In This Guide
- The DPDP Act 2023 and DPDP Rules 2025 together form India's comprehensive data protection framework.
- The Rules were notified on November 14, 2025, with compliance phased over 18 months.
- The Act applies to all organizations processing digital personal data connected to India.
- Penalties can reach INR 250 crore (approximately USD 30 million) for serious violations.
- Consent Managers must register within 12 months of Rules notification.
Overview and Background
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection law, receiving Presidential assent in August 2023. The DPDP Rules 2025 provide the detailed implementation framework.
Key milestones:
- August 2023: DPDP Act enacted
- January 2025: DPDP Rules notified
- 2025-2027: Phased enforcement begins
The DPDP Act adopts a consent-centric, principle-based approach rather than prescriptive rules. Organisations have flexibility in implementation but must demonstrate accountability for personal data protection.
Who Does DPDP Apply To?
The DPDP Act applies to:
Territorial Scope
- Processing of digital personal data within India
- Processing outside India if it relates to offering goods/services to individuals in India
- Processing outside India if it involves profiling individuals in India
What is Covered
- Digital personal data (data in electronic form)
- Personal data that is digitised after collection
- Both automated and non-automated processing of digital personal data
Exemptions
- Personal data processed for personal or domestic purposes
- Personal data made publicly available by the data principal
- Processing necessary for enforcement of legal rights
- Processing by State for specified sovereign functions
Key Terms and Roles
The DPDP Act introduces specific terminology:
| DPDP Term | Equivalent (GDPR) | Definition |
|---|---|---|
| Data Principal | Data Subject | The individual whose personal data is processed |
| Data Fiduciary | Data Controller | Entity that determines purpose and means of processing |
| Data Processor | Data Processor | Entity that processes data on behalf of Data Fiduciary |
| Consent Manager | No equivalent | Registered entity to manage consent on behalf of principals |
| Significant Data Fiduciary | No direct equivalent; comparable to the risk-based triggers for appointing a DPO under GDPR | High-risk fiduciaries notified by the Central Government |
Data Principal Rights
The DPDP Act grants individuals the following rights:
Right to Information
- Summary of personal data being processed
- Processing activities undertaken
- Identity of other fiduciaries and processors with whom data is shared
- Any other information as may be prescribed
Right to Correction and Erasure
- Correction of inaccurate or misleading personal data
- Completion of incomplete personal data
- Erasure of personal data no longer necessary for purpose
Right of Grievance Redressal
- Right to approach Data Fiduciary's grievance mechanism
- Right to escalate to Data Protection Board if unresolved
Right to Nominate
- Right to nominate another individual to exercise rights in case of death or incapacity
Data Fiduciary Obligations
Data Fiduciaries must comply with these core obligations:
Ground for Processing
- Consent: Primary ground - free, specific, informed, unconditional, unambiguous
- Legitimate Uses: Specified purposes without consent (employment, emergency, State functions, legal obligations)
Purpose Limitation
- Process only for purposes consented to or legitimate uses
- No processing for purposes not disclosed at consent
Data Minimisation
- Collect only data necessary for specified purpose
- Do not retain data beyond the period necessary for that purpose
Accuracy
- Ensure completeness, accuracy, consistency of personal data
- Particularly where the data may affect the principal or is shared with others
Security Safeguards
- Implement reasonable security safeguards
- Prevent personal data breach
- Notify Board and affected principals of breach
Accountability
- Publish contact details of person to answer queries
- Implement grievance redressal mechanism
- Erase data when consent withdrawn or purpose fulfilled
Consent Requirements
The DPDP Act establishes detailed consent requirements:
Characteristics of Valid Consent
- Free: Not obtained through coercion or undue influence
- Specific: Given for specific purposes, not blanket consent
- Informed: Principal understands what they're consenting to
- Unconditional: Not bundled with service access inappropriately
- Unambiguous: Clear affirmative action, not assumed from silence
Notice Requirements
Before or at collection, provide notice containing:
- Personal data to be collected and purpose
- How the principal may exercise rights
- How to make a complaint to the Data Protection Board
- Available in English and 22 scheduled languages
Consent for Children
- Verifiable parental consent required for children under 18
- No tracking, behavioural monitoring, or targeted advertising to children
