Privara
DPDPA Compliance Advisory  ·  Based on DPDPA Act 2023 & Rules 2025

What is the DPDPA?

The Digital Personal Data Protection Act 2023 — commonly referred to as the DPDPA or DPDP Act — is India's primary legislation governing how personal data of individuals in India must be collected, processed, stored, and deleted by organisations.

The Act received Presidential assent on 11 August 2023. The DPDP Rules 2025 were notified in January 2025, adding operational detail to the Act's requirements. Together, the Act and Rules create a comprehensive framework of obligations for organisations — referred to as Data Fiduciaries — that process personal data of Indian residents.

In plain terms: If your organisation collects, stores, or processes personal data of individuals in India — through a product, a website, an app, or a service — you are almost certainly subject to the Act's requirements.

Who does DPDPA apply to?

The Act applies to the processing of digital personal data within India, and to the processing of digital personal data outside India if it is in connection with any activity related to offering of goods or services to individuals in India.

There is no revenue threshold, no employee count exemption, and no sector carve-out for most organisations. The Act applies based on whether you process personal data of Indian residents — not based on your company's size, stage, or business model.

DPDPA applies to:
Indian startups collecting user emails or payment data
SaaS companies with Indian user bases
E-commerce platforms processing customer orders
Fintech apps collecting KYC or financial data
EdTech platforms with student accounts
Foreign companies offering services to Indian users

Likely exempt or excluded:
Processing for personal or domestic purposes
Data made publicly available by the data principal
Central and State Government entities (certain provisions)
Research, archiving, and statistical purposes (with conditions)

Key definitions you need to know

Personal Data

Any data about an individual who is identifiable by or in relation to such data. This includes names, email addresses, phone numbers, payment details, location data, IP addresses, behavioural data, health information, and any other information that can be linked to an individual — directly or indirectly.

Data Fiduciary

Any person who, alone or in conjunction with others, determines the purpose and means of processing personal data. If your organisation decides what data to collect and why — you are a Data Fiduciary. Most organisations building products and services are Data Fiduciaries under the Act.

Data Principal

The individual to whom the personal data relates. Your users, customers, employees, and anyone whose personal data you process are Data Principals under the Act. They have specific rights — including the right to access their data, correct it, and request its erasure.

Data Processor

Any person who processes personal data on behalf of a Data Fiduciary. Analytics platforms, CRM tools, cloud providers, email services, and payment processors that handle your users' data are Data Processors. The Act requires you to have written contracts in place with every Data Processor you use.

Core obligations under the Act

The Act creates eight operational control areas that organisations must address. These are not documentation requirements — they are operational requirements that must be verifiable in how your systems, vendor relationships, and processes actually function.

1. Lawful Basis and Valid Consent

Personal data may only be processed on a valid legal basis. For most organisations, this means obtaining consent that is free, specific, informed, and unambiguous — given through an affirmative action by the data principal. Pre-ticked checkboxes, bundled consent, and consent obtained via terms acceptance do not meet this standard.

Section 4, Section 6 — DPDPA Act 2023

2. Privacy Notice

Before or at the time of collecting personal data, you must provide a notice specifying the personal data being collected, the purpose of processing, how data principal rights can be exercised, and the grievance process. The notice must be in clear and plain language and available in multiple languages as notified.

Section 5 — DPDPA Act 2023

3. Purpose Limitation

Personal data may only be processed for the specific purpose for which it was collected. Using data for secondary purposes — analytics, product improvement, marketing — that are not clearly disclosed and consented to is a violation. Each purpose must be specified, and separate consent obtained where required.

Section 6(1) — DPDPA Act 2023

4. Data Processor Contracts

Every third-party service that processes personal data on your behalf must do so under a written contract that specifically governs data handling. Standard SaaS terms of service do not satisfy this requirement. You are responsible for ensuring your processors comply with the Act — including through contractual obligations.

Section 8(3) — DPDPA Act 2023

5. Data Principal Rights

Individuals have the right to access information about their personal data, correct inaccuracies, request erasure, and nominate a representative. You must have operational processes to respond to these requests within the timelines prescribed in the Rules. A "contact us" email is not a grievance mechanism.

