The DPDPA is India’s Digital Personal Data Protection Act, 2023 — the country’s first comprehensive data protection law. It governs how organisations process the digital personal data of individuals in India, gives individuals enforceable rights over their data, and allows penalties of up to ₹250 crore for non-compliance.
The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s landmark data protection law. After more than half a decade of drafts and consultations, it establishes a single national framework for how personal data is collected, stored, used and shared — replacing the limited protections that previously existed under the Information Technology Act and its 2011 rules.
The Act is built around a simple idea: individuals (called Data Principals) have rights over their personal data, and organisations that process that data (called Data Fiduciaries) have corresponding duties. The Digital Personal Data Protection Rules, 2025 add the operational detail — exactly what notices must say, how breaches are reported, and what extra obligations significant organisations carry.
Who does the DPDPA apply to?
The DPDPA applies to the processing of digital personal data within India where the data is collected in digital form, or collected on paper and later digitised. Crucially, it also applies extra-territorially: an organisation outside India must comply if it processes the personal data of individuals in India in connection with offering them goods or services.
In practice, this means almost every modern business is covered: e-commerce stores, SaaS companies, banks, hospitals, schools, startups and enterprises alike. If you decide why and how customer, employee or user data is processed in digital form, you are a Data Fiduciary with obligations under the Act.
A narrow set of exemptions
Certain processing is exempt or lightly regulated — for example, purely personal or domestic use, and specified state functions in the interest of sovereignty, security or public order. Most commercial processing is fully in scope.
What are the key DPDPA definitions?
Understanding the DPDPA starts with its vocabulary. These terms appear throughout the Act and the Rules.
- Personal data: any data about an individual who is identifiable by or in relation to that data.
- Data Principal: the individual to whom the personal data relates, including a parent or lawful guardian acting for a child and a lawful guardian acting for a person with a disability.
- Data Fiduciary: any person who, alone or with others, determines the purpose and means of processing personal data (similar to a GDPR “controller”).
- Data Processor: a person who processes personal data on behalf of a Data Fiduciary.
- Significant Data Fiduciary (SDF): a Data Fiduciary that the government has notified as “significant”, based on the volume and sensitivity of the data it processes and the risk involved; SDFs carry extra duties.
- Consent Manager: a registered, accountable intermediary through which a Data Principal can give, manage and withdraw consent.
What are the core principles of the DPDPA?
The Act codifies a set of data-protection principles that should guide every processing activity:
- Lawful purpose — personal data may be processed only for a lawful purpose, on the basis of consent or certain legitimate uses.
- Notice and consent — a clear notice must precede consent, and consent must be free, specific, informed, unconditional and unambiguous.
- Purpose limitation — data is used only for the purpose for which it was collected.
- Data minimisation — only the personal data necessary for that purpose is collected.
- Accuracy — reasonable efforts are made to keep data correct and up to date.
- Storage limitation — data is erased once the purpose is served and retention is no longer required.
- Reasonable security safeguards — appropriate technical and organisational measures protect the data.
- Accountability — the Data Fiduciary is responsible for compliance, including where processing is outsourced.
How does consent work under the DPDPA?
Consent is the primary basis for processing personal data under the Act. Section 5 requires that, on or before requesting consent, the Data Fiduciary gives the Data Principal an itemised notice describing the personal data to be collected, the purpose of processing, how the individual can exercise their rights, and how to complain to the Data Protection Board. The notice must be available in English or any language listed in the Eighth Schedule to the Constitution.
Section 6 sets the standard for consent itself: it must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the data necessary for the stated purpose. Equally important, a Data Principal can withdraw consent at any time — and withdrawing it must be as easy as giving it.
Beyond consent, the Act permits processing for a defined set of “legitimate uses” (Section 7) — for example, where the individual has voluntarily provided data for a specified purpose, or for certain employment, medical-emergency and disaster-response situations.
What rights do individuals have?
The DPDPA grants Data Principals a clear set of rights that organisations must be able to honour:
- Right to access — obtain a summary of the personal data being processed and the processing activities.
- Right to correction and erasure — correct, complete, update or erase personal data.
- Right to grievance redressal — a readily available mechanism to raise complaints.
- Right to nominate — appoint another individual to exercise rights in the event of death or incapacity.
What duties do Data Fiduciaries have?
Section 8 places the operational burden on the Data Fiduciary. You must process data only for the consented purpose, ensure its accuracy, implement reasonable security safeguards, erase data once the purpose is served, publish the contact details of a person able to answer Data Principals’ questions about the processing, and notify the Data Protection Board and affected individuals in the event of a personal data breach. You remain accountable even when a Data Processor handles the data on your behalf.
Breach notification is mandatory
A personal data breach must be reported both to the Data Protection Board and to the affected Data Principals. The DPDP Rules 2025 prescribe the form and timeline of the notification, so both the speed and the completeness of the report matter.
Are there special rules for children’s data?
Yes. Section 9 treats anyone under 18 as a child. Processing a child’s personal data requires verifiable consent from a parent or lawful guardian, and the Act prohibits processing that is likely to cause harm to a child, as well as tracking, behavioural monitoring and targeted advertising directed at children.
What are the penalties for non-compliance?
The Schedule to the Act empowers the Data Protection Board to impose significant financial penalties. The headline figure is up to ₹250 crore for failing to take reasonable security safeguards to prevent a personal data breach. Other failures — such as breach-notification lapses or breaches of children’s-data obligations — carry penalties up to ₹200 crore, assessed per instance based on the nature, gravity and duration of the violation.
The cost of non-compliance is no longer theoretical: penalties scale to ₹250 crore, and they are assessed per instance.
Who enforces the DPDPA?
The Act establishes the Data Protection Board of India — a digital-first adjudicatory body that investigates complaints and breaches, directs remedial measures, and imposes penalties. Appeals from the Board lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The Board is designed to operate as a digital office, so engaging with it — and proving your compliance — will itself be a largely digital exercise.
How should businesses prepare?
DPDPA readiness is an operating capability, not a one-off policy document. The practical starting points are: build a data inventory, deploy compliant consent notices and a consent-management capability, stand up a Data Principal rights workflow, tighten security safeguards, prepare a breach-response plan, and govern your vendors through data-processing agreements. From there, maintain continuous evidence so you can demonstrate compliance whenever the Board asks.
Start with a benchmark
Run a free DPDPA readiness assessment to see exactly where your gaps are and get a prioritised action plan before you invest in tooling.