What is the Digital Personal Data Protection Act, 2023? A Plain-English Guide for Indian Businesses
The Short Answer
India now has a complete data privacy framework.
The Digital Personal Data Protection Act, 2023 — the DPDP Act — was passed by Parliament in August 2023. The Rules that operationalise it were notified by MeitY on 13 November 2025.
What this framework does is straightforward: it gives Indian citizens legal rights over their personal data, and it places binding obligations on every business that collects or processes that data.
If your business holds data about people — customers, employees, users, prospects — this law applies to you. There is no size threshold. There is no sector exemption. There is no opt-out.
Why This Law Exists
India has over 900 million internet users. Until recently, no single law governed what companies could do with their data.
Businesses operated under a patchwork — fragments of the IT Act 2000, RBI circulars, SEBI guidelines, sector-specific rules. None of it cohered. None of it gave individuals enforceable rights.
The DPDP Act replaces that patchwork with one unified framework. The Rules translate its principles into concrete operational requirements.
Who Does It Apply To?
Any entity that:
- Collects or processes digital personal data of individuals in India
- Offers goods or services to people in India — even if the company itself is based abroad
- Processes data within India, regardless of where it is incorporated
That means e-commerce platforms, hospitals, fintech apps, banks, HR departments, schools, SaaS companies, law firms, logistics companies, and every business in between.
What counts as personal data? Any data that can identify a living individual — directly or indirectly. Names, phone numbers, email addresses, financial records, health data, location data, biometric data, and combinations of data that together make someone identifiable.
The Four People You Need to Know
The Data Fiduciary is your business. You decide why personal data is collected and how it is used. You carry the legal responsibility.
The Data Principal is the individual. Your customer. Your employee. Your user. Under this framework, they have real, enforceable rights — to access their data, correct it, and have it erased.
The Data Processor is any third party that handles data on your behalf — your cloud provider, your payroll software, your marketing platform. They operate under your instructions and your contracts govern their obligations.
The Data Protection Board of India is the regulator. Established under the Rules, it is a fully digital body — complaints filed online, hearings conducted virtually, penalties imposed and enforced.
What the Law Requires of Your Business
Get consent before you collect. Free, specific, informed, unambiguous consent. Not implied. Not pre-ticked. Not buried in a terms document.
Use data only for the purpose you stated. If you collect data to process a purchase, use it only to process that purchase. Purpose limitation is a hard requirement.
Collect only what you need. Data minimisation is a legal requirement.
Keep it accurate. If data is wrong and an individual tells you so, fix it promptly.
Delete it when you are done. Once the purpose is served and there is no legal reason to retain the data, it must go. The Rules add a specific notification requirement before erasure.
Protect it properly. Reasonable technical and organisational safeguards. System and processing logs must be retained for a minimum of one year.
Report breaches — fast. Immediate notification to affected individuals and the Board. A detailed breach report to the Board within 72 hours.
The Penalties
| Violation | Maximum Penalty |
|---|---|
| Inadequate security safeguards | ₹250 crore |
| Failure to notify a breach | ₹200 crore |
| Violations involving children's data | ₹200 crore |
| Any other non-compliance | ₹50 crore |
Per violation. Not an annual cap.
The Compliance Timeline
The Rules introduced a phased rollout:
- From 13 November 2025 — Procedural provisions in force. The Data Protection Board is established. Compliance planning must begin immediately.
- By 13 November 2026 — Consent Manager registration requirements take effect.
- By 13 March 2027 — All substantive provisions fully in force. Consent obligations, notices, data fiduciary obligations, and individual rights are all enforceable.
Eighteen months from notification sounds comfortable. Once you build in the time required to audit your data, rebuild consent flows, update vendor contracts, and train your teams, it is not comfortable at all.
The Bottom Line
The DPDP Act and Rules together shift something fundamental. Personal data is no longer a business asset to be collected freely and used indefinitely. It is held in trust, for specific purposes, with the individual's consent, under legal obligations that carry real penalties for breach.
The companies that will navigate this well are not the ones with the largest compliance budgets. They are the ones that start earliest.