DPDP Act 2023 · Plain-language primer

The DPDP Act, in plain English

India's Digital Personal Data Protection Act, 2023 is the law that governs how every organisation in India handles personal data. Below is a practitioner's walkthrough — what it covers, who it applies to, and what you actually have to do.

What it is

The DPDP Act 2023 is India's first comprehensive personal-data protection law. It was passed by Parliament in August 2023 and notified through the DPDP Rules in 2025. Together, the Act and the Rules establish the legal framework for how organisations in India (and offshore organisations dealing with Indian residents) must collect, store, use, share, and erase personal data.

Unlike the older IT Act 2000 / SPDI Rules 2011 regime — which covered only a narrow slice of “sensitive personal information” — the DPDP Act applies to all personal data processed digitally. The bar is no longer sensitivity; the bar is identifiability. If a piece of data can identify an individual, alone or in combination with other data, it's personal data and the Act applies.

The Act is structured as a horizontal law: the same rules apply whether you're a bank, a hospital, a school, a SaaS company, an e-commerce platform, an NGO, or a government department. There are no sector-specific exemptions in the Act itself, though some sectoral regulators may add their own layered obligations on top.

Who it applies to

Three roles, defined precisely

Data Principal · Section 2(j)

The individual the personal data is about. In other privacy laws this is called the Data Subject. The Act gives them a set of enforceable rights and a path to complain to the Data Protection Board if those rights are violated.

Data Fiduciary · Section 2(i)

The person, company, or other entity that determines the purpose and means of processing personal data. If you decide why and how data is processed, you are a Data Fiduciary for that processing — and you carry the legal accountability.

Data Processor · Section 2(k)

Any third party that processes personal data on behalf of a Data Fiduciary, under contract. Cloud providers, payroll services, SaaS vendors, and outsourced support all fall here. The Act applies to Processors too, but the heaviest obligations sit with the Fiduciary.

How it's organised

Nine chapters, in order

The Act is short by global standards — about 44 sections across 9 chapters. Here's what each chapter covers in one paragraph.

Chapter I · Preliminary · Sections 1-3

Defines the Act's scope and the key terms — Data Principal, Data Fiduciary, Data Processor, personal data, processing. Sets the territorial reach (India + offshore activities aimed at India).

Chapter II · Obligations of Data Fiduciaries · Sections 4-10

The core operating clauses — when and how a Fiduciary may process personal data, the requirement for itemised notice and consent, lawful uses without consent, security safeguards, breach notification, and the special obligations of a Significant Data Fiduciary.

Chapter III · Rights and duties of Data Principals · Sections 11-15

What individuals can demand: access to a summary of their data, correction, completion, updating, erasure, and grievance redressal. Also their corresponding duties — including not making frivolous complaints.

Chapter IV · Special provisions · Sections 16-17

Cross-border transfer restrictions and the central government's power to exempt certain processing activities (research, journalism, statutory functions).

Chapter V · Data Protection Board of India · Sections 18-26

Establishes the Data Protection Board, its powers, its composition, the process for appointing members, and how complaints are received and investigated.

Chapter VI · Appeal and Alternate Dispute Resolution · Sections 29-32

Appeals from the Board go to the Telecom Disputes Settlement and Appellate Tribunal. Alternate dispute resolution is encouraged for civil claims arising from violations.

Chapter VII · Penalties and adjudication · Sections 33-34

The teeth of the Act. Penalty schedule going up to ₹250 crore per instance for the most serious violations, factors the Board must weigh, and the deposit-and-disposal mechanism for collected penalties.

Chapters VIII-IX · Miscellaneous · Sections 35-44

Rule-making powers, repeals, savings clauses, and transitional provisions.

What you actually have to do

Nine operating obligations

The bulk of the work for a Data Fiduciary lives in these nine clauses. If you're looking at a checklist for a programme, this is roughly the order to tackle them.

Itemised notice and consent · Sections 5, 6

Before or at the time of collection, the Data Principal must receive a notice that itemises every purpose of processing in clear, simple language. Consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action — and as easily withdrawable as it was given.
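What "specific" and "withdrawable" consent looks like as a data structure, as an added example that is not part of the primer: consent is stored per itemised purpose, withdrawal is recorded rather than deleted (so the history survives for evidence), and a processing check passes only for the exact purpose consented to and only while that consent is in force. The record fields, purpose names and the scenario in demo() are constructed assumptions, not terms from the Act.

```python
"""Added example, not code from the primer: a minimal consent ledger that
models itemised, per-purpose consent with withdrawal in the Section 5/6
sense. Record fields, purpose names and the scenario in demo() are
constructed assumptions for illustration, not terms from the Act."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                      # one itemised purpose from the notice
    notice_version: str               # which notice text the consent was given against
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Consent is keyed by (principal, purpose): agreeing to one purpose
    says nothing about another, and each purpose is withdrawable on its own."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def record_consent(self, principal_id: str, purpose: str,
                       notice_version: str, at: datetime) -> None:
        self._records[(principal_id, purpose)] = ConsentRecord(
            principal_id, purpose, notice_version, at)

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """Returns False if there was nothing to withdraw (no consent, or already withdrawn)."""
        rec = self._records.get((principal_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = at
        return True

    def may_process(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """True only if consent for exactly this purpose was in force at `at`."""
        rec = self._records.get((principal_id, purpose))
        if rec is None or rec.given_at > at:
            return False
        return rec.withdrawn_at is None or rec.withdrawn_at > at

    def evidence(self, principal_id: str) -> list[ConsentRecord]:
        """The audit trail a Fiduciary would produce to show consent and withdrawal history."""
        return [r for (pid, _), r in self._records.items() if pid == principal_id]


def demo() -> dict[str, bool]:
    """Constructed scenario: consent to one purpose, later withdrawn."""
    ledger = ConsentLedger()
    t_consent = datetime(2025, 1, 1, tzinfo=timezone.utc)
    t_between = datetime(2025, 1, 15, tzinfo=timezone.utc)
    t_withdraw = datetime(2025, 2, 1, tzinfo=timezone.utc)
    t_after = datetime(2025, 3, 1, tzinfo=timezone.utc)
    ledger.record_consent("principal-1", "order_fulfilment", "notice-v1", t_consent)
    return {
        "consented_purpose": ledger.may_process("principal-1", "order_fulfilment", t_between),
        "unconsented_purpose": ledger.may_process("principal-1", "marketing", t_between),
        "withdrawal_accepted": ledger.withdraw("principal-1", "order_fulfilment", t_withdraw),
        "after_withdrawal": ledger.may_process("principal-1", "order_fulfilment", t_after),
        "history_intact": ledger.may_process("principal-1", "order_fulfilment", t_between),
        "double_withdrawal": ledger.withdraw("principal-1", "order_fulfilment", t_after),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of keeping the withdrawn record rather than deleting it is that the ledger doubles as the evidence an organisation would put in front of the Board: it shows what was consented to, against which notice text, and when it stopped.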

Limited lawful uses without consent · Section 7

A narrow set of cases where processing is permitted without consent — voluntary disclosures by the Principal, government services, employment, medical emergencies, breakdown of public order, and a handful of others. The list is exhaustive, not illustrative.

Security safeguards · Section 8(5)

Reasonable security safeguards to prevent personal data breaches. The Act doesn't specify which safeguards — that's the Fiduciary's call, on a risk-proportionate basis. Failure here is the highest-penalty violation in the Act.

Breach notification within 72 hours · Section 8(6)

On becoming aware of a breach, the Fiduciary must notify the Data Protection Board and (where applicable) the affected Data Principals. The 2025 Rules pin the Board notification at 72 hours from awareness.

Erasure when purpose is fulfilled · Section 8(7)

Personal data must be erased when the purpose for which it was collected is no longer being served, unless retention is required by law. Practically, this means a defined retention schedule per data category.
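A retention schedule per data category, applied as an erasure job, as an added example that is not part of the primer: each category carries a period measured from the date its purpose ended, records under a legal hold are never selected (the Act's "unless retention is required by law" carve-out), and a record whose category has no schedule entry raises instead of being silently kept or erased. The categories, periods and sample records are constructed assumptions.

```python
"""Added example, not code from the primer: applying a per-category retention
schedule to decide which records are due for erasure once their purpose is
no longer served, with the Act's carve-out for data that a law requires you
to keep. Categories, periods and the sample records are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# Constructed schedule: how long each category is kept after its purpose ends.
RETENTION_SCHEDULE: dict[str, timedelta] = {
    "marketing_profile": timedelta(days=0),     # nothing justifies keeping it once consent ends
    "support_ticket": timedelta(days=180),      # assumed operational grace period
    "order_record": timedelta(days=365 * 7),    # assumed statutory bookkeeping period
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_ended_on: Optional[date]   # None: the original purpose is still being served
    legal_hold: bool = False           # retention required by another law


def erasure_due(rec: Record, today: date) -> bool:
    """Section 8(7)-style rule: erase once the purpose is over and the retention
    period has run, unless a legal obligation requires retention. An unknown
    category raises rather than guessing, because a category with no schedule
    entry is a gap in the programme that should be fixed, not worked around."""
    if rec.legal_hold or rec.purpose_ended_on is None:
        return False
    if rec.category not in RETENTION_SCHEDULE:
        raise KeyError(f"no retention rule for category {rec.category!r}")
    return today >= rec.purpose_ended_on + RETENTION_SCHEDULE[rec.category]


def erasure_batch(records: Iterable[Record], today: date) -> list[str]:
    """IDs of records the erasure job should act on today, in a stable order."""
    return sorted(r.record_id for r in records if erasure_due(r, today))


SAMPLE_TODAY = date(2025, 6, 1)   # constructed run date for the demo


def sample_records() -> list[Record]:
    """Constructed sample data covering each branch of the rule."""
    return [
        Record("r1", "marketing_profile", date(2025, 5, 31)),             # consent ended yesterday
        Record("r2", "support_ticket", date(2025, 1, 1)),                 # 180 days not yet run
        Record("r3", "support_ticket", date(2024, 11, 1)),                # 180 days have run
        Record("r4", "order_record", date(2024, 1, 1), legal_hold=True),  # statute says keep
        Record("r5", "support_ticket", None),                             # ticket still open
    ]


def demo() -> list[str]:
    return erasure_batch(sample_records(), SAMPLE_TODAY)


if __name__ == "__main__":
    print("due for erasure on", SAMPLE_TODAY, ":", demo())
```

Running the job as a selection step that returns IDs, separate from the deletion itself, keeps the decision reviewable: the list can be logged as evidence of the retention schedule being applied before anything is destroyed.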

Children's data special protections · Section 9

Verifiable parental consent before processing children's data. No tracking, behavioural monitoring, or targeted advertising directed at children. Penalties up to ₹200 crore per instance.

Significant Data Fiduciary obligations · Section 10

If designated by the Government, an SDF must appoint an India-based Data Protection Officer, an independent data auditor, and conduct periodic Data Protection Impact Assessments and audits.

Data Principal rights workflow · Sections 11-13

A workflow to receive, verify, and fulfil access, correction, erasure, and grievance requests within statutory timelines. Must be advertised on the Fiduciary's website or notice.

Cross-border transfer awareness · Section 16

The central government can restrict transfers of personal data to specific countries by notification. Fiduciaries must track which countries their vendors operate from and respond to notification changes.

The penalties

What it costs to get it wrong

From Section 33. The Data Protection Board can impose these penalties per instance — meaning a single incident can attract the maximum if the Board considers it severe enough.

Violation                                            Section     Maximum penalty
Failure to take reasonable security safeguards       8(5)        ₹250 crore
Failure to notify a personal data breach             8(6)        ₹200 crore
Failure to fulfil children's data obligations        9           ₹200 crore
Failure of Significant Data Fiduciary obligations    10          ₹150 crore
Failure of duties of a Data Principal                15          ₹10,000
Other violations of the Act or Rules                 Catch-all   ₹50 crore

Penalty calculation under Section 33 is adversarial. The Board starts at the maximum and subtracts factors that the Fiduciary can demonstrate (good-faith compliance, remediation, evidence, self-disclosure). Organisations with no evidence start at the maximum.

Where to go next

See where you stand against the Act

Run our free 5-minute applicability + readiness assessment. 40 questions across 13 categories, every one mapped to a specific section of the Act. You get a posture score and a prioritised gap list at the end.