The DPDP Act 2023: A Complete Guide for Indian Businesses
Everything Indian businesses need to know about the Digital Personal Data Protection Act 2023 — consent, data principal rights, breach reporting, penalties, and how to become compliant before the 2025 Rules deadline.
The Digital Personal Data Protection Act 2023 is India's first comprehensive data privacy law. Every business that collects personal data from individuals in India must obtain clear consent, honour data principal rights, and report breaches within 72 hours — or face penalties of up to ₹250 crore. This guide explains exactly what the law requires and how to become compliant.
#What is the DPDP Act 2023?
The DPDP Act establishes a consent-based framework for processing the personal data of individuals (called Data Principals) in India. It applies to any organisation (a Data Fiduciary) that determines why and how personal data is processed, whether that processing happens inside India or abroad in connection with offering goods or services to Indian residents.
Unlike sector-specific rules that came before it, the DPDP Act is horizontal: it covers banking, healthcare, e-commerce, edtech, and every other industry that touches personal data.
#Who must comply?
You are a Data Fiduciary — and therefore subject to the Act — if your business:
- Collects names, email addresses, phone numbers, or any other personal data from individuals in India.
- Uses cookies or trackers that identify website visitors.
- Processes employee or customer records digitally.
- Engages vendors or processors to handle data on your behalf.
Larger organisations handling high volumes of sensitive data may be classified as Significant Data Fiduciaries, which carry additional obligations such as appointing a Data Protection Officer (DPO) and conducting Data Protection Impact Assessments.
#The seven core obligations
#1. Provide a clear notice
Before or at the time of collecting consent, you must give the Data Principal a notice describing what data you collect, the purpose, and how they can exercise their rights. The notice must be available in English and the 22 languages of the Eighth Schedule of the Constitution.
#2. Obtain valid consent
Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Pre-ticked boxes and bundled consent are not valid. You must also maintain a record (an artefact) proving when and how consent was obtained.
#3. Honour data principal rights
Data Principals have the right to access, correct, update, and erase their data, the right to grievance redressal, and the right to nominate someone to exercise their rights after death or incapacity.
#4. Enable easy consent withdrawal
Withdrawing consent must be as easy as giving it. Once consent is withdrawn, you must stop processing and ensure your processors do the same.
#5. Report breaches within 72 hours
A personal data breach must be reported to the Data Protection Board and affected Data Principals without undue delay. Maintaining a breach response runbook is essential.
#6. Protect children's data
You must obtain verifiable parental consent before processing the data of anyone under 18, and you may not track, profile, or serve targeted advertising to children.
#7. Implement reasonable security safeguards
You are legally required to protect personal data with appropriate technical and organisational measures. Failure to do so — if it leads to a breach — attracts the highest penalty under the Act.
#Penalties at a glance
| Violation | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards | ₹250 crore |
| Failure to notify a breach | ₹200 crore |
| Breach of children's data obligations | ₹200 crore |
| Non-fulfilment of Significant Data Fiduciary duties | ₹150 crore |
| General violations | ₹50 crore |
#How to become compliant
- Map your data. Document what personal data you collect, where it lives, and who you share it with.
- Deploy a consent management platform. Capture itemised, recorded consent for every purpose.
- Publish a compliant privacy notice. Make it multilingual and easy to understand.
- Stand up a grievance and rights desk. Give Data Principals a simple way to exercise their rights with SLA tracking.
- Prepare a breach response plan. Be ready to detect, contain, and report within 72 hours.
Compliance is not a one-time project. It is an ongoing operating discipline that touches marketing, engineering, legal, and customer support.
#Conclusion
The DPDP Act 2023 fundamentally changes how Indian businesses handle personal data. The organisations that win customer trust will be those that treat privacy as a feature, not a checkbox. Start mapping your data and operationalising consent today — the cost of waiting is measured in crores.
Frequently asked questions
When does the DPDP Act 2023 come into force?
The Digital Personal Data Protection Act was enacted in August 2023. The operational Rules were notified in 2025, and most obligations for businesses become enforceable on a phased timeline running through 2026. Organisations should treat compliance as required now rather than waiting for the final deadline.
What are the penalties for non-compliance with the DPDP Act?
Penalties can reach up to ₹250 crore per instance for failure to take reasonable security safeguards that result in a personal data breach. Other violations — such as failing to notify a breach or breaching children's data obligations — carry penalties up to ₹200 crore.
Who is a Data Fiduciary under the DPDP Act?
A Data Fiduciary is any person or organisation that, alone or with others, determines the purpose and means of processing personal data. In practice, almost every business that collects customer data online is a Data Fiduciary and must comply with consent, notice, and security obligations.
Does the DPDP Act apply to small businesses and startups?
Yes. The Act applies to all Data Fiduciaries regardless of size, though certain Startups may receive relaxed obligations through government notification. Even small businesses must obtain valid consent and honour data principal rights.