
Digital Personal Data Protection Act (DPDP) 2023: Complete Guide

Rashmi Ogennavar
Content Writer
September 22, 2025 | 21 min read

The Ministry of Electronics and Information Technology (MeitY) has published the highly anticipated draft of the Digital Personal Data Protection Rules, 2025, which are now open for public consultation. These proposed Rules are a significant step towards the full implementation of India's new data protection law, the Digital Personal Data Protection Act (DPDP Act 2023).


The Digital Personal Data Protection Act represents India's first all-encompassing privacy law, which seeks to regulate how personal data is collected, stored, and processed in a digital economy. It aims to strengthen rights for individuals, clarify requirements for organizations, and create enforcement mechanisms through the Data Protection Board of India.


The Digital Personal Data Protection Act brings India in line with global legal and social privacy standards while recognizing India's unique and pervasive data challenges across all sectors, including banking, healthcare, and technology. This blog will break down what the DPDP Act is, the key provisions of the law, how compliance can be met, and the impact on both organizations and individuals.


Key Takeaways

  • Personal data should be collected and processed only when users give clearly informed consent.
  • Citizens (Data Principals) have the right to access, modify, and delete their data and withdraw consent at any time.
  • Organizations (Data Fiduciaries) should minimize the data they collect and process, secure that data, and respond to any data breaches.
  • Violations carry potentially substantial penalties of up to ₹250 crores per violation.
  • It brings India closer to privacy frameworks of international privacy laws, such as the GDPR, while the enforcement remains based in India.

What is the DPDP Act 2023?

The Digital Personal Data Protection (DPDP) Act, 2023, is India’s first complete regulation of the collection, processing, storage, and sharing of personal data in digital form. The Act aims to balance two priorities: protecting the privacy of individuals, and regulating the use of data in India's digital economy.


The scope of the Act is broad. It applies to any digital personal data processed in India, regardless of whether the processing happens within the country or outside, provided the data relates to offering goods or services to individuals in India or profiling them. The Act does exclude several categories, such as non-digital records, personal or domestic use, and some exemptions provided by the government. However, the law is meant to govern digital interactions of citizens or businesses with the State.


To understand the framework better, the Act defines key roles and responsibilities:

  1. Data Principal — the individual whose personal data is being collected or processed.
  2. Data Fiduciary — the organization that determines why and how personal data will be processed.
  3. Data Processor — an organization that processes personal data on behalf of a Data Fiduciary.
  4. Significant Data Fiduciary (SDF) — a category of large or high-impact fiduciaries that must take on additional obligations, including appointing a Data Protection Officer, completing impact assessments, and following stricter reporting rules.

The Act establishes obligations, including safeguards such as data minimization, purpose limitation, and storage limitation. Organizations are required to collect only data that is necessary, process that data only for lawful and consented purposes, safeguard the data from misuse, and delete data as soon as it is no longer necessary. Organizations are also required to inform individuals of how their data will be used, obtain explicit consent, and notify individuals of any breaches of security promptly.


The Act also creates rights for individuals, known as Data Principals: the ability to access and obtain a copy of the data collected, correct inaccuracies in it, have it deleted on request, withdraw consent, and seek redress of grievances. The purpose of these rights is to give individuals greater control over their personal information and to reduce the asymmetry between citizens and the organizations that hold their data.


Enforcement of the Act is charged to the Data Protection Board of India, which has the authority to investigate complaints, require corrective action, and impose penalties. Non-compliance can lead to substantial penalties of up to ₹250 crores, especially for serious violations that lead to data breaches or violations of a user's rights. For businesses, this shifts data protection from a best practice to a legislative mandate with real financial exposure.


Diagram showing individuals, Indian businesses, and foreign companies under the DPDP scope

Key Features of the DPDP Act

The Digital Personal Data Protection Act, 2023, establishes a consent-first and accountability-centered structure of data protection in India. Below are the Act's key features:

1. Consent-Based Processing

Central to the Act is the notion of valid and informed consent. Organizations must provide clear notice of what data they are collecting, how they will use that data, and for how long they will retain it. Consent must be:

  • Free, specific, informed, and unambiguous
  • Revocable at any time by the individual (data principal)
  • Obtained before processing, except in “legitimate use” situations (e.g., legal, emergency)

2. Rights of Data Principals

The Act provides individuals with rights similar to the rights afforded by other prominent international privacy frameworks (e.g., GDPR). Every citizen will have the right to:

  • Access their personal data held by organizations
  • Rectify or amend personal data that is inaccurate or out of date
  • Erase personal data that isn't necessary for the intended purposes
  • Withdraw consent at any time, which obliges organizations to cease processing personal data

These rights give individuals back control of how their identity in the digital realm is managed. Importantly, the draft DPDP Rules, 2025, introduce additional guardrails. For instance, if certain user thresholds are crossed, certain categories of data fiduciaries, like e-commerce platforms, online gaming services, and social media intermediaries, may be required to retain personal data for a period of no less than three years. This balances the need for accountability against operational realities.

