India has entered a transformative era of digital privacy. After years of deliberation and development, the country’s first comprehensive data protection legislation—the Digital Personal Data Protection Act (DPDPA) 2023—has been fully operationalized with the notification of implementing rules in November 2025. This landmark legislation affects virtually every organization processing personal data of individuals in India, representing one of the most significant regulatory shifts in the world’s most populous nation.
Understanding DPDPA India: From Legislation to Implementation
The journey to comprehensive data privacy protection in India has been both complex and historic. The Digital Personal Data Protection Act received presidential assent and was published in the Official Gazette on August 11, 2023, but the law required detailed implementing regulations to become operational.
The Path to Privacy Protection
The DPDP Act was enacted after more than half a decade of deliberations, including multiple draft versions and extensive stakeholder consultation. The legislative process began in earnest following a landmark 2017 Supreme Court ruling that recognized privacy as a fundamental right under Article 21 of the Indian Constitution.
The drafting process involved:
- An initial expert committee draft in 2018
- The Personal Data Protection Bill introduced in Parliament in 2019
- Parliamentary committee review and recommendations in 2021
- A significantly revised draft in November 2022
- Final passage in August 2023
On January 3, 2025, the Ministry of Electronics and Information Technology published draft Digital Personal Data Protection Rules for public consultation, marking a critical step toward making the law operational. The Ministry of Electronics and Information Technology notified the final rules on Friday, November 14, 2025, formally operationalizing India’s first dedicated personal-data protection regime.
DPDPA India: Scope and Application
Who Must Comply?
The DPDPA India framework applies broadly to any organization processing digital personal data within India, regardless of company size or sector. The law applies to the processing of all digital personal data within India, creating obligations for:
- E-commerce platforms and online marketplaces
- Social media companies and digital platforms
- Financial services institutions and fintech companies
- Healthcare providers managing electronic health records
- Educational institutions maintaining digital student data
- Technology companies and software service providers
- Marketing and advertising agencies
- Data brokers and analytics firms
- Any business collecting customer information digitally
Extraterritorial Reach
The Act applies to the processing of digital personal data within India where such data is collected online, or collected offline and then digitised. It also applies to such processing outside India if it is in connection with offering goods or services in India. This extraterritorial application means international companies serving Indian customers must comply with DPDPA requirements even if they have no physical presence in India.
What Constitutes Personal Data Under DPDPA?
Personal data is defined as “any data about an individual who is identifiable by or in relation to such data”. This encompasses information such as:
- Names and contact details
- Identification numbers (Aadhaar, PAN, passport)
- Financial and banking information
- Location data and device identifiers
- Biometric information
- Online identifiers and IP addresses
- Behavioral data and browsing history
- Health and medical records
- Educational and employment records
Notably, unlike GDPR, DPDPA-2023 does not distinguish between personal and sensitive personal data, treating all personal information under a unified framework.
Key Exemptions
The DPDPA exempts certain processing scenarios. The law in its entirety does not apply to personal data processed for personal or domestic purposes, and to the processing of personal data made publicly available by the data subject or by any person legally obligated to do so.
Additional exemptions include:
- Processing by notified government agencies for national security purposes
- Prevention or detection of offenses
- Research, archival, or statistical purposes under specified conditions
- Enforcement of legal rights or court-approved corporate restructuring
- Processing necessary for ascertaining financial status of loan defaulters
Core Principles and Legal Foundations
Understanding Key DPDPA Terms
The DPDPA introduces terminology that parallels but differs from other major privacy regulations:
Data Fiduciary – Any entity responsible for the collection and processing of personal data. The concept is borrowed from the General Data Protection Regulation (GDPR), which calls this entity the “data controller”.
Data Principal – As the equivalent to a “data subject,” this refers to the individual whose personal data is collected by a fiduciary.
Data Processor – A data processor is the person who processes personal data on behalf of the data fiduciary.
Significant Data Fiduciary (SDF) – SDFs are fiduciaries that the Indian government specifically identifies based on data volume, sensitivity, risk, and national security impact. SDFs must meet additional data protection requirements.
Legal Bases for Processing
Consent is the main lawful ground prescribed by the DPDPA, and the law does not include commonly used lawful grounds in other jurisdictions, such as ‘legitimate interest’ and ‘contractual necessity’.
However, the DPDPA also permits personal data to be processed without consent for certain “legitimate uses”, including:
- Voluntary provision of data by the data principal for a specific purpose
- Employment-related processing and prevention of loss to employers
- Medical emergencies and public health situations
- Disaster management and breakdown of public order
- Performance of state functions and compliance with legal obligations
Consent Requirements
The DPDPA prescribes a high standard for obtaining valid consent and requires consent to be free, specific, informed, unconditional, unambiguous, and indicated using a clear affirmative action.
This means organizations must:
- Obtain granular consent for each specific processing purpose
- Provide clear, detailed notices before collecting consent
- Ensure consent mechanisms are as easy to withdraw as they are to give
- Avoid bundling consent or making it a condition for unrelated services
- Obtain verifiable parental consent for processing children’s data (individuals under 18)
Data Principal Rights Under DPDPA India
The DPDPA establishes comprehensive rights giving Indian citizens meaningful control over their personal information.
Right to Access
Organizations must provide a means for data principals to request access to their personal information, thus ensuring transparency. Data principals can obtain summaries of personal data processed, details of processing activities, and information about all data fiduciaries and processors accessing their data.
Right to Correction
Data principals can request corrections or updates to incomplete or inaccurate information. Organizations must maintain data accuracy, completeness, and consistency, particularly for data likely to be used in decision-making affecting the data principal.
Right to Erasure (Right to be Forgotten)
Individuals can also request that fiduciaries delete their digital personal data at any time. However, businesses may retain data if necessary for specific legitimate purposes or legal compliance.
For certain categories of data fiduciaries, the Rules lay out a three-year retention term, running from the commencement of the Digital Personal Data Protection Rules, 2025, or from the last time the Data Principal approached the Data Fiduciary for the specified purpose or to exercise their rights, whichever is later.
Right to Consent Management
Data fiduciaries must obtain clear and informed consent, ensuring individuals are aware of and agree to data collection and processing. Data principals can withdraw their consent at any time, and organizations must make withdrawal processes as convenient as the original consent mechanism.
Right to Grievance Redressal
Individuals can file complaints and seek redress if they believe their rights have been violated. Data fiduciaries must establish effective grievance mechanisms and respond to requests within reasonable timeframes.
Right to Nominate
Data principals have the right to nominate another individual to exercise their rights in the event of death or incapacity, ensuring continued protection of personal data even in such circumstances.
Obligations for Data Fiduciaries
Privacy Notice Requirements
Under the Draft Rules, data fiduciaries (organizations controlling the processing of personal data) need to ensure that privacy notices are clear, comprehensive, and easily understandable. These notices should clearly specify the nature of the data collected, the purpose of the data collection, and how the data will be used.
The notice provided by the Data Fiduciary to the Data Principal must be independently understandable without reliance on other information. It needs to clearly detail the personal data to be processed along with its specified purpose, including an itemised description of personal data sought to be processed.
Privacy notices must include:
- Clear identification of the data fiduciary
- Itemized description of personal data being collected
- Specific purposes for which data will be processed
- Contact information for exercising data principal rights
- Procedures for withdrawing consent
- Grievance redressal mechanisms
- How to file complaints with the Data Protection Board
Data Security Obligations
The Draft Rules impose stringent security measures that data fiduciaries must implement to protect personal data from breaches. These reasonable security safeguards include, at a minimum:
- Data security measures such as encryption, obfuscation, masking, or virtual tokens mapped to specific personal data
- Access controls to secure the computer resources used by data fiduciaries and data processors
Additional security requirements include:
- Data backup measures ensuring continuity even in case of data loss
- Retention of data for at least one year to support breach detection and investigation
- Contractual provisions with data processors to safeguard personal data
- Regular security assessments and updates
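As an added example (not code from the article, the Rules, or any vendor product), the following in-memory token vault shows how the minimum safeguards above fit together in practice: virtual tokens mapped to personal data, masking for display, role-based access control on resolving a token back to the raw value, and an access log kept for the one-year retention window. The key, roles, sample identifiers and purge window are all constructed for the example; encryption at rest of the vault's own storage is assumed to be provided by the platform and is not shown.

```python
"""Added example (not from the article or any vendor): a small in-memory
token vault showing how the Rules' minimum safeguards fit together:
virtual tokens mapped to personal data, masking for display, role-based
access control on de-tokenisation, and an access log kept for the
one-year retention window. All identifiers below are constructed."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Rules: logs and related data retained at least one year for breach detection
LOG_RETENTION = timedelta(days=365)


def mask_value(value: str, keep_last: int = 4) -> str:
    """Obfuscate an identifier for display (e.g. on a support screen)."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


class TokenVault:
    """Maps opaque virtual tokens to personal data.

    Downstream systems (analytics, CRM, partners) only ever see the token;
    resolving it back to the raw value is restricted to allowed roles and
    is logged every time. In production the vault's own storage would sit
    behind encryption at rest; that layer is assumed and omitted here."""

    def __init__(self, key: bytes, allowed_roles: set):
        self._key = key
        self._allowed_roles = allowed_roles
        self._store = {}        # token -> personal data
        self.access_log = []    # one entry per resolution attempt

    def tokenize(self, value: str) -> str:
        # Keyed HMAC: the same value always yields the same token (so tokens
        # can still be joined across systems), but without the key the token
        # reveals nothing about the underlying value.
        token = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:32]
        self._store[token] = value
        return token

    def detokenize(self, token: str, role: str, now: datetime = None) -> str:
        now = now or datetime.now(timezone.utc)
        granted = role in self._allowed_roles and token in self._store
        self.access_log.append({"ts": now, "token": token, "role": role, "granted": granted})
        if not granted:
            raise PermissionError(f"role {role!r} may not resolve token {token[:8]}")
        return self._store[token]

    def purge_logs(self, now: datetime = None) -> int:
        """Drop log entries older than LOG_RETENTION; returns how many were removed."""
        now = now or datetime.now(timezone.utc)
        before = len(self.access_log)
        self.access_log = [e for e in self.access_log if now - e["ts"] < LOG_RETENTION]
        return before - len(self.access_log)


def demo() -> dict:
    """Walk through tokenise -> masked display -> controlled resolve -> log purge."""
    # Constructed sample values; not real Aadhaar or PAN numbers
    vault = TokenVault(key=secrets.token_bytes(32), allowed_roles={"kyc-officer"})
    now = datetime(2025, 11, 14, tzinfo=timezone.utc)
    aadhaar_token = vault.tokenize("123412341234")
    pan_token = vault.tokenize("ABCDE1234F")
    resolved = vault.detokenize(aadhaar_token, role="kyc-officer", now=now)
    try:
        vault.detokenize(pan_token, role="marketing", now=now)
        marketing_denied = False
    except PermissionError:
        marketing_denied = True
    entries_before_purge = len(vault.access_log)
    purged = vault.purge_logs(now=now + timedelta(days=366))
    return {
        "token_is_opaque": aadhaar_token != "123412341234",
        "token_is_stable": vault.tokenize("123412341234") == aadhaar_token,
        "resolved": resolved,
        "masked_for_display": mask_value("123412341234"),
        "marketing_denied": marketing_denied,
        "log_entries_before_purge": entries_before_purge,
        "purged_after_366_days": purged,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the raw identifier lives in exactly one place, every resolution is attributable to a role and a timestamp, and the denied attempt is logged as well as the granted one, which is what makes the log useful for breach detection. Note that the purge removes entries only after the full retention window has passed; a fiduciary that also has a longer statutory retention obligation would keep the larger of the two periods.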
Breach Notification
Data fiduciaries are required to notify personal data breaches to the newly created Data Protection Board and to impacted data subjects, regardless of the magnitude of the breach or risk of harm. Further, the DPDPA does not prescribe specific deadlines for reporting.
This universal breach notification requirement means organizations must have robust incident response procedures to:
- Detect and assess breaches promptly
- Notify the Data Protection Board
- Inform affected data principals
- Document breach circumstances and remedial actions
Data Processor Management
Data fiduciaries have numerous obligations under the DPDPA. The most important of them include:
- Obtaining explicit consent from the data principal unless the data can be processed on another legal basis
- Using personal data only for the purpose for which it was collected
Organizations must also maintain contractual relationships with data processors ensuring DPDPA compliance and deliver consumer requests within reasonable timeframes.
Data Protection Officer Requirements
Not all businesses are required to appoint a Data Protection Officer (DPO). You only need to appoint one if you are a “significant data fiduciary,” but we don’t yet know what data fiduciaries will be considered to be significant.
Once designated as an SDF, organizations must appoint a qualified DPO responsible for representing the organization to data principals and the Data Protection Board.
Enhanced Requirements for Significant Data Fiduciaries
A Significant Data Fiduciary must conduct a Data Protection Impact Assessment and audit every twelve months from its notification or inclusion in the notified class of Data Fiduciaries to ensure compliance with the DPDPA and the Rules.
Data Protection Impact Assessments (DPIAs)
SDFs must conduct annual DPIAs examining:
- The nature, scope, and context of data processing
- Risks to data principal rights and freedoms
- Measures to address and mitigate identified risks
- Compliance with DPDPA requirements
Independent Audits
The person conducting the assessment and audit must submit a report with significant observations to the Board. The audit report must be prepared by an independent auditor who exercises objective and impartial judgment.
Algorithmic Due Diligence
The Significant Data Fiduciary must also exercise due diligence to ensure that any algorithmic software it deploys for handling personal data does not pose risks to the rights of Data Principals. This requirement is particularly significant given India’s rapid AI adoption and the DPDPA’s alignment with emerging AI governance frameworks.
Data Localization
Additionally, it must ensure that specified personal data and associated traffic data, as determined by the Central Government based on recommendations from a constituted committee, are processed under restrictions preventing their transfer outside India.
Although the DPDPA allows cross-border data flows, the Draft Rules authorize the government to impose specific conditions for sensitive data transfers. For large-scale data handlers, this could lead to potential data localization requirements.
Cross-Border Data Transfers
The DPDPA permits cross-border data transfers to jurisdictions outside of India other than those jurisdictions specifically identified by the Indian government on its list of countries to which data transfers are restricted (to be published).
This approach differs from GDPR’s adequacy framework by:
- Starting with a presumption of permissibility
- Identifying restricted countries rather than approved jurisdictions
- Potentially imposing additional conditions for SDFs
- Allowing government flexibility to restrict transfers based on national security or other concerns
Organizations transferring data internationally must:
- Monitor government notifications of restricted jurisdictions
- Assess whether they qualify as SDFs with localization obligations
- Implement appropriate safeguards for cross-border transfers
- Document transfer mechanisms and purposes
The Data Protection Board of India
Under section 18 of the Digital Personal Data Protection Act, 2023, the Data Protection Board of India, an adjudicating body, will be established.
The Draft Rules provide for the immediate establishment of the Data Protection Board of India (“Board”), which will oversee the enforcement of the DPDPA. The Board will handle complaints, impose penalties, and facilitate dispute resolution.
Board Powers and Functions
The Data Protection Board serves as India’s dedicated privacy regulator with authority to:
- Investigate complaints from data principals
- Conduct compliance audits and inspections
- Impose penalties for violations
- Issue guidance on DPDPA interpretation
- Facilitate dispute resolution between parties
- Order urgent remedial measures for data breaches
The Central Government will establish a Search-cum-Selection Committee to recommend individuals for the position of Chairperson and other Members of the Board. The Board shall function as a digital office and may adopt techno-legal measures to conduct its proceedings.
Independence and Governance
The government has tried to guarantee the independence of the Board Members by ensuring that the Board Members with a conflict of interest in any matter will be recused from such proceedings, helping maintain the Board’s credibility as an independent regulator.
Consent Managers: A Novel Feature
Rule 4 introduces Consent Managers, entities responsible for managing and verifying consent for data processing.
Consent Managers must be from companies incorporated in India with sufficient technical, operational, and financial capacity to fulfill obligations as a Consent Manager.
Role of Consent Managers
Consent Managers serve as intermediaries between data principals and data fiduciaries, helping individuals:
- Grant consent through a centralized platform
- Track which organizations have access to their data
- Manage consent across multiple data fiduciaries
- Withdraw consent efficiently
- Exercise data principal rights
This consent management framework represents an innovative approach to giving individuals practical control over their data across the digital ecosystem. It is important to use the cookie consent manager created by Captain Compliance to be compliant with India’s DPDPA.
Penalties and Enforcement
Penalties for non-compliance under the DPDPA range from INR 500 million (€5.7 million) to INR 2.5 billion (€28 million).
Failure to comply with the DPDPA can result in significant penalties, including fines of up to 4% of global annual turnover or INR 250 crore (approximately $30 million), whichever is higher, in line with the EU’s GDPR fine and violation guidelines.
Penalty Framework
The Data Protection Board can impose graduated penalties based on:
- Severity of the violation
- Nature and sensitivity of data involved
- Number of affected data principals
- Whether violations were intentional or negligent
- Repeat violations by the same organization
- Cooperation with investigations
- Steps taken to mitigate harm
The Data Protection Board is also empowered to impose urgent remedial or mitigation measures in the event of a personal data breach.
Blocking Authority
The 2023 law contains a novel provision not included or discussed in any previous version. This is Section 37, which allows the government, based on a reference from the board, to block the public’s access to any information that enables a data fiduciary to provide goods or services in India. This has to be based on two criteria: (a) the board has imposed penalties against such data fiduciaries on two or more prior occasions, and (b) the board has recommended a blockage. The government has to provide the data fiduciary an opportunity to be heard before taking such action.
This blocking power represents a significant enforcement mechanism for repeat violators, though its application to international platforms remains to be tested.
Compliance Timeline and Implementation
Organizations have an 18-month compliance window to redesign consent flows and implement privacy measures following the November 2025 notification of the final rules.
Phased Implementation Approach
The DPDPA regulations take effect in stages:
Immediate Requirements (Upon Notification)
- Establishment of the Data Protection Board
- Registration and recognition of Consent Managers
- Publication of basic privacy notices
Near-Term Compliance (Within 6-12 Months)
- Implementation of data principal rights mechanisms
- Grievance redressal systems
- Basic security safeguards
- Data mapping and inventory exercises
Full Compliance (18-Month Deadline)
- Complete consent management systems
- Comprehensive privacy notices
- All security measures operational
- Breach notification procedures
- Data retention policies
- Cross-border transfer mechanisms
Ongoing Requirements for SDFs
- Annual DPIAs and audits
- Regular algorithmic due diligence
- Continuous compliance monitoring
Special Provisions for Children’s Data
The DPDPA places particular emphasis on protecting children’s personal data. To protect children’s personal data, the data fiduciaries must implement measures to obtain verifiable parental consent.
Data fiduciaries must obtain verifiable consent from a parent or legal guardian in the case of a child, or from the lawful guardian in the case of a person with a disability. A child is an individual under the age of 18 years.
Children’s Data Protection Requirements
Organizations processing children’s data must:
- Implement age verification mechanisms
- Obtain verifiable parental or guardian consent
- Provide clear, age-appropriate privacy notices
- Limit data collection to what’s necessary
- Avoid behavioral monitoring for advertising purposes
The Rules exempt clinical establishments, healthcare professionals, educational institutions, and childcare facilities from certain DPDPA restrictions on behavioural monitoring of children for purposes like healthcare, education, and child safety.
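The consent requirements set out earlier in this article (free, specific, informed, unconditional and unambiguous consent, granular per purpose, withdrawal as easy as the grant, no bundling) and the children's data requirements in this section can be expressed as a small consent ledger. The following is an added example, not code from the article or from any Consent Manager product: purpose names, notice identifiers, principal identifiers and the two legitimate-use names are all constructed for the illustration, and the age check assumes the fiduciary has already established the principal's age by whatever verification method it uses.

```python
"""Added example (not from the article or any consent-manager product): a
minimal consent ledger that enforces the properties the Act requires of
consent: one record per purpose (granular, never bundled), withdrawal as
simple as grant, verifiable guardian consent for anyone under 18, and no
behavioural advertising purposes for children. Purpose names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

CHILD_AGE = 18
# Purposes a child may never be opted into, even by a guardian (constructed names)
CHILD_BARRED_PURPOSES = {"targeted_advertising", "behavioural_tracking"}
# Processing the Act allows without consent (constructed names for two listed legitimate uses)
LEGITIMATE_USES = {"medical_emergency", "legal_obligation"}


class ConsentError(ValueError):
    """Raised when a grant would not produce valid DPDPA consent."""


@dataclass
class ConsentRecord:
    purpose: str
    notice_id: str                       # the itemised notice the principal was shown
    granted_at: datetime
    given_by_guardian: bool = False
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentLedger:
    records: Dict[str, List[ConsentRecord]] = field(default_factory=dict)

    def grant(self, principal: str, purposes, notice_id: str, age: int,
              guardian_verified: bool = False, now: Optional[datetime] = None) -> int:
        """Record consent for each purpose separately; returns the number of records created."""
        now = now or datetime.now(timezone.utc)
        is_child = age < CHILD_AGE
        if is_child and not guardian_verified:
            raise ConsentError("verifiable parent/guardian consent required for a child")
        barred = CHILD_BARRED_PURPOSES & set(purposes)
        if is_child and barred:
            raise ConsentError(f"purposes not permitted for a child: {sorted(barred)}")
        recs = self.records.setdefault(principal, [])
        for purpose in purposes:
            recs.append(ConsentRecord(purpose, notice_id, now, given_by_guardian=is_child))
        return len(purposes)

    def withdraw(self, principal: str, purpose: str, now: Optional[datetime] = None) -> int:
        """One call, one purpose: withdrawal must be as easy as the grant was."""
        now = now or datetime.now(timezone.utc)
        changed = 0
        for rec in self.records.get(principal, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = now
                changed += 1
        return changed

    def may_process(self, principal: str, purpose: str) -> bool:
        """Allowed only under a listed legitimate use or an active consent for that exact purpose."""
        if purpose in LEGITIMATE_USES:
            return True
        return any(r.purpose == purpose and r.active
                   for r in self.records.get(principal, []))


def demo() -> dict:
    """Adult grants two purposes and withdraws one; a child needs a verified guardian."""
    ledger = ConsentLedger()
    ledger.grant("adult-01", ["order_fulfilment", "newsletter"], "notice-v3", age=34)
    ledger.withdraw("adult-01", "newsletter")
    try:
        ledger.grant("child-01", ["order_fulfilment"], "notice-v3", age=15)
        child_without_guardian = "granted"
    except ConsentError:
        child_without_guardian = "rejected"
    ledger.grant("child-01", ["order_fulfilment"], "notice-v3", age=15, guardian_verified=True)
    try:
        ledger.grant("child-01", ["targeted_advertising"], "notice-v3", age=15, guardian_verified=True)
        child_ads = "granted"
    except ConsentError:
        child_ads = "rejected"
    return {
        "adult_order": ledger.may_process("adult-01", "order_fulfilment"),
        "adult_newsletter_after_withdrawal": ledger.may_process("adult-01", "newsletter"),
        "adult_ads_never_granted": ledger.may_process("adult-01", "targeted_advertising"),
        "adult_medical_emergency": ledger.may_process("adult-01", "medical_emergency"),
        "child_without_guardian": child_without_guardian,
        "child_with_guardian_order": ledger.may_process("child-01", "order_fulfilment"),
        "child_ads": child_ads,
    }
```

Two details carry the legal requirements. First, `may_process` checks for the exact purpose, so consent to order fulfilment never silently covers marketing (no bundling), and a withdrawn record is simply inactive rather than deleted, which leaves an audit trail of what was consented to, under which notice, and when it was withdrawn. Second, the child path refuses both the missing-guardian case and the barred advertising purposes before any record is written, so there is no state to clean up. A Consent Manager of the kind the Rules describe would expose the same grant, withdraw and may_process operations across many fiduciaries rather than inside one.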
DPDPA vs. GDPR: Key Differences
While the DPDPA draws inspiration from the GDPR, several important differences exist:
Scope of Data
The DPDPA regulates the processing of digital personal data, i.e., personal data collected in digital form, or collected in non-digital form and subsequently digitised. Whilst the DPDPA’s personal data definition is similar to that provided under the GDPR, it excludes from its scope personal data made publicly available by the data principal or by any other person under a legal obligation to make that data publicly available.
Legal Basis for Processing
Unlike GDPR’s six legal bases (including legitimate interests and contractual necessity), the DPDPA relies primarily on consent with specific “legitimate uses” as alternatives.
Data Sensitivity
Unlike the GDPR and similar laws, the DPDPA does not define sensitive personal data. As a result, it does not provide additional protection to such data, treating all personal data under a unified framework.
Breach Notification
Data fiduciaries are required to notify personal data breaches to the newly created Data Protection Board and to impacted data subjects, regardless of the magnitude of the breach or risk of harm, whereas GDPR requires notification only when there’s likely risk to individuals’ rights and freedoms.
Territorial Scope
Both laws have extraterritorial application, but the DPDPA’s approach focuses on offering goods or services to individuals in India, while GDPR covers monitoring of EU data subjects.
Compliance Strategies for Organizations
“India Inc. now has an 18-month runway to gear up for full compliance. For most organisations, it will be necessary to start with data mapping, redesigns of consent and notice flows, and training programs to ensure compliance, with the help of lawyers, technologists, and privacy professionals”.
Essential Compliance Steps
1. Data Mapping and Inventory
- Document all personal data processing activities
- Identify data sources, flows, and storage locations
- Map data to specific purposes and legal bases
- Assess cross-border transfer requirements
2. Consent Management Overhaul
- Review and redesign consent collection mechanisms
- Ensure consent meets DPDPA standards (free, specific, informed, unconditional, unambiguous)
- Implement easy consent withdrawal processes
- Consider engaging with Consent Managers
3. Privacy Notice Updates
- Draft clear, comprehensive privacy notices
- Ensure notices are independently understandable
- Include all required elements (itemized data, purposes, rights mechanisms)
- Make notices accessible and user-friendly
4. Data Principal Rights Infrastructure
- Build systems for handling access requests
- Implement correction and erasure workflows
- Establish grievance redressal mechanisms
- Set reasonable response timeframes
5. Security Enhancement
- Implement encryption, obfuscation, and masking
- Establish access controls and authentication
- Deploy data backup and continuity measures
- Conduct regular security assessments
6. Breach Response Procedures
- Develop incident detection and response protocols
- Create notification templates for the Board and data principals
- Designate breach response teams
- Implement breach logging and documentation systems
7. Vendor and Processor Management
- Review and update data processing agreements
- Ensure processors commit to DPDPA compliance
- Conduct vendor due diligence
- Monitor processor performance
8. Training and Awareness
- Educate employees about DPDPA requirements
- Provide role-specific training (IT, legal, customer service)
- Create privacy champions within departments
- Maintain ongoing awareness programs
9. Governance and Accountability
- Establish privacy governance committees
- Designate privacy officers (DPO if SDF)
- Implement privacy by design principles
- Document compliance efforts
10. Monitoring and Continuous Improvement
- Conduct regular compliance audits
- Monitor regulatory guidance from the Data Protection Board
- Stay informed about SDF classifications
- Update practices as regulations evolve
Preparing for SDF Designation
Organizations should proactively assess whether they might be designated as Significant Data Fiduciaries based on:
- Volume of personal data processed
- Sensitivity of data types handled
- Number of data principals affected
- Potential impact on data principal rights
- National security or sovereignty implications
If SDF designation appears likely, begin preparing for enhanced requirements:
- Appoint a qualified Data Protection Officer
- Establish DPIA and audit processes
- Review algorithmic systems for bias and rights impacts
- Assess data localization obligations
- Build robust compliance documentation
Industry-Specific Considerations
Financial Services and Fintech
Financial institutions face unique challenges including:
- High volumes of sensitive financial data
- Complex data sharing with regulators and partners
- Legacy systems requiring security upgrades
- Risk of SDF designation
Healthcare and Telemedicine
Healthcare providers must balance:
- Patient care requirements with consent obligations
- Electronic health records security
- Children’s health data protection
- Research exemptions and conditions
E-Commerce and Digital Platforms
Online businesses should focus on:
- Transaction data management
- Marketing and advertising consent
- Third-party tracking technologies
- International operations and transfers
Technology and Software Services
Tech companies must address:
- Product design and privacy by design
- Data minimization in software development
- API and integration security
- Client data processing responsibilities
The Role of Privacy Professionals
“Compliance under DPDPA is not a checklist; it’s a culture of trust every organisation must now institutionalise”.
The DPDPA’s implementation creates significant demand for privacy professionals who can:
- Interpret and apply complex regulatory requirements
- Bridge legal, technical, and business perspectives
- Design privacy-compliant systems and processes
- Conduct DPIAs and privacy audits
- Interface with the Data Protection Board
- Build organizational privacy culture
Organizations should consider developing internal privacy capabilities while engaging external expertise for specialized needs.
Looking Ahead: India’s Privacy Future
“The DPDP framework positions India at a critical inflection point. With a fully notified law, structured obligations, a citizen-first design, and a digital Data Protection Board, India is now aligned with global privacy regimes while retaining a distinct identity rooted in accessibility and innovation”.
Key Success Factors
The DPDPA’s long-term effectiveness will depend on:
- Data Protection Board’s approach to enforcement and guidance
- Clarity on SDF classifications and localization requirements
- Consent Manager ecosystem development
- Industry compliance culture and investment
- Balance between privacy protection and innovation
- International coordination on cross-border issues
Competitive Advantages of Compliance
“For India Inc, DPDPA compliance is more than a legal duty, it is a competitive edge in global trust economics”.
Organizations that embrace privacy as a strategic priority will:
- Build stronger customer trust and loyalty
- Differentiate in crowded markets
- Attract privacy-conscious consumers
- Reduce breach and liability risks
- Position for international business
- Align with AI governance frameworks
Conclusion: DPDPA India as a Catalyst for Trust
“There is no doubt that India has entered a new era of privacy. In the age of AI, trust is crucial. And because AI depends on large volumes of data, strong privacy protections must come first”.
The Digital Personal Data Protection Act represents far more than regulatory compliance—it’s a fundamental transformation in how India’s digital economy respects individual rights and builds trust. With an 18-month compliance window to redesign consent flows and implement privacy measures, organizations have a limited but reasonable timeframe to adapt.
“The real work begins now: translating policy into architecture and intent into impact. DPDP challenges organizations to lead on trust, not merely comply”.
Success under the DPDPA requires viewing privacy not as a burden but as an opportunity to build better products, earn customer confidence, and participate in India’s next chapter of digital innovation built on a foundation of respect for personal data.