
DPDPA Compliance Requirements in India
Every obligation the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 place on a Data Fiduciary — notice, consent, rights, breach, children’s data, Significant Data Fiduciary duties and cross-border transfers — mapped to the precise statutory provision. Built for compliance teams, General Counsel and Boards that need certainty, not summaries.
What DPDPA Actually Requires of You
DPDPA does not regulate documents — it regulates conduct. Compliance is not the act of publishing a privacy policy; it is the ability to prove, at any moment, that every item of personal data you hold was collected on a lawful basis, used only for a notified purpose, secured against breach, and erased when its purpose ended. The requirements below are the operating system of that proof.
There is no revenue threshold in the Act. Whether you are a startup, a global enterprise, or a foreign company offering goods or services to users in India under Section 3(b), the same statutory obligations attach. The one carve-out is Section 17(3), under which the Central Government may, by notification and having regard to the volume and nature of data processed, relieve specified classes of Data Fiduciaries (expressly including startups) of certain obligations such as notice under Section 5 and the right of access under Section 11; unless a notification actually covers you, assume full applicability. What differs is scale and risk, not whether the law applies.
Enforcement defence depends on contemporaneous evidence. The organisations that survive a Data Protection Board inquiry are not the ones with the best intentions — they are the ones with the records.
The Eight Pillars of DPDPA Compliance
Notice to Data Principals
Before or at the time of collecting personal data, every Data Fiduciary must give an itemised notice describing the personal data collected, the purpose of processing, the manner of exercising rights, and the manner of complaining to the Data Protection Board. Where consent was obtained before commencement, a fresh notice must be issued.
- Itemised description of personal data
- Specified purpose for each item
- Mechanism to withdraw consent
- Mechanism to complain to the Board
- Available in English and the Eighth Schedule languages
Lawful Basis — Consent or Legitimate Use
Processing requires consent that is free, specific, informed, unconditional and unambiguous with a clear affirmative action, or reliance on a defined legitimate use under Section 7 (such as a voluntarily provided purpose, employment, or a medical emergency). Consent must be as easy to withdraw as to give.
- Granular, purpose-specific consent capture
- Withdrawal as easy as giving consent
- Consent records and audit trail
- Legitimate-use justification where consent is not used
- Consent Manager integration where applicable
Data Fiduciary General Obligations
The Data Fiduciary is accountable for compliance even when a processor handles the data. It must ensure accuracy where data is used for decisions affecting the Data Principal, implement reasonable security safeguards, erase data once the purpose is served or consent is withdrawn, and maintain records demonstrating compliance.
- Accountability for processors
- Data accuracy and completeness
- Reasonable security safeguards
- Purpose-limitation and erasure
- Demonstrable compliance records
Personal Data Breach Notification
On becoming aware of a personal data breach, the Data Fiduciary must notify the Data Protection Board and every affected Data Principal in the form and manner prescribed by Rule 7 of the DPDP Rules, 2025. Rule 7 requires intimation without delay to each affected Data Principal (describing the breach, its likely consequences, the mitigation measures taken and a contact point) and to the Board, followed by fuller particulars to the Board within 72 hours of becoming aware of the breach, or such longer period as the Board allows on request. There is no materiality threshold: every personal data breach must be notified, so the incident-response playbook, not the legal team's judgement on severity, is what starts the clock.
- Intimation to affected Data Principals
- Intimation to the Data Protection Board
- Description, consequences and mitigation
- Breach register and incident playbook
- Detection and escalation procedures
Data Principal Rights
Data Fiduciaries must enable Data Principals to obtain access to a summary of their data and processing, seek correction, completion, updating and erasure, access a readily available grievance redressal mechanism, and nominate another individual to exercise rights in case of death or incapacity.
- Right to access information
- Right to correction and erasure
- Grievance redressal mechanism
- Right of nomination
- Defined response timelines (Rule 13 sets an outer limit of 90 days)
Children’s Data Protection
For Data Principals below 18, the Data Fiduciary must obtain verifiable consent of a parent or lawful guardian before processing, and must not undertake processing likely to cause a detrimental effect on a child's well-being, nor tracking, behavioural monitoring or targeted advertising directed at children, subject to the exemptions for specified classes of Data Fiduciary and specified purposes prescribed under the Rules. Rule 10 governs how the parent's identity and age are to be verified, which in practice means an age-assurance step in the onboarding flow, not a self-declared checkbox.
- Verifiable parental consent
- Age-verification mechanism
- No behavioural tracking of children
- No targeted advertising to children
- Prescribed exemptions where applicable
Significant Data Fiduciary Duties
Where the Central Government notifies an entity or class of entities as a Significant Data Fiduciary under Section 10, having regard among other factors to the volume and sensitivity of data processed and the risk to the rights of Data Principals, additional obligations apply: appointment of an India-based Data Protection Officer who answers to the Board of Directors and is the point of contact for grievances, appointment of an independent data auditor, and periodic Data Protection Impact Assessments and audits, with the results reported to the Data Protection Board.
