Full Impact Analysis

What DPDPA 2023 Means
for Your Business

India's first comprehensive data protection statute redefines how every organisation — from a two-person startup to a multinational conglomerate — must collect, process, store, and delete personal data. Non-compliance carries penalties up to ₹250 crore per instance. This analysis maps every material obligation to the specific statutory provision that creates it.

  • 12 Sections: covering every material obligation under DPDPA 2023
  • ₹250 Crore: maximum penalty per instance under The Schedule
  • 72 Hours: breach notification window under Rule 7
Scope & Applicability — Section 3

A statute with no revenue threshold, no employee-count exemption, and no small-business carve-out

"The Act applies to the processing of digital personal data within the territory of India — whether collected online or collected offline and subsequently digitised. Crucially, it also applies to processing outside India if that processing is in connection with offering goods or services to data principals within India."

This means a SaaS company in Delaware that accepts Indian customers, a Singaporean fintech that on-boards Indian KYC data, or an EU e-commerce platform shipping to Mumbai — all fall within the Act's jurisdictional reach. There is no revenue threshold. No employee-count exemption. No "small business" carve-out.

What Qualifies as "Digital Personal Data"

Section 2(n) defines personal data as any data about an individual who is identifiable by or in relation to such data. Section 2(h) clarifies that "digital personal data" means personal data in digital form. This is deliberately broad — IP addresses, device identifiers, biometric templates, email addresses, phone numbers, transaction records, and behavioural analytics data all qualify if they relate to an identifiable natural person.

Key Exclusion

Personal data processed by an individual for any personal or domestic purpose is excluded (Section 3 proviso). The Act also does not apply to data that has been effectively anonymised — though the statute conspicuously avoids defining anonymisation standards, leaving this to future rule-making.


Why This Matters

Four dimensions of business impact that every organisation must assess

Universal Jurisdiction

No size exemption and extraterritorial reach means every entity processing Indian personal data falls within scope — including overseas processors and cloud service providers.

Consent Granularity

Bundled consents are impermissible. Each processing purpose requires a distinct, itemised consent request — transforming how CRM, marketing, and analytics systems must operate.

Severe Penalties

Up to ₹250 crore per instance with cumulative liability. A single breach affecting multiple categories of non-compliance can attract compounding penalties under The Schedule.

Operational Mandate

72-hour breach notification, multilingual privacy notices in 22+ languages, verifiable parental consent for children's data — these are not aspirational. They are statutory requirements.

Statutory Obligations

Every material DPDPA obligation, mapped to its statutory provision

The following obligations apply to every Data Fiduciary operating within DPDPA's jurisdiction. Significant Data Fiduciaries face additional requirements under Section 10. Each obligation below is traced to the exact statutory provision that creates it.

Consent Architecture — Section 6

Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action (Section 6(1)). Each purpose of processing requires a distinct, itemised consent request. Bundled consents — the practice of seeking a single blanket authorisation for multiple purposes — are impermissible.

Data principals can withdraw consent at any time, with the same ease with which consent was given (Section 6(4)). Withdrawal does not affect prior processing, but the Data Fiduciary must cease processing and erase the data within a reasonable period.

DPDPA introduces Consent Managers (Section 6(8)–(9)) — registered entities enabling data principals to manage consents across multiple Data Fiduciaries through a single interface. The DPDP Rules 2025 prescribe ₹2 crore minimum net worth, interoperability standards, and audit obligations for Consent Managers.

Notice Obligations — Section 5

Before or at the time of collecting personal data, the Data Fiduciary must provide a notice containing: a description of personal data being collected, the specific purpose of processing, and the manner in which the data principal may exercise rights including the right to file a complaint with the Data Protection Board.

For legacy data (collected before commencement), the notice must be provided "as soon as it is reasonably practicable" (Section 5(2)). Rule 3 prescribes that such notice must be given within a reasonable time not exceeding the date notified by the Central Government.

The notice must be available in English and all 22 languages specified in the Eighth Schedule to the Constitution (Section 5(3)) — a significant localisation cost for organisations that have not previously maintained multilingual privacy disclosures.

