The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

Back to Compliance Playbook

Critical Procedure

Data Breach Notification Procedure

A procedural framework for Data Fiduciaries to discharge breach notification obligations under Section 8 of DPDPA 2023, including the 72 hour detailed reporting requirement.

Statutory Foundation

Section 8(6) of DPDPA 2023 requires every Data Fiduciary to inform the Data Protection Board and each affected Data Principal of any personal data breach in such form and manner as may be prescribed.

Rule 7 of DPDP Rules 2025 prescribes a two stage notification process: initial intimation without unreasonable delay and a detailed report within 72 hours of becoming aware of the breach.

What Constitutes a Personal Data Breach

Under DPDPA 2023, a personal data breach means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data.

Unauthorised access to personal data systems

Accidental disclosure to unauthorised recipients

Ransomware or malware affecting personal data

Loss or theft of devices containing personal data

Unauthorised modification of personal data records

System failure resulting in data unavailability

Insider misuse of personal data access

Third party processor security incidents

Two Stage Notification Process

Stage 1: Initial Intimation

To be provided without unreasonable delay upon becoming aware of the breach.

• Brief description of the breach
• Estimated number of Data Principals affected
• Contact details for further information
• Preliminary assessment of severity

Stage 2: Detailed Report

To be submitted within 72 hours of becoming aware of the breach.

• Comprehensive breach description
• Categories of personal data affected
• Root cause analysis
• Remedial measures taken
• Communication to Data Principals

Breach Response Procedure

Identification and Containment

Immediate

Upon detection of a potential breach, immediately activate the incident response team. Take immediate steps to contain the breach and prevent further unauthorised access or disclosure. Document the time of detection.

Initial Assessment

Within 4 hours

Conduct preliminary assessment to determine whether a personal data breach has occurred, the categories of data affected, and the estimated number of Data Principals involved.

Initial Intimation to Board

Without unreasonable delay

Submit initial intimation to the Data Protection Board through the designated portal. Include preliminary details and contact information for the designated liaison.

Detailed Investigation

Within 48 hours

Conduct thorough investigation to determine root cause, full scope of affected data and Data Principals, timeline of events, and vulnerabilities exploited.

Detailed Report Preparation

Within 60 hours

Prepare comprehensive breach report in the prescribed format. Include all mandatory particulars, remedial measures implemented, and steps to prevent recurrence.

Submit Detailed Report

Within 72 hours

Submit the detailed breach report to the Data Protection Board through the designated portal within the 72 hour deadline from awareness of the breach.

Notify Affected Data Principals

As soon as practicable

Notify each affected Data Principal of the breach in clear and plain language. Provide information about the nature of breach, potential consequences, and steps they may take to protect themselves.

Remediation and Review

Ongoing

Implement all remedial measures. Conduct post incident review. Update security measures and incident response procedures based on lessons learned.

Detailed Report Contents

Date and time of breach occurrence and detection

Nature and circumstances of the breach

Categories of personal data affected

Approximate number of Data Principals affected

Likely consequences of the breach

Description of measures taken to address the breach

Measures taken to mitigate adverse effects

Contact details of the DPO or designated officer

Steps Data Principals may take to protect themselves

Consequences of Non Compliance

Penalty Provisions

Failure to notify breach: Penalty up to ₹200 crore per instance
Failure to implement security safeguards resulting in breach: Penalty up to ₹250 crore

Additionally, the Data Protection Board may issue directions requiring remediation measures and may publish findings in cases of significant non compliance.

Disclaimer

This guidance is provided for informational purposes and does not constitute legal advice. Breach response procedures should be established with qualified legal counsel and tested regularly. The statutory provisions prevail in case of any inconsistency with this guidance.