The DPDP Act explained simply: the Digital Personal Data Protection Act, 2023 is India’s first dedicated personal data protection law, and it governs how any organisation collects, uses, stores and shares the digital personal data of people in India. It gives individuals (Data Principals) enforceable rights and puts hard obligations on the businesses that process their data (Data Fiduciaries), enforced by the Data Protection Board of India with penalties of up to ₹250 crore per breach. The DPDP Rules, 2025, notified on 13 November 2025, supply the operational detail, and most substantive obligations apply from around 13 May 2027.
That is the whole law in one paragraph. Now here is what it actually means for your business.
What is the DPDP Act?
The DPDP Act, 2023 (Act No. 22 of 2023) received Presidential assent on 11 August 2023. For two years it sat as a framework without operational detail. That changed when the Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules, 2025, which fill in the “how”: the content of notices, the mechanics of consent, security standards, breach reporting, retention triggers, and the duties of larger players.
The Act and the Rules must be read together. The Act sets the principles and the rights; the Rules tell you how to comply. Neither works without the other.
Who the DPDP Act applies to
If you handle the personal data of people in India, assume it applies to you. Under Section 3, the Act covers:
- Processing of digital personal data within India, whether collected in digital form or digitised later.
- Processing outside India that is connected with offering goods or services to people in India. This is the extraterritorial reach, and it means a foreign company with Indian users is in scope regardless of where its servers or headquarters sit.
It does not apply to personal data processed by an individual for purely personal or domestic purposes, or to personal data the individual has made publicly available themselves (or that someone else was under a legal obligation to make public).
One important point of design: the DPDP Act does not split data into “sensitive” and “non-sensitive” categories the way the older SPDI Rules did. Sensitivity still matters as a factor, for example in deciding what security measures are reasonable or who gets designated a Significant Data Fiduciary, but there is no separate legal tier for sensitive data.
The three players you need to know
- Data Principal: the individual the data is about. For a child under 18, this includes the parent or lawful guardian. For a person with a disability, it includes the lawful guardian.
- Data Fiduciary: the organisation that decides why and how personal data is processed. If you make those calls, this is you.
- Data Processor: a vendor that processes data on behalf of a Data Fiduciary, only under a contract.
The accountability sits with the Data Fiduciary. You can hand the work to a processor. You cannot hand over the responsibility.
The two lawful grounds for processing
This is where teams coming from GDPR get tripped up, so read it twice. Under Section 4, there are exactly two grounds on which you may process personal data. There is no third option.
- Consent (Section 4(a), with Sections 5 and 6).
- Certain legitimate uses (Section 4(b), listed in Section 7).
Consent
Consent under Section 6 must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action. Pre-ticked boxes, bundled permissions and “by using this site you agree” banners do not clear that bar. Before or alongside the consent request, Section 5 requires an itemised notice: what data you collect, the specific purpose, and a clear way to withdraw consent, exercise rights, and complain to the Board. Withdrawal must be as easy as giving consent.
Legitimate uses
Section 7 lists a closed set of nine legitimate uses where you may process without consent. Unlike GDPR’s “legitimate interests”, there is no balancing test. If your use case fits one of the nine, you are covered. If it does not, no amount of reasonableness rescues it, and you need consent. The nine grounds:
- Data the individual voluntarily provided for a specified purpose, where they have not objected to that use.
- The State providing a subsidy, benefit, service, certificate, licence or permit, as prescribed.
- Performance of a State function under law, or in the interest of the sovereignty, integrity and security of India.
- Compliance with a legal obligation to disclose information to the State or its instrumentalities.
- Compliance with a court judgment, decree or order.
- Responding to a medical emergency involving a threat to life or health.
- Providing medical treatment or health services during an epidemic or threat to public health.
- Ensuring safety or providing assistance during a disaster or breakdown of public order.
- Employment purposes, including safeguarding the employer from loss or liability, protecting trade secrets and intellectual property, and providing services or benefits sought by an employee.
One subtle trap: the “voluntarily provided” ground in Section 7(a) is the broadest and the most argued-over. The Act’s own illustration is a customer who hands a pharmacy her details and asks for a receipt; the pharmacy may process them to send the receipt. But if the pharmacy asks for the details first, many readings say you are back to needing consent. The practical rule is simple: when in doubt, get consent. Section 7 only changes the consent question, not the rest of your obligations. Security, retention, rights and grievance handling all still apply.
What you must do as a Data Fiduciary
The full working list lives in our DPDP compliance checklist. In short, every Data Fiduciary must:
- Serve a clear, standalone, itemised notice and obtain valid consent (or rely on a legitimate use).
