The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Legal Evolution

DPDPA 2023 vs IT Act 2000

The evolution of India's data protection framework from incidental provisions under the Information Technology Act to a comprehensive, purpose-built privacy legislation.

Legislative Timeline

2000Information Technology Act enacted

Primary focus on e-commerce and cyber crimes; Section 43A added later

2008IT Act Amendment

Section 43A introduced for body corporate data protection

2011IT (Reasonable Security Practices) Rules

First comprehensive data protection rules; SPDI categories defined

2017Puttaswamy Judgment

Supreme Court declares privacy a fundamental right

2019Personal Data Protection Bill

First comprehensive draft; withdrawn in 2022

2023DPDPA Enacted

Digital Personal Data Protection Act receives Presidential assent (11 August)

2025DPDP Rules Notified

Detailed implementation rules published (13 November)

2027Full Enforcement

All DPDPA provisions become fully applicable (13 May)

Executive Summary

For over a decade, Section 43A of the IT Act 2000 (inserted by the 2008 amendment) and the IT (Reasonable Security Practices) Rules, 2011 constituted India's primary data protection framework. This regime, designed primarily for body corporates handling sensitive personal data, was never intended as comprehensive privacy legislation.

The Supreme Court's landmark Puttaswamy judgment (2017) recognising privacy as a fundamental right under Article 21 catalysed the development of dedicated data protection legislation. After multiple iterations, the Digital Personal Data Protection Act, 2023 represents a paradigm shift from the compensatory, sector-agnostic approach of Section 43A to a rights-based, comprehensive framework with dedicated regulatory oversight.

Key Transition: Organisations currently compliant with IT Act provisions must undertake substantial restructuring to meet DPDPA requirements by the 13th May 2027 enforcement deadline.

Legislative Framework

Aspect	IT Act 2000 / Rules 2011	DPDPA 2023
Legal Instrument	Section 43A of IT Act 2000 + IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011	Standalone Digital Personal Data Protection Act, 2023 with DPDP Rules, 2025
Legislative Intent	Incidental data protection within e-commerce/cyber crime framework	Purpose-built comprehensive data protection legislation
Constitutional Basis	No explicit constitutional grounding	Rooted in Article 21 right to privacy (Puttaswamy, 2017)
Regulatory Authority	No dedicated regulator; adjudication by IT Act adjudicating officers	Dedicated Data Protection Board of India (DPBI)

Scope & Coverage

Aspect	IT Act 2000 / Rules 2011	DPDPA 2023
Covered Entities	Body corporate possessing, dealing, or handling SPDI	All Data Fiduciaries processing digital personal data
Definition of Personal Data	Personal information + Sensitive Personal Data or Information (SPDI)	Digital personal data: any data by which an individual is identifiable
SPDI Categories	8 specific categories: passwords, financials, health, sexual orientation, medical records, biometrics, etc.	No separate SPDI category; all personal data subject to consent requirements
Non-Digital Data	Not applicable	Explicitly excluded; applies only to digital personal data
Government Processing	Largely exempt	Government covered; specific exemptions for sovereignty, security, public order

Consent & Lawful Processing

Aspect	IT Act 2000 / Rules 2011	DPDPA 2023
Consent Standard	Consent in writing (letter/fax/email) for SPDI collection	Free, specific, informed, unconditional consent with clear affirmative action
Consent Withdrawal	Right to withdraw; no specification on ease	Must be as easy to withdraw as to give consent
Lawful Use Without Consent	Limited: necessary for legal obligation/contract/medical emergency	Enumerated "Legitimate Uses" under Section 7
Purpose Limitation	Collection only for lawful purpose connected with function	Explicit purpose limitation; data used only for specified purposes

Individual Rights

Aspect	IT Act 2000 / Rules 2011	DPDPA 2023
Right to Access	Right to review SPDI; update/correct on request	Section 11: Comprehensive right to summary of data and processing
Right to Correction	Implicit in review right	Section 12: Explicit right to correction, completion, updating
Right to Erasure	No explicit right	Section 13: Right to erasure when consent withdrawn/purpose fulfilled
Right to Nomination	Not provided	Section 14: Nominate person to exercise rights in case of death/incapacity
Grievance Redressal	Grievance officer designation	Section 13: Dedicated grievance redressal with time-bound response

Security & Breach

Aspect	IT Act 2000 / Rules 2011	DPDPA 2023
Security Standard	"Reasonable security practices": IS/ISO/IEC 27001 or equivalent	Reasonable security safeguards to prevent breach
Breach Notification	No mandatory breach notification	Mandatory notification to DPBI; two-stage reporting within 72 hours
Impact Assessment	Not required	DPIA mandatory for Significant Data Fiduciaries
Data Protection Officer	Not required	DPO mandatory for Significant Data Fiduciaries

Penalties & Enforcement

Aspect	IT Act 2000 / Rules 2011	DPDPA 2023
Maximum Penalty	Compensation for wrongful loss/gain; no fixed upper limit but typically moderate	Up to ₹250 crore per contravention
Penalty for Security Breach	Compensatory: damages to affected individuals	Up to ₹250 crore for failure to implement safeguards
Penalty for Children's Data	No specific provision	Up to ₹200 crore for processing children's data unlawfully
Enforcement Mechanism	Civil compensation through adjudicating officers	Administrative penalties by Data Protection Board
Criminal Liability	Section 72A: Imprisonment up to 3 years for wrongful disclosure	No criminal provisions; purely administrative penalties

Cross-Border Transfers

Aspect	IT Act 2000 / Rules 2011	DPDPA 2023
Transfer Mechanism	Transfer permitted to countries with "same level" of protection or with consent	Blacklist approach: permitted except to countries notified by Government
Data Localisation	No requirement	May be prescribed for certain data categories
Contract Requirements	Same level of protection to be ensured	No specific contractual requirements currently prescribed

Transition Requirements: IT Act to DPDPA

What Changes

• SPDI-specific approach → All digital personal data covered
• Written consent → Clear affirmative action consent
• Grievance officer → Dedicated grievance redressal mechanism
• No breach notification → Mandatory 72-hour reporting
• Compensatory damages → Administrative penalties up to ₹250 cr
• No regulator → Data Protection Board oversight

What Continues

• Reasonable security practices remain relevant
• Consent as primary legal basis preserved
• Purpose limitation principle carried forward
• Cross-border transfer with conditions continues
• IS/ISO 27001 compliance still valuable
• Existing privacy policies can be adapted

Essential

DPDP Rules 2025 →

Complete rules explained

DPDPA vs GDPR →

Global comparison

Resource

Implementation Playbook →

12-step compliance roadmap

Legal Disclaimer: This comparison is provided for educational purposes and does not constitute legal advice. IT Act analysis reflects provisions as amended through 2008 and IT Rules 2011. DPDPA analysis incorporates DPDP Rules, 2025 notified 13th November 2025. Section 43A and related IT Act provisions may be amended or repealed upon full DPDPA enforcement.