The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

DPDPA 2023: A Comprehensive Overview for Compliance Officers

Introduction

The Digital Personal Data Protection Act, 2023 ("DPDPA" or "the Act") represents India first comprehensive legislative framework dedicated exclusively to the protection of digital personal data. Receiving Presidential assent on 11th August 2023, the Act establishes a principles based regulatory regime that imposes substantial obligations upon entities processing personal data of individuals situated in India.

For compliance officers and legal practitioners, understanding the structural architecture of DPDPA is essential to developing robust data governance frameworks. This analysis examines the Act key provisions, definitional framework, and operational requirements.

Territorial Scope and Application

Section 3 of the Act establishes its territorial application. DPDPA applies to the processing of digital personal data within the territory of India where such data is collected in digital form or is digitised subsequent to collection in non digital form.

Significantly, the Act extends to processing of digital personal data outside India if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India. This extraterritorial application mirrors similar provisions in the European Union General Data Protection Regulation, though India approach adopts a more streamlined formulation.

Key Determination

An entity offering goods or services to individuals in India, regardless of its place of incorporation or data processing location, falls within the jurisdictional scope of DPDPA 2023.

Core Definitional Framework

Data Principal

Section 2(j) defines "Data Principal" as the individual to whom the personal data relates. In cases involving children below the age of eighteen years, the term includes the parent or lawful guardian. For persons with disabilities, it encompasses the lawful guardian acting on their behalf.

Data Fiduciary

Section 2(i) defines "Data Fiduciary" as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. This definition establishes the primary duty bearer under the Act, analogous to the concept of "data controller" under GDPR.

Personal Data

Section 2(t) defines "Personal Data" as any data about an individual who is identifiable by or in relation to such data. Unlike GDPR, DPDPA does not create a distinct category of "sensitive personal data" with enhanced protections, though the DPDP Rules 2025 introduce additional safeguards for children data.

Lawful Basis for Processing

Section 4 establishes that personal data may only be processed for a lawful purpose. The Act recognises two primary grounds for lawful processing:

Consent (Section 6): Processing based on free, specific, informed, unconditional, and unambiguous consent given by the Data Principal through a clear affirmative action.
Legitimate Uses (Section 7): Processing for specified purposes including voluntary provision of data, State functions, legal obligations, medical emergencies, and employment purposes.

Data Fiduciary Obligations

Section 8 imposes general obligations upon Data Fiduciaries, including the requirement to implement appropriate technical and organisational measures, ensure processing accuracy and completeness, and establish grievance redressal mechanisms.

Section 8(6) mandates breach notification to both the Data Protection Board of India and affected Data Principals in the event of a personal data breach. The DPDP Rules 2025 subsequently prescribed a 72 hour timeline for detailed breach reports following initial intimation.

Significant Data Fiduciaries

Section 10 empowers the Central Government to notify certain Data Fiduciaries as "Significant Data Fiduciaries" (SDFs) based on factors including volume and sensitivity of data processed, risk to rights of Data Principals, potential impact on sovereignty and integrity, and risk to electoral democracy.

SDFs are subject to enhanced obligations including mandatory appointment of a Data Protection Officer resident in India, annual independent audits, and conduct of Data Protection Impact Assessments before undertaking processing that poses significant risk.

Implementation Timeline

With the notification of DPDP Rules 2025 on 13th November 2025, the implementation timeline has been established:

Consent Manager registration: Within 12 months (by November 2026)
Full compliance with all provisions: Within 18 months (by 13th May 2027)

Conclusion

DPDPA 2023 establishes India as a jurisdiction with comprehensive data protection legislation. For compliance officers, the immediate priority is conducting a gap analysis against existing data processing activities, updating privacy notices to meet Section 5 requirements, and establishing consent management frameworks compliant with Section 6. Organisations should utilise the transitional period to achieve full compliance before the 13th May 2027 deadline.