DPDP Act 2023 Explained: What Every Indian Company Must Know
A plain-English guide to the Digital Personal Data Protection Act 2023 — scope, key obligations, penalties, and what Indian B2B companies must do now.
- The DPDP Act 2023 received Presidential assent on 11 August 2023 and applies to all digital personal data processed in India.
- Any entity that determines the purpose and means of processing personal data is a "Data Fiduciary" and bears primary obligations.
- Penalties reach up to ₹250 crore for a single breach of consent obligations and up to ₹200 crore for failing to notify a data breach.
- The Data Protection Board of India will adjudicate complaints and impose financial penalties.
- Significant Data Fiduciaries face additional obligations: data audits, Data Protection Impact Assessments, and a Data Protection Officer.
Background and Legislative Journey
India's Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent on 11 August 2023, making it the country's first dedicated data protection legislation. The road to this law was long — a Supreme Court ruling in 2017 (Justice K.S. Puttaswamy v. Union of India) established privacy as a fundamental right, which catalysed legislative action. Three earlier draft bills — in 2018, 2019, and 2022 — were withdrawn before the 2023 version was passed.
Unlike the IT Act 2000 and its Rules, which addressed data protection only partially and through delegated legislation, the DPDP Act is a standalone statute. It creates a rights-based framework modelled loosely on GDPR but calibrated for India's digital economy context, retaining flexibility for government to operationalise obligations through rules rather than embedding every detail in the Act itself.
As of April 2026, the DPDP Rules 2025 (draft) have been published for public consultation. Once the Rules are finalised and notified, the compliance clock starts ticking in earnest. Companies that wait for full notification before beginning will not have enough time.
Scope and Territorial Applicability
Section 3 of the DPDP Act defines its applicability. The Act applies to the processing of digital personal data where: (a) the data is collected within India in digital form, or collected in non-digital form and subsequently digitised; or (b) the processing takes place outside India but is connected with offering goods or services to Data Principals in India.
This extraterritorial reach — similar to GDPR's Article 3 — means a US-based SaaS company serving Indian enterprise customers must comply with the DPDP Act if it processes personal data of Indian residents. For Indian companies, virtually all data processing will fall within scope.
Importantly, the Act does not apply to personal data processed by an individual for personal or domestic purposes, or to data that has been made publicly available by the Data Principal themselves or under a legal obligation. Central and State Government processing is covered but the Central Government may grant exemptions through notification.
Key Definitions You Must Know
"Personal data" under Section 2(t) means any data about an identifiable individual — broader than the IT Act's "sensitive personal data." There is no separate "sensitive" category in the DPDP Act; the Act instead creates heightened obligations for children's data and for Significant Data Fiduciaries.
"Data Fiduciary" (Section 2(i)) is any person who, alone or in conjunction with others, determines the purpose and means of processing personal data. This is the primary obligated party — analogous to a "data controller" under GDPR. Every company that decides why and how personal data is used is a Data Fiduciary.
"Data Processor" (Section 2(k)) processes data on behalf of a Data Fiduciary. Unlike GDPR, the DPDP Act places almost no direct statutory obligations on Data Processors — their obligations flow contractually from the Data Fiduciary. "Data Principal" (Section 2(j)) is the individual to whom the data relates, including, in the case of children, their parents or guardians.
Core Obligations for Data Fiduciaries
Section 4 establishes the foundational rule: personal data may only be processed for a lawful purpose with the consent of the Data Principal, or for certain legitimate uses specified in the Act (e.g., employment, state functions, medical emergencies). Every processing activity must have a clear legal basis.
Section 5 requires a privacy notice — clear, standalone, and available in English or any of the 22 scheduled languages — that explains what data is collected, the purpose, and the Data Principal's rights. The notice must be given before or at the time of seeking consent.
Sections 8 and 9 impose obligations of data accuracy, security safeguards, and data erasure when the purpose is served. Section 10 creates the Significant Data Fiduciary category with extra obligations. Sections 11-13 codify Data Principal rights: right to access, right to correction and erasure, right to grievance redressal, and right to nominate.
Penalty Structure
Schedule 1 of the DPDP Act lays out financial penalties. The highest penalty — up to ₹250 crore — applies to breaches of obligations regarding children's data (Section 9) and breaches of consent obligations (Section 6). Failure to implement reasonable security safeguards leading to a data breach attracts a penalty of up to ₹250 crore.
Failure to notify the Data Protection Board and affected Data Principals of a breach (Section 8(6)) can attract a penalty of up to ₹200 crore. Non-fulfilment of Data Principal rights and grievance redressal obligations can attract up to ₹10,000 per instance. Breach of any other provision not specifically scheduled attracts up to ₹50 crore.
Penalties are assessed by the Data Protection Board after an inquiry. The Board considers factors including the nature, gravity, and duration of the breach; the type of personal data affected; the number of Data Principals affected; whether the breach was intentional; and what remediation steps were taken.
The Data Protection Board
Chapter VI of the DPDP Act establishes the Data Protection Board of India as the adjudicatory body. The Board will hear complaints from Data Principals, conduct inquiries, and impose financial penalties. It operates independently from the regulatory functions of MEITY (Ministry of Electronics and Information Technology).
The Board has powers to call for information, conduct hearings, and direct remediation. Appeals from Board orders go to the High Court. The Board is not yet fully constituted as of April 2026 — its formation is expected once the Rules are finalised — but companies should not use this as a reason to delay compliance.
What Indian Companies Must Do Now
Start with a data mapping exercise: catalogue every category of personal data you collect, where it is stored, who processes it, and for what purpose. This forms the foundation of your DPDP compliance programme and will feed your privacy notices, consent mechanisms, and security controls.
Review your existing consent flows, privacy policies, and third-party contracts. Most companies will need to update cookie consent banners, registration forms, and vendor agreements before the Act becomes enforceable. Appoint a point of contact for data protection — even if you are not yet classified as a Significant Data Fiduciary, having internal ownership is critical.
Platforms like AuditPath let you map DPDP obligations to controls, track evidence, and maintain the audit trail the Data Protection Board may request during an inquiry. Starting your compliance programme now, rather than waiting for the Rules to be finalised, means you will not be scrambling when enforcement begins.
Frequently Asked Questions
Is the DPDP Act 2023 in force right now?
Does the DPDP Act apply to B2B data — i.e., employee and business contact data?
What is the difference between a Data Fiduciary and a Data Processor under the DPDP Act?
How does the DPDP Act differ from the IT Act and its Rules?
What should be my first step towards DPDP compliance?