- Honour Data Principal rights (access, correction, erasure, grievance, nomination).
- Implement reasonable security safeguards (encryption, access controls, logging, one-year log retention).
- Notify affected individuals and the Board of any personal data breach without delay, and file a detailed report with the Board within 72 hours.
- Apply retention and erasure limits, deleting data once the purpose is served.
- Resolve grievances within 90 days.
- Bind every processor by contract.
- Obtain verifiable parental consent before processing the data of anyone under 18.
The rights the law gives individuals
The Act puts the Data Principal at the centre. Under Sections 11 to 14, every individual has the right to:
- Access a summary of the personal data you hold and how you process it.
- Correct, complete, update and erase their data.
- Grievance redressal through an accessible channel.
- Nominate someone to exercise their rights in the event of death or incapacity.
Build the workflows to honour these on request, with identity checks and a clear service level. Rights you cannot fulfil are rights you are violating.
Bigger players, bigger duties
The Act creates a second tier called the Significant Data Fiduciary (SDF), designated by the Central Government for organisations whose scale or sensitivity creates heightened risk. SDFs carry extra duties: an India-based Data Protection Officer, an independent auditor, an annual Data Protection Impact Assessment, algorithmic due diligence, and possible data localisation. If that might be you, read our guide to Significant Data Fiduciaries.
The Board, and what non-compliance costs
The Data Protection Board of India is the enforcement body. It is digital-first: it receives breach notifications, investigates complaints, issues directions and imposes penalties. The provisions constituting the Board took effect on notification of the Rules, so it is already operational and complaint mechanisms are live.
Penalties sit in the Schedule to the Act and can be imposed per breach, so a single incident can attract more than one penalty.
| Failure | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards | Up to ₹250 crore |
| Failure to notify a personal data breach | Up to ₹200 crore |
| Breach of children’s-data obligations | Up to ₹200 crore |
| Breach of additional SDF obligations | Up to ₹150 crore |
| Any other breach of the Act or Rules | Up to ₹50 crore |
| Breach of a Data Principal’s own duties | Up to ₹10,000 |
When it all kicks in
The Rules switch on in phases from the 13 November 2025 notification:
- Immediate: definitions, the Data Protection Board, Board procedures.
- November 2026: Consent Manager registration.
- Around 13 May 2027: the substantive obligations, namely notice, consent, security safeguards, breach reporting, retention, Data Principal rights, grievance redressal, SDF duties and cross-border rules.
Treat 2026 as your build year. There is no confirmed extension.
How to get ready
Knowing the law is the easy part. Knowing where your business stands against it is what actually moves you forward. The free Axiom DPDP readiness assessment takes a few minutes and shows you exactly which obligations you already meet and which need work. If you would rather have it handled, Axiom’s DPDP compliance service takes you from gap assessment to working controls.
FAQs
Is the DPDP Act in force now?
Yes, in phases. The DPDP Rules, 2025 were notified on 13 November 2025, which fully operationalised the Act. Some provisions, including the Data Protection Board, are already live. Most substantive obligations apply from around 13 May 2027, with Consent Manager registration opening in November 2026.
Does the DPDP Act apply to small businesses and startups?
Yes. The Act applies to any Data Fiduciary processing the personal data of people in India, with no general turnover or size exemption. Smaller organisations face the same baseline duties, though only those designated as Significant Data Fiduciaries carry the extra tier. Certain narrow exemptions exist, including the government’s power to exempt notified classes of fiduciaries, so check your specific position.
What is the difference between the DPDP Act and the DPDP Rules?
The DPDP Act, 2023 sets the principles, rights and obligations. The DPDP Rules, 2025 provide the operational detail: how notices must read, how consent works, what security measures are expected, and how breaches are reported. You comply with both, read together.
How is the DPDP Act different from GDPR?
The biggest practical difference is lawful basis. GDPR offers six, including a flexible “legitimate interests” test. The DPDP Act offers only two: consent, or one of nine closed legitimate uses, with no balancing test. India’s penalty ceilings are also high in absolute terms, up to ₹250 crore, and the State enjoys broader processing grounds than under GDPR.
What happens if my business does not comply?
The Data Protection Board can investigate and impose financial penalties after inquiry, up to ₹250 crore for security failures and ₹200 crore for breach-reporting failures, applied per violation. A single incident can attract more than one penalty at once. The Board weighs the nature, gravity and duration of the breach and any prior history.
See where you actually stand
The free Axiom DPDP readiness assessment turns this guide into your number, your gaps, and your next move, in a few minutes.
Take the free assessment