A comprehensive guide to understanding India's landmark data protection law — what it means, who it covers, and what every organisation must do to comply.
The Basics
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive data protection legislation. Enacted on 11 August 2023, it establishes a legal framework governing how personal data of Indian citizens must be collected, processed, stored, and transferred — by entities both within India and abroad.
The law is built on the principle that every Indian citizen has a fundamental right to privacy, as affirmed by the Supreme Court in the landmark 2017 Puttaswamy judgment. DPDPA gives that constitutional guarantee practical, enforceable teeth.
Unlike sector-specific rules that existed before, DPDPA is a horizontal, principles-based law — it applies across all industries, all types of organisations, and even foreign companies that process data of Indian residents. It creates two central categories: Data Fiduciaries (organisations that decide how and why data is processed) and Data Principals (citizens whose data is being processed).
Full enforcement begins May 13, 2027, with the Data Protection Board of India empowered to investigate complaints and impose penalties of up to ₹250 Crores per violation. No grace period will apply once enforcement begins.
The DPDPA received Presidential assent and establishes a comprehensive framework for how personal data of Indian citizens must be collected, processed, stored, and transferred — by entities both within India and abroad.
Foundation
The Act is built on seven foundational principles drawn from global data protection best practices — adapted for India's legal, social, and economic context.
Personal data may only be collected for a specific, lawful purpose with the individual's free, informed, and unambiguous consent. Data cannot be reused for unrelated purposes.
Only personal data strictly necessary for the specified purpose may be collected — no more, no less. Excess data collection is a violation in itself.
Citizens have the right to access, correct, and erase their personal data, and to nominate a representative to exercise these rights on their behalf.
An independent adjudicatory body empowered to investigate complaints from Data Principals, conduct inquiries, and impose financial penalties on violating Fiduciaries.
Data Fiduciaries must implement appropriate technical and organisational safeguards to prevent personal data breaches. A breach triggers mandatory notification obligations.
Processing personal data of children (under 18) requires verifiable parental consent. Tracking, behavioural monitoring, and targeted advertising to children are prohibited.
Data Fiduciaries are responsible for compliance and must be able to demonstrate it. Significant Data Fiduciaries face enhanced accountability — including mandatory DPOs and audits.
Applicability
The Act has broad, deliberate reach — covering entities inside India and those targeting Indian users from abroad. If you handle personal data of Indian citizens anywhere in the world, DPDPA applies to you.
Data Fiduciaries (Primary Obligation Holder): Any entity — company, startup, non-profit, or government body — that decides how and why personal data is processed. Subject to the most comprehensive obligations under the Act, including consent management, security, and breach notification.
Data Processors (Contractual Obligations): Third-party providers who process data on behalf of a Fiduciary — cloud vendors, BPOs, analytics platforms, and technology partners. Must operate under a contract with the Fiduciary and follow the Fiduciary's instructions.
Data Principals (Rights Holder): Every Indian citizen whose personal data is being processed. Rights-holders under the Act with the right to access, correct, erase, and nominate. The Act exists primarily to protect Data Principals.
Significant Data Fiduciaries (Enhanced Obligations): Entities notified by the government that process data at significant scale or sensitivity. Subject to enhanced obligations — appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and periodic independent audits.
Foreign Companies (Extra-territorial Reach): Foreign companies that offer goods or services to individuals in India, or that profile Indian users — regardless of where the company is headquartered. DPDPA has explicit extra-territorial application.
Children and Persons with Disabilities (Additional Protections): Children (under 18) and persons with disabilities receive additional protections. Verifiable parental or guardian consent is mandatory before processing a child's data. Behavioural tracking and targeted advertising to children are explicitly banned.
Journey of the Law
From India's first privacy framework recommendation to a fully enacted law — a decade in the making.
India's first structured privacy framework recommendation, published by an expert group chaired by Justice AP Shah. It outlined nine core privacy principles — including collection limitation, purpose specification, use limitation, security, and openness — that would directly shape every subsequent data protection draft.
