Guide · Updated May 2025 · 8 min read

DPDP Act 2023: What Indian Businesses Need to Know

India's first comprehensive data protection law is now in effect. Here is what the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025 require from your business, explained without legalese.

Background: Why India Needed a Data Protection Law

India had no sector-neutral personal data protection law before 2023. The IT Act 2000 and its 2011 rules provided limited coverage. After a 2017 Supreme Court ruling affirmed privacy as a fundamental right, Parliament spent six years drafting a comprehensive framework. The Digital Personal Data Protection Act 2023 was enacted on 11 August 2023.

The DPDP Rules 2025 were published in January 2025, providing detailed implementation requirements for consent notices, consent managers, and data localisation categories. Enforcement timelines are being set as the Data Protection Board is constituted.

Core Concepts

Data Fiduciary vs Data Principal

These are the two key roles in the DPDP framework:

  1. Data Fiduciary: the person or organisation that, alone or together with others, determines the purpose and means of processing personal data. If your business decides why and how customer data is processed, this is you.
  2. Data Principal: the individual to whom the personal data relates, i.e. your customers, users, and employees.

Key point: As a Data Fiduciary, you hold obligations. As Data Principals, Indian residents have rights you must honour. The Act creates a bilateral framework: not just restrictions on businesses, but enforceable entitlements for individuals.

What Counts as Personal Data?

The DPDP Act defines personal data as any data about an identifiable individual, including name, email, phone number, address, payment details, IP address, device identifiers, health records, location data, and photos. Unlike GDPR, it covers only digital personal data: data collected or stored in digital form, or subsequently digitised.

Territorial Scope

The Act applies to:

  1. Processing of digital personal data within India, whether the data was collected in digital form or collected offline and later digitised.
  2. Processing of digital personal data outside India, where that processing is connected with offering goods or services to Data Principals in India.

This means foreign companies, including SaaS vendors, e-commerce platforms, and mobile app developers serving Indian users, must comply regardless of where they are incorporated.

Key Obligations for Data Fiduciaries

Consent Notice (Section 5)

Before collecting personal data, you must provide a clear consent notice. The DPDP Rules 2025 specify it must include: what data is collected, the purpose, how long it is retained, who it is shared with, and how consent can be withdrawn. The notice must be in plain language and accessible in scheduled Indian languages.

Lawful Bases for Processing

The Act recognises two primary lawful bases:

  1. Consent: freely given, specific, informed, unconditional, and unambiguous. Pre-ticked boxes and bundled consents are invalid.
  2. Legitimate Uses: a prescribed list including employment-related processing, medical emergencies, judicial orders, and safety functions. This is a narrower carve-out than GDPR's "legitimate interests".

Data Principal Rights

Right | What It Means for Your Business
Right to Access | Provide a summary of the data held and a list of the processors it has been shared with
Right to Correction | Correct inaccurate or incomplete data on request
Right to Erasure | Delete personal data when consent is withdrawn or the purpose is complete (subject to legal retention requirements)
Right to Grievance Redressal | The Grievance Officer must respond within 48 hours and resolve the grievance within 7 days
Right of Nomination | An individual can nominate another person to exercise their rights in case of death or incapacity

Security Safeguards (Section 8)

Implement reasonable security measures proportionate to the volume and sensitivity of data processed. The Act does not mandate specific technical standards but cross-references CERT-In guidelines, which include incident response timelines and security controls for critical organisations.

Breach Notification (Section 8)

If a personal data breach is likely to adversely affect Data Principals, you must notify the Data Protection Board and affected individuals within 72 hours. The notification must describe the breach, data affected, and remedial steps taken.

Grievance Officer (Section 13)

Every Data Fiduciary must appoint a Grievance Officer whose name and contact details are published on the website. For Indian-incorporated businesses, the Grievance Officer must be based in India. The role can be fulfilled by a founder, director, or senior employee. No specific qualification is required.

What Changed with the DPDP Rules 2025

The Rules, published in January 2025, added important implementation details, most notably the required contents of the consent notice (listed under Section 5 above), the framework for consent managers, and the categories of data subject to localisation.

DPDP vs GDPR: Key Differences

Dimension | DPDP Act 2023 | GDPR
Scope | Digital personal data only | All personal data (digital and offline)
Lawful bases | Consent and limited legitimate uses | 6 lawful bases including legitimate interests
Max penalty | ₹250 crore (approx. €28M) | €20M or 4% of global turnover
DPO requirement | Only for Significant Data Fiduciaries | Mandatory when processing is large-scale
Data subject rights | Access, correction, erasure, nomination, grievance | 8 rights including portability and restriction
Breach notification | 72 hours to the Board and to affected individuals | 72 hours to the supervisory authority; individuals without undue delay


Where to Start: A Practical Sequence

  1. Run a compliance scan: identify which DPDP checkpoints your website currently fails. This takes 2 minutes and gives you a prioritised remediation list.
  2. Publish a Consent Notice: before your data collection forms, checkout pages, or sign-up flows. This is the most commonly missing item.
  3. Appoint a Grievance Officer: document the name and contact details and publish them on your website. A founder or director qualifies.
  4. Update your Privacy Policy: ensure it covers all 7 DPDP mandatory disclosures including data retention, processor list, and Data Principal rights.
  5. Install a consent banner: for cookie-based tracking and marketing analytics. Consent must be purpose-specific.
  6. Set up a data rights request process: a web form or email address where users can request access, correction, or erasure. Acknowledge within 48 hours.
  7. Prepare a breach response plan: know who to notify, how quickly, and what information is required.

Summary

The DPDP Act 2023 is India's most significant data regulation since the IT Act 2000. It applies to virtually every Indian business that collects digital personal data. Baseline compliance is achievable quickly with the right tools. The risk of inaction, including penalties up to ₹250 crore and reputational damage once the Board begins enforcement, is significant.