1. What is the DPDPA?
The Digital Personal Data Protection Act 2023 (Act No. 22 of 2023) was enacted by the Indian Parliament on 11 August 2023. It is India's first comprehensive data protection legislation governing the processing of digital personal data of Indian citizens.
The Act applies to Data Fiduciaries — entities that determine the purpose and means of processing personal data — whether located within India or outside it, where they process the personal data of Indian residents in connection with offering goods or services to them.
The DPDP Rules 2025 were notified on 13 November 2025. They fully operationalise the Act, prescribing specific timelines, notice formats, security standards, and procedures for exercising data principal rights.
The government has described the Act's philosophy as SARAL: Simple, Accessible, Rational, Actionable — intended to be less prescriptive than the GDPR and designed for the Indian market.
2. Key Definitions
| Term | Definition | Practical Example |
|---|---|---|
| Data Principal | The individual whose personal data is being processed | Your customer, user, or employee |
| Data Fiduciary | Entity that determines the purpose and means of processing personal data | Your company or startup |
| Data Processor | Entity that processes personal data on behalf of a Data Fiduciary | Your CRM vendor, analytics provider, or cloud host |
| Personal Data | Any data about an individual who is identifiable by or in relation to such data | Name, phone number, email, IP address, device ID |
| Consent Manager | An entity registered with the Data Protection Board that enables individuals to give, manage, review, and withdraw consent | A third-party consent platform acting as intermediary |
| Significant Data Fiduciary (SDF) | A high-risk Data Fiduciary notified by the Central Government based on data volume, sensitivity, or national security impact | Large social media platforms, health data platforms |
| Data Protection Board (DPB) | The statutory body constituted under the Act to adjudicate complaints and impose penalties | The regulator — equivalent to a data protection authority |
3. Who Does It Apply To?
The DPDPA applies to any entity that processes digital personal data of Indian citizens, regardless of where the entity is located. Specifically:
- Any Indian company that collects or processes digital personal data of Indian residents
- Foreign companies that offer goods or services to Indian residents and process their personal data
- Any entity that processes personal data collected within the territory of India in digital form
Exemptions (Schedule 2 conditions) include processing for personal or domestic use, journalistic or research purposes (subject to conditions), and processing notified by the Central Government for national security or public order.
Children are defined as individuals under 18 years of age. Processing children's data requires verifiable parental consent and prohibits behavioural tracking, profiling, and targeted advertising.
4. Core Obligations
Eight categories of obligation apply to all Data Fiduciaries. See our 22-point compliance checklist for a detailed mapping.
Notice
Before collecting personal data, you must give the data principal a clear, itemised notice in plain language (and, on request, in any language listed in the 8th Schedule to the Constitution). The notice must specify every purpose for which data is being collected.
Consent
Consent must be free, specific, informed, unconditional, and unambiguous — expressed through a clear affirmative action. Bundled or pre-ticked consent is invalid. Data principals may withdraw consent at any time.
Data Principal Rights
You must establish a mechanism for data principals to exercise their rights: to access information, correct inaccurate data, erase data, seek grievance redressal, and nominate a representative. Requests must be resolved within 30 days.
Security Safeguards
You must implement reasonable security safeguards to prevent personal data breaches. The Rules specify technical and organisational measures including encryption, access controls, and incident response protocols.
Breach Notification
In the event of a personal data breach, you must notify the Data Protection Board and affected data principals within 72 hours. The notification must specify the nature of the breach, the categories of data affected, and the remediation measures taken.
Data Processors
You are responsible for ensuring your Data Processors process personal data only as per your instructions and comply with the Act. A written contract (DPA) must be in place with every processor.
Data Retention
You must not retain personal data beyond the period necessary for the purpose for which it was collected. Once the purpose is fulfilled, the data must be erased. Schedule 3 of the Rules specifies default retention periods by data category.
Children's Data
Processing personal data of children requires verifiable parental consent obtained through a Consent Manager or an approved mechanism. Behavioural tracking, profiling, and targeted advertising to children are prohibited.
5. Data Principal Rights
Right to Access Information
Data principals can request a summary of the personal data you hold about them, the purposes it is being processed for, and a list of entities with whom it has been shared. You must respond within 30 days.
