DPDP Act Compliance Services in Pondicherry

India's Digital Personal Data Protection Act 2023 is now law. Does your business collect names, phone numbers, emails, or any other customer or employee data? If yes, you are a Data Fiduciary with legal obligations. We help Pondicherry businesses understand what the law requires and get compliant before penalties begin.

What Is the Digital Personal Data Protection Act 2023 (DPDP Act)?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data privacy law, passed by Parliament in August 2023. It governs how businesses and individuals collect, process, store, and use the personal data of Indian citizens.

The Act establishes a framework that places individuals (called Data Principals) in control of their own personal data and places obligations on entities that process this data (called Data Fiduciaries). It also creates a Data Protection Board of India to hear complaints and impose penalties.

The DPDP Act applies to processing of digital personal data within India, as well as processing of personal data outside India where it is in connection with goods or services offered to individuals in India. This means even foreign companies targeting Indian customers must comply.

India's approach is broadly modelled on global frameworks like the EU's GDPR, but adapted to Indian legal and commercial realities. Businesses that have already prepared for GDPR or PDPA (Singapore) will find the DPDP Act familiar, but there are important differences in specific obligations and exemptions.

Who Is a "Data Fiduciary" — Does the DPDP Act Apply to Your Business?

Under the DPDP Act, a Data Fiduciary is any person, company, or entity that, alone or jointly with others, determines the purpose and means of processing personal data. In practical terms, if your business:

  • Collects customer names, phone numbers, or email addresses — even on a paper form that is later digitised
  • Maintains an employee database with attendance, salary, or HR records
  • Operates a website or mobile app that collects user information
  • Uses WhatsApp, email, or CRM software to communicate with customers
  • Processes payment information or stores order histories
  • Runs a loyalty programme, newsletter subscription, or referral programme
  • Engages vendors who process data on your behalf (these vendors are called Data Processors)

...then you are a Data Fiduciary and the DPDP Act applies to you. The Act does not have a minimum size or turnover threshold — even a small retail business, clinic, coaching centre, or individual professional who processes digital personal data is covered.

Significant Data Fiduciaries are a special category of larger Data Fiduciaries that the central government will notify based on volume of data, sensitivity of data, national security implications, and risk to rights of Data Principals. Significant Data Fiduciaries have additional obligations including appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and periodic audits.

Key Obligations Under the DPDP Act

1. Notice

Before collecting personal data, or as soon as possible where data was collected earlier without notice, a Data Fiduciary must provide a clear notice to the Data Principal explaining: what personal data is being collected, the purpose for which it is collected, how the person can exercise their rights, and how to contact the grievance officer. The notice must be in plain language and available in scheduled languages if requested.

2. Consent

Personal data can be processed only with the free, specific, informed, unconditional, and unambiguous consent of the Data Principal — given through a clear affirmative act. Pre-ticked boxes, bundled consent, and consent obtained as a condition for unrelated services are not valid. Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent. The Act does recognise "legitimate uses" for which consent is not required — such as employment purposes, medical emergencies, and certain government functions.

3. Data Minimisation

A Data Fiduciary may collect only the personal data that is necessary for the specified purpose. Collecting data "in case it's useful later" is not permitted. This requires businesses to audit what they collect and remove unnecessary data collection from their processes.

4. Purpose Limitation and Storage Limitation

Personal data may be used only for the purpose for which it was collected. Once the purpose is fulfilled, the data must be erased unless retention is required by law. There is no indefinite right to hold personal data.

5. Data Accuracy

Data Fiduciaries must ensure that personal data they process is accurate and complete, especially where the data will be used to make decisions about the Data Principal or is likely to be disclosed to others.

6. Security Safeguards

Businesses must implement reasonable security measures to prevent personal data breaches. In the event of a breach, the Data Fiduciary must notify the Data Protection Board and affected Data Principals in the manner prescribed.

7. Grievance Officer

Every Data Fiduciary must publish the name and contact details of a Grievance Officer to whom Data Principals can address complaints about the handling of their personal data. The grievance officer must resolve complaints within the timeframe prescribed by rules.

Penalties Under the DPDP Act

The penalties for non-compliance are substantial and can be imposed by the Data Protection Board after conducting an inquiry:

1. Failure to take reasonable security safeguards: penalty up to Rs.250 crore per breach incident.

2. Failure to notify a personal data breach: penalty up to Rs.200 crore.

3. Non-fulfilment of obligations relating to children's data: penalty up to Rs.200 crore.

4. Non-fulfilment of additional obligations by Significant Data Fiduciaries: penalty up to Rs.150 crore.

5. Other violations of the Act or Rules: penalty up to Rs.50 crore per violation.

Beyond monetary penalties, the Data Protection Board can direct businesses to stop processing personal data — which could mean shutting down a website, app, or data-dependent service. These are business-ending consequences for smaller companies.

