AMLEGALS
DPDPA Lawyers in India - AMLEGALS counsel-led data protection advisory
DPDPA 2023 — All 44 Sections, 22 Rules

DPDPA Lawyers in India

India's Digital Personal Data Protection Act, 2023 imposes statutory obligations on every entity that determines the purpose and means of processing personal data. AMLEGALS provides counsel-led advisory across the full statutory landscape — from gap analysis through evidence-ready implementation.

Topics: Data Fiduciary, Consent, Breach Response, SDF, Cross-Border, Children's Data, DPO, DPA
01 — Definition

What is the Digital Personal Data Protection Act, 2023?

Counsel-led DPDPA advisory — 27+ years of regulatory practice across 10 offices

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive legislation governing the processing of digital personal data. Enacted on 11 August 2023 and operationalised through the DPDP Rules, 2025 (notified 21 March 2025), the Act establishes a consent-based framework with statutory obligations on Data Fiduciaries, rights for Data Principals, and enforcement through the Data Protection Board of India.

The Act comprises 44 Sections across 8 Chapters, supplemented by 22 Rules that prescribe operational detail for consent management, breach notification, children's data protection, Significant Data Fiduciary obligations, and cross-border transfers.

The enforcement deadline is 13 May 2027. Entities that process personal data of individuals within India — regardless of where the processing occurs — must achieve compliance by this date.

44 Sections across 8 Chapters
22 Rules (DPDP Rules, 2025)
Rs 250 Cr maximum penalty under the Schedule
13 May 2027 enforcement deadline

02 — Legal Obligation

What the Law Requires of a Data Fiduciary

Every entity that determines the purpose and means of processing personal data is a Data Fiduciary under Section 2(i) of the DPDPA. The Act imposes the following categories of obligation:

Lawful Processing (Section 4)

Personal data may be processed only for a lawful purpose with the consent of the Data Principal, or for certain legitimate uses under Section 7.

Notice & Consent (Sections 5-6)

Data Fiduciaries must provide an itemised notice describing each purpose before or at the time of seeking consent. Consent must be free, specific, informed, unconditional, and unambiguous.

Security Safeguards (Section 8(1))

Reasonable security safeguards to protect personal data — technical and organisational measures proportionate to the volume, sensitivity, and risk profile of processing.

Processor Governance (Section 8(2)-(3))

Data Fiduciaries remain responsible for processing by Data Processors. Contractual frameworks (DPAs) must impose equivalent obligations.

Breach Notification (Section 8(6), Rule 7)

Notify the Data Protection Board and each affected Data Principal in the prescribed form and manner upon becoming aware of a personal data breach.

Data Principal Rights (Sections 11-14)

Right to access, correction, erasure, grievance redressal, and nomination. Each right has prescribed response timelines under the Rules.

Children's Data (Section 9, Rules 10-12)

Verifiable parental consent before processing children's data. Prohibition on tracking, behavioural monitoring, and targeted advertising directed at children.

Cross-Border Transfers (Section 16)

Personal data may be transferred outside India to any country except those restricted by the Central Government through notification.

SDF Obligations (Section 10, Rules 11-15)

Significant Data Fiduciaries face enhanced obligations: DPO appointment, independent Data Auditor, periodic DPIA, and algorithmic risk assessment.

03 — Business Risk

Why Non-Compliance is Not an Option

The DPDPA creates a regulatory architecture where non-compliance produces cascading consequences. The Data Protection Board has adjudicatory power to impose penalties specified in the Schedule, but financial exposure is only part of the risk landscape.

An organisation that cannot demonstrate compliance controls — consent records, breach response logs, vendor DPAs, security documentation — faces the burden of proving its defence before the Board. The absence of evidence is itself evidence of non-compliance.

Regulatory Penalty

Penalties up to Rs 250 Cr under the Schedule. Separate penalties for each category of contravention.

Reputational Damage

Board orders are public. Breach notifications reach affected Data Principals directly. No confidential settlement mechanism.

Operational Disruption

Board may direct cessation of specific processing activities. Consent withdrawal cascades can halt business-critical data flows.

Contractual Exposure

Enterprise clients and foreign counterparties increasingly require DPDPA compliance certifications. Non-compliance disqualifies vendors from procurement processes.

04 — AMLEGALS Capability

Counsel-Led DPDPA Advisory

AMLEGALS brings 27+ years of counsel-led regulatory practice to DPDPA compliance. The advisory covers every stage from initial gap analysis through Board-ready evidence systems, delivered by practitioners with statutory depth across all 44 Sections and 22 Rules.