Breach Notification — Section 8(6) & Rule 7

Upon a personal data breach, the Data Fiduciary must notify the Data Protection Board and each affected data principal "without delay" (Section 8(6)). Rule 7 requires notification within 72 hours of becoming aware of the breach.

Section 2(e) defines a "personal data breach" broadly — covering not just exfiltration, but also accidental data loss, ransomware encryption, and insider misuse. The notification must describe the nature of the breach, approximate number of data principals affected, possible consequences, and measures taken.

A 72-hour window demands incident response playbooks, pre-approved notification templates, established escalation hierarchies, and automated breach detection systems. "Awareness" is construed objectively based on when a reasonable organisation, maintaining adequate safeguards, ought to have detected the incident.

Data Protection Officer — Section 10(2)

Every Significant Data Fiduciary must appoint a Data Protection Officer (DPO) based in India who shall represent the SDF before the Board and be responsible for ensuring compliance. The DPO serves as the point of contact for the Data Protection Board and for data principals.

Unlike EU GDPR, DPDPA mandates a DPO only for Significant Data Fiduciaries. However, even non-Significant Data Fiduciaries would be well-advised to designate a privacy officer internally, given the compliance obligations and the penalty framework.

DPO responsibilities include: ensuring data processing compliance, serving as first escalation point for data principal grievances, coordinating with the Board during inquiries, and overseeing the DPIA process.

Significant Data Fiduciaries — Section 10(1)

The Central Government may designate certain Data Fiduciaries as Significant based on: volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order.

Significant Data Fiduciaries bear heightened obligations: appointing a DPO (Section 10(2)(a)), appointing an independent data auditor (Section 10(2)(b)), conducting periodic Data Protection Impact Assessments (Section 10(2)(c)), undertaking periodic audits, and publishing results in the prescribed manner.

If your organisation processes health data at scale, manages financial data for millions, operates a social media platform with a significant Indian user base, or handles government data under contract, building DPIA capability and appointing a qualified DPO should be an immediate priority.

Children's Data — Section 9

Processing personal data of a child (any individual under 18) requires verifiable consent of the parent or lawful guardian (Section 9(1)). The Data Fiduciary shall not undertake processing reasonably likely to cause any detrimental effect on the well-being of a child.

Tracking, behavioural monitoring, and targeted advertising directed at children are expressly prohibited (Section 9(3)–(4)). This impacts ed-tech platforms, gaming companies, social media platforms, and any digital service that knowingly engages minor users.

The Central Government may exempt certain Data Fiduciaries from verifiable parental consent and tracking prohibition if processing is verifiably safe and in the interest of the child (Section 9(5)).

Cross-Border Transfers — Section 16

DPDPA adopts a negative-list approach: personal data may be transferred to any country outside India, except those specifically restricted by the Central Government (Section 16). This is fundamentally different from the EU GDPR's adequacy-based system and is considerably more permissive in its default posture.

Until the Central Government publishes a restricted list, transfers to all jurisdictions are permissible. However, the Data Fiduciary remains responsible for ensuring comparable data protection. Sector-specific regulations (RBI data localisation directives, IRDAI and SEBI data residency expectations) continue to apply independently.

For detailed analysis, see our Data Adequacy Matrix and Cross-Border Transfers guidance.


Enforcement Framework

Legitimate uses, the penalty structure, and how the Board operates

Legitimate Uses Without Consent — Section 7

Not all processing requires consent. Section 7 provides for certain legitimate uses where processing is lawful without consent:

  • Voluntary provision — where the data principal has voluntarily provided data and has not indicated unwillingness to consent (Section 7(a)).
  • State functions — processing by or on behalf of the State for subsidies, benefits, services, licences, or permits (Section 7(b)).
  • Legal obligations — compliance with any judgement, order, or decree (Section 7(c)).
  • Medical emergencies — responding to a medical emergency involving a threat to life or health (Section 7(d)).
  • Employment — processing necessary for the purpose of employment, including safeguarding the employer from loss or liability (Section 7(e)).
  • Public interest — processing in the interest of prevention, detection, investigation, or prosecution of offences (Section 7(f)).

