01 Act overview
The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law. It received Presidential assent on 11 August 2023. Its provisions come into force on dates notified by the Central Government (§1(2)), and the operational detail sits in the DPDP Rules, notified in stages from 2025 onwards.
The Act regulates how organisations process the digital personal data of Data Principals within the territory of India. It defines Data Principals (individuals), Data Fiduciaries (controllers) and Data Processors, and creates the Data Protection Board of India (DPBI) as the adjudicating and enforcement authority.
02 Who it applies to
DPDP applies (§3) to the processing of digital personal data:
- Within India — collected in digital form, or collected in non-digital form and digitised afterwards.
- Outside India — where the processing is in connection with offering goods or services to Data Principals within India.
It does not apply to personal data processed by an individual for personal or domestic purposes, or to personal data that the Data Principal has made publicly available themselves or that is made public under a legal obligation. Employment-related processing is not an exemption: it is a "legitimate use" under §7 for which consent is not required, but the Act's other obligations (safeguards, breach notification, erasure) still apply. §17 carries further exemptions, for example for enforcing legal claims, courts and law enforcement, and research or statistical purposes, and lets the Central Government exempt notified State instrumentalities.
03 Key actors defined
- Data Principal — the individual to whom the personal data relates (you, the user); for a child this includes the parent or lawful guardian.
- Data Fiduciary — the entity that, alone or with others, determines the purpose and means of processing (the company holding your data).
- Data Processor — processes data on behalf of a Fiduciary (the SaaS, the cloud, the analytics vendor).
- Significant Data Fiduciary (SDF) — a Fiduciary or class of Fiduciaries notified by the Central Government based on volume and sensitivity of data, risk to Data Principals, and impact on sovereignty, electoral democracy, security of the State or public order (see section 07 below).
- Consent Manager — an intermediary, registered with the Board, through which a Principal can give, manage, review and withdraw consent (registration conditions and duties are set by the Rules).
04 Consent requirements
Consent under §6 must be:
- Free — no coercion and not bundled with unrelated services.
- Specific — tied to a defined purpose, and limited to the personal data necessary for that purpose.
- Informed — the Principal must understand what they are consenting to.
- Unconditional — access to the service must not be made conditional on consenting to processing the service does not need.
- Unambiguous — a clear affirmative action, not pre-ticked boxes.
Before or at the time of seeking consent, the Fiduciary must give a notice (§5) in plain language, understandable on its own and separate from Terms of Service, covering: what personal data is collected and for what purpose, how the Principal can exercise their rights and withdraw consent, how to complain to the Fiduciary, and how to complain to the Board.
Consent must be withdrawable, and the ease of withdrawing must be comparable to the ease of giving it (§6(4)). One-click signup means one-click withdrawal. Withdrawal is not retroactive: processing done before withdrawal stays lawful (§6(5)), but the Fiduciary must then cease processing within a reasonable time and make its Processors cease too, unless another law requires the processing to continue (§6(6)).
05 Data Principal rights
Chapter III (§§11–14) grants four rights; withdrawal of consent under §6 is the fifth in practice:
- Right to information (§11) — a summary of the personal data held and the processing done on it, and the identities of the Fiduciaries and Processors it has been shared with.
- Right to correction & erasure (§12) — correct inaccurate or misleading data, complete or update it, and have it erased once it is no longer needed for the specified purpose, unless retention is required by law.
- Right of grievance redressal (§13) — escalate to the Fiduciary's grievance mechanism first; a complaint to the Board lies only after that mechanism has been exhausted (§13(3)).
- Right to nominate (§14) — designate someone to exercise these rights if the Principal dies or becomes incapacitated.
- Right to withdraw consent (§6(4)) — at any time, with effect from withdrawal; earlier processing remains lawful.
06 Fiduciary obligations
If you're a Data Fiduciary, you must (§8):
- Remain responsible for compliance for every processing activity done on your behalf, including by a Processor (§8(1)); you cannot outsource the liability.
- Ensure completeness, accuracy and consistency of personal data that is used for decisions affecting the Principal or disclosed to another Fiduciary (§8(3)).
- Implement reasonable security safeguards to prevent a personal data breach, covering data held by your Processors too (§8(5)). This carries the highest penalty in the Schedule.
- Notify the Board and each affected Principal of a personal data breach (§8(6), see section 10 below).
- Erase personal data when consent is withdrawn or as soon as it is reasonable to assume the specified purpose is no longer being served, and make your Processors erase it too, unless retention is required by law (§8(7)). This is a standing retention schedule, not a one-off clean-up.
- Publish a Grievance Officer's contact details (the business contact of the DPO, for an SDF, or of a person able to answer questions about the processing, §8(8)) and run an effective grievance mechanism (§8(9)). The Act sets no response deadline; the Rules prescribe the timeline (an outer limit of 90 days), and sectoral regulators may require faster.
- Engage Data Processors only under a valid contract (§8(2)) that binds them to DPDP-equivalent obligations on safeguards, breach reporting and erasure.
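The three rules that most often get implemented wrongly are consent being purpose-specific (section 04), withdrawal taking effect from the moment of withdrawal rather than retroactively (§6(4)–(5)), and erasure once consent is withdrawn or the purpose is no longer served unless a law requires retention (§8(7)). The Python below is an added illustration of those rules as a consent ledger plus an erasure decision; it is not code from this page's authors or from any DPDP tooling. The purpose names, the per-purpose idle limits, the legal-hold field and the sample principals are assumptions made for the example.

```python
"""Purpose-bound consent ledger with DPDP-style withdrawal and erasure decisions.

Added illustration, not from the page. Assumptions: purpose names, idle limits,
the legal-hold field and the sample data are invented for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentEvent:
    principal_id: str
    purpose: str
    given: bool        # True = consent given, False = consent withdrawn
    at: datetime


@dataclass
class ConsentLedger:
    """Append-only record of purpose-specific consent events (the audit trail)."""
    events: list = field(default_factory=list)

    def give(self, principal_id: str, purpose: str, at: datetime) -> None:
        self.events.append(ConsentEvent(principal_id, purpose, True, at))

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> None:
        # Same call shape as give(): withdrawing must be as easy as consenting (§6(4)).
        self.events.append(ConsentEvent(principal_id, purpose, False, at))

    def allowed(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """Is processing for exactly this purpose permitted at time `at`?

        Consent is purpose-specific, so consent to one purpose never covers another,
        and withdrawal is not retroactive: the latest event at or before `at` decides,
        so a check dated before the withdrawal still returns True (§6(5)).
        """
        state = False
        for e in sorted(self.events, key=lambda e: e.at):
            if e.principal_id == principal_id and e.purpose == purpose and e.at <= at:
                state = e.given
        return state


@dataclass
class Record:
    principal_id: str
    purpose: str
    last_used: datetime                           # last time the purpose was actually served
    legal_hold_until: Optional[datetime] = None   # statutory retention end, if any (assumption)


# Assumed per-purpose idle limits after which the purpose is treated as no longer served.
PURPOSE_IDLE_LIMIT = {
    "order_fulfilment": timedelta(days=365),
    "marketing": timedelta(days=90),
}


def erasure_decision(ledger: ConsentLedger, rec: Record, now: datetime) -> tuple:
    """Return ("retain" | "erase", reason) for one record, following §8(7) ordering:
    a legal retention duty wins, then withdrawn consent, then a purpose gone stale."""
    if rec.legal_hold_until is not None and rec.legal_hold_until > now:
        return "retain", "retention required by law"
    if not ledger.allowed(rec.principal_id, rec.purpose, now):
        return "erase", "consent withdrawn or never given"
    if now - rec.last_used > PURPOSE_IDLE_LIMIT[rec.purpose]:
        return "erase", "purpose no longer served"
    return "retain", "consent active and purpose still served"


def demo() -> dict:
    """Constructed sample data; returns every decision so it can be checked."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    ledger = ConsentLedger()
    ledger.give("alice", "marketing", t0)
    ledger.give("alice", "order_fulfilment", t0)
    ledger.withdraw("alice", "marketing", t0 + 10 * day)   # one call, same shape as give()
    ledger.give("bob", "order_fulfilment", t0)

    now = t0 + 30 * day
    records = {
        "alice_marketing": Record("alice", "marketing", last_used=t0 + 5 * day),
        "alice_orders": Record("alice", "order_fulfilment", last_used=t0 + 20 * day),
        "bob_orders_held": Record("bob", "order_fulfilment", last_used=t0 - 400 * day,
                                  legal_hold_until=t0 + 3 * 365 * day),
        "bob_orders_stale": Record("bob", "order_fulfilment", last_used=t0 - 400 * day),
    }
    return {
        "marketing_before_withdrawal": ledger.allowed("alice", "marketing", t0 + 5 * day),
        "marketing_after_withdrawal": ledger.allowed("alice", "marketing", now),
        "analytics_never_consented": ledger.allowed("alice", "analytics", now),
        **{k: erasure_decision(ledger, r, now) for k, r in records.items()},
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points carry over to a real system: the ledger is append-only so every consent and withdrawal is provable to the Board with its timestamp, and the erasure routine checks the legal hold before anything else, because §8(7) and §12 both make "required by law" the only reason to keep data whose consent has gone.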
07 Significant Data Fiduciary
SDFs are Fiduciaries, or classes of Fiduciaries, notified by the Central Government under §10 based on:
- Volume and sensitivity of personal data processed.
- Risk to Data Principals.
- Potential impact on India's sovereignty & integrity.
- Electoral democracy risks.
- Security of the State or public order.
SDF additional obligations (§10(2)):
- Appoint a Data Protection Officer (DPO) based in India, answerable to the board of directors (or equivalent governing body) and acting as the point of contact for grievance redressal.
- Appoint an independent data auditor to evaluate compliance.
- Conduct periodic Data Protection Impact Assessments (DPIA).
- Carry out periodic audits, plus any further measures the Rules prescribe.
08 Children's data
Processing the personal data of a child (anyone under 18) requires verifiable consent of a parent or lawful guardian (§9); the same applies to a person with a disability who has a lawful guardian. Self-declaration is not sufficient: the Rules expect due diligence that the person consenting is an adult and is the parent or guardian, so you need a defensible verification mechanism and a record of it. Regardless of consent, a Fiduciary may not track or behaviourally monitor children, target advertising at them, or carry out any processing likely to have a detrimental effect on a child's well-being. The Rules carve out limited classes of Fiduciaries and purposes (for example certain healthcare and education providers, for defined purposes); check that a carve-out actually covers your processing before relying on it.
09 Cross-border transfers
§16 allows transfer of personal data outside India except to countries or territories the Central Government restricts by notification. This is a "negative list" model: transfers are presumptively allowed, and the Act itself requires no adequacy decision or standard contractual clauses. But §16(2) preserves any stricter law, so sectoral regulations (RBI, IRDAI, ABDM) can still impose localisation or in-country storage, and the Rules let the Central Government specify categories of data that SDFs must keep in India. Map your data flows, record the destination country for each processor and sub-processor, and check the sectoral overlays before treating a transfer as free.
10 Breach notification
§8(6) is short: in the event of a personal data breach, the Fiduciary must intimate both the Board and each affected Data Principal "in such form and manner as may be prescribed". There is no materiality or harm threshold in the Act, and the §2 definition of "personal data breach" covers unauthorised processing and accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access that compromises confidentiality, integrity or availability, so a ransomware incident that locks you out of personal data is notifiable even if nothing was exfiltrated. The Rules set the mechanics: tell affected Principals without delay, in plain language, what happened, what the consequences for them may be, what you are doing about it and what they can do to protect themselves; give the Board an initial intimation without delay; and follow up to the Board with the detailed report (facts and circumstances, cause, remediation, and the intimations sent to Principals) within 72 hours, or a longer period the Board allows on a written request.
What to have ready before a breach
- A documented breach response playbook with named roles.
- Pre-drafted notification templates (Board, Principal, public).
- Legal counsel on speed-dial.
- Forensics partner (or in-house DFIR team).
- An evidence-preservation procedure.
- An internal escalation path with sign-off authority on disclosure decisions.
11 Penalties
Penalties under §33 and the Schedule, imposed by the Board after an inquiry; each figure is a maximum per contravention:
| Contravention | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards (§8(5)) | ₹250 crore |
| Failure to notify the Board or affected Principals of a breach (§8(6)) | ₹200 crore |
| Breach of children's data obligations (§9) | ₹200 crore |
| Failure of additional SDF obligations (§10) | ₹150 crore |
| Any other provision of the Act or Rules (this is where Data Principal rights and grievance redressal fall) | ₹50 crore |
| Breach of a Data Principal's own duties (§15) | ₹10,000 |
In fixing the amount the Board weighs (§33(2)) the nature, gravity and duration of the contravention, the type and nature of the personal data affected, whether the conduct is repetitive, whether the person gained or avoided loss by it, what was done to mitigate, and whether the penalty is proportionate and effective. Use our DPDP Penalty Calculator to estimate exposure for a hypothetical breach.
12 Implementation timeline
Effective rollout is phased:
- Aug 2023: Act receives Presidential assent; substantive sections await commencement notifications under §1(2).
- 2025: Draft Rules published for consultation, then Rules notified (consent, notice, breach format, minimum safeguards).
- 2025–26: Board operationalised, SDF criteria notified.
- 2026: Cross-border restricted-country list expected.
- Ongoing: Sector-specific overlays from RBI, IRDAI, ABDM.
13 Practical checklist
If you're starting your DPDP programme today:
- Map your data flows — where does personal data enter, how does it move, where is it stored, who has access.
- Rebuild consent UX — DPDP-grade affirmative consent with easy withdrawal.
- Rewrite your privacy notice — plain language, separate from ToS.
- Name a Grievance Officer — contact details public, intake process documented.
- Build DSAR fulfilment — process for access, correction, erasure requests.
- Audit security safeguards — the Rules list minimum safeguards including encryption, obfuscation or masking of personal data, access control, logging and monitoring able to detect and investigate a breach with logs retained, backups to keep processing available, and contractual controls over processors. Map each to evidence you could show the Board.
- Sign DPAs with all processors — vendors, SaaS, cloud, analytics.
- Draft breach playbook — 72-hour ready, with templates pre-approved by legal.
- Run a tabletop — exercise the playbook before you need it.
- Track regulatory updates — Rules are still landing.
Run our DPDP self-assessment for a personalised score and remediation roadmap.
14 Next steps
If you'd like a second pair of eyes on your DPDP posture, we offer 30-minute scoping calls at no cost. We'll review your data flows, consent UX, breach posture, and tell you honestly which obligations apply most urgently to your business.
Get a DPDP scoping call
30 minutes. Your stack. Honest answers. We'll tell you whether you're closer to ₹250 cr exposure or ₹2 lakh.