India's approach to personal data protection has reached a defining moment, and if your organisation processes the data of Indian residents, you need to understand the rules now taking effect. The Digital Personal Data Protection Act, passed in 2023, has moved from legislative text to operational reality, with enforcement timelines extending into 2026 and 2027. Whether you are a multinational corporation with Indian customers, a domestic startup collecting user information, or a privacy professional preparing your compliance programme, the stakes are significant. Penalties can reach up to ₹250 crore (approximately £24 million) for serious violations, and the Data Protection Board of India is poised to begin adjudicating complaints. This guide provides a clear, practical breakdown of what the DPDPA is, how it works, where it applies, and what steps your organisation should be taking right now to meet its obligations.
Digital Personal Data Protection Act (DPDPA): Quick Definition
The Digital Personal Data Protection Act (DPDPA) is India's comprehensive data privacy law, enacted in August 2023, that governs the collection, storage, processing, and transfer of personal data in digital form. It establishes rights for individuals (called Data Principals), imposes obligations on organisations handling their data (called Data Fiduciaries), and creates the Data Protection Board of India to enforce compliance and adjudicate grievances.
Digital Personal Data Protection Act (DPDPA) Explained
The DPDPA represents India's first standalone data protection legislation, filling a gap that privacy advocates and industry leaders had identified for over a decade. The law draws on principles found in global frameworks such as the EU's GDPR and Brazil's LGPD, but it is distinctly tailored to India's digital economy, which serves over 800 million internet users.
At its core, the Act applies to personal data that is collected in digital form or that is digitised after collection. It covers processing carried out within India, as well as processing outside India if it relates to offering goods or services to individuals in India. This extraterritorial reach means that businesses worldwide must prepare for compliance if they handle the data of Indian residents.
The legislation introduces several key roles. A Data Principal is any individual whose personal data is being processed. A Data Fiduciary is the entity that determines the purpose and means of processing. Significant Data Fiduciaries, a subset designated by the government based on volume and sensitivity of data handled, face heightened obligations including mandatory data protection impact assessments and the appointment of a Data Protection Officer based in India.
The DPDPA also addresses children's data with particular care, requiring verifiable parental consent before processing data of individuals under 18. The healthcare and medtech sectors face especially complex requirements given the sensitive nature of patient information and the growing use of connected devices.
How the Digital Personal Data Protection Act (DPDPA) Works
Understanding the DPDPA's mechanics becomes simpler when you break it into five operational pillars.
The first pillar is consent. Before processing personal data, a Data Fiduciary must obtain free, specific, informed, and unambiguous consent from the Data Principal. Consent requests must be presented in clear, plain language, and the individual must be able to withdraw consent as easily as they gave it.
The second pillar is purpose limitation. Organisations may only process data for the specific purpose communicated at the time of collection. If you collect an email address to deliver a purchase receipt, you cannot later use that address for marketing without obtaining fresh consent.
The third pillar concerns Data Principal rights. Individuals have the right to access their data, request corrections, demand erasure, and nominate another person to exercise their rights in the event of death or incapacity. Organisations must respond to these requests through a structured grievance redressal mechanism.
The fourth pillar is data transfer. The DPDPA permits cross-border data transfers to most jurisdictions by default, but the central government retains the power to restrict transfers to specific countries through notification. This approach differs from GDPR's adequacy-based model and gives the Indian government considerable flexibility.
The fifth pillar is enforcement. The Data Protection Board of India operates as a digital-first adjudicatory body, receiving complaints, conducting inquiries, and imposing penalties. Penalties are tiered: up to ₹50 crore for failure to implement security safeguards, and up to ₹250 crore for breaches involving children's data or repeated non-compliance.
Think of the DPDPA as a contract between individuals and organisations: you may use someone's data, but only on terms they have agreed to, only for the stated purpose, and only for as long as necessary.
Digital Personal Data Protection Act (DPDPA) Examples
Real-world scenarios help illustrate how the DPDPA affects day-to-day operations across industries.
- An e-commerce platform based in Bengaluru collects customer names, addresses, and payment details to fulfil orders. Under the DPDPA, it must present a clear consent notice at checkout, allow customers to request deletion of their accounts, and ensure its payment processor (a Data Processor) handles data under a valid contract with appropriate security measures.
