volumes of consumer data, robust encryption, access controls, audit logs, and incident response procedures are expected.
Data Breach Notification
In the event of a personal data breach, notify the Data Protection Board and all affected Data Principals. The notification must be prompt — draft rules are expected to specify timelines (likely 72 hours, similar to GDPR). Early detection and reporting are important — delayed reporting after discovery can significantly increase penalty exposure.
Grievance Redressal Mechanism
Every Data Fiduciary must establish a mechanism for Data Principals to raise grievances. This can be a dedicated email, a portal, or a named contact. Grievances must be acknowledged and resolved within the prescribed timeframe (to be notified in rules).
Rights of Data Principals You Must Honour
- Right to access information: Data Principal can request what personal data is held about them and how it is being used
- Right to correction and erasure: Data Principal can request correction of inaccurate data and erasure of data that is no longer needed for the purpose
- Right to grievance redressal: Right to readily available means of grievance redressal
- Right to nominate: Data Principal can nominate another person to exercise rights on their behalf in the event of their death or incapacity
- Right to withdraw consent: Data Principal can withdraw consent at any time — and you must stop processing after withdrawal (subject to legal obligations)
You must have processes in place to receive, acknowledge, and fulfil these requests within the timeframes that will be specified in the rules.
Penalties Under the DPDP Act
| Violation | Maximum Penalty |
|---|---|
| Breach of obligation to implement data security safeguards or notify breach | Rs.250 crore |
| Breach of obligations for processing of children's data | Rs.200 crore |
| Breach of obligations of Significant Data Fiduciary | Rs.150 crore |
| Breach of Data Fiduciary's other obligations (consent, notice, purpose limitation) | Rs.50 crore |
| Breach of Data Principal's obligations | Rs.10,000 |
| Breach of any other provision | Rs.50 crore |
These are maximum penalties — the Data Protection Board will consider the nature, gravity, and duration of breach; number of affected persons; repetition; and remedial actions taken. However, even 1/10th of the maximum for a significant data breach represents enormous financial risk for most businesses. Early compliance investment far outweighs potential penalty exposure.
DPDP Compliance Checklist for Businesses
Data Mapping and Inventory
Identify what personal data you collect, from whom, for what purpose, where it is stored, who has access, and how long you retain it. A data flow map is the foundation of all compliance work.
Privacy Notice / Policy
Update your website privacy policy and internal privacy notices to reflect DPDP Act requirements — what data, what purpose, what rights, who to contact. Notices must be in clear, plain language.
Consent Mechanism
Build or update consent collection mechanisms — cookie consent, sign-up forms, CRM data collection — to meet DPDP standards: specific, informed, unambiguous, easy to withdraw.
Data Processor Agreements
Review contracts with third-party vendors who process data on your behalf (cloud providers, marketing platforms, payroll processors). Add DPDP-compliant data processing clauses requiring them to maintain security and notify you of breaches.
Children's Data Compliance
If your platform or service is used by children (under 18), implement verifiable parental consent. The DPDP Act is particularly strict on children's data — no tracking, no behavioural targeting of children. Review all user-facing systems for age verification.
Data Breach Response Plan
Prepare an incident response plan covering detection, containment, assessment, notification to DPB and Data Principals, and post-incident review. Test the plan with a tabletop exercise.
DPO / Grievance Officer Appointment
Significant Data Fiduciaries must appoint a Data Protection Officer. All Data Fiduciaries must have a grievance redressal mechanism. Even if not classified as SDF, appointing a responsible person for data protection demonstrates accountability and is good practice.
Staff Training
Employees who handle personal data — customer service, HR, marketing, IT — must be trained on DPDP obligations, data handling procedures, and how to respond to Data Principal requests and breach events.
Frequently Asked Questions
Yes. The DPDP Act applies to all entities that process personal data of Indian citizens, regardless of size. However, the Government can exempt certain categories of Data Fiduciaries (likely small businesses below a threshold) through rules. The extent of exemptions has not yet been finalised in the Rules. Pending the Rules, it is prudent for all businesses — regardless of size — to begin basic compliance: update privacy policies, review consent mechanisms, and understand what personal data you process. The cost of basic compliance is low; the penalty for non-compliance can be severe.
The DPDP Act was influenced by GDPR but differs in several important ways: (1) The DPDP Act does not create a general right to data portability (GDPR has this); (2) DPDP has fewer "lawful bases" for processing — primarily consent and legitimate uses specified in law; (3) The DPDP Act is generally considered less prescriptive about technical standards, leaving more to Rules and codes of practice; (4) DPDP does not have the same broad extraterritorial reach as GDPR; (5) Penalties under DPDP (up to Rs.250 crore) are lower than GDPR's (up to 4% of global turnover or €20 million). If your business is subject to both GDPR (because you process EU citizen data) and DPDP (because you process Indian citizen data), you must comply with both — but GDPR compliance gives you a strong foundation for DPDP compliance as well.
The DPDP Act 2023 received Presidential assent on 11 August 2023 but most provisions require the Central Government to issue Rules before they become operational. The Rules specify detailed compliance requirements, exemptions, timelines for implementing rights, and Data Protection Board procedures. As of early 2025, the draft Rules have been circulated for public comment and final Rules are expected to be published in 2025. Enforcement begins after the Rules are notified and the Data Protection Board is established. Businesses should use this window to prepare — compliance built in advance is far less disruptive than emergency compliance after Rules are enforced.
Yes. Employee data — attendance records, salary information, Aadhaar/PAN collected for payroll, performance records, health data — is personal data under the DPDP Act. Employers processing employee data are Data Fiduciaries under the Act. Consent for employment-related processing may be implied in the employment contract (as a "deemed consent" scenario) but this will be specified more precisely in the Rules. HR departments need to review their data collection practices, retention policies, and employee-facing privacy notices as part of DPDP compliance.
Get DPDP Act Ready — Start Today
Our DPDP compliance team assists businesses in Pondicherry and across India with data mapping, privacy policy drafting, consent framework setup, DPO appointment, and breach response planning.