DPDP Act 2023 · India's Data Protection Law · 2026

Everything about DPDP Act 2023 for Indian businesses

India's Digital Personal Data Protection Act 2023 reaches every business that processes Indians' personal data — direct or via vendors. This pillar explains what DPDP requires, who's affected, what to ship, and links to every RingSafe resource on the topic — guides, checklists, calculator, assessment tool, and 20+ practitioner blog posts.

Max penalty: ₹250 cr
Breach notify: 72 hrs
SDF expects: DPO + DPIA
Rules: 2025–26
01 · Definition

What DPDP Act 2023 is

The Digital Personal Data Protection Act 2023 received Presidential assent on 11 August 2023. It governs the processing of digital personal data by Data Fiduciaries within India and Data Fiduciaries outside India that offer goods or services to data principals in India. It establishes the Data Protection Board, enumerates data principal rights, sets fiduciary obligations, and creates a graded penalty regime up to ₹250 crore per instance.

Implementation is staged via DPDP Rules notified in tranches by MeitY. As of 2026, several Rules have been issued (consent management, breach notification format, children's data verification, SDF designation criteria); some remain pending. Track the MeitY notifications page; treat the Act as in force and the Rules as filling in operational details.

Personal data lifecycle under DPDP (diagram): Collect (notice + consent, §5–6) → Process (lawful purpose, §7) → Store (security safeguards, §8) → Share (processors & transfers) → Erase (retention + breach, §8(7))
02 · Audience

Who DPDP applies to

  • Data Fiduciaries — entities that determine the purpose and means of processing. Almost every Indian business with a customer database, employee records, or vendor data.
  • Data Processors — entities that process on behalf of fiduciaries (cloud, SaaS, BPOs, IT-services).
  • Significant Data Fiduciaries (SDFs) — to be designated by the Central Government based on volume/sensitivity/impact. Carry extra obligations: DPO, DPIA, independent data audit.
  • Cross-border — non-Indian fiduciaries offering goods or services to Indian data principals are in scope.
  • Out of scope — non-digital personal data; personal/domestic processing; lawfully made publicly available data; research/statistical/archival in approved circumstances.
03 · Rights & duties
Two sides of the Act

Your rights & duties under DPDP

What data principals can demand (§11–14), and what fiduciaries must do in return (§8–9).

Data principal rights (§11–14)

  • Right to information — what data, why, who it's shared with.
  • Right to access — copy of personal data being processed.
  • Right to correction & erasure — fix inaccurate, complete incomplete, update old, erase no-longer-necessary.
  • Right of grievance redressal — first to fiduciary; then to Data Protection Board.
  • Right to nominate — designate person to exercise rights in case of incapacity / death.

Fiduciary obligations (§8–9)

  • Notice in clear, plain language at consent collection.
  • Process for specified purpose only (purpose limitation).
  • Reasonable security safeguards (the de facto §8(5) requirement).
  • Breach notification to DPB and affected individuals (timelines per Rules).
  • Data accuracy, retention only for as long as necessary, secure erasure.
  • Grievance redressal mechanism.
  • Children's data — verifiable parental consent; no behavioural monitoring or targeted advertising.
04 · The 90-day plan
Start here

What to ship — in this order

The right starting sequence for any Indian business building DPDP foundations from scratch.

Step 1

Data Mapping & Inventory

Every system that holds personal data, every category, every flow. The foundation everything else rests on.

Step 2

Lawful Basis & Consent UX

Per processing operation: consent or specified legitimate use. Build a granular, revocable consent UX.

Step 3

Notice + Privacy Policy

Plain-language notices at collection points. Public privacy policy reflecting actual processing.

Step 4

DSR Workflow

Operational workflow for access, correction, erasure, grievance — with an SLA you can prove.

Step 5

Vendor / DPA

DPAs with every processor. Sub-processor disclosure. Audit rights. Breach-notification flow-down.

Step 6

Security Safeguards

Encryption, access control, logging, MFA, retention, secure deletion — the §8(5) baseline.

Step 7

Breach Playbook

72-hour clock, DPB + affected-individual notification templates, tabletop-tested.

Step 8

SDF readiness

If likely SDF: appoint DPO, plan DPIA cycle, scope independent data audit.

05 · Resources
Pillar & spoke

Every RingSafe DPDP resource, by type

Guides, free tools, services, academy modules and related hubs — grouped so you can jump straight to what you need.

Guides & theory (1)
Free tools (3)
Services (1)
Academy modules (6)
Related hubs (1)
06 · FAQ
FAQ

DPDP Act 2023 — questions we get

Are we already in scope of DPDP, or do we wait for Rules?

The Act is in force. Several Rules are notified; others are pending. The pragmatic answer is: don't wait. Most fiduciary obligations (notice, lawful basis, security, breach notification, grievance redressal, retention limits) are clear from the Act itself. Rules fill in operational details (formats, timelines, SDF criteria), not whether the Act applies. Build now; tune as Rules notify.

What's the difference between DPDP and GDPR?

Conceptually similar, operationally different. DPDP has narrower lawful bases (consent + specified legitimate uses; no broad "legitimate interests"). DPDP cross-border rules use a government negative list (when notified) rather than adequacy. DPDP has no "right to be forgotten" that overrides retention obligations; rights are read more narrowly than under GDPR. DPDP penalties are fixed amounts (₹250 cr max) versus GDPR's revenue-percentage. A GDPR programme covers most DPDP needs, but verify each specific clause.

What makes us a Significant Data Fiduciary (SDF)?

SDF designation comes from the Central Government based on volume of data, sensitivity, risk to data principals' rights, impact on India's sovereignty/integrity/electoral/public-order, and other listed factors. Fintech, healthtech, large e-commerce, social media, edtech, and some BPOs are likely candidates. SDFs must appoint a DPO, conduct DPIAs, and undergo independent data audits.

What about cross-border data transfer?

DPDP §16 takes a different approach from GDPR — transfers are permitted unless the destination country is on the Central Government's negative list (when notified). For sectorally regulated entities (RBI / SEBI / IRDAI / NPCI / UIDAI), sectoral localisation rules also apply. Build for India-primary storage with a cross-border DR/safeguards layer; that posture survives most regulatory changes.

Do startups under a certain size have exemptions?

The Central Government may notify exemptions for certain classes of fiduciaries (e.g., startups by turnover/age) under §17. Until specific notifications, all fiduciaries are in scope. Practical interpretation: if you have a data inventory, lawful basis per processing, security safeguards, and a DSR workflow, you're substantially compliant regardless of size.

What does "reasonable security safeguards" mean operationally?

The Act doesn't specify controls — it expects "reasonable" to scale with risk. Operationally we recommend: encryption at rest (AES-256) and in transit (TLS 1.2+); MFA on privileged access; centralised logging with retention; quarterly access review; vendor due diligence; tested breach playbook; annual VAPT for material systems; documented incident response. Track ISO 27001 / SOC 2 control families as a working baseline.
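To make the baseline above checkable rather than aspirational, here is an added policy-as-code example (written for this page, not RingSafe's tooling) that audits a constructed inventory of systems against the controls just listed: AES-256 at rest, TLS 1.2+, MFA on privileged access, centralised logging with a retention period, a quarterly access review, an annual VAPT for material systems, and a tested breach playbook. The system records, the date, the finding codes and the exact cadence thresholds (92 days for "quarterly", 366 for "annual") are assumptions chosen for the example.

```python
from datetime import date, timedelta

# Thresholds are our reading of the page's wording ("quarterly", "annual"); they are assumptions.
MIN_TLS = (1, 2)
ACCESS_REVIEW_MAX_AGE = timedelta(days=92)
VAPT_MAX_AGE = timedelta(days=366)


def parse_tls(version: str) -> tuple:
    """Turn 'TLS 1.2' / 'TLSv1.3' into a comparable (major, minor) tuple."""
    digits = version.upper().replace("TLSV", "").replace("TLS", "").strip()
    major, minor = digits.split(".")
    return int(major), int(minor)


def check_system(system: dict, today: date) -> list:
    """Return finding codes for one system record; an empty list means the baseline is met."""
    findings = []

    # Encryption at rest: the page names AES-256 as the expected baseline.
    if not str(system.get("at_rest_cipher", "")).startswith("AES-256"):
        findings.append("AT_REST_ENCRYPTION")

    # Encryption in transit: minimum protocol version must be TLS 1.2 or newer.
    if parse_tls(system.get("tls_min", "TLS 1.0")) < MIN_TLS:
        findings.append("TLS_BELOW_1_2")

    # MFA on privileged (admin) access.
    if not system.get("privileged_mfa"):
        findings.append("NO_PRIVILEGED_MFA")

    # Centralised logging with a configured retention period.
    if not (system.get("central_logging") and system.get("log_retention_days", 0) > 0):
        findings.append("LOG_RETENTION")

    # Quarterly access review.
    last_review = system.get("last_access_review")
    if last_review is None or today - last_review > ACCESS_REVIEW_MAX_AGE:
        findings.append("ACCESS_REVIEW_OVERDUE")

    # Annual VAPT, required only for systems flagged as material.
    if system.get("material"):
        last_vapt = system.get("last_vapt")
        if last_vapt is None or today - last_vapt > VAPT_MAX_AGE:
            findings.append("VAPT_OVERDUE")

    # Breach playbook must have been exercised (tabletop-tested).
    if not system.get("breach_playbook_tested"):
        findings.append("PLAYBOOK_UNTESTED")

    return findings


def audit(systems: list, today: date) -> dict:
    """Map each system name to its list of findings."""
    return {s["name"]: check_system(s, today) for s in systems}


# Constructed sample inventory (not real systems) and a fixed audit date.
TODAY = date(2026, 3, 1)
SAMPLE_SYSTEMS = [
    {"name": "crm", "material": True, "at_rest_cipher": "AES-256-GCM", "tls_min": "TLS 1.2",
     "privileged_mfa": True, "central_logging": True, "log_retention_days": 365,
     "last_access_review": date(2026, 1, 15), "last_vapt": date(2025, 11, 2),
     "breach_playbook_tested": True},
    {"name": "legacy-hr", "material": True, "at_rest_cipher": "none", "tls_min": "TLSv1.0",
     "privileged_mfa": False, "central_logging": True, "log_retention_days": 0,
     "last_access_review": date(2025, 6, 1), "last_vapt": None,
     "breach_playbook_tested": False},
    {"name": "internal-wiki", "material": False, "at_rest_cipher": "AES-256", "tls_min": "TLS 1.3",
     "privileged_mfa": True, "central_logging": True, "log_retention_days": 90,
     "last_access_review": date(2026, 2, 1), "last_vapt": None,
     "breach_playbook_tested": True},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SYSTEMS, TODAY).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

Run against the sample, `crm` and `internal-wiki` come back clean (the wiki is not material, so no VAPT is expected of it) while `legacy-hr` trips every check. The same record shape can be fed from a CMDB export, which is how the data-mapping step and the safeguards step end up sharing one inventory.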

How long do we have to notify a breach?

The Act requires notification "without delay". The Rules notified to date specify within 72 hours of becoming aware of a breach (notice format prescribed). The clock runs from awareness, not investigation completion. Build a breach playbook that hits the timeline even with partial information; supplement later.
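The breach playbook in Step 7 and the answer above both turn on one mechanic: the 72-hour clock starts at awareness, an initial notice goes out even with partial facts, and supplements follow. The following added example (not RingSafe's code, and not an official notice format) models that as a small incident record: it computes the deadline from the awareness timestamp, reports open / notified / overdue status, refuses a second "initial" notice, and lists which facts were still pending in the latest notice so the next supplement knows what to chase. The incident id, timestamps and fact fields are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# 72-hour window from awareness, as the page describes the Rules notified to date.
NOTIFY_WINDOW = timedelta(hours=72)


@dataclass
class Notice:
    kind: str            # "initial" or "supplementary"
    sent_at: datetime
    known_facts: dict    # what was known when this notice went out; None marks a pending fact


@dataclass
class BreachRecord:
    incident_id: str
    aware_at: datetime   # the clock starts here, not when the investigation finishes
    notices: list = field(default_factory=list)

    def deadline(self) -> datetime:
        return self.aware_at + NOTIFY_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left on the clock (negative once the deadline has passed)."""
        return (self.deadline() - now) / timedelta(hours=1)

    def initial_notice(self):
        for n in self.notices:
            if n.kind == "initial":
                return n
        return None

    def status(self, now: datetime) -> str:
        """'notified' once an initial notice exists; otherwise 'open' or 'overdue'."""
        if self.initial_notice() is not None:
            return "notified"
        return "open" if now <= self.deadline() else "overdue"

    def initial_notice_on_time(self) -> bool:
        n = self.initial_notice()
        return n is not None and n.sent_at <= self.deadline()

    def record_notice(self, kind: str, sent_at: datetime, known_facts: dict) -> None:
        """Append a notice; only one initial notice is allowed, later ones are supplements."""
        if kind not in ("initial", "supplementary"):
            raise ValueError(f"unknown notice kind: {kind}")
        if kind == "initial" and self.initial_notice() is not None:
            raise ValueError("initial notice already sent; use 'supplementary'")
        self.notices.append(Notice(kind, sent_at, dict(known_facts)))

    def open_questions(self) -> list:
        """Fact fields still pending (None) in the most recent notice."""
        if not self.notices:
            return []
        latest = self.notices[-1].known_facts
        return sorted(k for k, v in latest.items() if v is None)


# Constructed sample timeline (not a real incident).
AWARE_AT = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)


def hours_after_awareness(hours: float) -> datetime:
    """Build a timestamp relative to the constructed awareness time."""
    return AWARE_AT + timedelta(hours=hours)


def demo_record() -> BreachRecord:
    """Initial notice at T+30h with partial facts, one supplement at T+70h."""
    rec = BreachRecord("INC-EXAMPLE-001", AWARE_AT)  # placeholder incident id
    rec.record_notice("initial", hours_after_awareness(30),
                      {"affected_count": None, "data_categories": ["contact details"],
                       "root_cause": None})
    rec.record_notice("supplementary", hours_after_awareness(70),
                      {"affected_count": 1200, "data_categories": ["contact details"],
                       "root_cause": None})
    return rec


if __name__ == "__main__":
    rec = demo_record()
    now = hours_after_awareness(60)
    print(rec.incident_id, rec.status(now), f"{rec.hours_remaining(now):.1f}h left",
          "pending:", rec.open_questions())
```

The point to take from the model is that `status()` depends only on whether an initial notice exists, not on how complete the investigation is; the still-`None` facts are what drive the supplementary notices rather than what delays the first one.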

Do we need a DPO?

Mandatory only for SDFs. Voluntary appointment is sensible if you process material personal data — it's a market signal to enterprise buyers and structurally helpful even pre-SDF. The DPO must be based in India, accessible to data principals, and report to the board.

Free 30-min consultation

Get DPDP-defensible in 90 days

A 30-minute working call. We map your data flows, identify SDF risk, and walk through the right 90-day sequence for your business.