The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s dedicated law for the protection of digital personal data. It governs how organisations (data fiduciaries) handle the personal data of individuals (data principals) in India, and is enforced by the Data Protection Board of India. This is a practical compliance guide, not legal advice.
Key definitions
| Term | Meaning |
|---|---|
| Data Principal | The individual to whom the personal data relates (for a child, the parent/lawful guardian) |
| Data Fiduciary | The entity that determines the purpose and means of processing personal data (like a GDPR controller) |
| Data Processor | An entity that processes personal data on behalf of a data fiduciary |
| Significant Data Fiduciary (SDF) | A fiduciary notified by the government based on volume/sensitivity, risk and other factors — with extra duties |
| Consent Manager | A registered entity through which a data principal can give, manage and withdraw consent |
Applicability
- Applies to processing of digital personal data within India (collected digitally, or collected physically and later digitised).
- Applies extraterritorially to processing outside India if it relates to offering goods or services to data principals in India.
- Does not apply to personal data made publicly available by the data principal or under a legal obligation, and is subject to certain other exclusions.
Obligations of a data fiduciary
- Process personal data only for a lawful purpose, with consent or for a "legitimate use" permitted by the Act.
- Give an itemised notice describing the data, purpose and how to exercise rights and complain.
- Obtain free, specific, informed, unconditional and unambiguous consent with a clear affirmative action — as easy to withdraw as to give.
- Ensure completeness, accuracy and consistency of data used for decisions or shared.
- Implement reasonable security safeguards to prevent personal data breaches.
- Notify the Data Protection Board and affected data principals of a breach.
- Erase personal data when consent is withdrawn or the purpose is no longer served (unless retention is legally required).
- Have a means for data principals to exercise rights and a grievance-redressal mechanism.
- Bind data processors through valid contracts.
Data principal rights
| Right | What it allows |
|---|---|
| Access | A summary of personal data processed and the processing activities |
| Correction & erasure | Correct, complete, update or erase personal data |
| Grievance redressal | A readily available means to raise grievances with the fiduciary/Consent Manager |
| Nomination | Nominate another individual to exercise rights in case of death or incapacity |
Data principals also have duties (e.g., not to file false or frivolous complaints); non-compliance can attract a penalty up to ₹10,000.
Consent and notice
- Consent must be free, specific, informed, unconditional, unambiguous and via clear affirmative action.
- A notice must accompany or precede the consent request, in clear plain language, with the option of English or a Scheduled language.
- Withdrawal of consent must be as easy as giving it; on withdrawal, processing must stop and the data must be erased within a reasonable time.
- Consent can be given, managed, reviewed and withdrawn through a registered Consent Manager.
Significant Data Fiduciary (SDF) additional duties
- Appoint a Data Protection Officer (DPO) based in India, answerable to the board/governing body.
- Appoint an independent data auditor.
- Undertake periodic Data Protection Impact Assessments (DPIAs) and periodic audits.
- Undertake other measures the government may prescribe (e.g., on algorithmic/processing risks).
Children’s data
- Obtain verifiable parental consent before processing a child’s (under-18) personal data.
- Do not undertake processing likely to cause detriment to a child.
- Do not track, behaviourally monitor or target advertising at children (subject to notified exemptions).
Security safeguards and breach notification
- Implement reasonable security safeguards (encryption, access control, monitoring, backups) to prevent breaches — this carries the highest penalty cap.
- On a personal data breach, notify the Data Protection Board and each affected data principal in the manner prescribed.
- A data processor’s breach is still the fiduciary’s responsibility to manage and notify.
Penalties schedule
The Schedule to the Act sets maximum penalties, applied by the Data Protection Board based on the nature, gravity, duration and impact of the breach:
| Contravention | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | Up to ₹250 crore |
| Failure to notify the Board and affected data principals of a breach | Up to ₹200 crore |
| Breach of obligations relating to children’s data | Up to ₹200 crore |
| Failure of a Significant Data Fiduciary to meet its additional obligations | Up to ₹150 crore |
| Breach of any other provision of the Act or its Rules | Up to ₹50 crore |
| Breach of a data principal’s duties | Up to ₹10,000 |
Implementation roadmap
- Build a personal-data inventory and map data flows across systems, vendors and geographies — everything depends on this.
- Establish lawful bases: map each processing activity to consent or a legitimate use.
- Design consent, notice and withdrawal mechanisms (and a Consent Manager integration if used).
- Stand up data-principal-rights and grievance-redressal workflows (access, correction, erasure, nomination).
- Implement reasonable security safeguards and a breach detection + notification process.
- Bind processors with compliant contracts; assess vendor risk.
- If a Significant Data Fiduciary: appoint a DPO and independent auditor, and run DPIAs and audits.
- Operate, evidence and continually improve.
Readiness checklist
- A complete personal-data inventory and data-flow map exists.
- Each processing activity has a lawful basis (consent or legitimate use).
- Notices are clear, itemised and multilingual as required.
- Consent capture, records and an easy withdrawal path are implemented.
- Data-principal-rights and grievance workflows are live and time-bound.
- Reasonable security safeguards are implemented and tested.
- A breach detection and Board/data-principal notification process exists.
- Processor contracts include DPDP obligations.
- SDF duties (DPO, DPIA, audit) are addressed if applicable.
- A retention and erasure schedule is enforced.
Common gaps
- Starting with a policy template instead of a data map — everything else stalls without the inventory.
- Bundled or pre-ticked consent, or a withdrawal path harder than the consent path.
- No working erasure/rights workflow (fiduciaries often cannot locate all copies of the data).
- No breach notification process, or unclear processor responsibilities.
- Ignoring children’s-data tracking/advertising restrictions.
DPDP vs GDPR
| Aspect | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Roles | Data Fiduciary / Data Processor / Data Principal | Controller / Processor / Data Subject |
| Lawful bases | Consent or specified "legitimate uses" | Six lawful bases (consent, contract, legitimate interests, etc.) |
| Penalties | Up to ₹250 crore (per the Schedule) | Up to €20m or 4% of global turnover |
| DPIA / DPO | Required for Significant Data Fiduciaries | Required in defined high-risk cases |