Right to Correction and Erasure
Data principals can request correction of inaccurate or misleading data, completion of incomplete data, and erasure of data that is no longer necessary for the purpose it was collected. You must action these requests within 30 days.
Right to Grievance Redressal
Data principals have a right to a grievance redressal mechanism. You must designate a contact (DPO) and acknowledge grievances within a reasonable time. Unresolved grievances can be escalated to the Data Protection Board.
Right to Nominate
Data principals can nominate another individual to exercise their rights on their behalf in the event of death or incapacity. You must give effect to valid nominations presented to you.
6. Penalties
The Data Protection Board has the power to impose financial penalties up to the following maximums. Penalties are imposed per inquiry — multiple violations can result in multiple penalties.
| Violation | Maximum Penalty |
|---|---|
| Breach of security safeguards (S.8(5)) | ₹250 crore |
| Failure to notify a personal data breach (S.8(6)) | ₹200 crore |
| Violation of children's data obligations (S.9) | ₹200 crore |
| Non-compliance with SDF obligations | ₹150 crore |
| Non-fulfilment of Data Principal rights obligations | ₹50 crore |
| Other violations (notice, consent, processor obligations) | ₹50 crore |
7. Rules 2025 — Key Operational Requirements
Consent Notice Requirements
Notices must be in plain language, itemise each processing purpose separately, and be available on request in any language listed in the 8th Schedule. They must also explain how to withdraw consent and how to exercise data principal rights.
Consent Record-Keeping
Data Fiduciaries must maintain consent records and make them available to data principals on request. This rule comes into force 1 year after gazette notification (i.e. November 2026).
Security Safeguards
Technical and organisational measures must include: encryption of personal data, access controls, regular audits, incident response plans, and vendor security assessments.
Breach Notification
Notification to the Board and affected data principals must occur within 72 hours of becoming aware of a breach. Notification must specify: nature of breach, categories of data affected, approximate number of data principals affected, and remediation measures.
Retention Periods
Schedule 3 of the Rules specifies default retention periods by data category. Data must be erased after the purpose is fulfilled and the retention period expires, or on withdrawal of consent.
Verifiable Parental Consent
Parental consent for children's data must be verifiable — obtained through an approved mechanism that confirms the age and identity of the parent or guardian.
Rights Request Mechanism
Data Fiduciaries must publish a clear mechanism (e.g. a web portal) through which data principals can submit and track requests to exercise their rights under Sections 11–14.
DPO Contact Publication
Every Data Fiduciary must publish contact information for their Data Protection Officer (or equivalent) and make it easily accessible on their website and in their consent notice.
SDF Obligations
Significant Data Fiduciaries must conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, conduct annual audits, and register high-risk algorithms with the Board.
8. Enforcement Timeline
DPDPA Enacted
Digital Personal Data Protection Act 2023 (Act No. 22 of 2023) receives Presidential Assent and is published in the Official Gazette.
Rules 2025 Notified
DPDP Rules 2025 notified on 13 November 2025. Rule 4 (consent record-keeping) comes into force after 1 year; Rules 3, 5–16 come into force after 18 months.
Data Protection Board Constituted
4-member Board notified. Board begins its operational mandate to adjudicate complaints and levy penalties.
Board Becomes Operational
Data Protection Board expected to begin accepting complaints and issuing orders. Enforcement of penalty provisions begins in earnest.
All Rules Fully In Force
All Rules, including Rule 4 (consent records) and the 18-month provisions (Rules 3, 5–16), are fully operative. Full compliance required across all obligations.
9. How DPDPA Shield Helps
DPDPA Shield maps directly to every obligation cluster in the DPDPA. Rather than managing compliance through spreadsheets, every action generates audit-ready proof.
- Multi-language consent notice builder
- Embeddable consent widget (under 50 KB)
- Immutable proof vault (R2 + SHA-256)
- Automatic consent record-keeping
- Public rights portal per tenant
- 30-day SLA engine with countdown timers
- OTP-verified request intake
- DPO response templates + closure PDFs
- 72-hour breach notification countdown
- Auto-severity classification
- CERT-In format report generator
- Compliance health score (0–100)
14-day trial. No credit card required.