The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Back to Compliance Playbook

Procedural Guide

Appointment of Data Protection Officer

A comprehensive procedural guide for Significant Data Fiduciaries on the appointment, qualifications, and statutory obligations of a Data Protection Officer under the Digital Personal Data Protection Act, 2023.

Statutory Foundation

Section 10(2) of DPDPA 2023 mandates that every Significant Data Fiduciary shall appoint a Data Protection Officer who shall represent the Significant Data Fiduciary in relation to its compliance obligations under the Act.

Rule 12 of DPDP Rules 2025 prescribes the qualifications, appointment procedure, and functional responsibilities of the Data Protection Officer.

Applicability

Mandatory Requirement

The obligation to appoint a DPO applies exclusively to entities notified as Significant Data Fiduciaries by the Central Government under Section 10(1). Ordinary Data Fiduciaries are not statutorily required to appoint a DPO, though such appointment may be undertaken as a matter of prudent governance.

Qualification Requirements

The DPDP Rules 2025 prescribe the following qualifications for a Data Protection Officer:

Residency

The DPO must be based in India. This requirement ensures accessibility to the Data Protection Board and affected Data Principals.

Seniority

The individual must hold a senior management position within the organisation, with direct reporting access to the Board of Directors or equivalent governing body.

Professional Competence

Demonstrable expertise in data protection law and practice, including familiarity with the technical and organisational aspects of data processing operations.

Independence

The DPO must be able to perform duties independently and shall not be dismissed or penalised for performing statutory functions.

Appointment Procedure

Board Resolution

Pass a formal resolution of the Board of Directors or equivalent governing body authorising the appointment of a Data Protection Officer. The resolution should specify the scope of authority, reporting lines, and resource allocation.

Selection and Due Diligence

Identify a candidate meeting the statutory qualifications. Conduct appropriate due diligence on professional credentials, conflict of interest assessment, and capacity to fulfil the role.

Formal Appointment Letter

Issue a written appointment letter specifying the statutory basis (Section 10(2) DPDPA), term of appointment, responsibilities, independence guarantees, and resource commitments.

Registration with Data Protection Board

Within the prescribed timeframe, register the DPO appointment with the Data Protection Board of India through the designated portal, providing contact details and appointment documentation.

Public Disclosure

Publish the DPO contact details on the organisation website and in all privacy notices, ensuring Data Principals can direct grievances to the DPO.

Internal Communication

Issue an internal circular informing all relevant personnel of the DPO appointment and establishing protocols for escalation of data protection matters.

Statutory Functions of the DPO

Act as the point of contact for the Data Protection Board of India

Represent the Significant Data Fiduciary before the Board in all proceedings

Monitor and ensure compliance with the provisions of DPDPA 2023

Advise the organisation on data protection obligations and risk mitigation

Coordinate with the Board on grievance redressal matters

Oversee the conduct of Data Protection Impact Assessments

Maintain records of processing activities as required under the Act

Facilitate audits conducted by the Board or its authorised representatives

Compliance Timeline

Key Dates

DPDP Rules Notification: 13th November 2025

Full Compliance Deadline: 13th May 2027 (18 months from Rules notification)

Significant Data Fiduciaries must have a duly appointed DPO in place and registered with the Data Protection Board by the compliance deadline.

Required Documentation

Board Resolution authorising DPO appointment

DPO Appointment Letter with terms of reference

DPO credentials and qualification certificates

Conflict of interest declaration

Registration form for Data Protection Board

Updated Privacy Notice with DPO contact details

Internal policy on DPO functions and authority

Resource allocation documentation

Disclaimer

This guidance is provided for informational purposes and does not constitute legal advice. Organisations should seek qualified legal counsel to address specific circumstances. The statutory provisions of DPDPA 2023 and DPDP Rules 2025 prevail in case of any inconsistency with this guidance.