DPDP Glossary · 25 terms

Every DPDP term, in plain English

Definitions for every important term in the Digital Personal Data Protection Act, 2023 and the DPDP Rules 2025. Written in the kind of language you can paste into a Slack message to a colleague who doesn't live in regulation.


B

Breach Notification

Section 8(6)

The legal obligation to inform the Data Protection Board (and where applicable, the affected Data Principals) when a personal data breach occurs. The 2025 Rules pin the Board notification at 72 hours from awareness.

C

Consent Manager

Section 6(7)

An entity registered with the Data Protection Board that helps Data Principals manage consent across multiple Fiduciaries through a single accessible interface. Acts as a trusted intermediary between the Principal and the Fiduciary.

Cross-border Transfer

Section 16

Sending personal data outside India. The Act allows transfers freely by default, but the central government can restrict transfers to specific countries or territories by notification. Fiduciaries must monitor the notification list.

Children's Data

Section 9

Personal data of individuals under 18 years of age. The Act prohibits behavioural monitoring and targeted advertising directed at children. Verifiable parental consent is required before processing.

Consent Withdrawal

Section 6(6)

The Data Principal's right to revoke previously-given consent at any time. Withdrawal must be as easy as the original consent — no “contact us at this email and we'll get back to you in 30 days” theatre.

D

Data Principal

Section 2(j)

The individual the personal data is about. In other privacy laws this is called the Data Subject. The Act gives them enforceable rights — access, correction, erasure, and grievance redressal — and a path to escalate to the Data Protection Board if those rights are violated.

Data Fiduciary

Section 2(i)

The person, company, or other entity that decides why and how personal data is processed. The legally accountable party. If your organisation chose to collect this data and what to do with it, you are the Data Fiduciary for that processing.

Data Processor

Section 2(k)

A third party that processes personal data on behalf of a Data Fiduciary, under contract. Cloud providers, payroll services, SaaS vendors, and outsourced support all fall here. Processors don't get to make their own decisions about purpose — they execute the Fiduciary's decisions.

Data Principal Rights

Sections 11-13

The bundle of rights the Act gives every Data Principal: right to information about processing, right to correction and erasure, right to grievance redressal, and right to nominate another person to exercise rights on their behalf.

Data Protection Board (DPB)

Section 18

The regulatory body the Act establishes to handle complaints, conduct investigations, and impose penalties for violations of the Act. Located in India, with members appointed by the central government.

Data Protection Officer (DPO)

Section 10

A mandatory role for Significant Data Fiduciaries. The DPO must be based in India, acts as the single point of contact for grievances and the Data Protection Board, and has authority to enforce DPDP compliance internally.

Data Protection Impact Assessment (DPIA)

Section 10(2)(c)

A structured risk assessment Significant Data Fiduciaries must perform periodically to evaluate the privacy risks of their processing activities. Identifies risks, mitigations, and residual risk; signed off by the DPO and (where required) an independent auditor.

Data Erasure

Section 8(7)

The right to have personal data deleted when its purpose is fulfilled or consent is withdrawn, subject to retention obligations under other laws. The Fiduciary must also instruct any processors holding the data to erase it.

Data Protection Board Penalty

Section 33

Financial penalties the Board can impose per instance of violation, ranging from ₹10,000 (failure of Data Principal duties) to ₹250 crore (failure of security safeguards). Calculated adversarially — the Board starts at maximum and subtracts factors the Fiduciary can demonstrate.

G

Grievance Redressal

Section 13

The process by which a Data Principal complains to a Data Fiduciary about a privacy issue and gets a response within a defined timeline. If the Fiduciary doesn't respond satisfactorily, the Principal can escalate to the Data Protection Board.

I

Implementation Window

The transitional period after the Act's notification during which Fiduciaries must operationalise compliance. The DPDP Rules 2025 set staggered timelines for different categories of obligations — most pinned at days or months, not years.

L

Lawful Use

Section 7

A non-consent ground for processing personal data. Narrowly defined and exhaustive: voluntary disclosure by the Principal, government services, employment-related processing, medical emergencies, public order, etc. Not a free pass — has to be one of the listed cases.

N

Notice

Section 5

The disclosure a Data Fiduciary must give to a Data Principal before or at the time of collecting personal data. Must be itemised, in clear and plain language, in the language of the Principal's choice, listing each purpose and the corresponding lawful basis.

P

Personal Data

Section 2(t)

Any data about an individual who is identifiable from that data alone or in combination with other information. The bar is identifiability, not sensitivity. Names, emails, phone numbers, IP addresses, device IDs, and combinations thereof all qualify.

Processing

Section 2(x)

Any operation on personal data — collection, storage, use, disclosure, structuring, alignment, retention, erasure. The definition is broad enough that almost every interaction with data counts as processing.

Personal Data Breach

Section 2(u)

Any unauthorised processing, accidental disclosure, alteration, or loss of personal data. Includes both deliberate attacks (hacks, exfiltration) and accidents (misconfigured S3 buckets, support agents handing out account info).

R

Record of Processing Activities (RoPA)

Not explicitly named in the Act but operationally required by the Section 8 obligations. A documented inventory of every processing activity in the organisation: what data, why, who has access, where it's stored, retention period, vendors involved.

Reasonable Security Safeguards

Section 8(5)

The obligation on every Data Fiduciary to implement security measures proportionate to the risk of the personal data being processed. The Act doesn't specify which safeguards — that's the Fiduciary's call. Failure here attracts the highest penalty in the Act.

S

Significant Data Fiduciary (SDF)

Section 10

A Data Fiduciary the central government has classified as “significant” based on data volume, sensitivity, processing risk, impact on Indian sovereignty, or risk to electoral democracy. SDFs have extra obligations: an India-based DPO, an independent data auditor, and periodic DPIAs.

V

Verifiable Parental Consent

Section 9(1)

Consent obtained from a parent or lawful guardian before collecting a child's personal data, with reasonable measures to verify that the consenting party actually is the parent or guardian. The 2025 Rules detail acceptable verification methods.
