What Is the DPDP Act 2023? Guide for Indian Business Compliance
India's Digital Personal Data Protection Act 2023 decoded: 7 obligations for every Data Fiduciary, 8 rights for Data Principals, penalties up to ₹250 crore.
India Now Has a Data Protection Law. Here Is What It Says.
On 11 August 2023, the Indian Parliament enacted the Digital Personal Data Protection Act, 2023 (DPDP Act). It received Presidential assent the same day. This is India’s first dedicated data protection legislation, governing how organisations collect, store, process, and delete personal data of individuals.
The Act applies to every business that handles digital personal data of individuals in India. There are no exemptions based on company size, revenue, or sector. If you collect a customer’s name, phone number, email address, or Aadhaar number, this law governs how you handle that data.
Full enforcement is expected from May 2027, after the Consent Manager registration window closes in November 2026. Once enforcement begins, the Data Protection Board of India will accept complaints and issue penalties.
Who the Act Defines: Three Roles You Need to Know
The DPDP Act introduces specific legal terminology for the parties involved in data processing. Understanding these roles is the first step toward compliance.
- Data Principal: The individual whose data is being collected. Your customers, employees, website visitors, and app users are all Data Principals.
- Data Fiduciary: The organisation that determines the purpose and means of processing personal data. If you decide what data to collect and why, you are a Data Fiduciary. This includes companies, partnerships, trusts, and sole proprietors.
- Significant Data Fiduciary (SDF): A subset of Data Fiduciaries designated by the Central Government based on volume of data processed, sensitivity of data handled, or risk to Data Principals. SDFs face additional obligations including mandatory Data Protection Impact Assessments, appointment of a Data Protection Officer based in India, and periodic independent audits.
Most Indian businesses processing customer data will qualify as Data Fiduciaries. The SDF designation will apply to larger organisations, though the exact thresholds are yet to be notified through subordinate rules.
Seven Obligations Every Data Fiduciary Must Meet
The Act establishes clear obligations. These are not recommendations. They are legal requirements with financial consequences for non-compliance.
- Lawful purpose and consent: You must have a valid reason to process personal data. In most cases, this means obtaining informed, specific, and freely given consent from the Data Principal before collecting their data. Consent must be requested in clear, plain language.
- Purpose limitation: Data collected for one stated purpose cannot be repurposed without obtaining fresh consent. If you collect an email address for order confirmations, you cannot use it for marketing without separate, explicit permission.
- Data minimisation: Collect only the data that is necessary for the stated purpose. Collecting “everything, just in case” is a violation.
- Accuracy and completeness: Ensure personal data remains accurate and up to date for the duration of its use. Stale or incorrect records create liability.
- Storage limitation: Personal data must be deleted once the purpose for which it was collected has been fulfilled. Indefinite retention without justification is non-compliant.
- Security safeguards: Implement reasonable security measures to protect personal data against breaches, unauthorised access, and accidental loss. The Act does not prescribe specific technologies, but it expects demonstrable, documented controls.
- Breach notification: In the event of a data breach, you must notify both the Data Protection Board of India and the affected Data Principals. Notification to the Board is due within 72 hours of becoming aware of the breach. Delayed or suppressed breach reporting carries its own penalties.
Rights of Data Principals
The Act does not only impose duties on businesses. It grants enforceable rights to individuals.
- Right to access: Data Principals can request a summary of the personal data you hold about them and the processing activities you perform on it.
- Right to correction and erasure: Individuals can demand correction of inaccurate data or complete erasure of their data, subject to certain legal exceptions.
- Right to grievance redressal: Every Data Fiduciary must establish a mechanism for Data Principals to raise complaints. You cannot redirect them to a generic support email and call it compliance.
- Right to nominate: Data Principals can nominate another individual to exercise their data rights in case of death or incapacity.
These rights are not optional features you can add later. They must be operational before the enforcement deadline.
Penalties: Up to ₹250 Crore Per Violation
The DPDP Act carries significant financial penalties. The Data Protection Board of India has the authority to impose fines based on the nature and severity of the violation.
- Failure to take reasonable security safeguards resulting in a breach: up to ₹250 crore
- Failure to notify the Board and affected individuals of a breach: up to ₹200 crore
- Non-compliance with obligations relating to children’s data: up to ₹200 crore
- Failure to comply with other provisions of the Act: up to ₹50 crore
These are not theoretical figures. The Act establishes the Data Protection Board as an adjudicatory body with the power to investigate complaints, conduct inquiries, and impose penalties. For a detailed breakdown, see the penalties guide.
The Enforcement Timeline
The Central Government is bringing the Act into full effect in phases. The DPDP Rules were notified on 13 November 2025. The Consent Manager registration window is expected to close in November 2026, and the Data Protection Board’s penalty enforcement is expected from May 2027.
This means every Data Fiduciary must have the following operational well before May 2027:
- A consent management system that captures, stores, and allows withdrawal of consent
- A documented data processing register mapping what data you collect, why, and for how long
- A breach notification protocol with defined response timelines
- A grievance redressal mechanism accessible to Data Principals
- Technical and organisational security measures that can withstand audit
For a step-by-step preparation timeline, refer to the DPDP compliance timeline.
What This Means for Your Business Today
The gap between “we collect data” and “we are DPDP-compliant” is substantial. Most Indian businesses today lack formal consent records, have no documented data retention policies, and have never conducted a data inventory.
This is not a criticism. India has not had a data protection law before. But the absence of prior regulation does not extend the compliance window. May 2027 enforcement is the date to plan against, and the Board’s enforcement powers are broad.
The practical starting point is a gap assessment: a structured audit of your current data practices measured against the Act’s requirements. This tells you exactly where you stand and what needs to change.
If you have not started, the DPDP Compliance Checklist provides a structured framework for evaluating your readiness.
Run a Free Compliance Vault Assessment
ConsentOS provides a structured DPDP gap assessment that maps your current data practices against every obligation in the Act. It identifies gaps, quantifies risk exposure, and produces a prioritised remediation plan.
No cost. No commitment. Just a clear picture of where you stand before the enforcement clock runs out.