The report drew heavily from the OECD Privacy Guidelines and recommended India adopt a comprehensive Privacy Act. While no legislation followed immediately, the report established the intellectual foundation and the vocabulary that the DPDPA would eventually adopt.
The Supreme Court of India's landmark 9-judge Constitutional Bench unanimously declared the Right to Privacy a fundamental right under Article 21 of the Constitution. The ruling — delivered in the case of Justice K.S. Puttaswamy (Retd.) vs Union of India — was a watershed moment.
By constitutionally embedding privacy, the judgment made comprehensive data protection legislation not merely desirable but constitutionally imperative. It gave the Centre both the mandate and the urgency to draft a law, and set the rights-based framing that the DPDPA would ultimately adopt.
A government-appointed expert committee chaired by retired Supreme Court Justice BN Srikrishna produced India's first comprehensive Personal Data Protection Bill. The draft introduced core concepts that survive to this day — Data Fiduciary, Data Principal, purpose limitation, data minimisation, and the proposed Data Protection Authority.
The draft drew from GDPR but adapted it substantially for India's federal structure, diverse digital economy, and the government's own data processing needs. It sparked significant public debate over government exemptions, data localisation, and the independence of the proposed regulator.
The 2019 Personal Data Protection Bill was introduced in Parliament and referred to a Joint Parliamentary Committee (JPC) for scrutiny. Over two years, the JPC reviewed hundreds of submissions and suggested 81 amendments — covering everything from children's data, cross-border transfers, and the scope of government exemptions, to the structure of the Data Protection Authority.
The JPC submitted its report in December 2021 with a substantially revised bill. However, amid growing concerns from civil society about disproportionate government exemptions and surveillance provisions, the government made the unusual decision to completely withdraw the 2019 bill in August 2022 — clearing the path for a leaner, principles-based rewrite.
The Digital Personal Data Protection Act, 2023 was passed by both Houses of Parliament in the Monsoon Session and received Presidential assent on 11 August 2023. The law was a deliberate simplification of its predecessors — leaner, more principles-based, and designed to delegate technical detail to Rules — giving the government flexibility to adapt as digital technology evolves.
The Act comprises 44 sections across 9 chapters, covering consent, lawful bases for processing, Data Principal rights, obligations of Data Fiduciaries, cross-border data transfers, the establishment of the Data Protection Board, penalties, and special provisions for children.
MeitY has circulated the Draft DPDPA Rules 2025 for public consultation. The Rules set out technical implementation details — including consent notice formats, breach reporting procedures, the framework for Consent Managers, and operational requirements for the Data Protection Board.
The Data Protection Board is in the process of being constituted. The government is also in the process of notifying the list of Significant Data Fiduciaries — large-scale entities that will face enhanced obligations. Organisations should use this window to build compliance programmes, as implementation typically takes 6–18 months.
Full DPDPA enforcement begins on May 13, 2027. Penalties apply from Day 1. The Data Protection Board can impose fines of up to ₹250 Crores per violation with absolutely no grace period. This applies to every organisation that processes personal data of Indian residents — including foreign companies.
Compliance implementation typically takes 6–18 months depending on organisation size, data complexity, and the maturity of existing privacy practices. Organisations that have not yet begun should start immediately. The free tools on this site are designed to help you assess your current posture and prioritise action.
Enforcement
The Data Protection Board of India is empowered to investigate complaints, conduct inquiries, and impose significant financial penalties. Penalties are structured by violation category — and there is no maximum cap on cumulative fines across multiple violations.
