
DPDP Act 2023 Explained in Plain English

India finally has a data privacy law that means business. If your company collects, stores, or processes personal data of Indian users, you are now inside a legally enforceable privacy framework — with penalties that can reach ₹250 crore per violation. Here is what it means, who it applies to, and what to do right now.

By SecComply Compliance Team · 7 min read · March 2026 · India Compliance

India's DPDP Act 2023 — with DPDP Rules notified by MeitY in November 2025 — creates a legally enforceable privacy framework covering 850 million internet users and every company that touches their data.

DPDP Act 2023 — Key Facts at a Glance

Key milestones:

  • Aug 2023: Presidential Assent
  • Nov 2025: DPDP Rules notified by MeitY
  • 2026: DPB fully constituted
  • TBD: Consent Manager registry
  • TBD: Significant Data Fiduciary list
  • TBD: Enforcement begins

Penalty schedule:

  • Security safeguard failure → breach: ₹250 Cr
  • Failure to notify DPB + users after breach: ₹200 Cr
  • Violation of children's data obligations: ₹200 Cr
  • Failure to meet SDF obligations: ₹150 Cr
  • Failure to honour user rights: ₹50 Cr

⚠ Penalties can stack — a single breach can trigger multiple categories simultaneously.

Five core obligations:

  1. Lawful Basis: consent or legitimate use
  2. Notice: 22 Indian languages required
  3. User Rights: Access · Correct · Erase · Nominate
  4. Security Safeguards: proportionate to risk — highest penalty
  5. Breach Notification: notify DPB + users ASAP

DPDP Act 2023 at a glance — key milestones from Presidential Assent to enforcement, the full penalty schedule up to ₹250 crore, and the five core obligations every Data Fiduciary must satisfy.

850 million: internet users in India whose personal data is now governed by the DPDP Act (TRAI 2024)

₹250 Cr: maximum penalty per violation for security safeguard failures leading to a breach (DPDP Act 2023, Schedule)

22: Indian languages in which consent notices must be made available (DPDP Act 2023, Section 5)

What Is the DPDP Act?

The DPDP Act is India's first comprehensive, standalone data privacy law. Before it, India relied on Section 43A of the IT Act, 2000 — written before smartphones and cloud computing existed. For a country with 850 million internet users, that was never going to be enough.

The Act received Presidential assent in August 2023, and the DPDP Rules were notified by MeitY in November 2025. With the Rules in place, the compliance obligations are no longer theoretical — they are enforceable.

"The Act's core philosophy: personal data belongs to the individual, not the company that collects it. When your user gives you their phone number, they're granting a conditional licence — not ownership."

DPDP vs GDPR — Key Differences

DPDP draws from the EU's GDPR but is distinctly Indian. Key differences: a Consent Manager infrastructure with no GDPR equivalent, an 18-year threshold for children's data (vs 16 in GDPR), the Data Protection Board of India as the regulator (vs national DPAs in Europe), and a penalty structure denominated in crore rather than percentage of global turnover.

Who Does It Apply To?

Any entity — Indian or foreign — that processes digital personal data of individuals located within India. It doesn't matter where your company is registered or where your servers sit. If you process personal data of Indian users, you are in scope.

✓ In Scope

  • Indian startup collecting any user data
  • Foreign SaaS with Indian users
  • B2B company processing client employee data
  • 5-person startup — no size threshold
  • App collecting name, email, or phone

✗ Out of Scope

  • Processing only anonymised data
  • Personal data processed for personal or domestic purposes
  • Data of non-Indian users (different rules apply)

There Is No Size Threshold

Unlike some regulations that exempt small businesses, the DPDP Act has no minimum size or turnover threshold. A 5-person startup collecting user emails for a newsletter is a Data Fiduciary with the same core obligations as a large enterprise. The scale of penalties may differ, but the obligations do not.

Four Terms You Must Know

Before you can understand your obligations, you need to know which role you play. The DPDP Act defines four key parties — and your responsibilities depend entirely on which one you are.

Role 1

Data Principal

The individual whose personal data is being collected or processed. Your app user, your website visitor, your customer. They are the rights-holder under the Act — with rights to access, correction, erasure, and grievance redressal.

Role 2

Data Fiduciary

The entity that decides what personal data to collect, why, and how it is processed. Your company. As a Fiduciary you carry the primary compliance obligations — lawful basis, notice, security safeguards, and breach notification.

Role 3

Data Processor

A third party that processes personal data on your behalf — AWS, your CRM, your analytics tool. Processors carry contractual obligations from Fiduciaries but do not independently determine the purpose of processing.

Role 4 — India-Specific

Consent Manager

A registered intermediary that enables individuals to provide, manage, review, and withdraw consent across multiple platforms through a single interface. No direct GDPR equivalent. Consent Managers must be registered with the Data Protection Board.


The DPDP Act creates a structured relationship between Data Principals (users), Data Fiduciaries (your company), Data Processors (your vendors), and the new Consent Manager infrastructure unique to India.

Your Five Core Obligations

As a Data Fiduciary, these are the five obligations you must satisfy. Each one has a specific failure mode — the trap that catches most organisations that don't plan for it.

1. Lawful Basis

You must have a valid lawful basis before any processing begins. Under DPDP, the primary basis is consent — freely given, specific, informed, and unambiguous. Consent must be obtained through a clear affirmative action, not pre-ticked boxes or silence.

⚠ The Trap: No lawful basis = no processing. Pre-ticked consent boxes are explicitly prohibited.

2. Notice

You must provide a clear, plain-language notice explaining what data you collect, why, and how individuals can exercise their rights. The notice must be made available in all 22 scheduled Indian languages — not just English.

