DPDP Act 2023: The Complete Guide to India's Data Protection Law

What is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's landmark data protection legislation. Enacted on 11 August 2023 after years of deliberation, it establishes a comprehensive framework for protecting the digital personal data of individuals in India.

The Act recognizes both the right of individuals to protect their personal data and the need for organizations to process personal data for lawful purposes. It replaces the earlier Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and sets a new standard for data governance in India.

India joins a growing number of nations with dedicated data protection laws. According to UNCTAD, over 137 countries have enacted data protection legislation as of 2024.

Who does the DPDP Act apply to?

The DPDP Act applies broadly to two categories of entities:

Within India: Any person or organization (data fiduciary) that processes digital personal data collected within the territory of India, regardless of the nationality of the data principal. Outside India: Any entity that processes digital personal data outside India if such processing is in connection with offering goods or services to data principals located in India.

This means the Act has extraterritorial application. A company based in the United States or Europe that collects personal data from Indian users through its website or app must comply with the DPDP Act.

Notable exemptions include personal data processed for personal or domestic purposes, data that has been made publicly available by the data principal, and processing necessary for certain state functions, research, and archival purposes.

What are the key definitions under the DPDP Act?

Understanding the DPDP Act starts with its core terminology:

Digital Personal Data: Any personal data that exists in digital form, whether collected in digital form originally or digitized later.

Data Principal: The individual to whom the personal data relates. For minors, the parent or lawful guardian acts as the data principal.

Data Fiduciary: Any person or entity who, alone or in conjunction with others, determines the purpose and means of processing personal data.

Data Processor: Any entity that processes personal data on behalf of a data fiduciary.

Consent Manager: A registered entity that acts as an intermediary between data principals and data fiduciaries for managing consent.

Significant Data Fiduciary (SDF): A data fiduciary designated by the government based on volume, sensitivity, and risk factors — subject to additional obligations.

What are the rights of data principals?

The DPDP Act grants data principals several fundamental rights:

Right to Access Information: Data principals can request a summary of their personal data being processed and details of all data fiduciaries and data processors with whom their data has been shared. Right to Correction and Erasure: Data principals may request the correction of inaccurate or misleading data, the completion of incomplete data, the updating of outdated data, and the erasure of data no longer necessary for the stated purpose. Right to Grievance Redressal: Every data fiduciary must provide a mechanism for data principals to file grievances. If unsatisfied, data principals can escalate to the Data Protection Board of India. Right to Nominate: A data principal may nominate another individual to exercise their rights in the event of the data principal's death or incapacity. Right to Withdraw Consent: Consent can be withdrawn at any time, and the withdrawal must be as easy as giving consent.

What are the obligations of data fiduciaries?

Data fiduciaries bear the primary burden of compliance under the DPDP Act:

Lawful Processing: Personal data may only be processed for a lawful purpose with the consent of the data principal, or for certain legitimate uses specified in the Act. Notice and Transparency: Before collecting data, fiduciaries must provide a clear notice describing what data is being collected, the purpose of processing, and how the data principal may exercise their rights. Purpose Limitation: Data must only be processed for the purpose specified in the notice. Using data for new purposes requires fresh consent. Data Minimization: Only data that is necessary for the stated purpose should be collected and processed. Storage Limitation: Personal data must be erased once the specified purpose has been fulfilled and retention is no longer necessary. Security Safeguards: Fiduciaries must implement reasonable security measures to prevent personal data breaches and notify the Data Protection Board and affected data principals in the event of a breach. Children's Data: Processing data of children (under 18) requires verifiable parental consent, and tracking, behavioral monitoring, and targeted advertising directed at children are prohibited.

What are the penalties and fines under the DPDP Act?

The DPDP Act establishes a tiered penalty structure enforced by the Data Protection Board of India:

Failure to take security safeguards leading to a data breach: Up to Rs 250 crore (approximately USD 30 million)

Failure to notify the Board and affected individuals of a breach: Up to Rs 200 crore

Non-fulfillment of obligations regarding children's data: Up to Rs 200 crore

Failure to fulfill general obligations as a data fiduciary: Up to Rs 150 crore

Violation of duties by a data principal (providing false information): Up to Rs 10,000

The Data Protection Board considers factors such as the nature and gravity of the non-compliance, the duration and whether it is a repeat offense, the type and amount of data affected, and the actions taken by the fiduciary to mitigate the impact.

