The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Back to Compliance Playbook

Procedural Guide

Conducting a Data Protection Impact Assessment

A methodological framework for Significant Data Fiduciaries to conduct Data Protection Impact Assessments in compliance with Section 10(2) of DPDPA 2023 and the DPDP Rules 2025.

Statutory Foundation

Section 10(2)(b) of DPDPA 2023 mandates that every Significant Data Fiduciary shall undertake a Data Protection Impact Assessment in relation to processing activities that are likely to pose significant risk to the rights of Data Principals.

Rule 13 of DPDP Rules 2025 prescribes the methodology, scope, and documentation requirements for conducting a DPIA.

When is a DPIA Required

A DPIA must be conducted prior to commencing processing activities that involve:

Large scale processing of personal data or sensitive personal data

Systematic monitoring of publicly accessible areas

Processing involving automated decision making with legal or significant effects

Processing of personal data of children on a large scale

Use of new technologies that may pose high risks to Data Principal rights

Profiling of Data Principals for targeted communications

Cross border transfer of personal data at scale

Any processing notified by the Central Government as requiring DPIA

DPIA Methodology

Describe the Processing

Document the nature, scope, context, and purposes of the proposed processing. Identify categories of personal data, Data Principals affected, data flows, retention periods, and third party involvement.

Assess Necessity and Proportionality

Evaluate whether the processing is necessary for the stated purpose and whether the scope of data collection is proportionate. Consider whether less intrusive alternatives exist.

Identify and Assess Risks

Systematically identify risks to Data Principal rights arising from the processing. Assess each risk for likelihood and severity. Consider risks of unauthorised access, loss, destruction, or misuse.

Identify Mitigation Measures

For each identified risk, determine appropriate technical and organisational measures to eliminate or reduce the risk to acceptable levels. Document the residual risk after mitigation.

Consultation

Where processing is likely to result in high residual risk despite mitigation measures, consult with the Data Protection Board prior to commencing processing.

Sign Off and Implementation

Obtain approval from appropriate governance body. Implement identified measures before commencing processing. Establish monitoring mechanisms to verify effectiveness.

Review and Update

Review the DPIA periodically and whenever there is a material change in the nature, scope, or risks of processing. Maintain version control and audit trail of all revisions.

Risk Assessment Framework

Likelihood / Severity	Low	Medium	High
High	Medium	High	Critical
Medium	Low	Medium	High
Low	Low	Low	Medium

Documentation Requirements

Processing activity description and data flow diagrams

Legal basis and purpose limitation analysis

Necessity and proportionality assessment

Risk register with likelihood and severity ratings

Mitigation measures and residual risk analysis

Consultation records with Data Protection Board

Governance approval and sign off documentation

Review schedule and version control log

Compliance Timeline

Key Requirement

DPIAs must be conducted prior to commencement of any processing activity that triggers the DPIA requirement. Retrospective DPIAs are required for existing high risk processing activities by 13th May 2027.

The completed DPIA must be submitted to the Data Protection Board upon request and shall be retained for the duration of the processing activity plus six years.

Disclaimer

This guidance is provided for informational purposes and does not constitute legal advice. The methodology presented should be adapted to the specific circumstances of each processing activity. Organisations should seek qualified legal counsel for specific compliance matters.