
Module 1 · DPDP Act Foundations

Manish Garg, Associate CISSP · RingSafe
April 19, 2026
12 min read

You’ve heard the name. “DPDP Act.” Somebody in your organisation has mentioned it in a meeting. Maybe legal sent a memo. Maybe your startup accelerator flagged it. This module is where you go from “I’ve heard of it” to “I can explain it and act on it.”

The Digital Personal Data Protection Act, 2023 is India’s first comprehensive data-protection law. It was passed by Parliament on 11 August 2023. It is modelled loosely on the EU’s GDPR but is significantly simpler — and in some ways, stricter. Penalties go up to ₹250 crore per violation category. If you process the personal data of even one person in India, this applies to you.

This module is the starting point of the DPDP Compliance Practitioner learning path. We will not cover every clause — we will cover what a practitioner needs to operationalise. By the end, you will be able to:

  • Explain what the DPDP Act actually says (without the legal jargon)
  • Identify whether your organisation is a Data Fiduciary or a Data Processor
  • Name the seven rights of a Data Principal and the processes your product needs to respect them
  • Recognise when your organisation is a Significant Data Fiduciary (SDF) and what extra obligations kick in
  • Understand penalty exposure under Section 33 — and what drives it up or down

Why this Act exists

Until 2023, India had no dedicated data-protection law. The only statute that vaguely covered personal data was Section 43A of the Information Technology Act, 2000 — which only required “reasonable security practices” and applied only to “body corporates” handling “sensitive personal data.” That framework was widely considered toothless.

Three events drove the DPDP Act forward:

  1. Puttaswamy judgment (2017) — the Supreme Court of India unanimously ruled that the right to privacy is a fundamental right under the Constitution (Article 21). Suddenly, the government had a constitutional duty to legislate protection.
  2. GDPR (2018) — the EU’s General Data Protection Regulation raised the global bar. Indian SaaS companies serving European customers already had to comply. Indian citizens started asking why they didn’t have similar rights at home.
  3. Breach fatigue — repeated large-scale breaches (Aadhaar data sales on dark-web forums, telco leaks, fintech KYC dumps) made privacy a political priority.

Four successive drafts came and went between 2018 and 2022. The final DPDP Act, 2023 is shorter and less prescriptive than GDPR — it trusts the government to fill in details through subordinate Rules. As of early 2026, most of those Rules are still in draft. But the Act itself is binding.

Who is covered

The DPDP Act applies to:

  • Processing of digital personal data within India — whether the data was collected digitally or collected on paper and later digitised.
  • Processing of digital personal data outside India if it is in connection with offering goods or services to Data Principals in India.

Key exclusions:

  • Personal or domestic purposes (your WhatsApp contacts are not covered)
  • Publicly available personal data that the Data Principal has themselves made public (e.g. a LinkedIn profile)
  • Data processed for research, archiving, or statistical purposes subject to specific safeguards notified by the Central Government

So — if your startup, SaaS, clinic, school, fintech, media outlet, or consulting firm handles the email, name, phone, address, Aadhaar, PAN, health records, financial details, or any other identifying data of any person in India, you are covered. The threshold is not “I have 10,000 users” — it is “I handle data of even one Data Principal in India.” A startup is covered on exactly the same terms as an enterprise.

The vocabulary you must know

Every discussion of DPDP will use these terms. Memorise them — you cannot operationalise what you cannot name.

| Term | Meaning | Rough GDPR equivalent |
|---|---|---|
| Personal Data | Any data about an individual who is identifiable by or in relation to such data | Personal Data |
| Data Principal | The person whose data is being processed (the user/customer) | Data Subject |
| Data Fiduciary | The entity that decides why and how personal data is processed | Data Controller |
| Data Processor | A third party that processes data on behalf of a Data Fiduciary | Data Processor |
| Consent Manager | A registered intermediary that helps Data Principals manage consents across Fiduciaries | No direct equivalent |
| Significant Data Fiduciary (SDF) | A Data Fiduciary notified by the Central Government with enhanced obligations | No direct equivalent (roughly, a large Controller) |
| Data Protection Board | The regulator; adjudicates violations and issues penalties | Supervisory Authority / DPA |

Where most practitioners get confused: the distinction between Data Fiduciary and Data Processor. A simple test: Who decides the purpose?

If you decide why and how the data is processed, you are the Data Fiduciary. If you merely execute what another entity tells you to do with that data, you are a Data Processor. A SaaS email provider (like Mailchimp or SendGrid) is a Processor for the business that uses it. But the same SaaS, for its own marketing database, is a Fiduciary. You can be both simultaneously for different data flows — and most SaaS companies are.