- India-based Data Protection Officer
- Independent data auditor
- Data Protection Impact Assessment
- Periodic compliance audit
- Enhanced due-diligence measures
Cross-Border Data Transfers
DPDPA permits transfer of personal data outside India except to countries or territories the Central Government restricts by notification (Section 16). Section 16(2) preserves any existing law that imposes a higher degree of protection or restriction, so sector-specific localisation rules continue to apply alongside the Act. Data Fiduciaries must therefore map international data flows, monitor the restricted-territory position, and ensure that sectoral localisation rules continue to be met.
- International data-flow mapping
- Restricted-territory monitoring
- Sectoral localisation alignment
- Intra-group transfer framework
- Processor and sub-processor controls
From Requirements to Readiness
Data Discovery & Records of Processing
Build a complete inventory of personal data — what you collect, why, where it resides, who it is shared with, and how long it is retained. This record is the evidentiary foundation for every other requirement.
Lawful Basis & Consent Architecture
Map each processing activity to a lawful basis under Sections 6 or 7, then design notice and consent flows that are granular, withdrawable, and logged with an auditable trail.
Rights, Grievance & Nomination
Stand up operational workflows for access, correction, erasure, grievance redressal and nomination under Sections 11 to 14, with defined ownership and response timelines.
Security, Breach & Vendor Governance
Implement reasonable security safeguards, a tested breach-response playbook satisfying Section 8(6) and Rule 7, and processor agreements that pass accountability obligations down the chain.
SDF Readiness & Continuous Assurance
Prepare for Significant Data Fiduciary obligations, conduct periodic impact assessments and audits, and maintain a living compliance record that evolves with guidance and enforcement.
Map Your DPDPA Compliance Requirements
Tell us about your processing activities. A senior practitioner will return a scoped requirement map and gap view within one working day.
What practitioners and boards are asking
What are the core compliance requirements under the DPDPA 2023?
A Data Fiduciary must satisfy eight statutory pillars: serve an itemised notice (Section 5); obtain free, specific, informed, unconditional and unambiguous consent or rely on a legitimate use (Sections 6 and 7); implement reasonable security safeguards to prevent personal data breach (Section 8(5)); notify every personal data breach to the Data Protection Board and affected Data Principals (Section 8(6) read with Rule 7); honour Data Principal rights of access, correction, erasure and grievance redressal (Sections 11 to 14, with Rule 13 prescribing the response timeline); obtain verifiable parental consent and refrain from tracking or targeted advertising directed at children (Section 9 read with Rule 10); discharge Significant Data Fiduciary obligations including appointing an India-based DPO, conducting DPIAs and annual audits (Section 10 read with Rule 12); and comply with cross-border transfer restrictions (Section 16).
Is DPDPA compliance mandatory yet, and what is the timeline?
The Act received Presidential assent on 11 August 2023. The Digital Personal Data Protection Rules, 2025 were notified on 13 November 2025 and bring the Act into force in phases: the provisions establishing the Data Protection Board took effect on notification; the Consent Manager registration provisions follow twelve months later; and the substantive obligations on Data Fiduciaries (notice, consent, security, breach notification, rights, children's data and Significant Data Fiduciary duties) become enforceable eighteen months after notification, in May 2027. Organisations should treat the present period as the build window, because remediation of consent systems, processor contracts and breach machinery cannot be completed at short notice.
What is the penalty for failing the DPDPA compliance requirements?
The Schedule to the DPDPA prescribes financial penalties that may extend to Rs 250 crore per contravention, with failure to take reasonable security safeguards under Section 8(5) carrying the highest exposure; failure to notify a breach and contraventions of the children's-data obligations each carry up to Rs 200 crore. A single breach event can therefore trigger multiple, cumulative penalty heads (for example, inadequate safeguards and a missed breach notification). The Data Protection Board determines quantum case by case under Section 33, after giving the person an opportunity to be heard, weighing the nature, gravity and duration of the contravention, the type of personal data affected, whether the contravention is repetitive, any gain realised or loss avoided, the mitigation steps taken and their timeliness, and the proportionality of the penalty.
Do the compliance requirements apply to foreign companies?
Yes. Section 3(b) extends the Act extraterritorially to any entity, anywhere, that processes digital personal data in connection with offering goods or services to individuals in India. The full compliance stack — notice, consent, security, breach notification and cross-border rules — applies identically to offshore entities, and the penalty exposure is the same as for domestic Data Fiduciaries.