Sections 11–13 — DPDPA Act 2023

6. Data Retention and Erasure

Personal data must not be retained beyond the period necessary for the purpose for which it was collected. Once the purpose is fulfilled and the data principal withdraws consent, data must be erased. Account deactivation is not the same as data erasure — the obligation extends across all systems and processors.

Section 8(7) — DPDPA Act 2023

7. Security Safeguards

Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches. What constitutes "reasonable" will depend on the volume, nature, and sensitivity of data processed. The Rules add detail on what specific safeguards are expected for different categories of organisations.

Section 8(5) — DPDPA Act 2023

8. Breach Notification

In the event of a personal data breach, you must notify the Data Protection Board and affected data principals. Notification must be made regardless of whether internal investigation has concluded. Organisations must have a documented breach response process — not merely a policy statement.

Section 8(6) — DPDPA Act 2023

What DPDPA compliance actually means operationally

DPDPA compliance is frequently misunderstood as a documentation exercise — drafting a privacy policy, updating terms of service, and moving on. This misunderstanding is important to correct, because the Act's obligations are operational, not documentary.

A privacy policy tells your users what you intend to do with their data. The Act requires you to demonstrate what you actually do. These two things — the policy and the system — are frequently not the same.

The operational gap most organisations miss: Your consent flows, vendor contracts, deletion processes, and rights response mechanisms must function correctly in your live product and systems — not just be described correctly in your documentation.

Common operational gaps

Based on the Act's requirements, the following are the most frequently identified operational compliance gaps in Indian organisations:

Consent collected incorrectly — Pre-ticked marketing checkboxes, consent bundled into terms acceptance, or no mechanism for users to withdraw consent once given.

Privacy notice deficiencies — Notices adapted from GDPR templates that do not address the Act's specific disclosure requirements, or notices that describe intended practices rather than actual system behaviour.

Vendor agreements missing — Analytics platforms, CRM tools, email services, and cloud providers processing user data under standard commercial agreements with no Data Processing Agreement in place.

Deletion not functioning — Account deletion triggering deactivation rather than actual erasure across all systems and processors.

Rights process inadequate — No accessible grievance mechanism, or a mechanism that does not operate within the Act's prescribed response timelines.

Penalties for non-compliance

The Data Protection Board of India has the authority to investigate complaints and impose financial penalties on organisations that breach the Act's requirements. Penalties under the Act can reach ₹250 crore per violation for the most serious breaches — specifically, failure to implement reasonable security safeguards resulting in a personal data breach.

Penalties are imposed per violation — not as annual caps. An organisation with multiple compliance gaps faces potential penalties across each separate violation. See the full DPDPA Penalty Guide for the complete penalty schedule.

Enforcement is not hypothetical. The Data Protection Board is operational and the Rules are notified. Organisations that delay compliance remediation are doing so on the assumption that enforcement will not reach them — an assumption that carries increasing risk as the Board's capacity and caseload develop.

How to assess your current compliance posture

The starting point for most organisations is understanding precisely where they currently stand — not against a generic privacy framework, but against the specific operational requirements of the DPDPA Act 2023 and Rules 2025.

A self-assessment or compliance checklist can provide a rough orientation. But a self-assessment measures what your team believes is true about your organisation — not what your systems, vendor contracts, and processes actually look like when reviewed independently.

The most reliable way to establish your compliance posture is an operational assessment conducted against the Act's specific requirements, with findings backed by evidence reviewed from your live systems and documentation. This is what Privara's DPDPA Readiness Review provides.

Next steps

If you have read this guide and want to understand precisely where your organisation stands operationally, the right starting point is a scoping conversation — not a commitment to a full engagement.

In a scoping conversation, we learn about your organisation, your data handling practices, and what has already been done. We then tell you honestly which engagement makes sense, what it will cover, and what it will cost — before anything is agreed.

You can also review the DPDPA Compliance Checklist for a structured overview of the eight control areas, or the DPDPA Penalty Guide for the full penalty schedule.