3. Obligations of Data Fiduciaries

Organizations that decide the ‘how’ and ‘why’ of the processing of personal data, referred to as data fiduciaries in the DPDP Act, face a higher standard of responsibility than under the previous SPDI regime in India, which required only the appointment of a grievance officer. The DPDP Act expands significantly on the grievance officer requirement:

  • Data Protection Officers: Significant Data Fiduciary (SDF) must appoint a Data Protection Officer (DPO) based in India. Smaller fiduciaries may either appoint a DPO or designate an individual to respond to data-related queries. The draft Rules further require that the DPO’s contact details be made easily accessible, such as on company websites and in communications with data principals.

Moreover, all data fiduciaries will have core obligations to comply with, which include:

  • Data minimization - collect only the minimum data necessary to serve the purpose for which it was collected.
  • Breach reporting - report a data breach to the Data Protection Board and affected individuals within 72 hours.
  • Data Protection Officers (DPOs) - mandatory for Significant Data Fiduciaries, a classification based on size or impact.
  • Risk assessments and audits - perform them to demonstrate compliance with the law.

4. Data Protection Board of India

The Act establishes the Data Protection Board of India (DPBI) as the enforcement authority of this Act. The Board is responsible for:

  • Monitoring compliance with the DPDP Act
  • Investigating complaints and breaches
  • Imposing financial penalties of up to ₹250 crores per breach
  • Guiding organizations on corrective actions

The Data Protection Board of India is an indication of India's intent to create a structured enforcement ecosystem to ensure the law has teeth and is not just empty policy.


DPDP Consent Lifecycle

What Data is Excluded from the DPDP Act?

Although the Digital Personal Data Protection (DPDP) Act 2023 establishes a wide-ranging schema for the protection of personal data in India, it does not capture every conceivable kind of information. The Act deliberately leaves some categories out so that it can focus on protecting information that truly poses a risk to individuals' privacy and security in a digital context.


  • Non-digital data
    The Act applies to information only in digital form. Documentation that is only maintained on physical media like paper files, hand-written registers, or offline records is outside the compass of the Act. But, to be clear, records of this nature that later become digitized will be unambiguously captured by the DPDP Act.

  • Non-personal data
    Information not traceable to an identifiable person does not qualify as personal data under the scope of the DPDP Act. For example, anonymized datasets, aggregate statistics, and insights drawn from de-identified information are not personal data. A report on broad consumer purchasing tendencies that does not tie those tendencies back to an individual would not be personal data under the DPDP Act.

  • Data for personal or domestic use
    The Act does not apply to the processing of data which is purely personal or domestic in nature. For example, if a person processes data for non-commercial purposes, such as tracking his or her family budget on a spreadsheet, storing contact numbers on a personal phone, or creating a personal photo album, that is exempt. The emphasis is on organizational and commercial processing of individuals' data at scale.


Penalties and Compliance Requirements

The Digital Personal Data Protection Act 2023 contains some of the harshest financial sanctions ever for data privacy in India. Organizations found to have misused personal data, breached their obligation to notify regulatory authorities, or disregarded an individual's rights can incur penalties of as high as ₹250 crores for each violation. These penalties are meant not only to deter non-compliance, but also to force organizations to elevate data protection to a top-tier priority. In addition to monetary consequences, organizations face other repercussions such as reputational damage, loss of customer trust, and potential interruption of business.


A crucial compliance standard in the Act is the requirement for timely notification of data breaches. Every organization that falls under the Act's reach must notify the Data Protection Board of India within 72 hours of becoming aware of the breach. This requirement mirrors the globally recognized standard set by the EU's GDPR, and shows how India is seeking to follow the lead of global privacy standards.


