What the Digital Personal Data Protection Act, 2023 Means for Your Business
India's first comprehensive data protection statute redefines how every organisation — from a two-person startup to a multinational conglomerate — must collect, process, store, and delete personal data. Non-compliance carries penalties up to ₹250 crore per instance. This analysis maps every material obligation to the specific statutory provision that creates it.
Scope & Applicability (Section 3)
The Act applies to the processing of digital personal data within the territory of India — whether collected online or collected offline and subsequently digitised. Crucially, it also applies to processing outside India if that processing is in connection with offering goods or services to data principals within India (Section 3(b)). There is no revenue threshold, no employee-count exemption, and no "small business" carve-out.
This means a SaaS company in Delaware that accepts Indian customers, a Singaporean fintech that on-boards Indian KYC data, or an EU e-commerce platform shipping to Mumbai — all fall within the Act's jurisdictional reach.
What Qualifies as "Digital Personal Data"
Section 2(n) defines personal data as any data about an individual who is identifiable by or in relation to such data. Section 2(h) clarifies that "digital personal data" means personal data in digital form. This is deliberately broad — IP addresses, device identifiers, biometric templates, email addresses, phone numbers, transaction records, and behavioural analytics data all qualify if they relate to an identifiable natural person.
Key Exclusion
Personal data processed by an individual for any personal or domestic purpose is excluded (Section 3 proviso). The Act also does not apply to data that has been effectively anonymised — though the statute conspicuously avoids defining anonymisation standards, leaving this to future rule-making.
Consent Architecture (Section 6)
Consent under DPDPA must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action (Section 6(1)). This is not a "browse-wrap" or "implied consent" regime. Each purpose of processing requires a distinct, itemised consent request. Bundled consents — the practice of seeking a single blanket authorisation for multiple purposes — are impermissible.
Granularity Requirement
The consent request must be accompanied by an itemised description of personal data sought and the purpose of processing. If your organisation processes data for marketing, analytics, and service delivery, three separate consent items are needed. A single "I agree" checkbox covering all three would violate Section 6.
Withdrawal of Consent (Section 6(4)–(6))
Data principals can withdraw consent at any time, with the same ease with which consent was given. Withdrawal does not affect the lawfulness of processing done prior to withdrawal, but the Data Fiduciary must cease processing and, absent any other lawful basis, erase the data within a reasonable period. This creates an operational mandate: your systems must support granular consent withdrawal and cascading data deletion.
Consent Managers (Section 6(8)–(9))
DPDPA introduces the concept of Consent Managers — entities registered with the Data Protection Board that act as intermediaries enabling data principals to manage their consents across multiple Data Fiduciaries through a single interface. The DPDP Rules 2025 prescribe detailed requirements for Consent Manager registration, including a minimum net worth of ₹2 crore, interoperability standards, and audit obligations.
Notice Obligations (Section 5)
Before or at the time of collecting personal data, the Data Fiduciary must provide a notice containing: a description of the personal data being collected, the specific purpose of processing, and the manner in which the data principal may exercise rights under the Act including the right to file a complaint with the Data Protection Board.
For data collected before the commencement of the Act (legacy data), the Data Fiduciary must provide the notice "as soon as it is reasonably practicable" (Section 5(2)). The DPDP Rules 2025 (Rule 3) prescribe that such notice must be given within a reasonable time not exceeding the date notified by the Central Government.
Language & Accessibility
The notice must be available in English and all 22 languages specified in the Eighth Schedule to the Constitution (Section 5(3)). This is an operational requirement with significant localisation cost implications for organisations that have not previously maintained multilingual privacy disclosures.
Breach Notification (Section 8(6) & Rule 7)
Upon a personal data breach, the Data Fiduciary must notify the Data Protection Board and each affected data principal in the prescribed form and manner "without delay" (Section 8(6)). Rule 7 of the DPDP Rules 2025 further requires notification within 72 hours of becoming aware of the breach.
What Constitutes a "Breach"
Section 2(e) defines a "personal data breach" as any unauthorised processing, accidental or unlawful disclosure, use, alteration, destruction, or loss of access to personal data that compromises its confidentiality, integrity, or availability. This is significantly broader than many international counterparts — it captures not just exfiltration, but also accidental data loss, ransomware encryption, and insider misuse.