Our DPDP Act Compliance Services

We provide end-to-end DPDP Act compliance support for businesses in Pondicherry and across India. Our services are tailored to the actual size and complexity of your business — we do not provide cookie-cutter compliance templates.

Privacy Policy Drafting

We draft a custom Privacy Policy that reflects your actual data processing activities and meets DPDP Act requirements. A generic template copied from the internet does not adequately protect you. See our detailed Privacy Policy Drafting service page.

Data Protection Officer (DPO) Appointment

For Significant Data Fiduciaries, we advise on DPO appointment, draft the role description, and guide the reporting structure. We also offer DPO-as-a-service for businesses that need an external, qualified DPO. See our DPO Appointment service page.

Consent Management Framework

We design a legally compliant consent framework for your website, app, HR processes, and customer-facing operations — including consent notices, consent records, and withdrawal mechanisms. See our Consent Management Framework service page.

DPDP Compliance Audit

We conduct a structured audit of your current data processing activities against DPDP Act requirements, identify gaps, and provide a prioritised remediation plan. Ideal for businesses that have already started compliance and want an independent check. See our DPDP Compliance Audit service page.

Employee and Vendor Data Agreements

We update or draft employment agreements and vendor contracts to include DPDP-compliant data processing clauses, ensuring your employees and third-party processors (Data Processors) are contractually bound to protect personal data.

Data Breach Response

If a data breach occurs, we advise on notification requirements, help prepare the notification to the Data Protection Board, and guide your internal response to minimise legal exposure.

Frequently Asked Questions

Does the DPDP Act apply to small businesses?

Yes. The Digital Personal Data Protection Act 2023 applies to any person or business that processes digital personal data of individuals in India — there is no size or turnover threshold. Even a small retail shop, clinic, tuition centre, or freelancer who collects customers' phone numbers or emails on a digital medium is technically covered. The central government may notify specific exemptions or reduced obligations for certain categories, but until such notification is issued, the Act applies broadly. Small businesses should at minimum have a Privacy Policy, a Grievance Officer, and a basic consent mechanism in place.

When does the DPDP Act come into force, and by when must businesses comply?

The DPDP Act 2023 was enacted in August 2023. The DPDP Rules are being finalised by the Ministry of Electronics and Information Technology (MeitY) and are expected to be notified in 2025. Once the Rules are notified and the Data Protection Board is constituted, businesses will be given a transition period to achieve compliance — the exact timeline will be specified in the Rules. However, businesses should begin preparations now. Compliance involves updating policies, building consent mechanisms, training staff, and sometimes modifying software — none of which can be done overnight. Early preparation also demonstrates good faith to regulators.

What counts as "personal data" under the DPDP Act?

Under the DPDP Act 2023, "personal data" means any data about an individual who is identifiable by or in relation to such data. This is a broad definition and covers: names, phone numbers, email addresses, Aadhaar numbers, PAN numbers, biometric data (fingerprints, face scans), financial information, health and medical records, location data, IP addresses, device identifiers, browsing history, CCTV footage, HR records, and any combination of data that can identify a person. Anonymised data — where the person cannot be re-identified — is generally outside the scope of the Act.

Does my business need to appoint a Data Protection Officer?

The mandatory requirement to appoint a Data Protection Officer applies only to "Significant Data Fiduciaries" — a category that the central government will notify. These are likely to be large platforms, tech companies, and businesses processing high volumes or highly sensitive personal data. For other businesses, appointing a DPO is not mandatorily required under the current law, but it is strongly advisable to designate a responsible person (internally or externally) who oversees data protection compliance, handles grievances, and manages data breach response. We can help you determine whether you fall into the Significant Data Fiduciary category and advise accordingly.

What are the penalties for non-compliance?

The DPDP Act prescribes severe financial penalties. The highest penalty is Rs.250 crore for failure to implement reasonable security safeguards to prevent a personal data breach. Other key penalties include Rs.200 crore for failure to notify a data breach, Rs.200 crore for non-compliance with obligations related to children's data, and Rs.150 crore for Significant Data Fiduciaries failing their additional obligations. Violations of other provisions carry penalties up to Rs.50 crore each. The Data Protection Board conducts inquiries and issues orders. Beyond fines, the Board can direct businesses to stop processing personal data entirely — which could be more damaging than any monetary penalty for a data-dependent business.

Start Your DPDP Act Compliance Journey Today

Whether you are a startup, an established business, or a professional in Pondicherry, we help you understand exactly what the DPDP Act requires of you and build a practical compliance programme that actually works — not just paperwork.
