India’s Digital Personal Data Protection Act 2023 (DPDPA) received Presidential assent on 11 August 2023. Assent alone did not bring it into force: its provisions take effect on dates notified by the Central Government, and the detailed Rules it depends on were published in draft in January 2025. It is the country’s first comprehensive data privacy law, replacing the patchwork of provisions under the Information Technology Act 2000 (Section 43A and the 2011 SPDI Rules) that governed personal data handling until now.
If your organisation collects, processes, or stores personal data of Indian residents, DPDPA applies to you. This guide explains what the law requires, which organisations are most at risk, and what compliance looks like in practice.
The Digital Personal Data Protection Act 2023 (Act No. 22 of 2023) establishes legal obligations for any entity that processes the personal data of individuals in India — whether you are an Indian company or a foreign company targeting Indian users.
The Act is built around a simple principle: individuals have a right to know how their personal data is used, and organisations must obtain meaningful consent before using it.
Key definitions:
The Act applies to:
Exemptions include:
In practice, DPDPA applies to virtually every B2C and B2B company operating in India — banks, hospitals, e-commerce platforms, SaaS companies, HR software providers, and more.
You must obtain free, specific, informed, unconditional, and unambiguous consent, signified by a clear affirmative action, before processing personal data. Consent must be obtained through a clear notice that explains:
Pre-ticked checkboxes, bundled consent, or vague “by using our service you agree” clauses are not valid under DPDPA.
Before or at the time of requesting consent, you must give the Data Principal a notice in clear, plain language. The Data Principal may choose to receive it in English or in any of the 22 languages listed in the Eighth Schedule to the Constitution.
The notice must describe:
Personal data may only be processed for the purpose specified in the consent notice. You cannot collect data “just in case” or repurpose it for secondary uses without fresh consent. The Data Principal may also withdraw consent at any time, and withdrawing must be as easy as giving it; once consent is withdrawn, processing for that purpose must stop within a reasonable time and the data be erased unless retention is required by law.
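The purpose-limitation and withdrawal requirements above translate directly into an engineering control: a consent ledger that records consent purpose by purpose and gates every processing operation on live consent for exactly that purpose. The following is an added illustration, not code from the article or from any vendor; the purpose catalogue, record fields and sample Data Principal identifier are constructed assumptions.

```python
"""Purpose-bound consent ledger (illustrative example, not from the article).

Models three DPDPA consent requirements in code: consent is granted for one
declared purpose at a time (no bundled "agree to everything" record), data is
processed only for a purpose with live consent, and withdrawal is honoured.
Purpose names, record fields and the sample principal ID are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Purposes the consent notice actually describes (constructed sample catalogue).
# A purpose absent from this catalogue can neither be consented to nor processed.
DECLARED_PURPOSES = {
    "order_fulfilment": "Deliver purchased goods and issue invoices",
    "marketing_email": "Send promotional emails about new products",
    "analytics": "Aggregate usage analysis to improve the service",
}


class PurposeNotConsented(Exception):
    """Raised when processing is attempted for a purpose without live consent."""


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice_version: str          # which notice text the principal actually saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentLedger:
    records: list[ConsentRecord] = field(default_factory=list)

    def grant(self, principal_id: str, purpose: str, notice_version: str) -> ConsentRecord:
        # One record per purpose: callers must collect consent purpose by purpose,
        # which rules out a single bundled record covering every use at once.
        if purpose not in DECLARED_PURPOSES:
            raise ValueError(f"purpose {purpose!r} is not described in the notice")
        rec = ConsentRecord(principal_id, purpose, notice_version, datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str) -> int:
        """Withdraw consent for one purpose; returns how many active records were closed."""
        now = datetime.now(timezone.utc)
        closed = 0
        for rec in self.records:
            if rec.principal_id == principal_id and rec.purpose == purpose and rec.active:
                rec.withdrawn_at = now
                closed += 1
        return closed

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        return any(
            rec.principal_id == principal_id and rec.purpose == purpose and rec.active
            for rec in self.records
        )

    def process(self, principal_id: str, purpose: str, operation):
        """Gate: run `operation` only if live consent exists for exactly this purpose."""
        if not self.has_consent(principal_id, purpose):
            raise PurposeNotConsented(f"{principal_id} has not consented to {purpose!r}")
        return operation()


def demo() -> dict:
    """Grant, attempt a secondary use, withdraw, attempt an undeclared purpose; return outcomes."""
    ledger = ConsentLedger()
    pid = "dp-1001"  # constructed sample Data Principal identifier
    ledger.grant(pid, "order_fulfilment", notice_version="2024-03")

    outcomes = {}
    outcomes["fulfilment_allowed"] = ledger.process(pid, "order_fulfilment", lambda: "shipped")
    # Consent for fulfilment does not cover marketing: the secondary use is refused.
    try:
        ledger.process(pid, "marketing_email", lambda: "sent")
        outcomes["marketing_blocked"] = False
    except PurposeNotConsented:
        outcomes["marketing_blocked"] = True
    # Withdrawal must be honoured: the previously permitted purpose stops being allowed.
    outcomes["withdrawn_records"] = ledger.withdraw(pid, "order_fulfilment")
    outcomes["fulfilment_after_withdrawal"] = ledger.has_consent(pid, "order_fulfilment")
    # A purpose the notice never described cannot be consented to at all.
    try:
        ledger.grant(pid, "sell_to_data_broker", notice_version="2024-03")
        outcomes["undeclared_rejected"] = False
    except ValueError:
        outcomes["undeclared_rejected"] = True
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The design point is that the check sits at the processing boundary, not in the signup form: a marketing job that calls `process(..., "marketing_email", ...)` fails closed when the only consent on file is for order fulfilment, and the same job fails after withdrawal without any code change. Recording `notice_version` lets you later show which notice text a given consent was obtained against.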
The Act grants individuals the following rights:
| Right | What it means |
|---|---|
| Right to Information | Know what personal data you hold about them |
| Right to Correction | Request correction of inaccurate data |
| Right to Erasure | Request deletion of personal data when purpose is served |
| Right to Grievance Redressal | Make complaints to the Data Fiduciary |
| Right to Nominate | Nominate someone to exercise rights on death or incapacity |
As a Data Fiduciary, you must:
The government will notify certain organisations as Significant Data Fiduciaries based on the volume and sensitivity of personal data processed, potential risk to Data Principals, and national security implications.
SDFs face additional obligations:
The DPDPA introduces significant financial penalties enforced by the Data Protection Board of India:
| Violation | Maximum Penalty |
|---|---|
| Failure to implement adequate security safeguards | ₹250 crore |
| Failure to notify breach to Data Protection Board | ₹200 crore |
| Breach of obligations related to children’s data | ₹200 crore |
| Breach of the additional obligations of a Significant Data Fiduciary | ₹150 crore |
| Other violations | ₹50 crore |
Unlike GDPR (which caps fines at a percentage of global annual turnover, or a fixed euro amount, whichever is higher), DPDPA sets fixed monetary caps per category of violation. For many Indian SMEs, penalties of up to ₹50–250 crore are existential.
| Aspect | DPDPA 2023 | GDPR |
|---|---|---|
| Applies to | Digital personal data processed in India, and processing outside India connected to offering goods or services to individuals in India | Data subjects in the EU/EEA, including processing by controllers or processors outside the EU that offer them goods or services or monitor their behaviour |
| Legal bases for processing | Consent + legitimate uses | Consent + 5 other lawful bases |
| Breach notification | Board and every affected Data Principal must be notified; the Act fixes no deadline and leaves form and timing to the Rules (the January 2025 draft Rules propose notifying the Board without delay, with a detailed report within 72 hours) | Supervisory authority within 72 hours; data subjects without undue delay only where the breach is likely to result in high risk |
| Right to data portability | Not included | Included |
| Cross-border transfers | Permitted to any country except those the Central Government restricts by notification (a negative list, not a whitelist) | Adequacy decisions / SCCs / BCRs |
| Penalty basis | Fixed cap per violation category (up to ₹250 crore) | Up to 4% of global annual turnover or €20 million, whichever is higher |
Compliance is not a one-time checkbox — it requires building data protection into your processes. Here is a practical starting point:
Identify all personal data your organisation collects, where it is stored, who processes it, and for what purpose. You cannot protect data you cannot locate.
Audit all consent mechanisms — registration forms, cookie banners, marketing opt-ins, HR onboarding documents. Replace bundled or vague consent with specific, granular consent notices.
Rewrite your privacy policy and in-product notices to meet DPDPA standards — plain language, specific purposes, rights clearly stated.
Build a mechanism to receive and respond to requests for information, correction, and erasure. Document your response timelines.
Establish a data breach response procedure: how you detect a breach, how you assess its scope, and how you notify the Data Protection Board and affected individuals.
Review contracts with processors (cloud providers, payroll vendors, CRM platforms, analytics tools) to ensure they include appropriate data protection obligations.
Implement reasonable security safeguards. The Act does not prescribe specific controls (the January 2025 draft Rules list a baseline of encryption or masking, access control, logging and monitoring, and backups), and ISO 27001 is widely used to structure and evidence what “reasonable safeguards” means in practice.
ISO 27001 certification does not make you automatically DPDPA compliant — but it provides a strong foundation. ISO 27001 Annex A controls cover:
For organisations pursuing DPDPA compliance, combining ISO 27001 with ISO 27701 (Privacy Information Management System) is the most comprehensive path.
Crewtec’s DPDPA compliance practice covers:
DPDPA compliance is not optional — and the Data Protection Board will have enforcement powers once fully constituted. The time to build your compliance programme is before the breach, not after.