The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Back to Compliance Playbook

Procedural Guide

Drafting a DPDPA Compliant Privacy Notice

A comprehensive guide to drafting privacy notices that meet the disclosure requirements under Section 5 of the Digital Personal Data Protection Act, 2023 and the DPDP Rules 2025.

Statutory Foundation

Section 5 of DPDPA 2023 requires every Data Fiduciary to provide itemised notice to Data Principals before or at the time of collection of personal data, or where data is not collected directly, as soon as reasonably practicable thereafter.

Rule 4 of DPDP Rules 2025 prescribes the form, content, and manner of providing the notice, including language requirements and accessibility standards.

Mandatory Notice Content

Under Section 5, the notice must contain the following particulars:

Personal Data Categories

A clear enumeration of the categories of personal data being collected or processed.

Purpose of Processing

A description of each purpose for which personal data is being processed, stated in clear and plain language.

Rights of Data Principal

An itemised summary of the rights available to the Data Principal under Section 11 to 14 of the Act.

Grievance Redressal

The manner in which the Data Principal may make a complaint to the Data Fiduciary and the contact details of the grievance officer.

Complaint to Board

The manner in which the Data Principal may make a complaint to the Data Protection Board of India.

Drafting Procedure

Data Mapping Exercise

Conduct a comprehensive data mapping exercise to identify all categories of personal data collected, sources of collection, processing purposes, and third party disclosures.

Legal Basis Analysis

Document the legal basis for each processing activity. Under DPDPA, lawful processing requires either consent of the Data Principal or certain legitimate uses specified in Section 7.

Draft Core Content

Prepare the notice content covering all mandatory elements. Use clear, plain language avoiding legal jargon. Structure the notice in a logical, easily navigable format.

Language Compliance

Ensure the notice is available in English and, where processing involves Data Principals in a specific region, in the language scheduled under the Eighth Schedule to the Constitution commonly used in that region.

Accessibility Review

Review the notice for accessibility compliance. The notice must be presented in clear and plain language and in a manner that is easily comprehensible to the Data Principal.

Legal Review

Subject the draft to legal review to verify compliance with DPDPA requirements and consistency with contractual terms and other regulatory obligations.

Approval and Publication

Obtain appropriate governance approval. Publish the notice on all collection points, website, and mobile applications. Maintain version control and change log.

Drafting Principles

Specificity

Each purpose must be stated with sufficient particularity. Generic statements such as "improving services" are insufficient.

Clarity

Language must be clear and plain. Avoid legal or technical terminology unless necessary and explained.

Completeness

All processing activities must be covered. Omission of any processing purpose may vitiate the validity of consent.

Currency

The notice must be kept up to date. Any material change in processing must be notified to Data Principals.

Additional Requirements for Children

Enhanced Disclosure Obligations

Where processing involves personal data of children (individuals below 18 years), the notice must additionally:

• Be addressed to the parent or lawful guardian of the child
• Clearly identify the processing as relating to children's data
• Explain the mechanism for obtaining verifiable parental consent
• State that processing shall not be detrimental to the well being of the child
• Confirm that behavioural monitoring and targeted advertising directed at children is prohibited

Compliance Timeline

Key Requirement

The notice must be provided before or at the time of collection of personal data. Where personal data is not collected directly from the Data Principal, notice must be given as soon as reasonably practicable.

All existing privacy notices must be updated to comply with DPDPA requirements by 13th May 2027.

Disclaimer

This guidance is provided for informational purposes and does not constitute legal advice. Privacy notices should be tailored to specific processing activities and reviewed by qualified legal counsel. The statutory provisions prevail in case of any inconsistency.