The compliance threshold is still higher for Significant Data Fiduciaries (SDFs), organizations that process large-scale sensitive or high-impact personal data. SDFs must:


  1. Designate a Data Protection Officer (DPO) responsible for compliance and serving as a point of contact for both regulators and data principals.
  2. Undertake Data Protection Impact Assessments (DPIAs) on an ongoing basis to identify and mitigate risks before implementing new technologies, projects, or processing large-scale data.
  3. Implement higher security, ensuring stronger technical and organizational measures to protect against breaches and misuse.

Steps for DPDP compliance for businesses

Cross-Border Data Transfers under the DPDP Act

While the DPDP Act recognizes that the flow of personal data is an integral part of modern digital businesses, it sets forth guardrails to ensure that protection does not diminish once data crosses the borders of India.

  • Government-Imposed Restrictions:
    The central government may notify a list of countries or territories to which transfers of personal data will be restricted. These restrictions safeguard against data transfers to jurisdictions that do not provide protection consistent with the DPDP Act.

  • Compliance Responsibility:
    Organizations (the data fiduciaries) will be responsible for confirming that what is shared outside of India continues to be safeguarded at similar levels. In advance of a transfer of personal data, they will need to confirm whether the jurisdiction or entity receives "equivalent protections" through law, a binding agreement, or regulatory means.

  • Data Localizing Provisions:
    While the DPDP Act does not have a single data localization provision, it may give the government the discretion to require that certain specified classes of data, especially sensitive and critical classes, be kept within India. This clause provides a policy lever for high-risk data scenarios so that such data stays under sovereign control (e.g., national data, strategic data sets).


Below is an overview of penalties under the DPDP Act:

| Violation | Maximum Fine (₹) | When is it applied? |
|---|---|---|
| Failure to take security safeguards to prevent data breaches | ₹250 crore | Applies to fiduciaries that do not adopt reasonable technical/organizational measures. |
| Failure to notify the Data Protection Board of a breach within 72 hours | ₹200 crore | Includes delay or non-reporting of significant incidents. |
| Non-fulfillment of obligations related to children’s data | ₹200 crore | Covers improper consent, unsafe processing, or misuse of minors’ data. |
| Failure to honor Data Principal rights (access, correction, erasure, consent withdrawal) | ₹150 crore | When organizations ignore or delay responding to user rights requests. |
| Breach of duties by Significant Data Fiduciaries | ₹125 crore | Includes failure to appoint a DPO, conduct DPIAs, or comply with heightened obligations. |

DPDP Act vs Global Privacy Laws

As India's first digital privacy legislation, the DPDP Act 2023 is naturally compared to other international frameworks, including the European Union's GDPR. While the fundamental principles behind data protection are similar, the scope of the laws, the enforcement of legal obligations, and the applicable requirements all differ in ways that businesses should be prepared to manage.

Key Similarities

The DPDP Act, like other global privacy laws such as GDPR, is based upon a consent-first operating model for organizations. Both provide individuals with rights in relation to their personal data, and both impose organizational accountability, publicly setting out expectations for the collection, processing, and securing of personal data.

| Aspect | DPDP Act 2023 | GDPR |
|---|---|---|
| Consent-first model | Requires clear, informed consent for data processing | Explicit consent is required for lawful processing |
| User rights | Rights to access, correction, erasure, and withdrawal | Rights to access, rectification, erasure (right to be forgotten), and portability |
| Data fiduciary/controller duties | Limit collection, secure storage, breach reporting | Strict obligations on lawful basis, minimization, and accountability |
| Enforcement body | Data Protection Board of India | Independent Data Protection Authorities (one per EU country) |

Key Differences

While the underlying principles are shared, DPDP and GDPR differ in their methods of enforcement, scope, and rules for cross-border transfers. The DPDP Act is concerned only with India-specific contexts and governance, while the GDPR applies on a much broader, global basis and has stricter rules governing transfers of personal data.


| Aspect | DPDP Act 2023 | GDPR |
|---|---|---|
| Scope | Applies to the processing of Indian citizens’ data, even by foreign entities | Applies to all EU residents’ data, with global extraterritorial reach |
| Enforcement | Centralized under the Data Protection Board of India | Decentralized, as each EU member state has a Data Protection Authority |
| Cross-border transfers | Permitted except for blacklisted countries notified by the government | Transfers restricted; allowed only with adequate safeguards (e.g., adequacy, SCCs) |
| Penalties | Up to ₹250 crore (~€28M) per violation | Up to €20 million or 4% of global annual turnover |
| Classification of entities | Introduces “Significant Data Fiduciaries” with extra duties | No equivalent, but risk-based obligations for controllers/processors |

Global vs India data protection laws


Impact of DPDP Act on Business

The Digital Personal Data Protection Act 2023 transforms the environment in which organizations in India, whether nascent startups or large global enterprises, handle personal data. Its effects will differ across industries and businesses, but organizations will no longer be able to rely on ad hoc privacy practices and traditional approaches to data privacy. Privacy and data compliance will now need to be an embedded, operational requirement for organizations doing business in India.