The six grounds for processing

Under Section 7, a Data Fiduciary may process personal data only on one of six legal bases:

  1. Consent — free, specific, informed, unconditional, unambiguous, clear affirmative action. This is the default.
  2. Legitimate use — voluntary provision — where a Data Principal voluntarily provides data for a specific purpose (e.g. you give your email to get a coupon).
  3. Legitimate use — state functions — for providing or issuing subsidies, licences, benefits, permits, or services by the State.
  4. Legitimate use — medical emergency — to respond to an imminent threat to life or health.
  5. Legitimate use — employment — for purposes related to employment, including preventing misconduct or providing benefits.
  6. Legitimate use — disaster management — to respond to a disaster or public-order incident.

Practitioners should notice: “legitimate interest” as a broad catch-all (which GDPR allows) is not a ground under DPDP. You cannot hand-wave with “it’s in our legitimate business interest” the way GDPR controllers sometimes do. Either you have specific consent, or you fit one of the five narrow legitimate-use categories. This is stricter than GDPR on paper — though in practice, “voluntary provision” has become the catch-all Indian startups lean on.

Rights of the Data Principal

The Act grants seven rights. Your product must support each of them. If you cannot demonstrate compliance for even one, you are exposed.

  1. Right to access information (Section 11) — the Data Principal can ask what data you hold about them, for what purpose, and whom you’ve shared it with.
  2. Right to correction (Section 12) — inaccurate or incomplete data must be correctable.
  3. Right to erasure (Section 12) — data no longer necessary for the purpose must be deletable on request, subject to legal retention requirements.
  4. Right to grievance redressal (Section 13) — the Data Principal must have a mechanism to complain, with escalation to the Data Protection Board if unsatisfied.
  5. Right to nominate (Section 14) — the Data Principal can nominate someone to exercise these rights in case of death or incapacity.
  6. Right to withdraw consent — and withdrawal must be as easy as giving consent in the first place. Think: the “Unsubscribe” link in every marketing email.
  7. Right to not be subject to automated decisions — read this alongside the Rules; the clearest operational requirement is transparency when a user is subject to automated decision-making.

Each of these rights requires a process, a named responder, and an SLA. The Act says you must respond in a “reasonable time” — the draft Rules lean toward 14 days as the operational answer.

Notice and consent — the public-facing contract

Section 5 requires that when you collect personal data, you provide a Notice that includes:

  • The purposes of processing
  • How the Data Principal can withdraw consent
  • How the Data Principal can file a grievance with you
  • How to complain to the Data Protection Board of India

The Notice must be available in English and any of the 22 languages in the Eighth Schedule to the Constitution. For a product aimed at Tier-2 and Tier-3 India, English alone is a compliance gap.

Consent must be:

  • Free — no coercion, no bundling of consent with irrelevant terms
  • Specific — each purpose must be separately consented to (no “I agree to everything” umbrella)
  • Informed — the Data Principal must understand what they’re agreeing to
  • Unconditional — you cannot make provision of a service dependent on consent for processing that is not strictly needed for that service
  • Unambiguous — clear affirmative action; no pre-ticked boxes, no “implied consent via continued use of the site”

Withdrawal must be as easy as giving consent. If signing up took one click, unsubscribing must take one click. If adding a data type needed an in-app toggle, removing it needs the same toggle — not a 10-step process hidden in a sub-menu.

Children’s data — the red line

Section 9 treats children (under 18 in Indian law) separately. Before processing the personal data of a child, a Data Fiduciary must obtain verifiable parental consent. Behavioural monitoring, targeted advertising, and tracking of children are also prohibited.

The practical challenges are significant: how do you verify parental consent at scale without collecting even more sensitive data from the parent? The draft Rules point toward DigiLocker-based verification or consent through a registered Consent Manager. In the interim, most Indian consumer tech products aimed at under-18s are operating in a grey zone — which is why the biggest players (ed-tech, gaming, social) are under active scrutiny.

For a startup: if your product could plausibly attract users under 18, you need either an age-gate at signup or a compliance plan for parental consent. Do not assume “we didn’t know” will be a defence.

Significant Data Fiduciaries (SDFs)

Section 10 empowers the Central Government to notify certain Data Fiduciaries as Significant. The criteria include the volume and sensitivity of data processed, risk to Data Principals’ rights, risk to electoral democracy, risk to state security, and risk to public order.

