Question 1

What is the DPDPA?

Accepted Answer

The DPDPA is the Digital Personal Data Protection Act, 2023 — India’s first comprehensive data protection law. It governs how organisations collect, store, use and share the digital personal data of individuals in India, and gives individuals (Data Principals) enforceable rights over their data.

Question 2

When does the DPDPA come into effect?

Accepted Answer

The Act was passed in August 2023 and is being brought into force in phases. The Digital Personal Data Protection Rules 2025 operationalise it, with the government providing transition periods for different obligations. Businesses should begin compliance now rather than wait for the final enforcement date.

Question 3

Who needs to comply with the DPDPA?

Accepted Answer

Any organisation that processes the digital personal data of individuals in India — whether based in India or abroad — must comply. This includes SMEs, enterprises, startups, e-commerce stores, SaaS companies and any business that handles customer, employee or user data.

Question 4

What are the penalties for DPDPA non-compliance?

Accepted Answer

The Schedule to the Act allows the Data Protection Board to impose financial penalties of up to ₹250 crore for failure to take reasonable security safeguards to prevent a breach, and up to ₹200 crore for other failures. Penalties are assessed per instance based on the nature and gravity of the violation.

Question 5

What is a Data Fiduciary?

Accepted Answer

A Data Fiduciary is any person or organisation that, alone or with others, determines the purpose and means of processing personal data. It is broadly equivalent to a "data controller" under the GDPR. Most businesses that decide why and how they use personal data are Data Fiduciaries.

Question 6

What is a Data Principal?

Accepted Answer

A Data Principal is the individual to whom the personal data relates. For children, the Data Principal includes their parents or lawful guardians; for persons with disabilities, it includes their lawful guardian.

Question 7

What counts as valid consent under the DPDPA?

Accepted Answer

Under Section 6, consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action, and limited to the personal data necessary for the specified purpose. Pre-ticked boxes and bundled "accept all" consent are not valid.

Question 8

Can a Data Principal withdraw consent?

Accepted Answer

Yes. The DPDPA requires that withdrawing consent must be as easy as giving it. Once consent is withdrawn, the Data Fiduciary must stop processing the relevant personal data within a reasonable time, unless another legal basis applies.

Question 9

What is a Consent Manager?

Accepted Answer

A Consent Manager is an accountable intermediary, registered with the Data Protection Board, through which a Data Principal can give, manage, review and withdraw consent. The DPDPA envisions an interoperable consent ecosystem built around Consent Managers.

Question 10

Do I need a consent notice in Indian languages?

Accepted Answer

Yes. The Data Principal must be able to access the consent notice in English or any language listed in the Eighth Schedule to the Constitution of India. A DPDPA-compliant notice should be available in the languages of your users.

Question 11

What rights do Data Principals have under the DPDPA?

Accepted Answer

Data Principals have the right to access information about their personal data, the right to correction, completion, updating and erasure, the right to grievance redressal, and the right to nominate another person to exercise their rights in the event of death or incapacity.

Question 12

How quickly must I respond to a Data Principal request?

Accepted Answer

The DPDPA and DPDP Rules 2025 require Data Fiduciaries to respond to rights requests within a prescribed, reasonable timeframe and to publish the contact details of a person who can answer questions about the processing. Build a workflow with clear internal SLAs.

Question 13

What is a grievance redressal mechanism?

Accepted Answer

It is the process a Data Fiduciary must provide for Data Principals to raise complaints about how their personal data is handled. You must publish a point of contact (such as a grievance officer) and respond within the prescribed period before the Data Principal escalates to the Data Protection Board.

Question 14

What is a Significant Data Fiduciary (SDF)?

Accepted Answer

A Significant Data Fiduciary is a Data Fiduciary (or class of them) notified by the government based on factors such as the volume and sensitivity of personal data processed and risk to Data Principals. SDFs face extra duties: appointing a Data Protection Officer in India, conducting Data Protection Impact Assessments, and commissioning independent audits.

Question 15

What are the rules for processing children’s data?

Accepted Answer

Processing the personal data of anyone under 18 requires verifiable consent from a parent or lawful guardian. The Act also restricts tracking, behavioural monitoring and targeted advertising directed at children.

Question 16

Am I responsible for my vendors and data processors?

Accepted Answer

Yes. Under Section 8(2), a Data Fiduciary remains responsible for compliance even when processing is carried out by a Data Processor on its behalf. You should flow DPDPA obligations down to vendors through a written Data Processing Agreement.

Question 17

Does the DPDPA restrict transferring data outside India?

Accepted Answer

The DPDPA permits cross-border transfer of personal data to countries except those specifically restricted by the Central Government through notification — a "blacklist" approach. Sectoral rules (for example in banking) may impose stricter data-localisation requirements.

Question 18

How does Data Adhikaar help with DPDPA compliance?

Accepted Answer

Data Adhikaar runs your DPDPA programme through ten specialist AI agents that handle consent, data principal rights, breach response, DPIAs, vendor management and audit evidence. You integrate once via SDK, API or MCP, and the agents operate the routine work — escalating to humans where the law requires judgement.

Question 19

Is Data Adhikaar suitable for small businesses?

Accepted Answer

Yes. Data Adhikaar is built for organisations of every size, from startups and SMEs on the Starter plan to large enterprises, BFSI and Significant Data Fiduciaries on Enterprise, with pricing that matches your data principal volume.

Question 20

Is the DPDPA readiness assessment really free?

Accepted Answer

Yes. The Data Adhikaar readiness assessment is free and takes about three minutes. It scores your current DPDPA posture and gives you a prioritised list of recommendations. A free developer sandbox is also always available.

Question 21

Where is my data stored?

Accepted Answer

Data Adhikaar runs on AWS Mumbai (ap-south-1) with disaster recovery in Hyderabad, so personal data does not leave India by default. It is built by an ISO 27001-certified company with SOC 2 Type II controls.

DPDPA questions, answered.

DPDPA basics

Data Principal rights

Obligations & special cases

About Data Adhikaar

Still have a DPDPA question?