Everything you need to know about the Digital Personal Data Protection Act 2023: who it covers, what is required, and how to get compliant before enforcement begins.
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's first comprehensive data protection law, enacted on 11 August 2023. It governs how organisations collect, use, store, and process the personal data of Indian residents, both within India and from overseas.
The DPDP Rules 2025, released in January 2025, provide detailed implementation requirements: consent notice formats, consent manager specifications, data localisation categories, and timelines for Data Protection Board enforcement.
Unlike the GDPR, which covers all personal data, the DPDP Act applies specifically to digital personal data: data collected or stored in digital form. This includes names, email addresses, phone numbers, payment data, health records, location data, and any identifier that can be linked to an individual.
The DPDP Act applies to any Data Fiduciary: any person or entity that determines the purpose and means of processing personal data of Indian residents.
Entities designated by the Central Government as Significant Data Fiduciaries (SDFs), based on the volume and sensitivity of the data they process, face additional obligations: appointment of a Data Protection Officer, periodic Data Protection Impact Assessments, and data audits.
Before collecting personal data, you must provide a clear consent notice specifying: what data is collected, the purpose, how long it is retained, with whom it is shared, and how users can withdraw consent. The DPDP Rules 2025 specify the notice must be in plain language and available in scheduled Indian languages.
Consent must be freely given, specific, informed, unconditional, and unambiguous. Pre-ticked checkboxes, bundled consents, or making services conditional on unrelated data collection are not valid. Users must be able to withdraw consent as easily as they gave it.
Indian residents have rights to: access a summary of their data, correct or erase inaccurate data, nominate another person to exercise rights on their behalf, and file grievances. You must acknowledge rights requests within 48 hours and resolve within 7 days (unless extended by the Board).
Only collect data necessary for a specified purpose. Do not use it for other purposes without fresh consent. Delete personal data when the purpose is complete and retention is no longer legally required.
Implement reasonable security measures to prevent unauthorised access, disclosure, alteration, or loss of personal data. The Act does not prescribe specific technical standards but cross-references CERT-In guidelines.
If a data breach is likely to cause harm to Data Principals, you must notify the Data Protection Board and affected individuals within 72 hours. Notification must describe the nature of the breach, data affected, and remedial action taken.
Every Data Fiduciary must appoint a Grievance Officer (for Indian entities, this must be based in India) and publish their contact details on the website. The Grievance Officer handles complaints from Data Principals and liaises with the Data Protection Board.
The Data Protection Board has the authority to investigate and levy financial penalties. Violations are adjudicated on a per-instance basis, meaning a single incident involving many users could result in compounding penalties.
| Violation | Maximum Penalty |
|---|---|
| Failure to implement adequate security safeguards leading to a data breach | ₹250 crore |
| Failure to notify the Board of a personal data breach | ₹200 crore |
| Processing children's data without verifiable parental consent | ₹200 crore |
| Non-fulfilment of additional obligations for Significant Data Fiduciaries | ₹150 crore |
| Failure to fulfil obligations as a Data Fiduciary | ₹50 crore |
| Breach of voluntary undertaking given to the Board | Amount specified in undertaking |
| Any other provision of the Act or Rules | ₹10,000 per instance |
Use this baseline checklist to assess where you stand. Each item is verifiable and actionable.
CompliSeal is built specifically for the DPDP Act 2023. Scan your website, generate required documents, and manage ongoing compliance, all in one platform.
Automatically checks your website for privacy policy, consent notice, Grievance Officer details, cookie controls, and 12 other DPDP requirements. Results in 2 minutes.
Drop-in JavaScript SDK for DPDP-compliant consent collection. SHA-256 audit log, per-purpose granular consent, withdrawal portal. Ready in under an hour.
Public intake form for access, correction, erasure, and nomination requests. Automated 7-day SLA tracking, email notifications, and audit trail.
Board notification draft, internal escalation template, and affected user notice, all structured to meet DPDP Act requirements. Ready in minutes.
DPDP-specific policy template covering all 7 mandatory disclosure requirements. Generated in 60 seconds, exported as HTML or PDF.
Live score across all DPDP checkpoints, upcoming deadlines, and remediation tracking so you always know where you stand.
Yes. The Act does not have a size or turnover threshold. Any entity that processes digital personal data of Indian residents must comply. The Central Government may grant relaxations to certain categories through future rules, but no such exemptions have been notified yet.
The Act was notified in August 2023. The DPDP Rules 2025 were released in January 2025. The Data Protection Board is being constituted and enforcement timelines are expected to be notified in 2025. Businesses should treat compliance as urgent; the Board can look back at past violations.
A DPO is mandatory only for Significant Data Fiduciaries designated by the Central Government. Most SMBs will not be classified as SDFs initially. However, every Data Fiduciary must appoint a Grievance Officer, which is a lighter-weight role any employee or director can fulfil.
No. DPDP and GDPR share principles (consent, data minimisation, rights) but differ significantly in scope, obligations, and penalties. GDPR covers all personal data including offline data; DPDP covers only digital personal data. DPDP penalties are lower than GDPR (max ₹250 crore vs 4% global turnover) but apply specifically to Indian residents' data.
With CompliSeal, most SMBs can reach baseline compliance within 1 to 3 working days: scan your site (2 minutes), generate your privacy policy and consent notice (30 minutes), install the consent banner SDK (1 hour), set up the data rights workflow (1 hour), and publish your Grievance Officer contact. Complex organisations may need 2 to 4 weeks for full documentation.
Free scan across 13 DPDP checkpoints. No credit card needed. Results in under 2 minutes.