Once designated, an SDF must:

  • Appoint a Data Protection Officer (DPO) based in India
  • Appoint an independent Data Auditor
  • Conduct periodic Data Protection Impact Assessments (DPIAs)
  • Conduct periodic audits and comply with other obligations as the Board prescribes

As of early 2026, specific SDF notifications have been limited. Expect large banks, telcos, e-commerce marketplaces, consumer tech platforms with hundreds of millions of users, and insurers to be in the first waves of designation. If your organisation is regulated by RBI, SEBI, IRDAI or processes more than a few million Data Principals’ worth of data, start preparing as if SDF status is inevitable.

Penalties under Section 33

The Schedule to Section 33 sets maximum penalties per category of violation:

  • ₹250 crore — failure to take reasonable security safeguards to prevent personal data breach
  • ₹200 crore — failure to notify the Board and affected Data Principals of a breach
  • ₹200 crore — non-compliance with obligations relating to children’s personal data
  • ₹150 crore — non-compliance with additional obligations of a Significant Data Fiduciary
  • ₹50 crore — breach of any other provision of the Act or Rules
  • ₹10,000 — breach of a Data Principal’s own duties (Section 15)

These are maximums per violation category, not per Data Principal. The Board determines the actual penalty based on: the nature, gravity, and duration of the breach; the kind of personal data affected; the number of Data Principals affected; whether the Data Fiduciary has a history of violations; whether the Fiduciary cooperated; and what remedial action was taken.

An SME that experiences a small breach, notifies within 72 hours, has documented controls, and cooperates with the Board will see far smaller penalties than the stated maximums. A repeat offender who fails to notify and obstructs investigation can plausibly face penalties in the tens of crores. If you want to model your own exposure, use the DPDP Penalty Calculator.

Breach notification — the 72-hour rule

Section 8(6) requires that when a personal data breach occurs, the Data Fiduciary must notify the Data Protection Board and each affected Data Principal. The draft Rules are tightening this to a 72-hour Board notification window with a specific notification format.

What counts as a “breach”? Unauthorised processing, disclosure, acquisition, or loss of personal data which compromises its confidentiality, integrity, or availability. This includes:

  • A successful external attack that exfiltrates data
  • An insider taking a database export without authorisation
  • A misconfigured S3 bucket exposing data to the public internet
  • A lost or stolen laptop with unencrypted personal data
  • Accidental disclosure (sending an email to the wrong list)
  • Ransomware encryption of personal data (even without exfiltration, because availability is compromised)

The practical implication: you need an incident-response plan that is ready to execute within hours. If your team only learns of a breach three weeks after it happened, every further hour of delay adds to your regulatory exposure.

The Data Protection Board of India

The DPDP Act establishes the Data Protection Board of India — an independent adjudicatory body that investigates complaints, conducts inquiries, and imposes penalties. The Board operates as a digital-first body; submissions and hearings are expected to be entirely online for most matters.

Data Principals can complain directly to the Board if their grievance was not resolved by the Data Fiduciary. The Board has powers to summon, require the production of documents, examine on oath, and issue binding orders. Appeals from the Board go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

What changes when the Rules are notified

The Act is the skeleton. The Rules (subordinate legislation) are the flesh. Expect the final Rules to clarify:

  • The exact time windows for responding to Data Principal rights requests
  • Breach notification format, timing, and content
  • How verifiable parental consent must work operationally
  • Registration and conduct of Consent Managers
  • Thresholds for SDF designation
  • The format and frequency of DPIAs and audits

As a practitioner, keep one browser tab on the MeitY website and another on the Gazette of India. When the Rules are finalised, you will have a transition window to comply — typically 6 to 18 months. Organisations that have been quietly preparing will sail through; those that waited will scramble.

Quick reference summary

  • DPDP Act — India’s first comprehensive data-protection law, passed 2023
  • Applies to — any digital processing of personal data of Indian persons
  • Data Fiduciary = decides purpose · Data Processor = executes on behalf of Fiduciary
  • Six grounds for processing: Consent, Voluntary provision, State functions, Medical emergency, Employment, Disaster
  • Consent must be free, specific, informed, unconditional, unambiguous
  • Seven rights: Access, Correction, Erasure, Grievance, Nominate, Withdraw consent, Automated-decision transparency
  • Children (<18) — verifiable parental consent required; no tracking or targeted ads
  • SDFs — appoint DPO, Auditor, conduct DPIAs, audits
  • Penalties — up to ₹250 crore per violation category
  • Breach notification — to Board and affected Principals, 72-hour window (per draft Rules)
  • Regulator — Data Protection Board of India

Take the quiz below to confirm you’ve absorbed the foundations. Pass with 70%+ to mark this module complete and unlock the next one — Data Mapping Workshop, where we go from the theory into a 90-minute practical exercise of mapping every personal-data flow in a sample Indian SaaS.
