The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s first comprehensive privacy law, and it changes how almost every organisation must collect, use and protect personal data. If you handle information about people in India — customers, employees or users — it applies to you. This is a plain-English tour of what the Act asks, why it exists, who it touches, and where a sensible organisation should begin.
Privacy compliance can feel abstract until it becomes concrete, so throughout this post we will keep returning to the practical question: what does this actually require you to do?
Why India needed this law
For years, privacy in India rested on a patchwork of provisions in the Information Technology Act — rules drafted before smartphones, social media, data brokers and cloud computing reshaped how personal data is gathered and monetised. The gap between that framework and modern reality grew steadily wider. The Supreme Court’s landmark recognition of privacy as a fundamental right made a dedicated, modern law inevitable. The DPDPA is the result: a rights-driven framework that gives individuals genuine control over their personal data and places clear, enforceable duties on the organisations that use it.
Understanding that origin helps explain the Act’s emphasis. It is not primarily a security law — though security is part of it — but a law about agency: an individual’s right to know what is done with their data and to influence it.
Who the Act applies to
The DPDPA speaks in terms of a few key roles. A Data Principal is the individual the data is about. A Data Fiduciary is the organisation that decides why and how that personal data is processed — in practice, most businesses. A Data Processor processes data on a fiduciary’s behalf, such as a cloud host or an outsourced service provider. Organisations that process large volumes or particularly sensitive data may be notified as Significant Data Fiduciaries, who carry additional duties including appointing a Data Protection Officer, conducting periodic audits, and running data-protection impact assessments.
Importantly, the Act reaches beyond India’s borders: it applies to organisations outside India that offer goods or services to people in India. A business does not need a physical presence in the country to be caught — a lesson global companies learned the hard way with the GDPR.
The obligations that matter most
- Notice and consent. You must provide a clear, itemised notice and obtain free, specific, informed and unambiguous consent, with a route to withdraw it as easily as it was given. Certain legitimate uses may proceed without consent, but consent is the backbone of the regime, and getting it right is where much of the redesign work concentrates.
- Purpose limitation and minimisation. Collect only what you need, for a stated purpose, and keep it only as long as that purpose requires. “We might need it someday” is no longer a defensible reason to hoard data.
- Data Principal rights. Individuals can access a summary of their data, seek correction or erasure, nominate someone to act for them, and raise grievances. You therefore need real processes to receive, verify and fulfil these requests within reasonable timelines.
- Security safeguards. You must take reasonable security measures to prevent a personal-data breach. This is the obligation that carries the heaviest penalty, which tells you how seriously the legislature takes it.
- Breach notification. Breaches must be reported to the Data Protection Board and to affected individuals.
- Children’s data. Processing a child’s data requires verifiable parental consent, and tracking or targeted advertising to children is restricted.
What this looks like in practice
It helps to translate these duties into everyday operations. Notice and consent means auditing every point where you collect personal data — web forms, apps, call centres, paper — and rebuilding the ones that fall short. Rights mean giving individuals a visible, working channel to make requests, and giving your team the ability to find and act on a person’s data across systems. Retention means setting and enforcing deletion schedules rather than keeping everything forever. None of it is exotic, but all of it requires deliberate design.
The cost of getting it wrong
The Act provides for financial penalties of significant scale — up to ₹250 crore per instance for failing to take reasonable security safeguards, with further penalties across other duties. But the fine is only part of the exposure. For many businesses, and especially for anyone whose brand rests on trust, a public failure to protect personal data does lasting reputational damage that no penalty schedule captures. Viewed that way, privacy readiness is not a compliance cost but an investment in the thing customers value most: confidence that you will handle their data responsibly.
Update: the DPDP Rules, 2025 were notified in November 2025, starting an 18-month runway to full compliance by 13 May 2027. For the phased timeline and what to do first, see DPDP Rules 2025: your countdown to 13 May 2027. Confirm specifics against the official gazette before acting.
A six-step readiness plan
- Map your data. Find where personal data lives, why you hold it, where it flows and how long you keep it. Everything else depends on this foundation.
- Fix notice and consent. Rebuild your notices and your consent and withdrawal mechanisms to meet the standard, purpose by purpose.
- Stand up rights workflows. Give people a clear route to access, correct, erase and complain, and give yourself a reliable way to respond in time.
- Tighten security. Close the gaps that would turn an ordinary mistake into a reportable breach.
- Prepare for breaches. Have a tested plan to detect, contain, assess and report.
- Assign ownership. Decide who is accountable — a DPO where required, and clear, empowered governance everywhere else.
Where to start
None of this needs to happen overnight, but it does need to start, and the most useful first move is almost always a focused gap assessment. It tells you precisely where you stand against each obligation and what to tackle first, so effort flows to where the risk actually is rather than where the noise is loudest. Approached this way, privacy stops being a looming compliance burden and becomes what it should be: a demonstrable commitment to the people whose data you hold.