- A global SaaS company headquartered in London processes employee data for its 500-person team in Mumbai. Because it determines the purpose and means of processing, it qualifies as a Data Fiduciary under the DPDPA's extraterritorial provisions. It must appoint a grievance officer, respond to data access requests within the prescribed timeframe, and ensure its HR systems comply with Indian data protection requirements. A platform like PrivacyEngine, trusted by over 80,000 users worldwide, can help such organisations centralise their Records of Processing Activities and manage Data Principal rights requests without building bespoke internal systems.
- A children's educational app offering maths tutoring to Indian students must obtain verifiable parental consent before collecting any personal data. The app cannot serve behavioural advertising to minors, and it must implement age-gating mechanisms that go beyond a simple checkbox.
- A hospital network that deploys connected health-monitoring devices processes highly sensitive patient data. The DPDPA requires explicit consent for each processing purpose, and if the government designates the network as a Significant Data Fiduciary, it must conduct regular data protection impact assessments and appoint a resident DPO.
- A fintech startup using AI-based credit scoring must ensure that its data processing activities align with India's new data protection rules, particularly around transparency in automated decision-making and the individual's right to understand how their data influences outcomes.
Digital Personal Data Protection Act (DPDPA) vs Related Concepts
Confusion often arises between the DPDPA and other regulatory frameworks, so clarity here is essential.
The DPDPA and GDPR share foundational principles like consent, purpose limitation, and data minimisation, but they differ in structure. The GDPR provides six lawful bases for processing, while the DPDPA primarily relies on consent and "certain legitimate uses" as its two bases. The GDPR's right to data portability has no direct equivalent in the DPDPA, and the Indian law's approach to cross-border transfers is more permissive by default.
The DPDPA should not be confused with the Information Technology Act, 2000 (IT Act), which remains in force and addresses cybercrime, electronic contracts, and intermediary liability. The IT Act's Section 43A and the SPDI Rules previously provided India's closest equivalent to data protection regulation, but the DPDPA now supersedes those provisions for personal data.
The DPDPA also differs from sector-specific regulations such as the RBI's data localisation requirements for payment data. Financial institutions must comply with both the DPDPA and RBI directives, and India's new data privacy rules create layered obligations that require careful mapping.
No two organisations are the same, and the interplay between these frameworks means your compliance programme must account for overlapping requirements rather than treating each regulation in isolation.
Why the Digital Personal Data Protection Act (DPDPA) Matters
The DPDPA matters because India is one of the world's largest digital markets, and any organisation that ignores this law risks both financial penalties and reputational harm. With the Data Protection Board expected to become fully operational in the coming months, the enforcement window is closing.
For privacy professionals and DPOs, the DPDPA creates a structured accountability framework that demands documented evidence of compliance. You need to demonstrate that consent was obtained properly, that data retention schedules are enforced, and that breach response procedures are tested and ready. This is precisely where practitioner-focused platforms prove their value: PrivacyEngine, recognised as a Data Privacy Management leader by G2, helps teams manage DPIAs, breach governance, vendor assessments, and programme visibility through a single operational dashboard.
For business leaders, DPDPA compliance is not merely a legal obligation but a competitive differentiator. Indian consumers are increasingly aware of their data rights, and organisations that demonstrate transparent data practices build stronger trust. A well-structured compliance programme also reduces the operational cost of responding to data subject requests and regulatory inquiries.
The DPDPA also signals India's intent to participate actively in global data governance conversations, which means organisations already compliant with GDPR or similar frameworks have a head start but should not assume automatic compliance.
Digital Personal Data Protection Act (DPDPA) FAQ
Who does the DPDPA apply to? The Act applies to any organisation that processes the digital personal data of individuals in India, regardless of where the organisation is based. If you collect data from Indian users through a website, app, or service, you are likely subject to the DPDPA.
What are the penalties for non-compliance? Penalties range from ₹10,000 for individual Data Principal violations (such as filing frivolous complaints) to ₹250 crore for organisations that fail to protect children's data or commit repeated breaches.
Do I need a Data Protection Officer? Only organisations designated as Significant Data Fiduciaries by the central government are required to appoint a DPO. However, establishing a privacy lead or responsible officer is strongly advisable for any organisation processing personal data at scale.
How does the DPDPA handle data breaches? Data Fiduciaries must notify both the Data Protection Board and affected Data Principals of any personal data breach. The Act does not specify a fixed notification window like GDPR's 72-hour rule, but organisations should prepare for prompt reporting obligations once the Board issues detailed procedural rules.
Can personal data be transferred outside India? Yes, by default. The DPDPA permits cross-border transfers except to countries specifically restricted by the central government through official notification. No restricted list has been published as of mid-2026, but organisations should monitor government announcements closely.
