Compliance

DPDP Act 2023: What Indian Businesses Need to Know and Do Now

Manish Garg
Associate CISSP · RingSafe
April 18, 2026
3 min read

India’s Digital Personal Data Protection Act (DPDP Act) 2023 is in force: it received Presidential assent in August 2023, and the DPDP Rules 2025 that operationalise it were notified in November 2025 with obligations phased in over the following 12 to 18 months. If your business collects, stores, or processes digital personal data of individuals in India, or offers goods or services to them from abroad, this applies to you regardless of where your company is incorporated.

This guide cuts through the legal language and gives you a practical breakdown: what the Act requires, what the penalties are, and what you need to do right now.

What Is the DPDP Act?

The Digital Personal Data Protection Act 2023, enacted in August 2023, is India’s first comprehensive data protection law. It governs how organisations that decide the purpose and means of processing, called Data Fiduciaries, collect and process the personal data of individuals, called Data Principals. Processors acting on a fiduciary’s behalf are Data Processors, but the legal obligations sit with the fiduciary. Enforcement, including inquiries and monetary penalties, is handled by the Data Protection Board of India.

Who Does It Apply To?

  • Indian companies collecting user data online
  • Foreign companies offering services to Indian residents
  • Startups, SMEs, and enterprises — size does not exempt you
  • SaaS products with Indian users
  • Fintech, healthtech, and e-commerce platforms

If you have users in India and collect any personal data in digital form (or collect it on paper and later digitise it), including names, emails, phone numbers, location, or financial data, this law applies to you. The Act reaches processing outside India when it is connected with offering goods or services to Data Principals within India, so a foreign SaaS company cannot rely on its place of incorporation to stay out of scope.

Key Requirements

Consent Is Central

Unless you can rely on one of the Act’s enumerated "legitimate uses" (for example, data the individual voluntarily provided for a specified purpose, or processing needed for employment), you must obtain free, specific, informed, unconditional and unambiguous consent given by a clear affirmative action, and the consent request must be accompanied by a notice describing the data and the purpose. No buried checkboxes, no pre-ticked fields, no bundled terms. Data Principals can withdraw consent at any time, withdrawal must be as easy as giving it, and after withdrawal you must stop the processing that rested on that consent within a reasonable time.

Purpose Limitation

Data collected for one purpose cannot be used for another. If a user gives you their phone number for delivery updates, you cannot use it for marketing without separate consent.
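The two requirements above (purpose-specific consent, and no reuse for a different purpose) are easiest to honour when consent is stored per purpose and every use of the data is gated on it. The following is an added illustration, not RingSafe code and not language from the Act: it assumes purposes are short identifiers that match what the notice told the Data Principal, and records grants and withdrawals as immutable events so the register can answer "was this use permitted at time T?" for an audit. The identifiers, form names and phone number are constructed sample values.

```python
"""Purpose-scoped consent register (added illustration; assumptions are hypothetical).

Design: an append-only ledger of ConsentEvent records. The latest event for a
(principal, purpose) pair at or before the time of the check decides whether
that purpose is currently consented; no event at all means no consent.
"""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime           # UTC timestamp of the Data Principal's action
    source: str            # where it was captured, e.g. "checkout-form-v3"


class ConsentRequired(Exception):
    """Raised when data would be used for a purpose that has no live consent."""


class ConsentRegister:
    def __init__(self, declared_purposes: Set[str]) -> None:
        # Only purposes named in the notice may ever be consented to.
        self._declared = set(declared_purposes)
        self._events: List[ConsentEvent] = []

    def _record(self, principal_id: str, purpose: str, granted: bool,
                source: str, at: Optional[datetime]) -> ConsentEvent:
        if purpose not in self._declared:
            raise ValueError(f"purpose {purpose!r} was never declared in the notice")
        ev = ConsentEvent(principal_id, purpose, granted,
                          at or datetime.now(timezone.utc), source)
        self._events.append(ev)          # never edit or delete: audit trail
        return ev

    def grant(self, principal_id, purpose, source, at=None) -> ConsentEvent:
        return self._record(principal_id, purpose, True, source, at)

    def withdraw(self, principal_id, purpose, source, at=None) -> ConsentEvent:
        # Withdrawal is one call, no harder than granting.
        return self._record(principal_id, purpose, False, source, at)

    def is_permitted(self, principal_id, purpose, at=None) -> bool:
        """Latest event at or before `at` wins; absence of events means False."""
        at = at or datetime.now(timezone.utc)
        state = False
        for ev in sorted(self._events, key=lambda e: e.at):
            if ev.principal_id == principal_id and ev.purpose == purpose and ev.at <= at:
                state = ev.granted
        return state

    def history(self, principal_id) -> List[ConsentEvent]:
        # Feeds an access request: every consent decision this person made.
        return [ev for ev in self._events if ev.principal_id == principal_id]


def use_phone_number(register: ConsentRegister, principal_id: str,
                     phone: str, purpose: str) -> str:
    """Every use of the phone number passes through the purpose check."""
    if not register.is_permitted(principal_id, purpose):
        raise ConsentRequired(f"{principal_id}: no consent for {purpose!r}")
    return f"{purpose}: message sent to {phone}"


def demo() -> Dict[str, object]:
    """Walk through grant, blocked reuse, separate grant, withdrawal, audit lookup."""
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)     # constructed timestamp
    reg = ConsentRegister({"delivery_updates", "marketing"})
    reg.grant("dp-1001", "delivery_updates", "checkout-form-v3", at=t0)
    out: Dict[str, object] = {}
    out["delivery_ok"] = use_phone_number(reg, "dp-1001", "+91-98xxxxxx01", "delivery_updates")
    try:                                 # same number, different purpose: refused
        use_phone_number(reg, "dp-1001", "+91-98xxxxxx01", "marketing")
        out["marketing_blocked"] = False
    except ConsentRequired:
        out["marketing_blocked"] = True
    reg.grant("dp-1001", "marketing", "preferences-page", at=t0 + timedelta(days=1))
    out["marketing_after_grant"] = reg.is_permitted("dp-1001", "marketing")
    reg.withdraw("dp-1001", "marketing", "unsubscribe-link", at=t0 + timedelta(days=30))
    out["marketing_after_withdraw"] = reg.is_permitted("dp-1001", "marketing")
    # Point-in-time question an auditor asks: was a day-5 marketing SMS lawful?
    out["marketing_on_day_5"] = reg.is_permitted("dp-1001", "marketing", at=t0 + timedelta(days=5))
    try:                                 # purpose absent from the notice: refused
        reg.grant("dp-1001", "profiling", "hidden-checkbox", at=t0)
        out["undeclared_rejected"] = False
    except ValueError:
        out["undeclared_rejected"] = True
    out["events_for_access_request"] = len(reg.history("dp-1001"))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the `at` parameter on `is_permitted` is that a consent register has to answer two questions: "may I do this now?" at the moment of use, and "was that use lawful at the time?" months later when a grievance or Board inquiry arrives. An append-only event list answers both; a mutable "marketing_opt_in" boolean on the user row answers only the first.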

Data Minimisation

Collect only what you actually need. Excess data increases breach risk and compliance liability.

Data Principal Rights

Data Principals have the right to: obtain a summary of the personal data you hold on them and of the processing you carry out, correct or update inaccurate data, have their data erased once the purpose is served (unless a law requires you to retain it), nominate a person to exercise these rights if they die or become incapacitated, and have grievances heard. You need a documented process, with a published contact point, to receive, authenticate and answer these requests within the timelines the Rules prescribe.

Breach Notification

In the event of a personal data breach, you must notify both the Data Protection Board and each affected Data Principal, in the form and within the timelines set out in the DPDP Rules 2025, which expect prompt initial notice followed by a fuller report to the Board. The penalty attaches to the failure to notify, not only to the breach itself, so an unintentional incident that is detected late or reported incompletely still exposes you.

Penalties for Non-Compliance

The Act’s Schedule sets a separate ceiling for each kind of failure, applied per instance: up to Rs 250 crore for failing to take reasonable security safeguards to prevent a breach, up to Rs 200 crore for failing to notify the Board and affected Data Principals of a breach, up to Rs 200 crore for breaching obligations relating to children’s data, up to Rs 150 crore for Significant Data Fiduciary obligations, and up to Rs 50 crore for any other contravention. (The Rs 500 crore figure sometimes quoted comes from the 2022 draft bill, not the enacted law.) With the Rules now notified, the question is no longer whether enforcement will start but which obligations come into force on which date.

Your DPDP Readiness Checklist

  • Map your data: Document what personal data you collect, where it is stored, who has access, and how long you retain it
  • Audit consent mechanisms: Every form, pop-up, and sign-up flow must be specific, informed, and recorded
  • Update your Privacy Policy: Clearly explain what you collect, why, how it is used, and how users exercise their rights
  • Build a rights fulfilment process: Workflow for access, correction, and erasure requests
  • Implement security controls: The Rules name the baseline expected of a fiduciary, including encryption, masking or tokenisation of personal data, access control, logging and monitoring to detect unauthorised access, and backups to preserve availability; make sure the same obligations flow down by contract to your processors
  • Prepare a breach response plan: Know who to notify, when, and how

The Security Connection

DPDP compliance is fundamentally a security exercise. The requirement to protect personal data with appropriate technical and organisational measures means your security posture directly determines your compliance posture.

Organisations that have invested in access controls, encryption, vulnerability management, and incident response will find DPDP compliance significantly easier.

Unsure where your organisation stands? Book a free DPDP readiness consultation with RingSafe — we will walk through your data handling practices, identify gaps, and give you a realistic compliance roadmap.