- No processing that may cause harm to child
Significant Data Fiduciaries
The Central Government may notify certain Data Fiduciaries as "Significant Data Fiduciaries" (SDFs) based on:
Criteria for SDF Designation
- Volume and sensitivity of personal data processed
- Risk to rights of data principals
- Potential impact on sovereignty and integrity of India
- Risk to electoral democracy
- Security of the State
- Public order
Additional SDF Obligations
- Data Protection Officer: Appoint a DPO based in India as the point of contact for principals and the Board
- Data Protection Impact Assessment: Periodic DPIAs as prescribed
- Audit: Periodic audit by independent data auditor
- Other Measures: As may be prescribed by rules
Cross-Border Data Transfers
The DPDP Act takes a permissive approach to cross-border transfers:
Default Position
- Personal data may be transferred outside India
- No adequacy determination required by default
Government Restrictions
- Central Government may restrict transfer to specified countries
- Restrictions will be notified as needed
- At present, no countries are on the restricted list
Practical Considerations
- Other laws may impose additional restrictions (e.g., RBI data localisation)
- Contractual obligations with processors should address transfer
- Security safeguards must apply regardless of location
Penalties
The DPDP Act introduces significant financial penalties:
| Violation | Maximum Penalty (INR) | Approximate USD |
|---|---|---|
| Failure to take security safeguards (breach) | Rs. 250 crore | ~$30 million |
| Failure to notify breach | Rs. 200 crore | ~$24 million |
| Failure to comply with children's data requirements | Rs. 200 crore | ~$24 million |
| Failure to comply with SDF obligations | Rs. 150 crore | ~$18 million |
| Failure to comply with other provisions | Rs. 50 crore | ~$6 million |
Note: The Data Protection Board determines penalties based on nature, gravity, and duration of breach, type of personal data affected, and fiduciary's compliance history.
What to Do Now
Organisations should take the following steps:
Immediate Actions
- Assess applicability of DPDP Act to your organisation
- Inventory personal data processing activities
- Review and update privacy notices
- Assess consent mechanisms against DPDP requirements
- Review data processor agreements
Medium-Term Actions
- Implement/enhance data subject rights mechanisms
- Establish grievance redressal processes
- Review security safeguards
- Prepare breach notification procedures
- Train staff on DPDP requirements
Ongoing Activities
- Monitor for SDF notification (if applicable)
- Track rule-making and regulatory guidance
- Maintain compliance program
Frequently Asked Questions
What is the DPDP Act?
The DPDP Act (Digital Personal Data Protection Act, 2023) is India's comprehensive data protection law, passed in August 2023 and operationalized by the DPDP Rules 2025. It establishes a consent-centric framework governing how organizations collect, process, store, and share digital personal data of individuals in India.
When do organizations need to comply with DPDP?
Compliance is phased: governance structures and privacy frameworks should be established now, operationalization of key requirements (consent mechanisms, rights management, breach notification) is expected by mid-2026, and full enforcement readiness, including audits and DPO appointments (for SDFs), should be in place by late 2026.
Does the DPDP Act apply to foreign companies?
Yes, the DPDP Act applies to organizations outside India if they process personal data in connection with offering goods or services to Data Principals (individuals) in India, or if they profile individuals in India. This extra-territorial scope is similar in principle to the GDPR.
What are the penalties under DPDP?
Penalties under the DPDP Act can reach up to INR 250 crore (approximately USD 30 million) per violation for the most serious breaches, such as failure to implement reasonable security safeguards. The Data Protection Board of India determines fines based on factors including the nature, gravity, and duration of the breach.
How is DPDP different from GDPR?
While DPDP shares similar principles with GDPR (consent, purpose limitation, data minimization), it uses India-specific terminology and concepts: Data Fiduciary instead of Controller, Data Principal instead of Data Subject, and introduces the unique concept of Consent Managers. The enforcement body is the Data Protection Board of India rather than independent supervisory authorities, and cross-border transfer rules differ significantly.
Do I need an independent DPDP assessment?
An independent DPDP assessment is recommended for demonstrating accountability and identifying compliance gaps. It provides an objective evaluation of your data protection practices against DPDP requirements. Glocert International provides independent DPDP compliance assessments and attestation services to help organizations demonstrate conformity.