The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Legislative Reference

DPDP Rules, 2025

The Digital Personal Data Protection Rules, 2025 — notified on 13th November 2025 — operationalise the DPDPA 2023 with detailed procedural requirements for consent, breach notification, cross-border transfers, and regulatory compliance.

Total Rules

Months to Comply

Hours Breach Report

₹250Cr

Max Penalty

Implementation Timeline

11 August 2023

DPDPA 2023 receives Presidential Assent

13 November 2025

DPDP Rules 2025 notified in Official Gazette

13 November 2026

Consent Manager registration deadline (12 months)

13 May 2027DEADLINE

Full enforcement of all provisions (18 months)

Rule-by-Rule Summary

Rule 3

Notice and Consent

Requirements for itemised privacy notice and valid consent collection

Standalone notice before or at time of data collection
Eight mandatory elements in every notice
Clear, plain language in English or scheduled languages
Specific consent for each processing purpose

Rule 4

Consent Managers

Framework for registered consent management intermediaries

Registration with Data Protection Board required
Minimum net worth and infrastructure requirements
Interoperable platform for consent tracking
Registration deadline: 13 November 2026 (12 months)

Rule 5

Legitimate Uses

Processing without consent for specified purposes

Employment purposes including background verification
Medical emergencies and public health
Legal obligations and court orders
Credit scoring with existing borrower relationship

Rule 6

Data Principal Rights

Exercise of access, correction, erasure, and grievance rights

Written request through accessible mechanism
Response within reasonable time (to be prescribed)
Grounds for declining requests specified
Grievance redressal within 30 days

Rule 7

Breach Notification

Two-stage notification to Data Protection Board

Stage 1: Immediate intimation upon awareness
Stage 2: Detailed report within 72 hours
14 mandatory particulars in detailed report
Notification to affected Data Principals as directed

Rule 8

Children's Data

Verifiable parental consent and processing restrictions

Verifiable parental consent for all under 18
Prohibition on behavioural monitoring of children
No targeted advertising directed at children
Exemptions for healthcare and educational institutions

Rule 9-11

Significant Data Fiduciary

Enhanced obligations for large-scale processors

Classification criteria: volume, sensitivity, risk to sovereignty
Mandatory Data Protection Officer appointment
Annual Data Protection Impact Assessment
Periodic independent audit requirements

Rule 12-14

Cross-Border Transfers

International data transfer framework

Blacklist approach: transfers permitted except to restricted countries
Government to notify restricted territories
No standard contractual clauses currently mandated
Sector-specific restrictions may be prescribed

Immediate Compliance Actions

By November 2026

Register as Consent Manager (if applicable)
Assess Significant Data Fiduciary classification
Appoint Data Protection Officer (if SDF)

By May 2027

Implement compliant privacy notice
Establish consent management framework
Deploy breach notification procedures
Complete Data Protection Impact Assessment

Frequently Asked Questions

When do the DPDP Rules 2025 come into force?

The DPDP Rules 2025 were notified on 13th November 2025. Full enforcement of all provisions occurs 18 months from notification, i.e., 13th May 2027. Consent Manager registration must be completed within 12 months (by 13th November 2026).

What is the breach notification timeline under DPDP Rules?

Breach notification follows a two-stage process: immediate intimation upon becoming aware of the breach, followed by a detailed report with 14 mandatory particulars within 72 hours. Notification to affected Data Principals is made as directed by the Data Protection Board.

Who needs to appoint a Data Protection Officer?

Only Significant Data Fiduciaries — those notified by the Government based on data volume, sensitivity, and risk to national security — are required to appoint a DPO. The DPO must be a senior management-level official, resident in India, with professional competence in data protection.

What are the penalties under DPDP Rules 2025?

Penalties are specified in the Schedule to DPDPA 2023, ranging from ₹10,000 for Data Principal duty breaches to ₹250 crore for security failures resulting in breaches. Children's data violations attract penalties up to ₹200 crore.

Tool

Compliance Diagnostic →

Assess your DPDP Rules readiness

Guide

Implementation Playbook →

12-step roadmap to May 2027

Comparison

DPDPA vs IT Act →

What changed from IT Rules 2011

Legal Disclaimer: This summary is provided for educational purposes and does not constitute legal advice. It reflects the DPDP Rules, 2025 as notified on 13th November 2025. Organisations should refer to the official Gazette notification and obtain professional legal counsel for compliance implementation.