| Violation | Description | Max Penalty |
|---|---|---|
| Data breach — inadequate security | Failure to implement appropriate technical and organisational safeguards resulting in a personal data breach | ₹250 Crores |
| Failure to notify breach | Not notifying the Data Protection Board and affected Data Principals within 72 hours of becoming aware of a breach | ₹200 Crores |
| Children's data violations | Processing children's data without verifiable parental consent, or engaging in prohibited tracking and targeting of children | ₹200 Crores |
| SDF additional obligations | Significant Data Fiduciaries failing to meet enhanced obligations — DPO appointment, Data Protection Impact Assessments, or independent audits | ₹150 Crores |
| Failure to honour Data Principal rights | Refusing or ignoring a Data Principal's request to access, correct, erase, or exercise the right of nomination | ₹10,000 (per principal) |
| Other violations | Any other failure to comply with obligations under the Act or Rules not specifically listed above | ₹50 Crores |
⚠ These are per-violation limits. The Data Protection Board can impose separate penalties for each distinct violation. There is no aggregate cap, meaning cumulative exposure for large organisations can be substantially higher. The Board may also consider intent, the scope of harm, the number of Data Principals affected, and whether the violation was repeated.
Data Principal Rights
DPDPA grants every Indian citizen — every Data Principal — six enforceable rights over their personal data. Organisations must build workflows to honour these rights within prescribed timelines.
Every Data Principal can request confirmation of whether their personal data is being processed, a summary of the data held, and the identities of all Data Processors to whom the data has been or is likely to be disclosed. Response timeline: 30 days.
Data Principals can request correction of inaccurate or misleading personal data, completion of incomplete data, and erasure of data no longer needed for the purpose it was collected for. Organisations must action these requests promptly.
Every Data Principal has the right to a readily available grievance redressal mechanism. They can escalate unresolved grievances to the Data Protection Board, which has the power to investigate and impose penalties.
Data Principals may nominate another individual to exercise their data rights on their behalf in the event of death or incapacity. This is a uniquely Indian provision — recognising the family structure and the need for digital estate management.
Where processing is based on consent, Data Principals can withdraw consent at any time. Withdrawal must be as easy as giving consent. Following withdrawal, the organisation must cease processing and may need to delete the data.
Data Principals retain rights against automated decisions that significantly affect them — including decisions made purely through algorithmic processing without meaningful human review, particularly in areas such as credit, employment, and insurance.
Need ready-to-use templates? The Data Principal Rights Explorer tool includes 6 downloadable compliance templates — consent notices, access request forms, correction and erasure request forms, grievance notices, and nomination forms — all pre-drafted to DPDPA requirements.
Getting Compliant
DPDPA compliance is not a single project — it's an ongoing programme. Here are the foundational steps every organisation should work through before May 2027.
First, confirm whether and how DPDPA applies to your organisation. Key questions: Do you process personal data of Indian residents? Do you process data on behalf of a Data Fiduciary? Are you likely to be notified as a Significant Data Fiduciary? The answers determine which obligations apply and with what urgency.
Conduct a comprehensive data mapping exercise. Identify all categories of personal data you collect, why you collect it, how it is stored and secured, who it is shared with, and how long you retain it. This forms the foundation of your Record of Processing Activities (ROPA) — a key compliance document under the Act.
For every processing activity, identify and document the lawful basis — primarily consent, or one of the legitimate uses recognised by the Act. Where consent is the basis, design and implement a compliant consent notice framework: notices must be in plain language, purpose-specific, freely given, and as easy to withdraw as to give. Integrate with a Consent Manager where required.
Establish processes and systems to receive and respond to Data Principal requests — access, correction, erasure, nomination, and grievance complaints. Assign ownership, define response timelines (30 days for most requests), and build an internal escalation path to the Data Protection Board for unresolved grievances.
Implement appropriate technical and organisational security measures proportionate to the sensitivity of data you hold. Critically, build a breach response plan — you have 72 hours from becoming aware of a breach to notify the Data Protection Board, and must also notify affected Data Principals without undue delay. Test your plan before enforcement begins.
Determine whether your organisation is likely to be notified as a Significant Data Fiduciary. If so, begin appointing a Data Protection Officer (who must be India-based), preparing for Data Protection Impact Assessments, and establishing the governance structures required for periodic independent audits. Even if you are not an SDF, building these governance structures early is good practice.