A CERT-In Empanelled Auditing Organization
Home/Blog/DPDPA
DPDPA

DPDPA 2023: what Indian businesses must do now

The Digital Personal Data Protection Act, 2023 (DPDPA) is India’s first comprehensive privacy law, and it changes how almost every organisation must collect, use and protect personal data. If you handle information about people in India — customers, employees or users — it applies to you. This is a plain-English tour of what the Act asks, why it exists, who it touches, and where a sensible organisation should begin.

Privacy compliance can feel abstract until it becomes concrete, so throughout this post we will keep returning to the practical question: what does this actually require you to do?

Why India needed this law

For years, privacy in India rested on a patchwork of provisions in the Information Technology Act — rules drafted before smartphones, social media, data brokers and cloud computing reshaped how personal data is gathered and monetised. The gap between that framework and modern reality grew steadily wider. The Supreme Court’s landmark recognition of privacy as a fundamental right made a dedicated, modern law inevitable. The DPDPA is the result: a rights-driven framework that gives individuals genuine control over their personal data and places clear, enforceable duties on the organisations that use it.

Understanding that origin helps explain the Act’s emphasis. It is not primarily a security law — though security is part of it — but a law about agency: an individual’s right to know what is done with their data and to influence it.

Who the Act applies to

The DPDPA speaks in terms of a few key roles. A Data Principal is the individual the data is about. A Data Fiduciary is the organisation that decides why and how that personal data is processed — in practice, most businesses. A Data Processor processes data on a fiduciary’s behalf, such as a cloud host or an outsourced service provider. Organisations that process large volumes or particularly sensitive data may be notified as Significant Data Fiduciaries, who carry additional duties including appointing a Data Protection Officer, conducting periodic audits, and running data-protection impact assessments.

Importantly, the Act reaches beyond India’s borders: it applies to organisations outside India that offer goods or services to people in India. A business does not need a physical presence in the country to be caught — a lesson global companies learned the hard way with the GDPR.

The obligations that matter most

What this looks like in practice

It helps to translate these duties into everyday operations. Notice and consent means auditing every point where you collect personal data — web forms, apps, call centres, paper — and rebuilding the ones that fall short. Rights mean giving individuals a visible, working channel to make requests, and giving your team the ability to find and act on a person’s data across systems. Retention means setting and enforcing deletion schedules rather than keeping everything forever. None of it is exotic, but all of it requires deliberate design.

The cost of getting it wrong

The Act provides for financial penalties of significant scale — up to ₹250 crore per instance for failing to take reasonable security safeguards, with further penalties across other duties. But the fine is only part of the exposure. For many businesses, and especially for anyone whose brand rests on trust, a public failure to protect personal data does lasting reputational damage that no penalty schedule captures. Viewed that way, privacy readiness is not a compliance cost but an investment in the thing customers value most: confidence that you will handle their data responsibly.

Update: the DPDP Rules, 2025 were notified in November 2025, starting an 18-month runway to full compliance by 13 May 2027. For the phased timeline and what to do first, see DPDP Rules 2025: your countdown to 13 May 2027. Confirm specifics against the official gazette before acting.

A six-step readiness plan

  1. Map your data. Find where personal data lives, why you hold it, where it flows and how long you keep it. Everything else depends on this foundation.
  2. Fix notice and consent. Rebuild your notices and your consent and withdrawal mechanisms to meet the standard, purpose by purpose.
  3. Stand up rights workflows. Give people a clear route to access, correct, erase and complain, and give yourself a reliable way to respond in time.
  4. Tighten security. Close the gaps that would turn an ordinary mistake into a reportable breach.
  5. Prepare for breaches. Have a tested plan to detect, contain, assess and report.
  6. Assign ownership. Decide who is accountable — a DPO where required, and clear, empowered governance everywhere else.

Where to start

None of this needs to happen overnight, but it does need to start, and the most useful first move is almost always a focused gap assessment. It tells you precisely where you stand against each obligation and what to tackle first, so effort flows to where the risk actually is rather than where the noise is loudest. Approached this way, privacy stops being a looming compliance burden and becomes what it should be: a demonstrable commitment to the people whose data you hold.

DPDPAConsentData FiduciaryPrivacy
Share

Keep reading

Related insights

DPDPA

DPDP Rules 2025 are here: your countdown to 13 May 2027

The Rules that operationalise the DPDP Act are notified and the clock is ticking to 13 May 2027. Here is the phased timeline - and what to do in 2026.

6 min read
DPDPA

Consent Managers under the DPDPA: what they are and how to prepare

The DPDP framework introduces a new intermediary - the Consent Manager. Here is what it is, who can be one, and how to get your systems ready.

4 min read
DPDPA

Do you need a Data Protection Officer under the DPDPA?

Some organisations must appoint a DPO under the DPDPA; many others benefit from one. Who needs it, what the role does, and how to resource it.

3 min read

Have a question this raised?

Our team turns guidance like this into working compliance and security programmes. Tell us where you are — we’ll help you plan the next step.