For startups and SMEs, formal data governance processes will need to be established that many have not historically followed. When collecting customer data, even small firms will need to obtain customer consent, recognize and honor data principal rights, and be prepared to demonstrate compliance with DPDP Act requirements to regulators on request. There is no question that this will present challenges and introduce some overhead. However, building privacy in as a first-class concern when developing a business presents significant value.


For large enterprises and MNCs with experience operating under privacy requirements such as the GDPR, the DPDP Act will cause some friction, but may present less of a challenge than for startups and SMEs. The DPDP Act introduces requirements specific to the Indian jurisdiction, such as local enforcement under the Data Protection Board and obligations on Significant Data Fiduciaries. MNCs will need to rethink their policies for transferring personal data across international borders, appoint local (Indian) officers, and ensure that their contracts with Indian companies are consistent with the DPDP Act's requirements.


Compliance officers and Data Protection Officers (DPOs) will be central in implementing the law. They will need to develop policies related to data minimization, implement timely breach reporting, and manage consent processes. For Significant Data Fiduciaries, appointing a DPO is mandatory, which makes this a prominent area of investment in skilled personnel.


In addition to compliance, the Act presents a deeper opportunity. Building trust with customers will ultimately become a competitive edge in the market. Transparency, easy-to-use consent and data control features, and robust security will deepen customer loyalty in a landscape where data misuse will quickly destroy a company's reputation.


Final Thoughts

The Digital Personal Data Protection Act, 2023, isn’t simply another compliance box; it is a ground-up change in the way that organizations across India treat personal data. By placing consent, user rights, and accountability at the core, the DPDP Act exemplifies a future movement towards non-negotiable privacy. For organizations, compliance is not simply about avoiding penalties; compliance should also be viewed as an opportunity for organizations to reinforce trust, refine their data governance practices, and compete on transparency in a market that is growing increasingly privacy aware.


NEXT STEPS


Ready to simplify compliance with DPDP?


With Tech Prescient’s Identity Confluence, you can automate consent management, enforce governance, and stay audit-ready without adding operational complexity.


Frequently Asked Questions (FAQs)

1. What is the DPDP Act in India?

The Digital Personal Data Protection (DPDP) Act, 2023, is India's first comprehensive law dedicated to digital personal data protection. The law will regulate how entities collect, store, and process personal data, offering protections for individuals' personal data and privacy, all the while allowing for a framework wherein businesses and the government can use data appropriately.


2. What are the key provisions of the DPDP Act 2023?

The Act introduces a consent-first model for data processing, provides individuals with an enforceable set of rights, and imposes obligations on entities that utilize personal data. The Act also establishes a Data Protection Board to handle breaches and promote compliance in the digital personal data protection space. Importantly, the Act imposes significant penalties for violating its provisions, thus ensuring that businesses take the obligations seriously.


3. What are the rights of individuals under DPDP?

Individuals (a Data Principal) will have rights to view their personal data, request corrections to inaccuracies, request deletion of their data, and retract previously given consent. The rights offered under the DPDP will provide transparency and offer users greater control over their data.


4. What are the penalties for non-compliance with the DPDP Act?

Organizations that fail to comply with the Act may incur substantial fines of as much as ₹250 crores for each infraction. Examples of violations include failure to notify of a data breach, collecting or processing data (including biometrics) without consent, or not honoring user rights. The financial consequences of non-compliance are significant, underlining that compliance is not optional.


5. How is DPDP different from GDPR?

DPDP and GDPR share common foundational principles: consent-based processing, transparency, and user rights. However, GDPR is a global regulation that applies to organizations across the world that collect, use, or process data about EU citizens. DPDP is intended for and localized to India, with enforcement mechanisms and compliance expectations reflecting Indian law and local Indian business conditions.


Tech Prescient
We unleash growth by helping our customers become data driven and secured with our Data and Identity solutions.
Glassdoor
Become a part of our big family to inspire and get
inspired by professional experts.

OUR PARTNERS

AWS Partner
Azure Partner
Okta Partner
Databricks Partner

© 2017 - 2025 | Tech Prescient | All rights reserved.