DPDPA Gap Analysis & Compliance Assessment

Full-scope audit against all 44 Sections and 22 Rules. Maps current state to statutory requirements. Produces prioritised remediation roadmap with timeline and resource estimates.

Tags: All 44 Sections, 22 Rules, Gap Mapping

Consent Architecture Design

Designs granular consent flows that satisfy Section 6, withstand withdrawal cascades, and integrate with Consent Managers under Rules 3-4. Purpose-specific, itemised, freely given.

Tags: Sections 5-7, Rules 3-4, Consent Manager

Data Processing Agreements

Drafts and negotiates DPAs that allocate Fiduciary-Processor obligations under Section 8(2). Covers sub-processor controls, audit rights, breach notification escalation, and data return/deletion.

Tags: Section 8(2)-(3), Vendor Governance, Sub-Processor

Breach Response Protocol

Builds incident classification, internal escalation, Board notification, and Data Principal communication protocols aligned to Section 8(6) read with Rule 7. Includes tabletop exercises.

Tags: Section 8(6), Rule 7, Board Notification

Significant Data Fiduciary Advisory

Prepares organisations for SDF designation or proactive compliance. DPO appointment, DPIA process design, Data Auditor engagement, algorithmic risk assessment, and Board reporting frameworks.

Tags: Section 10, Rules 11-15, DPO, DPIA

Cross-Border Transfer Advisory

Maps data flows, assesses restricted jurisdiction exposure, designs contractual transfer mechanisms, and monitors Government notifications under Section 16.

Tags: Section 16, Restricted Jurisdictions, Transfer Mapping

Evidence-Ready Methodology

Every advisory engagement produces artefacts that serve as compliance evidence before the Data Protection Board — consent records, DPA registers, breach logs, DPIA documentation, training records, and Board-ready compliance reports. The distinction between paper compliance and evidence-ready compliance is the distinction that matters when enforcement begins.

05 — Obligation-Control-Evidence Matrix

DPDPA Compliance Control Matrix

Each statutory obligation maps to a specific compliance control and evidence artefact. This is how AMLEGALS structures every engagement — obligation by obligation, evidence by evidence.

Each entry below lists the obligation, its Section / Rule, the compliance control, the evidence artefact, and the non-compliance risk.

Consent Collection & Management
Section / Rule: Sections 5-6, Rules 3-4
Control: Granular consent architecture with itemised purpose, withdrawal mechanism, and audit trail
Evidence: Consent records, CMP configuration, withdrawal logs, Section 5 notice
Non-Compliance Risk: Invalid processing basis — entire data estate potentially unlawful

Data Fiduciary Security
Section / Rule: Section 8(1)
Control: Reasonable security safeguards — technical and organisational measures proportionate to risk
Evidence: Security policy, encryption standards, access control logs, penetration test reports
Non-Compliance Risk: Penalties up to Rs 250 Cr (Schedule) for breach caused by inadequate safeguards

Breach Notification
Section / Rule: Section 8(6), Rule 7
Control: Incident detection, classification, and notification protocol to Board and Data Principals
Evidence: Breach response plan, notification templates, incident log, Board submission records
Non-Compliance Risk: Separate penalty for failure to notify — independent of breach itself

Data Processor Governance
Section / Rule: Section 8(2)-(3)
Control: Contractual framework (DPA) with processor obligations, sub-processor controls, audit rights
Evidence: Executed DPAs, vendor register, audit reports, sub-processor approval records
Non-Compliance Risk: Data Fiduciary remains responsible for processor failures — effectively non-delegable

Data Principal Rights
Section / Rule: Sections 11-14
Control: Request intake, identity verification, response workflow within prescribed timelines
Evidence: Rights request log, response records, correction/erasure confirmation, grievance resolution records
Non-Compliance Risk: Complaint to Board triggers regulatory scrutiny of entire compliance programme

Children's Data
Section / Rule: Section 9, Rules 10-12
Control: Age verification, verifiable parental consent, prohibited processing restrictions
Evidence: Age gate implementation, parental consent records, processing restriction configuration
Non-Compliance Risk: Heightened penalties for contravention involving children's data under the Schedule

Cross-Border Transfers
Section / Rule: Section 16
Control: Transfer mechanism mapping, restricted jurisdiction monitoring, contractual safeguards
Evidence: Transfer register, jurisdiction assessment, contractual clauses, Government notification tracking
Non-Compliance Risk: Transfers to restricted jurisdictions render processing unlawful

SDF Enhanced Obligations
Section / Rule: Section 10, Rules 11-15
Control: DPO appointment, Data Auditor, DPIA process, algorithmic risk assessment, periodic audit
Evidence: DPO appointment letter, audit reports, DPIA documentation, Board reporting records
Non-Compliance Risk: Multiple concurrent penalty exposure for each unfulfilled enhanced obligation

06 — Frequently Asked Questions

DPDPA Compliance — Key Questions

What does a DPDPA lawyer do in India?

