MeitY, Government of India · India

DPDP Act, 2023 (India)

India’s data-protection law governing the personal data of data principals.

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s dedicated law for the protection of digital personal data. It governs how organisations (data fiduciaries) handle the personal data of individuals (data principals) in India, and is enforced by the Data Protection Board of India. This is a practical compliance guide, not legal advice.

Key definitions

Term | Meaning
Data Principal | The individual to whom the personal data relates (for a child, the parent/lawful guardian)
Data Fiduciary | The entity that determines the purpose and means of processing personal data (like a GDPR controller)
Data Processor | An entity that processes personal data on behalf of a data fiduciary
Significant Data Fiduciary (SDF) | A fiduciary notified by the government based on volume/sensitivity, risk and other factors — with extra duties
Consent Manager | A registered entity through which a data principal can give, manage and withdraw consent

Applicability

  • Applies to processing of digital personal data within India (collected digitally, or collected physically and later digitised).
  • Applies extraterritorially to processing outside India if it relates to offering goods or services to data principals in India.
  • Does not apply to personal data made publicly available by the data principal or under a legal obligation, and to certain other exclusions.

Obligations of a data fiduciary

  • Process personal data only for a lawful purpose, with consent or for a "legitimate use" permitted by the Act.
  • Give an itemised notice describing the data, purpose and how to exercise rights and complain.
  • Obtain free, specific, informed, unconditional and unambiguous consent with a clear affirmative action — as easy to withdraw as to give.
  • Ensure completeness, accuracy and consistency of data used for decisions or shared.
  • Implement reasonable security safeguards to prevent personal data breaches.
  • Notify the Data Protection Board and affected data principals of a breach.
  • Erase personal data when consent is withdrawn or the purpose is no longer served (unless retention is legally required).
  • Have a means for data principals to exercise rights and a grievance-redressal mechanism.
  • Bind data processors through valid contracts.

Data principal rights

Right | What it allows
Access | A summary of personal data processed and the processing activities
Correction & erasure | Correct, complete, update or erase personal data
Grievance redressal | A readily available means to raise grievances with the fiduciary/Consent Manager
Nomination | Nominate another individual to exercise rights in case of death or incapacity

Data principals also have duties (e.g., not to file false or frivolous complaints); non-compliance can attract a penalty up to ₹10,000.

Consent

  • Consent must be free, specific, informed, unconditional, unambiguous and via clear affirmative action.
  • A notice must accompany or precede the consent request, in clear plain language, with the option of English or a Scheduled language.
  • Withdrawal of consent must be as easy as giving it; on withdrawal, processing must stop and the data must be erased within a reasonable time.
  • Consent can be given, managed, reviewed and withdrawn through a registered Consent Manager.

Significant Data Fiduciary (SDF) additional duties

  • Appoint a Data Protection Officer (DPO) based in India, answerable to the board/governing body.
  • Appoint an independent data auditor.
  • Undertake periodic Data Protection Impact Assessments (DPIAs) and periodic audits.
  • Undertake other measures the government may prescribe (e.g., on algorithmic/processing risks).

Children’s data

  • Obtain verifiable parental consent before processing a child’s (under-18) personal data.
  • Do not undertake processing likely to cause detriment to a child.
  • Do not track, behaviourally monitor or target advertising at children (subject to notified exemptions).

Security safeguards and breach notification

  • Implement reasonable security safeguards (encryption, access control, monitoring, backups) to prevent breaches — this carries the highest penalty cap.
  • On a personal data breach, notify the Data Protection Board and each affected data principal in the manner prescribed.
  • A data processor’s breach is still the fiduciary’s responsibility to manage and notify.

Penalties schedule

The Schedule to the Act sets maximum penalties, applied by the Data Protection Board based on the nature, gravity, duration and impact of the breach:

Contravention | Maximum penalty
Failure to take reasonable security safeguards to prevent a personal data breach | Up to ₹250 crore
Failure to notify the Board and affected data principals of a breach | Up to ₹200 crore
Breach of obligations relating to children’s data | Up to ₹200 crore
Failure of a Significant Data Fiduciary to meet its additional obligations | Up to ₹150 crore
Breach of any other provision of the Act or its Rules | Up to ₹50 crore
Breach of a data principal’s duties | Up to ₹10,000

Implementation roadmap

  1. Build a personal-data inventory and map data flows across systems, vendors and geographies — everything depends on this.
  2. Establish lawful bases: map each processing activity to consent or a legitimate use.
  3. Design consent, notice and withdrawal mechanisms (and a Consent Manager integration if used).
  4. Stand up data-principal-rights and grievance-redressal workflows (access, correction, erasure, nomination).
  5. Implement reasonable security safeguards and a breach detection + notification process.
  6. Bind processors with compliant contracts; assess vendor risk.
  7. If a Significant Data Fiduciary: appoint a DPO and independent auditor, and run DPIAs and audits.
  8. Operate, evidence and continually improve.

Readiness checklist

  • A complete personal-data inventory and data-flow map exists.
  • Each processing activity has a lawful basis (consent or legitimate use).
  • Notices are clear, itemised and multilingual as required.
  • Consent capture, records and an easy withdrawal path are implemented.
  • Data-principal-rights and grievance workflows are live and time-bound.
  • Reasonable security safeguards are implemented and tested.
  • A breach detection and Board/data-principal notification process exists.
  • Processor contracts include DPDP obligations.
  • SDF duties (DPO, DPIA, audit) are addressed if applicable.
  • A retention and erasure schedule is enforced.

Common gaps

  • Starting with a policy template instead of a data map — everything else stalls without the inventory.
  • Bundled or pre-ticked consent, or a withdrawal path harder than the consent path.
  • No working erasure/rights workflow (fiduciaries often cannot locate all copies of the data).
  • No breach notification process, or unclear processor responsibilities.
  • Ignoring children’s-data tracking/advertising restrictions.

DPDP vs GDPR

Aspect | DPDP Act (India) | GDPR (EU)
Roles | Data Fiduciary / Data Processor / Data Principal | Controller / Processor / Data Subject
Lawful bases | Consent or specified "legitimate uses" | Six lawful bases (consent, contract, legitimate interests, etc.)
Penalties | Up to ₹250 crore (per the Schedule) | Up to €20m or 4% of global turnover
DPIA / DPO | Required for Significant Data Fiduciaries | Required in defined high-risk cases

How CyberSigma helps

We run DPDP readiness end to end — data mapping, consent and notice design, rights and grievance workflows, security safeguards, breach processes and SDF duties (DPO/DPIA/audit) — so you close exposure before the Rules commence.

Frequently asked questions

What are the penalties under the DPDP Act?
The Schedule sets penalties up to ₹250 crore for failure to take reasonable security safeguards, ₹200 crore for breach-notification failures, and others — set by the Data Protection Board based on nature and gravity. Our DPDP penalty calculator estimates exposure.
Who is a data fiduciary vs a data processor?
A data fiduciary determines the purpose and means of processing (like a GDPR controller); a data processor processes on the fiduciary’s behalf.
Is the DPDP Act in force?
The Act is enacted; its detailed Rules and enforcement commence in stages. Organisations should prepare now, as the grace period ends when the Rules commence.

Need help with the DPDP Act?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about the Act to being compliant — with a scoped, guided programme.