DPDP Act 2023 Explained: Sections, Obligations, Timeline, and Penalties
The Digital Personal Data Protection Act, 2023 is India's core privacy law for digital personal data. It gives individuals rights over their data, places obligations on businesses that decide why and how personal data is processed, and creates penalties for serious failures such as weak security, breach-notification failures, children's data violations, and Significant Data Fiduciary non-compliance.
If you are an Indian business, SaaS company, ecommerce site, fintech, healthcare provider, HR platform, school-tech product, marketplace, agency, or global company offering goods or services to people in India, the DPDP Act should be on your implementation roadmap.
This guide explains the Act in business terms: who it applies to, the sections that matter, what Data Fiduciaries must do, what rights Data Principals have, how the DPDP Rules 2025 affect timelines, and what penalties are at stake.
Quick Answer: What Is The DPDP Act 2023?
The DPDP Act 2023 is India's digital personal data protection law. It regulates the processing of digital personal data, gives individuals rights such as access, correction, erasure, grievance redressal, and nomination, and requires Data Fiduciaries to provide notice, obtain valid consent where required, protect data, report breaches, honour rights, manage processors, and delete data when the purpose ends. Non-compliance can attract penalties up to Rs. 250 crore for serious security failures.
The DPDP Rules 2025 operationalise the Act and create the practical implementation timeline for businesses.
Who Does The DPDP Act Apply To?
The Act applies to digital personal data processed in India. It can also apply outside India when personal data processing is connected with offering goods or services to Data Principals in India.
In practical terms, the Act can apply if your business:
- collects personal data through a website, app, SaaS product, form, payment flow, CRM, support channel, or employee system
- digitises personal data collected offline
- offers goods or services to people in India
- uses processors or vendors to handle personal data
- stores user, customer, employee, lead, patient, student, vendor-contact, or applicant information digitally
The Act is not limited to large enterprises. Small businesses can fall within scope if they process digital personal data.
Key DPDP Definitions
| Term | Plain-English meaning |
|---|---|
| Data Principal | The individual to whom personal data relates. For children, this includes the parent or lawful guardian where relevant. |
| Personal data | Data about an individual who is identifiable by or in relation to that data. |
| Data Fiduciary | The person or organisation deciding the purpose and means of processing personal data. |
| Data Processor | A person or organisation processing personal data on behalf of a Data Fiduciary. |
| Consent Manager | A registered intermediary that enables Data Principals to manage consent through an interoperable platform. |
| Child | An individual below 18 years of age. |
| Significant Data Fiduciary | A Data Fiduciary or class of Data Fiduciaries notified by the Central Government under Section 10. |
| Processing | Operations performed on digital personal data, such as collection, storage, use, sharing, disclosure, erasure, or analysis. |
DPDP Act Section Map For Businesses
You do not need to memorise the full Act to start implementation. You do need to understand how the key sections fit together.
| Section | What it covers | Why businesses care |
|---|---|---|
| Section 3 | Applicability | Determines whether your processing is in scope. |
| Section 4 | Grounds for processing | Processing must be based on the Data Principal's consent or on one of the specified legitimate uses. |
| Section 5 | Notice | You need clear notice before or with consent. |
| Section 6 | Consent | Consent must be free, specific, informed, unconditional, unambiguous, and given through clear affirmative action. |
| Section 7 | Legitimate uses | Specific cases where processing can happen without consent. |
| Section 8 | General obligations | Core duties: compliance, security, breach notification, processor controls, erasure, grievance contact. |
| Section 9 | Children's data | Parental consent and restrictions on harmful processing, tracking, behavioural monitoring, and targeted ads. |
| Section 10 | Significant Data Fiduciaries | Extra governance obligations for notified SDFs. |
| Sections 11-14 | Data Principal rights | Access, correction, erasure, grievance redressal, and nomination. |
| Section 15 | Duties of Data Principals | Individuals also have duties, such as not filing false complaints or impersonating others. |
| Section 16 | Cross-border processing | Personal data may be restricted from transfer to notified countries or territories. |
| Section 17 | Exemptions | Certain processing may be exempt in specified circumstances. |
| Sections 18-32 | Data Protection Board | Establishment, powers, procedure, appeals, voluntary undertakings. |
| Section 33 and Schedule | Penalties | Maximum penalties for major categories of non-compliance. |
The Core Compliance Model: Consent Or Legitimate Use
Section 4 is the core processing rule: personal data should be processed for a lawful purpose for which the Data Principal has given consent, or for certain legitimate uses listed in Section 7.
That creates two practical questions for every processing activity:
- Do we have valid consent for this specific purpose?
- If not, does a specific Section 7 legitimate use apply?
Do not treat "legitimate use" as a broad business-interest test. DPDP is not GDPR. Section 7 is a specific list, not a general balancing exercise.
For a deeper decision framework, see: Legitimate Uses Under DPDP.
What Data Fiduciaries Must Do
Most businesses in scope will operate as Data Fiduciaries. The obligations below are the practical core of DPDP compliance.
1. Provide Clear Notice
Before obtaining consent, provide a notice that explains what personal data is being processed and why. A broad privacy policy may not be enough if it does not clearly explain purposes and rights.
Good DPDP notices are:
- specific by purpose
- easy to understand
- connected to the point of data collection
- clear about rights and grievance contact
- versioned so the business can prove what the user saw
2. Obtain And Record Valid Consent
Consent should be specific, informed, unambiguous, and based on clear affirmative action. It should not be bundled, hidden, pre-ticked, or forced for unrelated purposes.
Maintain records showing:
- who consented
- what purpose they consented to
- which notice version they saw
- when they consented
- where consent was collected
- whether consent was withdrawn
3. Allow Consent Withdrawal
Withdrawal should be as easy as giving consent. It should also work downstream. If a user withdraws marketing consent, the marketing system, CRM, ad audience, and suppression lists may all need updates.
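Obligations 2 and 3 above, as an added Python example that is not part of the original article: a purpose-scoped consent ledger that records the fields listed (who, purpose, notice version, when, where, withdrawn) and propagates a withdrawal to every registered downstream system. The class, method and field names are assumptions for illustration; the sample data in `demo()` is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

@dataclass(frozen=True)
class ConsentEvent:  # one append-only ledger entry with the record fields the article lists
    principal_id: str     # who consented
    purpose: str          # the specific purpose, never a bundle of purposes
    notice_version: str   # which notice version the person saw
    at: datetime          # when
    channel: str          # where consent was collected (checkout, app, preferences page)
    granted: bool         # True = consent given, False = consent withdrawn

class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        self._hooks: list[Callable[[str, str], None]] = []  # CRM, marketing tool, ad audience
    def register_downstream(self, hook: Callable[[str, str], None]) -> None:
        self._hooks.append(hook)
    def evidence(self, pid: str, purpose: str) -> list[ConsentEvent]:
        """Proof of who consented to what, under which notice, when and where."""
        return [e for e in self._events if e.principal_id == pid and e.purpose == purpose]
    def grant(self, pid: str, purpose: str, notice_version: str, channel: str) -> None:
        self._events.append(ConsentEvent(pid, purpose, notice_version,
                                         datetime.now(timezone.utc), channel, True))
    def withdraw(self, pid: str, purpose: str, channel: str) -> None:
        hits = self.evidence(pid, purpose)
        version = hits[-1].notice_version if hits else ""
        self._events.append(ConsentEvent(pid, purpose, version,
                                         datetime.now(timezone.utc), channel, False))
        for hook in self._hooks:  # withdrawal must work downstream, not just in the ledger
            hook(pid, purpose)
    def has_valid_consent(self, pid: str, purpose: str) -> bool:
        """The per-activity question from the article: valid consent for THIS purpose?"""
        hits = self.evidence(pid, purpose)
        return bool(hits) and hits[-1].granted  # chronological ledger, so the last entry wins

def demo() -> dict:
    """Constructed sample: one user grants two purposes, then withdraws marketing only."""
    suppressed = []  # stands in for a CRM / ad-audience suppression list
    ledger = ConsentLedger()
    ledger.register_downstream(lambda pid, purpose: suppressed.append((pid, purpose)))
    ledger.grant("u1", "order_fulfilment", "notice-v3", "checkout")
    ledger.grant("u1", "marketing_email", "notice-v3", "checkout")
    ledger.withdraw("u1", "marketing_email", "preferences_page")
    return {"fulfilment_ok": ledger.has_valid_consent("u1", "order_fulfilment"),
            "marketing_ok": ledger.has_valid_consent("u1", "marketing_email"),
            "suppressed": suppressed,
            "marketing_trail": len(ledger.evidence("u1", "marketing_email"))}
```

Withdrawing one purpose leaves the other intact, and the ledger keeps both the grant and the withdrawal as evidence rather than overwriting the record.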
4. Use Processors Responsibly
If a vendor processes personal data on your behalf, the Data Fiduciary remains responsible for compliance. Contracts should cover instructions, confidentiality, security, breach assistance, rights support, deletion, sub-processors, and evidence.
5. Maintain Reasonable Security Safeguards
Security is not optional. Businesses should be able to show access controls, encryption or equivalent safeguards, logging, monitoring, incident response, vendor controls, and internal governance appropriate to the risk.
6. Notify Personal Data Breaches
The Act and Rules require breach notification to the Data Protection Board and affected Data Principals. Current implementation planning should treat the 72-hour Board notification window under the Rules as a hard operational requirement.
7. Delete Data When The Purpose Ends
Personal data should not persist indefinitely simply because the business never built a deletion process. When the purpose is no longer being served, or consent is withdrawn, the Data Fiduciary should erase the data unless retention is required by law or another valid basis applies.
8. Honour Data Principal Rights
Businesses should be ready to handle access, correction, erasure, grievance, and nomination workflows. Rights handling is operational: intake, verification, system search, vendor action, response, and evidence.
For a deeper workflow, see: Data Principal Rights Under DPDP.
Children's Data Under DPDP
DPDP defines a child as an individual under 18. Businesses that process children's personal data need a more careful compliance model.
Key obligations and restrictions include:
- obtain verifiable consent from the parent or lawful guardian where required
- avoid processing likely to cause a detrimental effect on the well-being of a child
- avoid tracking, behavioural monitoring, and targeted advertising directed at children, subject to the framework and exemptions
- design age and parental-verification processes proportionate to the product
If your product is used by students, minors, family accounts, gaming users, edtech users, or under-18 community members, do not assume the children provisions are irrelevant.
Significant Data Fiduciaries
Section 10 creates a higher compliance tier. The Central Government may notify a Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciaries based on factors such as data volume, sensitivity, risk to Data Principal rights, sovereignty and integrity of India, electoral democracy, security of the State, public order, and other relevant factors.
Additional SDF obligations include:
- appointing a Data Protection Officer
- appointing an independent data auditor
- conducting DPIA-style assessments
- undergoing periodic audits
- implementing other prescribed measures
SDF status depends on notification. Do not claim a business is or is not an SDF unless that position is properly supported. High-risk businesses should prepare.
For a deeper readiness guide, see: Significant Data Fiduciary Under DPDP.
DPDP Rules 2025 Timeline
The DPDP Rules 2025 operationalise the Act and phase implementation.
| Timeline | Business significance |
|---|---|
| November 2025 | Foundational rules and Data Protection Board framework begin. |
| November 2026 | Consent Manager registration framework begins. |
| May 2027 | Main Data Fiduciary obligations become enforceable; this is the date current implementation planning works to. |
The safest approach is to build and test before the final deadline. Consent, withdrawal, erasure, vendor action, rights requests, and breach response all require product and engineering work.
For the implementation plan, see: DPDP Rules 2025 Explained.
DPDP Penalties
The penalty schedule gives the Data Protection Board power to impose significant monetary penalties. The exact penalty depends on the breach, severity, mitigating factors, and Board process, but the maximum categories are important for risk planning.
| Non-compliance category | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | Up to Rs. 250 crore |
| Failure to notify the Board or affected Data Principals of a personal data breach | Up to Rs. 200 crore |
| Breach of additional obligations relating to children's data | Up to Rs. 200 crore |
| Breach of additional obligations by a Significant Data Fiduciary | Up to Rs. 150 crore |
| Breach of Data Principal duties under Section 15 | Up to Rs. 10,000 |
| Breach of other provisions or voluntary-undertaking terms | Up to Rs. 50 crore |
Penalties are not the only risk. DPDP failures can also create customer trust issues, enterprise sales blockers, procurement friction, and incident-response costs.
DPDP Compliance Checklist
Use this as a first-pass implementation checklist.
| Area | What to build |
|---|---|
| Data inventory | Map personal data categories, systems, purposes, vendors, retention. |
| Notices | Create standalone, purpose-specific DPDP notices. |
| Consent | Capture consent by purpose and notice version. |
| Withdrawal | Let users withdraw consent and propagate withdrawal downstream. |
| Legitimate uses | Document exact Section 7 grounds where consent is not used. |
| Rights | Build access, correction, erasure, grievance, and nomination workflows. |
| Retention | Define deletion/anonymisation triggers and legal-retention exceptions. |
| Security | Maintain safeguards, access controls, monitoring, and incident response. |
| Breach | Build 72-hour Board notification and affected-user notification workflows. |
| Vendors | Update processor contracts and vendor action SLAs. |
| Children's data | Identify child-user journeys and parental-consent needs. |
| SDF readiness | Assess scale, sensitivity, rights risk, and governance maturity. |
How DPDP Differs From GDPR
Many Indian businesses will use GDPR as a reference point, but the laws are not identical.
| Topic | DPDP | GDPR |
|---|---|---|
| Lawful bases | Consent and specific legitimate uses | Six lawful bases, including legitimate interests |
| Legitimate interest | No broad general balancing basis | Broad lawful basis with balancing test |
| Children's age | Under 18 | Usually under 16, with Member State variation |
| SDF concept | Specific Indian significant fiduciary tier | No direct equivalent; some similar governance concepts |
| Nomination right | Explicit right to nominate | No direct equivalent in the same form |
| Penalty structure | Schedule-based maximum penalties in rupees | Administrative fines tied to turnover and fixed caps |
Do not copy a GDPR privacy programme and call it DPDP compliance. Use GDPR maturity where helpful, but implement the DPDP-specific pieces directly.
FAQ
Is the DPDP Act in force?
The DPDP Act has been enacted, and the DPDP Rules 2025 provide the operational framework and phased commencement. Businesses should treat DPDP readiness as an active implementation priority.
Does DPDP apply to offline data?
The Act focuses on digital personal data. It can cover personal data collected in non-digital form if it is later digitised.
Does DPDP apply to foreign companies?
Yes, it can apply outside India where processing is connected with offering goods or services to Data Principals in India.
Is consent always required under DPDP?
No. Consent is the main basis, but Section 7 lists legitimate uses where personal data can be processed without consent. Those grounds are specific and should be documented carefully.
What is the highest DPDP penalty?
The highest listed maximum penalty is up to Rs. 250 crore for failure to take reasonable security safeguards to prevent a personal data breach.
What should businesses do first?
Start with a data inventory. You cannot fix notice, consent, rights, erasure, vendor contracts, or breach response until you know what personal data exists, why it exists, where it is stored, and who receives it.
Bottom Line
The DPDP Act 2023 is not just a privacy policy project. It is a data operations project.
Businesses need to know what personal data they process, why they process it, how consent or Section 7 applies, where the data is stored, which vendors touch it, how individuals can exercise rights, how deletion works, and how breach response will happen under pressure.
The organisations that build those systems early will be better placed for enforcement, enterprise procurement, investor diligence, and customer trust as DPDP awareness rises.
This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.