DPDPA 2023 — Plain English Summary for Indian Businesses
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's comprehensive data protection legislation. It received Presidential assent on 11 August 2023 and was published in the Gazette of India as Act No. 22 of 2023. The subordinate legislation that supplies the operational detail, the Digital Personal Data Protection Rules, 2025 (the DPDPA Rules), was published in draft for public consultation on 3 January 2025 and notified in final form on 13 November 2025. The Rules come into force in phases: the provisions on the Data Protection Board and its functioning took effect on notification, the Consent Manager registration provisions follow 12 months later, and the remaining obligations on Data Fiduciaries (notice, security safeguards, breach notification, erasure, rights handling) apply 18 months after notification.
DPDPA applies to the processing of digital personal data within India (data collected in digital form, or collected offline and later digitised), and also to processing outside India if it relates to offering goods or services to Data Principals in India (Section 3). It does not apply to data processed by an individual for personal or domestic purposes, or to personal data that the Data Principal has themselves made publicly available. The Act itself sets no size or revenue threshold: a 3-person startup and a multinational conglomerate are both covered if they process personal data of individuals in India. The only softening is Section 17(3), under which the Central Government may, by notification, exempt specified Data Fiduciaries or classes of them (including startups) from some provisions such as notice, accuracy and erasure; until such a notification names your class of business, assume full coverage.
Key Definitions
Data Fiduciary (Section 2(i))
Any person (including a company, partnership, sole proprietor, government body, or any other entity) who alone or in conjunction with others determines the purpose and means of processing personal data. This is the primary obligation-bearing entity under the Act. Every Indian business that collects customer, employee, or vendor personal data is a Data Fiduciary.
Data Principal (Section 2(j))
The individual to whom the personal data relates. In the case of a child (under 18 years), the Data Principal is the parent or lawful guardian. In the case of a person with a disability who has a lawful guardian, the lawful guardian acts on their behalf.
Data Processor (Section 2(k))
Any person who processes personal data on behalf of a Data Fiduciary. This includes cloud hosting providers, CRM vendors, payment processors, analytics platforms, HR SaaS tools, and any third-party service handling personal data on your instructions. The Data Fiduciary remains liable for the Data Processor's actions and must have a valid contract (Section 8(2)).
Personal Data (Section 2(t))
Any data about an individual who is identifiable by or in relation to such data. This includes names, email addresses, phone numbers, IP addresses, device identifiers, biometric data, financial data, health data, and any other information that can identify a specific person directly or indirectly.
Consent Manager (Section 2(g) and Rule 4)
A person registered with the Data Protection Board who acts as a single point of contact for Data Principals to give, manage, review, and withdraw consent through an accessible, transparent and interoperable platform. Under Rule 4 and the First Schedule to the Rules, a Consent Manager must be a company incorporated in India with a net worth of at least Rs. 2 crore, and must be registered with the Board before operating. As of May 2026, the Board has not yet registered any Consent Managers, so no business can yet rely on one to discharge its own consent obligations.
Significant Data Fiduciary (Section 10)
A Data Fiduciary notified by the Central Government based on volume and sensitivity of personal data processed, risk of harm, potential impact on sovereignty, and other prescribed factors. Significant Data Fiduciaries have additional obligations including appointing a Data Protection Officer based in India, appointing an independent data auditor, conducting Data Protection Impact Assessments, and periodic compliance audits.
Core Obligations of Data Fiduciaries
1. Notice Before Consent (Section 5, Rule 3)
Before or at the time of requesting consent, a Data Fiduciary must give the Data Principal a notice stating: an itemised description of the personal data being collected, the specific purpose for which it will be processed, how the Data Principal can exercise their rights (including withdrawing consent), and how to complain to the Data Protection Board. Rule 3 requires the notice to be understandable independently of any other information, in clear and plain language, and to separately identify each item of personal data and the purpose for which it will be processed; Section 6(3) requires the request for consent to be available, at the Data Principal's option, in English or any of the 22 languages in the Eighth Schedule to the Constitution. A bare link to a general privacy policy does not satisfy this standard, precisely because the notice must stand on its own.
2. Consent Requirements (Section 6)
Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose (Section 6(1)). Bundled consent (one checkbox covering several unrelated purposes) therefore fails, as does consent made a condition of a service that does not need the data. Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent (Section 6(4)); the Data Fiduciary must then, within a reasonable time, cease processing and cause its Data Processors to cease processing, unless that processing is otherwise required or authorised by law (Section 6(6)). Consent is not the only lawful basis: Section 7 lists "certain legitimate uses" for which consent is not required, including personal data the Data Principal has voluntarily provided for a specified purpose without objecting to its use, and processing for employment-related purposes. Record which basis covers each processing activity rather than defaulting to consent for everything.