⚠ The Trap: English-only notices are non-compliant. This is one of the most commonly missed requirements.

3. User Rights

Data Principals have five rights: the right to access their data, the right to correction, the right to erasure, the right to raise a grievance, and the right to nominate someone to exercise rights on their behalf after death. You must build workflows for all five.

⚠ The Trap: Having a privacy policy without an operational mechanism to respond to rights requests is non-compliant.

4. Security Safeguards

You must implement reasonable technical and organisational safeguards proportionate to the sensitivity of the data you process. This is the obligation with the highest penalty — ₹250 crore for failures that lead to a breach. "Reasonable" will be assessed by the Data Protection Board based on what was practicable given your risk profile.

⚠ The Trap: Highest penalty under the Act. Having a firewall is not a defence if proportionate safeguards were not implemented.

5. Breach Notification

You must notify the Data Protection Board and affected Data Principals as soon as practicable after becoming aware of a breach. There is no fixed timeline in the Act itself — the DPDP Rules specify the notification requirements. Concealing or delaying notification is a separate violation.

⚠ The Trap: No hiding it, no delaying it. The notification obligation exists regardless of whether the breach was your fault.

The Penalty Schedule

The DPDP Act's penalties are structured by violation type — and critically, they can stack. A single breach incident can simultaneously trigger the security safeguards category, the breach notification category, and if any children's data was involved, the children's data category.

  • ₹250 Cr: Security safeguard failure leading to a personal data breach
  • ₹200 Cr: Failure to notify the Data Protection Board and affected users after a breach
  • ₹200 Cr: Violation of children's data obligations (processing without parental consent, behavioural tracking of minors)
  • ₹150 Cr: Failure to meet Significant Data Fiduciary (SDF) obligations — additional requirements for high-risk Fiduciaries
  • ₹50 Cr: Failure to honour Data Principal rights (access, correction, erasure, grievance, nomination)

Penalties Stack

A single breach incident that involves children's data and is not notified on time could simultaneously attract ₹250 Cr (security), ₹200 Cr (notification), and ₹200 Cr (children's data) — a theoretical maximum of ₹650 Cr from one event. The Data Protection Board has discretion on the actual penalty amount, but the stacking mechanism is explicit in the Act.

Your First 30 Days

You don't need to build a complete DPDP compliance programme overnight. But you do need to start moving — and the order matters. Here is the right sequence:

Week 1: Assign a Privacy Owner

Nothing moves without accountability. This person owns the programme, not just the policy document. For smaller organisations this is often the CISO, COO, or a senior founder.

Weeks 1–2: Run a data inventory

Map every type of personal data you collect, where it is stored, who has access, and what it is used for. This is the foundation of your entire DPDP programme — you cannot satisfy any obligation without knowing what data you hold.

Weeks 2–3: Audit and fix your consent flows

Pre-ticked boxes, bundled consent, and vague consent notices are the most common gap right now. Audit every form, checkout, sign-up, and marketing opt-in. Fix consent collection before anything else — it is the most visible obligation to regulators and users.

Weeks 3–4: Begin vendor DPA review

Every vendor that processes personal data on your behalf needs a Data Processing Agreement. Start with your highest-risk vendors (cloud infrastructure, CRM, analytics, payroll). This takes longest — begin early.

SecComply: DPDP Compliance Made Practical

SecComply helps Indian startups and enterprises build DPDP-compliant programmes from scratch — data inventory, consent flow audit, privacy notices in all required languages, vendor DPAs, and Data Protection Board readiness. We run DPDP programmes in parallel with ISO 27001 and SOC 2 to maximise efficiency across your compliance investment.

Get DPDP-Ready Before the DPB Comes Knocking

SecComply maps your current data practices against DPDP obligations, identifies gaps, and builds your compliance programme — data inventory, consent flows, vendor DPAs, and breach response all included.

Frequently Asked Questions

Does the DPDP Act apply to B2B companies?

Yes. If you process personal data of Indian individuals — including your clients' employees or end users — you are in scope. B2B SaaS companies are often Data Processors acting on behalf of clients who remain the Data Fiduciaries, and that role comes with its own contractual and operational requirements. There is no B2B exemption in the DPDP Act.

Is DPDP compliance the same as ISO 27001?

No. ISO 27001 is an information security standard — it addresses how you protect data assets. DPDP is a privacy regulation — it addresses your legal right to process personal data and what rights individuals have over it. There is meaningful overlap but one does not substitute for the other. Many organisations run both programmes in parallel efficiently.

What is the Data Protection Board of India?

The Data Protection Board (DPB) is India's data privacy regulator — equivalent to the UK's ICO or France's CNIL. It can receive user complaints, investigate violations, and levy penalties up to ₹250 crore. It operates with the powers of a civil court and was formally constituted following the notification of the DPDP Rules in November 2025.

What is a Consent Manager under the DPDP Act?

A Consent Manager is a registered intermediary that enables individuals to provide, manage, review, and withdraw consent across multiple platforms through a single interface. This is a uniquely Indian concept with no direct GDPR equivalent. Consent Managers must be registered with the Data Protection Board and meet specific technical and operational standards under the DPDP Rules.

What are the maximum penalties under the DPDP Act 2023?

The maximum penalty is ₹250 crore for security safeguard failures that lead to a data breach. Failure to notify the Data Protection Board and affected users carries up to ₹200 crore. Violations of children's data obligations also carry up to ₹200 crore. Penalties can stack — a single breach incident can simultaneously trigger the security, notification, and children's data categories.