A DPDPA lawyer advises organisations on compliance with India's Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. This includes mapping Data Fiduciary obligations across all 44 Sections, designing consent architecture under Sections 5-7, drafting Data Processing Agreements under Section 8(2), establishing breach notification protocols under Section 8(6) read with Rule 7, advising on Significant Data Fiduciary obligations under Section 10, and preparing organisations for regulatory scrutiny by the Data Protection Board of India.

When should an organisation engage a DPDPA lawyer?

Before the enforcement deadline of 13 May 2027. However, compliance readiness requires structural changes — consent re-architecture, vendor governance frameworks, breach response protocols, and documentation systems — that take 6 to 12 months to implement properly. Engaging DPDPA counsel early allows a phased, evidence-ready implementation rather than a rushed, documentation-only exercise.

What is the penalty for non-compliance with DPDPA?

Penalties under the DPDPA are specified in the Schedule to the Act and may extend up to Rs 250 crore, determined by the Data Protection Board on a case-by-case basis. The Board considers factors including the nature of the contravention, seriousness, prior contraventions, and whether the entity took steps to mitigate the breach.

What is the difference between a Data Fiduciary and a Significant Data Fiduciary?

Every entity that determines the purpose and means of processing personal data is a Data Fiduciary under Section 2(i). A Significant Data Fiduciary (SDF) is notified by the Central Government under Section 10 based on volume and sensitivity of data, risk to Data Principals, and impact on sovereignty. SDFs face enhanced obligations including mandatory DPO, independent Data Auditor, periodic DPIA, and algorithmic risk assessment.

Does DPDPA apply to foreign companies operating in India?

Yes. Section 3(b) gives the Act extraterritorial reach — it applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals within India. Foreign companies with Indian customers, employees, vendors, or operations must comply regardless of server location.

How does AMLEGALS approach DPDPA compliance?

AMLEGALS follows an evidence-ready compliance methodology that maps every obligation under all 44 Sections and 22 Rules to specific controls and evidence artefacts. This includes gap analysis, consent architecture, vendor governance, breach response protocols, documentation systems, Board-ready compliance reporting, and ongoing advisory.

07 — Priority Action

Assess Your DPDPA Compliance Position

The enforcement deadline is 13 May 2027. Evidence-ready compliance takes 6 to 12 months. Confidential. Counsel-led. Statutory basis from the first engagement.

Insights & Answers

What practitioners and boards are asking

What qualifies a law firm to advise on DPDPA compliance in India?

Effective DPDPA advisory requires statutory depth across all 44 Sections and 22 Rules, combined with practical experience in consent architecture, vendor governance, breach response, and regulatory engagement. The law firm should be able to map obligations to controls and produce evidence artefacts that withstand Data Protection Board scrutiny — not merely generate policy documents.

What is the timeline for DPDPA enforcement in India?

The enforcement deadline for the Digital Personal Data Protection Act, 2023 is 13 May 2027. The DPDP Rules, 2025 were notified on 21 March 2025. Organisations that process personal data of individuals within India must achieve compliance by the enforcement date. Evidence-ready implementation typically requires 6 to 12 months of structured effort.

How does the DPDPA penalty framework work?

Penalties are specified in the Schedule to the DPDPA and are determined by the Data Protection Board of India on a case-by-case basis. The maximum penalty may extend up to Rs 250 crore. Separate penalties apply for different categories of contravention — including failure to implement security safeguards, failure to notify breaches, and non-compliance with children’s data obligations. The Board considers factors such as nature of contravention, seriousness, and prior compliance history.

What is evidence-ready compliance under DPDPA?

Evidence-ready compliance means every statutory obligation is mapped to a specific control and supported by a documented evidence artefact — consent records, DPA registers, breach notification logs, DPIA documentation, training records, and Board-ready compliance reports. This approach ensures the organisation can demonstrate compliance when questioned by the Data Protection Board, rather than merely possessing policy documents that have never been operationalised.