3. Data Accuracy (Section 8(3))
Data Fiduciaries must make reasonable efforts to ensure that personal data is complete, accurate, consistent and not misleading where it is likely to be used to make a decision that affects the Data Principal, or to be disclosed to another Data Fiduciary (Section 8(3)). In practice this means validation at the point of collection, a working correction channel (Section 12), and propagation of corrections to any recipients of the data.
4. Security Safeguards (Section 8(5), Rule 6)
Data Fiduciaries must protect personal data in their possession or under their control, including data processed on their behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. Rule 6 sets the minimum content of those safeguards: security measures such as encryption, obfuscation, masking or tokenisation; controls on access to the systems that hold the data; logging, monitoring and review so that unauthorised access can be detected, investigated and remediated; backups or equivalent measures so that processing can continue after a loss of confidentiality, integrity or availability; retention of logs and related data for at least one year (longer where another law requires it); and contractual flow-down of these obligations to Data Processors. The safeguards must be proportionate to the nature and volume of data processed, but the Board judges what was "reasonable" after a breach has happened, so keep a written record of the risk assessment that justified your choices.
5. Breach Notification (Section 8(6), Rule 7)
On becoming aware of a personal data breach, the Data Fiduciary must intimate both the Data Protection Board and each affected Data Principal. Rule 7 splits this into two steps. First, without delay, each affected Data Principal must be told, in plain language, the nature, extent, timing and location of the breach, its likely consequences for them, the measures taken or proposed to mitigate it, the safety measures they can take themselves, and a business contact for queries; the Board must likewise be told without delay of the breach and given a description of it. Second, within 72 hours of becoming aware (or such longer period as the Board allows on request), the Data Fiduciary must file with the Board updated and detailed information: the facts and circumstances, the reasons the breach occurred, the mitigation and remedial measures, any findings about the person who caused it, and a report of the intimations given to Data Principals. There is no materiality or harm threshold: every personal data breach is notifiable. This runs in parallel with, and does not replace, the CERT-In directions of April 2022 issued under Section 70B of the IT Act, which require specified cyber incidents to be reported to CERT-In within 6 hours of noticing them.
6. Data Deletion (Section 8(7), Rule 8)
Personal data must be erased, and Data Processors must be caused to erase it, when the Data Principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with a law in force (Section 8(7)). Rule 8, read with the Third Schedule, adds a time-based rule for specified classes of large platforms (e-commerce entities, online gaming intermediaries and social media intermediaries above user-count thresholds): if the Data Principal has neither approached the fiduciary for the specified purpose nor exercised their rights within the prescribed period, the purpose is deemed no longer served and the data must be erased, after giving the Data Principal at least 48 hours' notice so they can act (for example, by logging in) before deletion. Where retention is required by law, such as for tax or KYC records, keep only the fields and for only the period that law actually requires.
7. Processor Contracts (Section 8(2))
Processing by a Data Processor must be under a valid contract. The Data Fiduciary remains responsible for ensuring that Data Processors comply with the Act. This means every vendor agreement involving personal data must include DPDPA-compliant clauses covering security, breach notification, deletion, and audit rights.
8. Grievance Redressal (Section 13)
Every Data Fiduciary must establish an effective mechanism for Data Principals to raise grievances about any act or omission relating to their personal data (Section 8(10)), and must respond within the period prescribed under the Rules (Section 13). The Data Principal must exhaust this mechanism before approaching the Data Protection Board (Section 13(3)), so the quality and timeliness of the first-line response determine whether a complaint escalates. Section 8(9) separately requires the Data Fiduciary to publish the business contact details of its Data Protection Officer or, where none is required, of a person able to answer Data Principals' questions about the processing.
Data Principal Rights
1. Right to Access (Section 11)
Data Principals have the right to obtain a summary of their personal data being processed by the Data Fiduciary, the processing activities, the identities of all Data Processors and other Data Fiduciaries with whom data has been shared, and any other information prescribed by rules.
2. Right to Correction and Erasure (Section 12)
Data Principals can request correction of inaccurate or misleading personal data, completion of incomplete data, updating of outdated data, and erasure of their personal data; the Data Fiduciary must carry out the request unless retention is necessary for the specified purpose or for compliance with a law in force (Section 12).
3. Right to Grievance Redressal (Section 13)
Data Principals have the right to have readily available means of grievance redressal regarding any act or omission of the Data Fiduciary or Data Processor in relation to their personal data.
4. Right to Nominate (Section 14)
Data Principals can nominate any other individual to exercise their rights under the Act in the event of their death or incapacity. GDPR has no equivalent (it does not apply to the personal data of deceased persons), although a few national laws, such as France's, let individuals leave instructions about their data after death. Practically, the nomination record, and verification of the nominee's identity when they act, need to be built into your rights-handling process.
5. Right to Withdraw Consent (Section 6(4))
Data Principals may withdraw consent at any time for any or all purposes. The ease of withdrawal must be comparable to the ease of giving consent. Withdrawal does not affect the lawfulness of processing done before withdrawal.
