What is the DPDP Act?
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's comprehensive data privacy law, enacted on 11 August 2023. It governs how organisations — called Data Fiduciaries — collect, process, and store personal data of Indian citizens (Data Principals).
Unlike earlier sector-specific regulations (like RBI or SEBI guidelines), the DPDP Act applies broadly across industries — making it the most significant data compliance obligation for Indian businesses since the IT Act of 2000.
Key fact
The DPDP Act applies to personal data processed in India AND to personal data of Indian citizens processed outside India if it involves offering goods or services to Indian residents.
Who must comply?
If your organisation processes any personal data of Indian citizens — including employees, customers, patients, students, or guests — you are likely a Data Fiduciary under the DPDP Act.
The law defines two categories:
- Data Fiduciaries: Any entity that determines the purpose and means of data processing. Most businesses fall in this category.
- Significant Data Fiduciaries (SDFs): Large-scale processors or those handling sensitive categories of data. SDFs face additional obligations including Data Protection Impact Assessments and Data Protection Officers.
- Data Processors: Third parties that process data on behalf of Data Fiduciaries (e.g., payroll vendors, cloud providers). They are bound by the Fiduciary's obligations.
In practical terms, compliance is required for hotels, hospitals, schools, manufacturing companies, startups, enterprises — any organisation that handles employee or customer personal data.
Key obligations under the DPDP Act
1. Consent Management
Personal data can only be processed with the Data Principal's free, specific, informed, unconditional, and unambiguous consent. Consent must be in plain language, and Data Principals must be able to withdraw consent at any time. Organisations must maintain records of all consents obtained.
2. Notice Requirements
Before collecting personal data, organisations must provide a clear notice to the Data Principal specifying: what data is being collected, the purpose of processing, the rights available to them, and how to file a complaint.
3. Data Principal Rights
Under the DPDP Act, every Indian citizen whose data you process has the right to:
- Access information about their personal data being processed
- Correct inaccurate personal data
- Erase their personal data (Right to Erasure)
- Nominate another person to exercise rights on their behalf
- File a grievance with the organisation or with the Data Protection Board
Organisations must have a defined process to fulfil these requests — typically within 30 days.
4. Data Minimisation & Purpose Limitation
You may only collect personal data that is necessary for the stated purpose. Using data collected for one purpose for a different purpose (without fresh consent) is a violation.
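The consent-record duty in section 1 and the purpose-limitation rule above are usually enforced together, as a gate in front of every processing job. The following is an added illustration, not code from the page or from any product it mentions: a small append-only consent ledger that records which purposes a Data Principal agreed to and against which notice version, supports withdrawal without deleting history, and answers "may I process this record for this purpose right now?" while logging every decision. All identifiers (`EMP-0042`, `notice-v1`, the purpose names) are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass
class ConsentRecord:
    """One consent event, bound to the notice text the Data Principal actually saw."""
    principal_id: str
    purposes: frozenset            # purposes consented to, e.g. {"payroll"}
    notice_version: str            # version of the notice shown at collection time
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        return self.given_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


class ConsentLedger:
    """Append-only consent store plus a purpose-bound processing gate (hypothetical design)."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []
        self.audit_log: list[dict] = []   # every event and decision, never pruned

    @staticmethod
    def _now(at: Optional[datetime]) -> datetime:
        return at or datetime.now(timezone.utc)

    def record_consent(self, principal_id: str, purposes, notice_version: str,
                       at: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(principal_id, frozenset(purposes), notice_version, self._now(at))
        self._records.append(rec)
        self.audit_log.append({"event": "consent_given", "principal": principal_id,
                               "purposes": sorted(rec.purposes), "notice": notice_version,
                               "at": rec.given_at.isoformat()})
        return rec

    def withdraw(self, principal_id: str, at: Optional[datetime] = None) -> int:
        """Withdraw every active consent of the principal; history is kept, not deleted."""
        when = self._now(at)
        count = 0
        for rec in self._records:
            if rec.principal_id == principal_id and rec.active(when):
                rec.withdrawn_at = when
                count += 1
        self.audit_log.append({"event": "consent_withdrawn", "principal": principal_id,
                               "records": count, "at": when.isoformat()})
        return count

    def check(self, principal_id: str, purpose: str,
              at: Optional[datetime] = None) -> tuple[bool, str]:
        """Purpose-limitation gate: is there an active consent that covers this purpose?"""
        when = self._now(at)
        mine = [r for r in self._records if r.principal_id == principal_id]
        if not mine:
            verdict = (False, "no consent on record")
        elif not any(r.active(when) for r in mine):
            verdict = (False, "consent withdrawn")
        elif not any(r.active(when) and purpose in r.purposes for r in mine):
            verdict = (False, f"purpose '{purpose}' not covered by any active consent")
        else:
            verdict = (True, "ok")
        self.audit_log.append({"event": "processing_check", "principal": principal_id,
                               "purpose": purpose, "allowed": verdict[0],
                               "reason": verdict[1], "at": when.isoformat()})
        return verdict


def process_for_purpose(ledger: ConsentLedger, principal_id: str, purpose: str,
                        action: Callable[[], object]):
    """Run `action` only if the ledger allows it; refuse loudly otherwise."""
    allowed, reason = ledger.check(principal_id, purpose)
    if not allowed:
        raise PermissionError(f"{principal_id}/{purpose}: {reason}")
    return action()


def demo() -> dict:
    """Constructed scenario: one employee, three gate decisions, one withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 4, 1, tzinfo=timezone.utc)
    # Constructed: employee EMP-0042 accepted notice-v1 for payroll and attendance only.
    ledger.record_consent("EMP-0042", {"payroll", "attendance"}, "notice-v1", at=t0)
    results = {
        "payroll": ledger.check("EMP-0042", "payroll", at=t0),
        # Same data, different purpose: refused until fresh consent is recorded.
        "marketing": ledger.check("EMP-0042", "marketing", at=t0),
    }
    ledger.withdraw("EMP-0042", at=datetime(2024, 6, 1, tzinfo=timezone.utc))
    results["payroll_after_withdrawal"] = ledger.check(
        "EMP-0042", "payroll", at=datetime(2024, 6, 2, tzinfo=timezone.utc))
    results["audit_events"] = len(ledger.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the design is that consent is stored per purpose and per notice version rather than as a single yes/no flag, so a later use of the same data for a new purpose fails the gate instead of silently succeeding, and withdrawal takes effect on the next check without erasing the evidence of what was consented to and when.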
5. Security Safeguards
Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches. While the Act does not prescribe specific technical standards, alignment with ISO 27001 or NIST controls is recommended.
6. Data Breach Notification
In case of a personal data breach, Data Fiduciaries must notify both the affected Data Principals and the Data Protection Board of India. The Act does not prescribe a specific timeline in the base text, but draft rules suggest notification within 72 hours of becoming aware of a breach.
7. Data Processor Management
All third-party vendors that process personal data on your behalf must be bound by a Data Processing Agreement (DPA). You remain accountable for how your processors handle data.
8. Cross-Border Data Transfers
Personal data can be transferred to countries notified by the Government of India. Transfers to other jurisdictions require appropriate safeguards. The approved country list is still being finalised by the government.
Penalties for non-compliance
The DPDP Act prescribes substantial financial penalties. The Data Protection Board of India determines penalties after due process.
| Violation | Maximum Penalty |
|---|---|
| Failure to implement security safeguards leading to a breach | ₹250 crore |
| Failure to notify breach to Board or Data Principal | ₹200 crore |
| Non-fulfilment of Data Principal rights obligations | ₹150 crore |
| Failure to comply with Data Protection Board orders | ₹150 crore |
| Other violations of Act provisions | ₹50 crore |
8-Step DPDP Compliance Roadmap
1. Data Discovery & Inventory
Map all personal data you collect, process, and store. Identify data categories, sources, and storage locations across systems.
2. Consent Framework Design
Design DPDP-compliant consent notices for each data collection touchpoint. Implement a consent management system to record and manage consents.
3. Data Principal Rights Process
Establish processes to receive, verify, and fulfil access, correction, erasure, and nomination requests from Data Principals.
4. Data Processor Management
Audit all third-party vendors. Execute Data Processing Agreements. Assess each processor's data security practices.
5. Security Controls Implementation
Implement encryption, access controls, monitoring, and vulnerability management to protect personal data against breaches.
6. Breach Response Plan
Develop a data breach detection, containment, and notification procedure aligned with DPDP Act requirements.
7. Privacy Governance & Policies
Update your Privacy Policy, Data Retention Policy, and internal data handling procedures. Train employees on DPDP obligations.
8. Ongoing Compliance Monitoring
Implement a compliance dashboard to track control status, manage expiring consents, log data requests, and generate audit reports.
DPDP Compliance Software
Managing DPDP compliance manually — across spreadsheets, emails, and documents — is operationally unsustainable for any organisation with more than a handful of employees. A purpose-built DPDP compliance management platform automates the critical workflows:
- Automated data inventory and classification
- Consent collection, storage, and withdrawal management
- Data Principal rights request workflow with audit trail
- Data processor register and DPA management
- Compliance score dashboard and board-ready reporting
- Breach notification workflow
NeevCore DPDP Compliance Platform
India's purpose-built DPDP compliance management platform. Built specifically for Indian organisations, with all 8 compliance workflows included out of the box.