What is the Consent Manager framework?

Consent Managers are a distinctive feature of India's DPDP framework. They serve as intermediaries that help data principals manage their consent across multiple data fiduciaries through a single interface.

Registration Requirements: A Consent Manager must register with the Data Protection Board and maintain a minimum net worth of Rs 2 crore. They must be incorporated in India and demonstrate technical capability to manage consent across platforms. Key Functions:

Provide a unified dashboard for data principals to view all consents given

Enable consent withdrawal from a single platform

Maintain auditable records of consent transactions

Ensure interoperability across data fiduciaries

Obligations: Consent Managers must act in the interest of data principals, maintain transparency, and comply with technical standards prescribed by the Board. They are accountable for any failure in managing consent and can face penalties for non-compliance.

This framework is similar to the Account Aggregator model that India successfully implemented in the financial sector and is expected to be a key enabler of consent-based data sharing.

How does the DPDP Act compare with GDPR?

While both the DPDP Act and the EU's General Data Protection Regulation (GDPR) aim to protect personal data, there are significant differences:

Scope: The DPDP Act covers only digital personal data, while GDPR applies to all personal data regardless of format. DPDP does not distinguish between categories of sensitive data, whereas GDPR has special categories. Legal Bases: DPDP recognizes consent and certain legitimate uses as lawful bases. GDPR provides six legal bases including legitimate interests, which DPDP does not explicitly include. Consent: DPDP requires free, specific, informed, unconditional, and unambiguous consent with a clear affirmative action. GDPR similarly requires freely given, specific, informed, and unambiguous consent. Data Protection Authority: DPDP creates the Data Protection Board of India (DPBI), which is a government-appointed body. GDPR mandates independent supervisory authorities in each member state. Right to Data Portability: GDPR includes an explicit right to data portability. DPDP does not currently include this right. Penalties: DPDP penalties cap at Rs 250 crore per violation. GDPR penalties can reach 4% of annual global turnover or EUR 20 million, whichever is higher. Cross-Border Transfers: DPDP uses a government-maintained list of restricted countries. GDPR has multiple mechanisms including adequacy decisions, Standard Contractual Clauses, and Binding Corporate Rules.

For a detailed side-by-side analysis, see our dedicated comparison guide.

What is the DPDP compliance timeline?

The DPDP Rules 2025, published on 3 January 2025, establish a phased implementation timeline:

Phase 1 (Immediate — January 2025): Core definitions, basic obligations for data fiduciaries, and establishment of the Data Protection Board framework take effect. Phase 2 (By November 2026): Full compliance with consent requirements, privacy notices, data principal rights mechanisms, breach notification procedures, and Consent Manager registration must be completed. Phase 3 (By May 2027): Enhanced obligations for Significant Data Fiduciaries, including Data Protection Officer appointments, Data Protection Impact Assessments, periodic audits, and cross-border transfer compliance.

Organizations should start preparing well before these deadlines, as implementing comprehensive data protection programs takes significant time and resources.

How can your organization comply with the DPDP Act?

Achieving DPDP compliance requires a systematic approach:

Step 1 — Data Mapping: Identify all personal data you collect, process, and store. Document the purpose, legal basis, storage duration, and data flows. Step 2 — Consent Mechanism: Implement a lawful consent collection system with clear privacy notices. Consent must be as easy to withdraw as it is to give. Step 3 — Rights Infrastructure: Build workflows to handle data principal requests for access, correction, erasure, and grievance redressal within prescribed timelines. Step 4 — Security Safeguards: Implement technical and organizational measures proportionate to the risk, including encryption, access controls, and regular security assessments. Step 5 — Breach Response: Create an incident response plan with processes to notify the Data Protection Board and affected individuals within prescribed timelines. Step 6 — Vendor Management: Ensure data processors acting on your behalf comply with your instructions and maintain adequate safeguards. Review existing contracts. Step 7 — Governance: If designated as a Significant Data Fiduciary, appoint a Data Protection Officer, conduct Data Protection Impact Assessments, and arrange periodic audits. Step 8 — Training: Educate employees on data protection responsibilities, consent handling, and breach reporting procedures.

Anumiti KAVACH automates many of these steps — from consent management and data mapping to breach detection and automated compliance reporting. Start your free trial to see how we can simplify your DPDP journey.