Penalty Schedule (DPDPA Schedule)
DPDPA uses a fixed penalty schedule (unlike GDPR's percentage-of-turnover model). The Data Protection Board determines the quantum within these caps:
- Up to Rs. 250 crore — Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5))
- Up to Rs. 200 crore — Failure to notify the Board and affected Data Principals of a personal data breach (Section 8(6))
- Up to Rs. 200 crore — Non-compliance with additional obligations relating to children's data (Section 9)
- Up to Rs. 150 crore — Non-compliance with additional obligations of Significant Data Fiduciaries (Section 10)
- Up to Rs. 50 crore — Non-compliance with any other provision of the Act or the Rules
- Up to Rs. 10,000 — Penalty on Data Principals for breach of their duties under Section 15 (frivolous or false complaints, providing false information, suppressing material information, or impersonation)
Breach of a voluntary undertaking accepted by the Board (Section 32) is penalised up to the cap applicable to the underlying provision. There is no separate "repeat offender" cap above these amounts; instead, Section 33 requires the Board, in fixing the amount, to consider the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, whether the entity gained or avoided loss as a result, the mitigation steps taken and how promptly they were taken, and whether the penalty is proportionate and effective. Each separate contravention can attract its own penalty, so a single incident involving weak safeguards, late notification and a children's-data failure can be assessed under three heads.
Enforcement Body — Data Protection Board of India
The Data Protection Board of India (DPB) was constituted in November 2025. It is a quasi-judicial body with powers to receive complaints, conduct inquiries, issue directions, and impose penalties. The Board operates as a digital office and conducts proceedings digitally. Appeals against Board orders lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
The DPB is not a regulator in the traditional sense: it does not issue guidance, conduct proactive inspections, or approve codes of conduct, and rule-making and the power to call for information sit with the Central Government (Sections 36 and 40). The Board acts on intimations of breaches, on complaints from Data Principals, on references from the Central or State Government, and on court directions (Section 27); during an inquiry it can direct urgent remedial or mitigation measures, it can accept a voluntary undertaking in place of proceedings (Section 32), and it imposes penalties under Section 33.
Exemptions (Section 17)
Section 17 works at three levels. Section 17(1) carves out specified processing directly, without any notification: enforcement of a legal right or claim; processing by courts and tribunals; prevention, detection, investigation or prosecution of offences; processing of non-residents' data under a contract with a person outside India; and certain court-approved corporate restructurings and financial-default assessments. Section 17(2) lets the Central Government, by notification, exempt State instrumentalities on grounds such as sovereignty, security of the State and public order, and exempt research, archiving and statistical processing subject to prescribed standards. Section 17(3) lets the Central Government exempt notified Data Fiduciaries or classes of them, including startups, from the notice, accuracy, erasure, Significant Data Fiduciary and access provisions, and Section 17(5) allows a time-limited exemption of any provision for specified Data Fiduciaries. None of these apply automatically to an ordinary business; until a notification names your class, assume full coverage.
Timeline and Implementation Status
- 11 August 2023 — DPDPA enacted (Presidential assent; Act No. 22 of 2023)
- 3 January 2025 — Draft DPDPA Rules published for public consultation
- 13 November 2025 — DPDPA Rules 2025 notified; provisions on the Board take effect immediately
- November 2025 — Data Protection Board constituted
- 2026 — Board operational and accepting complaints; Consent Manager registration provisions take effect 12 months from notification (November 2026)
- May 2027 — Remaining Rules (notice, security safeguards, breach notification, erasure, rights handling) take effect 18 months from notification
Source References
- The Digital Personal Data Protection Act, 2023 — Gazette of India, Extraordinary, Part II Section 1
- The Digital Personal Data Protection Rules, 2025 — MeitY Data Protection Framework
- MeitY Official Portal — meity.gov.in
Key Takeaways for Indian Businesses
Every Indian business processing personal data of individuals in India, regardless of size or revenue, must comply with DPDPA unless and until a Section 17 notification exempts its class. The Act requires a lawful basis (consent with a stand-alone notice, or a Section 7 legitimate use), purpose limitation, data minimisation, reasonable security safeguards, breach notification with no harm threshold, erasure on withdrawal or purpose fulfilment, valid processor contracts, and grievance redressal. Penalties are substantial (up to Rs. 250 crore per contravention), the Data Protection Board is operational, and the substantive obligations in the Rules phase in through 2027.
Businesses should conduct a data inventory, map all personal data flows and processors, record the lawful basis for each processing activity, update consent and notice mechanisms, review vendor contracts, implement breach response procedures that meet both the DPDPA and CERT-In timelines, and establish a rights-request handling process covering access, correction, erasure, nomination and grievances. Automation is essential for businesses handling more than a few hundred Data Principals, since manual tracking of per-purpose consent, withdrawal and erasure deadlines becomes unsustainable at scale.