Government Exemptions — Section 17

Section 17 grants sweeping exemption powers to the Central Government. Processing may be exempted in the interest of: sovereignty and integrity of India, security of the State, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognisable offence. The breadth of these exemptions has been a subject of significant academic and judicial commentary.


Penalty Framework — Section 33 & The Schedule

Among the most stringent penalty structures in the world for a developing economy

Violation and maximum penalty:

  • Failure to take reasonable security safeguards (breach): ₹250 Crore
  • Failure to notify the Board and data principals of a breach: ₹200 Crore
  • Non-fulfilment of obligations regarding children's data: ₹200 Crore
  • Failure to comply with DPO / DPIA / audit obligations (SDF): ₹150 Crore
  • Any other non-compliance with the Act or Rules: ₹50 Crore
  • Data principal provides false information / suppresses material information: ₹10,000

These are per-instance penalties, not aggregate caps. A single breach affecting multiple categories of non-compliance can attract cumulative penalties. The Board determines the quantum based on the nature, gravity, and duration of the breach; the type and nature of personal data affected; repetitive nature of the default; and whether the Data Fiduciary made financial gain or avoided loss.


Data Protection Board of India — Sections 18–32

An independent adjudicatory body — not a traditional regulator

The Data Protection Board of India (DPBI) is established under Section 18. It does not issue binding guidance or conduct proactive audits. Its primary function is to adjudicate complaints filed by data principals and impose penalties.

Complaint Mechanism

A data principal must first exhaust the grievance redressal mechanism of the Data Fiduciary before approaching the Board (Section 13). Only after the Data Fiduciary fails to respond within the prescribed period or provides an unsatisfactory response may the data principal file a complaint.

Powers of the Board

The Board may inquire into complaints, direct urgent remedial measures during an ongoing breach, impose monetary penalties, and issue directions for compliance. Appeals lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29.

The Board is designed as a "digital office" — operating as a virtual body with proceedings conducted primarily through digital means, signalling swift, technology-driven adjudication.


Compliance Roadmap

Immediate action items and medium-term priorities for every Data Fiduciary

The Act received Presidential assent on 11 August 2023 and was published in the Gazette of India. The DPDP Rules 2025 were published in draft form in January 2025. The Central Government will notify the date of commencement — various provisions may be brought into force on different dates (Section 1(2)).

Data Mapping (Immediate)

Inventory every category of personal data collected, processed, and stored. Identify data flows including cross-border transfers and third-party processors. Without this foundational step, nothing else in the compliance programme rests on solid ground.

Consent Audit (Immediate)

Evaluate existing consent mechanisms against Section 6 requirements. Identify where bundled consents need to be unbundled, where additional granularity is required, and where legacy data requires retrospective notice under Section 5(2).

Privacy Notice Overhaul (Immediate)

Draft or revise privacy notices in English and all 22 scheduled languages as required by Section 5. This is an operational requirement with significant localisation cost implications.

Breach Response Preparedness (Immediate)

Establish a 72-hour incident response framework including detection, escalation, notification templates, and Board communication protocols. Test it through tabletop exercises before you need it in a live event.

Vendor Contracts (Immediate)

Review and amend all Data Processor agreements to include statutory obligations, breach notification pass-through, and audit rights as required under Section 8(2).

Children's Data Assessment (Immediate)

If your platform is accessed by users under 18, implement verifiable parental consent and disable tracking and behavioural advertising for minor users as required under Section 9.

Medium-Term Priorities
  • Evaluate whether your organisation is likely to be designated a Significant Data Fiduciary and, if so, begin building DPIA and audit infrastructure.
  • Appoint or designate a DPO (mandatory for SDFs, advisable for all).
  • Implement automated data retention and deletion workflows aligned with purpose limitation.
  • Train all personnel who handle personal data on DPDPA obligations.

Next Step

Need a DPDPA compliance assessment?

Our data protection team conducts end-to-end DPDPA readiness assessments — from data mapping and consent audits to breach response frameworks and Board representation. Write to us at [email protected] or connect through our practice team.