Notification Content
The notification must describe the nature of the breach, the approximate number of data principals affected, possible consequences, and measures taken or proposed. The Data Protection Board may, upon receiving notification, direct the Data Fiduciary to take specific remedial actions, publish the breach on its website, or adopt additional safeguards.
Operational Imperative
A 72-hour window demands that organisations maintain incident response playbooks, pre-approved notification templates, established escalation hierarchies, and automated breach detection systems. Discovering a breach six months after it occurred does not reset the clock — "awareness" is construed objectively based on when a reasonable organisation, maintaining adequate safeguards, ought to have detected the incident.
Data Protection Officer (Section 10(2))
Every Significant Data Fiduciary must appoint a Data Protection Officer (DPO) based in India who shall represent the Significant Data Fiduciary before the Board and be responsible for ensuring compliance. The DPO serves as the point of contact for the Data Protection Board and for data principals.
Unlike the EU GDPR, DPDPA does not currently mandate a DPO for all Data Fiduciaries — only for those designated as "Significant." However, even non-Significant Data Fiduciaries would be well-advised to designate a privacy officer internally, given the compliance obligations and the penalty framework.
DPO Responsibilities
The DPO must ensure that the organisation's data processing activities comply with the Act, serve as the first point of escalation for data principal grievances, coordinate with the Data Protection Board during inquiries or breach investigations, and oversee the Data Protection Impact Assessment process for Significant Data Fiduciaries.
Significant Data Fiduciaries (Section 10)
The Central Government may notify certain Data Fiduciaries as Significant Data Fiduciaries based on criteria including: volume and sensitivity of personal data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order (Section 10(1)).
Additional Obligations
Significant Data Fiduciaries bear heightened obligations: appointing a DPO based in India (Section 10(2)(a)), appointing an independent data auditor (Section 10(2)(b)), conducting periodic Data Protection Impact Assessments (Section 10(2)(c)), undertaking periodic audits, and publishing the results in the prescribed manner. The DPDP Rules 2025 detail the DPIA methodology and audit frequency.
If your organisation is likely to be designated — whether because you process health data at scale, manage financial data for millions, operate a social media platform with significant Indian user-base, or handle government data under contract — building DPIA capability and appointing a qualified DPO should be an immediate priority.
Children's Data (Section 9)
Processing personal data of a child (any individual under 18 years) requires verifiable consent of the parent or lawful guardian (Section 9(1)). The Data Fiduciary shall not undertake processing that is reasonably likely to cause any detrimental effect on the well-being of a child.
Prohibitions
Tracking, behavioural monitoring, and targeted advertising directed at children are expressly prohibited (Section 9(3)–(4)). This impacts ed-tech platforms, gaming companies, social media platforms, and any digital service that knowingly engages minor users.
Exemptions for Certain Classes
The Central Government may exempt certain Data Fiduciaries from the verifiable parental consent requirement and the tracking prohibition if the processing is verifiably safe and in the interest of the child (Section 9(5)). The DPDP Rules 2025 provide a framework for applying for such exemptions, particularly relevant for educational institutions and healthcare providers.
Cross-Border Data Transfers (Section 16)
DPDPA adopts a negative-list approach: personal data may be transferred to any country or territory outside India, except those specifically restricted by the Central Government (Section 16). This is fundamentally different from the EU GDPR's adequacy-based system and is considerably more permissive in its default posture.
Practical Implications
Until the Central Government publishes a restricted list, transfers to all jurisdictions are permissible. However, organisations should not treat this as carte blanche. The Data Fiduciary remains responsible for ensuring that the overseas recipient provides a comparable degree of data protection. Moreover, sector-specific regulations (such as RBI data localisation directives for financial data) continue to apply independently.
Interaction with Other Laws
The negative-list model must be read alongside existing localisation mandates: RBI's 2018 directive requires that payment system data be stored exclusively in India; IRDAI and SEBI have their own data residency expectations. A compliant cross-border transfer strategy under DPDPA must therefore be layered with sectoral compliance.
For a detailed comparison of cross-border mechanisms across jurisdictions, see our Data Adequacy Matrix and Global Compliance Landscape analysis.
