Digital Personal Data Protection Act 2023: A Plain Guide

Reviewed by on June 13, 2026

What the DPDP Act is

The Digital Personal Data Protection Act, 2023 (the “DPDP Act”) is India’s first dedicated data privacy law. It received Presidential assent on 11 August 2023 and governs how organisations collect, store and use the personal data of individuals in digital form. It replaces the patchwork of rules under Section 43A of the Information Technology Act, 2000, and gives Indians enforceable rights over their own data for the first time.

The Act uses two key terms. A Data Principal is the individual whose data is processed (you and me). A Data Fiduciary is the organisation that decides why and how that data is processed (a business, hospital, bank, app or government body).

If your organisation handles customer or employee data, you cannot ignore this law. Our cyber and data protection lawyers regularly advise Delhi businesses on getting compliant before the enforcement deadlines below.

Current status: the DPDP Rules 2025 (important)

The DPDP Act could not operate on its own; it needed subordinate Rules to set out the detail. A draft of the Digital Personal Data Protection Rules was published for public consultation in January 2025. After consultation, the Ministry of Electronics and Information Technology (MeitY) notified the final DPDP Rules, 2025 on 14 November 2025.

Critically, the law is not yet fully in force. The Rules adopt a phased rollout:

  • From 14 November 2025 — Rules 1, 2 and 17 to 21 took effect. These set up the Data Protection Board of India and core definitions and procedure.
  • From around November 2026 (one year after notification) — Rule 4 on the registration and obligations of Consent Managers comes into force.
  • From around May 2027 (eighteen months after notification) — the bulk of the substantive obligations apply: notice and consent standards, security safeguards, breach notification, data retention/erasure, data principal rights and the duties of Significant Data Fiduciaries.

In short, as of June 2026 the framework exists and the Board is being established, but the day-to-day compliance duties on most businesses become enforceable in May 2027. The intervening period is widely treated as a transition or “soft enforcement” window for organisations to prepare. Always confirm the latest notification dates, as the government may issue clarifications.

Rights of individuals (Data Principals)

The Act gives every Data Principal four core rights:

  1. Right to information / access — to know what personal data a Data Fiduciary holds about you and how it is being processed.
  2. Right to correction and erasure — to have inaccurate or outdated data corrected, completed or deleted when it is no longer needed.
  3. Right to grievance redressal — to a readily available means of raising complaints with the Data Fiduciary (or its Consent Manager) before approaching the Board.
  4. Right to nominate — to nominate another person to exercise your rights if you die or become incapacitated.

Individuals also have duties — for example, not to file false or frivolous complaints. Breaching these can attract a penalty of up to Rs 10,000.

Obligations of businesses (Data Fiduciaries)

Every Data Fiduciary must:

  • Obtain valid consent that is free, specific, informed, unconditional and unambiguous, given by clear affirmative action. Consent can be withdrawn as easily as it was given.
  • Give a clear notice in plain language (and in any of the languages in the Eighth Schedule on request) stating what data is collected, the purpose, how to exercise rights, and how to complain to the Board.
  • Process data only for lawful, specified purposes and stop processing (and delete data) once the purpose is served or consent is withdrawn.
  • Maintain accuracy of data used to make decisions or shared with others.
  • Implement reasonable security safeguards to prevent personal data breaches.
  • Report data breaches — see below.
  • Protect children’s data: verifiable parental consent is required for users under 18, and behavioural tracking or targeted advertising directed at children is prohibited.
  • Appoint a grievance officer / contact for Data Principal queries.

Breach notification

On becoming aware of a personal data breach, a Data Fiduciary must give affected Data Principals an intimation without delay, and provide a detailed report to the Data Protection Board within 72 hours (extendable on request). The 72-hour clock runs from when the fiduciary becomes aware of the breach.

Significant Data Fiduciaries (SDFs)

The Central Government can designate certain large or high-risk organisations as Significant Data Fiduciaries, based on volume and sensitivity of data, risk to electoral democracy, security of the State, and public order. SDFs carry extra duties:

  • Appoint a Data Protection Officer (DPO) based in India who reports to the board of directors.
  • Appoint an independent data auditor and undergo periodic audits.
  • Conduct a Data Protection Impact Assessment (DPIA) at least once every 12 months and exercise algorithmic due diligence.

The Data Protection Board of India

The Data Protection Board of India (DPBI) is the regulator that enforces the Act. It is a digital-first body that investigates breaches, hears complaints, directs remedial action and imposes financial penalties. Appeals against its orders go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and onward to the Supreme Court. The Board does not award compensation to individuals — its penalties are paid to the government.

Penalties

The Act sets steep monetary penalties (the Board decides the actual amount based on the facts). Key heads in the Schedule are:

Contravention | Maximum penalty
Failure to take reasonable security safeguards to prevent a breach | Up to Rs 250 crore
Failure to notify a breach to the Board or affected Data Principals | Up to Rs 200 crore
Breach of obligations regarding children’s personal data | Up to Rs 200 crore
Breach of additional obligations of Significant Data Fiduciaries | Up to Rs 150 crore
Breach of any other provision of the Act or Rules | Up to Rs 50 crore
Breach of duties by a Data Principal | Up to Rs 10,000

Exemptions

Certain processing is exempt or partially exempt — for example, processing for legal rights/claims, by courts and regulatory bodies, for prevention and investigation of offences, and certain research, archiving or statistical purposes. The Central Government may exempt notified State instrumentalities (e.g. for security of the State) and certain startups from some obligations. The Act applies to processing outside India where it relates to offering goods or services to individuals in India.

Compliance checklist for businesses

Use the transition window before May 2027 to:

  • Map your data — what personal data you collect, where it sits, who you share it with and why.
  • Rewrite consent and notice flows in plain language; enable easy withdrawal of consent.
  • Set up a grievance redressal process and name a contact person.
  • Build data principal request handling for access, correction, erasure and nomination.
  • Fix retention — delete data when the purpose ends.
  • Strengthen security safeguards (encryption, access controls, logging).
  • Create a 72-hour breach response plan for Board and Data Principal notifications.
  • Verify children’s data flows and add parental-consent controls.
  • Review vendor/processor contracts to flow down DPDP obligations.
  • If you may be an SDF, prepare a DPO appointment, DPIA process and independent audits.

For wider context, see our guides on cyber security law and cyber crime and law in India.

Conclusion

The DPDP Act 2023, now backed by the DPDP Rules 2025, is the biggest shift in Indian data law in a generation. With most obligations becoming enforceable around May 2027 and penalties reaching Rs 250 crore, the time to prepare is now.

This is general information, not legal advice. Consult our lawyers for advice on your situation.