Legitimate Uses & Exemptions (Sections 7, 17)
Not all processing requires consent. Section 7 provides for certain legitimate uses where processing is deemed lawful without consent:
- Voluntary provision — where the data principal has voluntarily provided data and has not indicated unwillingness to consent (Section 7(a)).
- State functions — processing by or on behalf of the State for subsidies, benefits, services, licences, or permits (Section 7(b)).
- Legal obligations — compliance with any judgement, order, or decree (Section 7(c)).
- Medical emergencies — responding to a medical emergency involving a threat to the life or health of the data principal or another individual (Section 7(d)).
- Employment — processing necessary for the purpose of employment, including safeguarding the employer from loss or liability (Section 7(e)).
- Public interest — processing in the interest of prevention, detection, investigation, or prosecution of offences (Section 7(f)).
Government Exemptions (Section 17)
Section 17 grants sweeping exemption powers to the Central Government. Processing may be exempted from the provisions of the Act in the interest of: sovereignty and integrity of India, security of the State, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognisable offence. The breadth of these exemptions has been a subject of significant academic and judicial commentary.
Penalty Framework (Section 33 & Schedule)
The penalty structure under DPDPA is among the most stringent in the world for a developing economy:
| Violation | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards (breach) | ₹250 Crore |
| Failure to notify the Board and data principals of a breach | ₹200 Crore |
| Non-fulfilment of obligations regarding children's data | ₹200 Crore |
| Failure to comply with DPO/DPIA/audit obligations (Significant Data Fiduciaries) | ₹150 Crore |
| Any other non-compliance with the Act or Rules | ₹50 Crore |
| Data principal provides false information / suppresses material information | ₹10,000 |
These are per-instance penalties, not aggregate caps. A single breach affecting multiple categories of non-compliance can attract cumulative penalties. The Board determines the quantum based on the nature, gravity, and duration of the breach; the type and nature of personal data affected; repetitive nature of the default; and whether the Data Fiduciary made financial gain or avoided loss.
Data Protection Board of India (Sections 18–32)
The Data Protection Board of India (DPBI) is established as an independent adjudicatory body under Section 18. It is not a regulator in the traditional sense — it does not issue binding guidance or conduct proactive audits. Its primary function is to adjudicate complaints filed by data principals and impose penalties.
Complaint Mechanism
A data principal must first exhaust the grievance redressal mechanism of the Data Fiduciary before approaching the Board (Section 13). Only after the Data Fiduciary fails to respond within the prescribed period or provides an unsatisfactory response may the data principal file a complaint with the Board.
Powers of the Board
The Board may inquire into complaints, direct urgent remedial or mitigation measures during an ongoing data breach, impose monetary penalties, and issue directions for compliance. Appeals against the Board's decisions lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29.
The Board is designed to be a "digital office" — operating as a virtual body with proceedings conducted primarily through digital means. This signals an intent toward swift, technology-driven adjudication.
Compliance Roadmap
The Act received Presidential assent on 11 August 2023 and was published in the Gazette of India. The DPDP Rules 2025 were published in draft form in January 2025. The Central Government will notify the date of commencement — various provisions may be brought into force on different dates (Section 1(2)).
Immediate Action Items
- Data mapping — Inventory every category of personal data collected, processed, and stored. Identify data flows including cross-border transfers and third-party processors.
- Consent audit — Evaluate existing consent mechanisms against Section 6 requirements. Identify where bundled consents need to be unbundled, where additional granularity is required, and where legacy data requires retrospective notice.
- Privacy notice overhaul — Draft or revise privacy notices in English and all 22 scheduled languages as required by Section 5.
- Breach response preparedness — Establish a 72-hour incident response framework including detection, escalation, notification templates, and Board communication protocols.
- Vendor contracts — Review and amend all Data Processor agreements to include statutory obligations, breach notification pass-through, and audit rights.
- Children's data assessment — If your platform is accessed by users under 18, implement verifiable parental consent and disable tracking/behavioural advertising for minor users.
Medium-Term Priorities
- Evaluate whether your organisation is likely to be designated a Significant Data Fiduciary and, if so, begin building DPIA and audit infrastructure.
- Appoint or designate a DPO (mandatory for SDFs, advisable for all).
- Implement automated data retention and deletion workflows aligned with purpose limitation.
- Train all personnel who handle personal data on DPDPA obligations.