Part of our Compliance & Regulation series
India DPDP Act 2023: Digital Personal Data Protection Compliance
India's Digital Personal Data Protection Act 2023 (DPDP Act), enacted on August 11, 2023, represents a landmark shift in India's approach to privacy regulation. After nearly a decade of legislative deliberation — including the Justice Srikrishna Committee report (2017), multiple draft Personal Data Protection Bills, and a Supreme Court judgment affirming privacy as a fundamental right (Justice K.S. Puttaswamy vs. Union of India, 2017) — India now has a comprehensive, enforceable data protection framework.
The DPDP Act introduces concepts such as "data fiduciary," "data principal," and "consent manager," establishes the Data Protection Board of India (DPBI) as the enforcement authority, and sets financial penalties of up to ₹250 crore (~$30 million USD) per violation. The Act is now in force, and its implementing rules are expected to be finalised and notified in 2025–2026.
Key Takeaways
- The DPDP Act 2023 applies to digital personal data processing in India and extraterritorially for services offered to Indian individuals
- Consent is the primary legal basis, supplemented by "legitimate uses" for specific purposes (employment, legal proceedings, public interest)
- "Significant Data Fiduciaries" face heightened obligations including DPIA requirements and appointment of an independent Data Auditor
- The Data Protection Board of India (DPBI) is the enforcement authority with powers to investigate, adjudicate, and impose penalties
- Maximum penalty is ₹250 crore (~$30 million) per violation; penalties are cumulative for multiple violations
- Cross-border data transfers are permitted to all countries except those specifically restricted by Central Government notification
- Data principals (individuals) have rights to access, correction, erasure, nomination, and grievance redressal
- Implementing rules (yet to be finalised) will specify key operational requirements including consent notice format, retention periods, and Significant Data Fiduciary criteria
DPDP Act 2023: Framework Overview
Key Terminology
The DPDP Act introduces its own terminology distinct from GDPR-influenced frameworks:
- Personal data: Any data about an individual who is identifiable by or in relation to such data
- Digital personal data: Personal data in digital form, or non-digital personal data subsequently digitised
- Data principal: The individual to whom the personal data relates (equivalent to GDPR's "data subject")
- Data fiduciary: Any person who alone or in conjunction with others determines the purpose and means of processing (equivalent to GDPR's "data controller")
- Data processor: A person who processes personal data on behalf of a data fiduciary
- Significant data fiduciary (SDF): A data fiduciary designated by the Central Government based on volume/sensitivity of data, risk to data principals, national security considerations, and other criteria
Scope
The DPDP Act applies to:
- Processing of digital personal data within India
- Processing of digital personal data outside India — if it is for the purpose of offering goods or services to data principals in India
Exemptions: Processing for personal or domestic purposes; personal data made publicly available by the data principal themselves or for which the data principal is legally required to make public.
Consent as the Foundation
Unlike most global data protection laws with multiple equal legal bases, the DPDP Act makes consent the primary legal basis, supplemented by "legitimate uses" for specific enumerated categories. This is a fundamental design choice with significant practical implications.
Consent Requirements
Consent under the DPDP Act must be:
- Free: No coercion or conditionality
- Specific: For each described purpose
- Informed: Based on a clear consent notice
- Unconditional: Not contingent on providing more data than necessary
- Unambiguous: Clear affirmative action
Consent notice requirements (Sections 5 and 7): Before seeking consent, data fiduciaries must provide a notice containing:
- Description of personal data to be processed
- Purpose of processing
- Manner in which data principal can exercise rights
- Manner in which grievances can be raised with the data fiduciary
- Manner in which complaints can be made to the DPBI
Notices must be in English and the languages specified in the Eighth Schedule of the Constitution (22 official languages) — a significant operational requirement for consumer-facing businesses.
Consent managers: The DPDP Act introduces consent managers — registered entities who act as intermediaries managing consent on behalf of data principals. Data principals can manage their consents across multiple data fiduciaries through a single consent manager. This is an innovative mechanism unique to India's framework.
Legitimate Uses (Section 7)
Processing without consent is permitted for specific "legitimate uses":
- State functions: Processing by state instrumentalities for providing subsidies, benefits, services, certificates, licences
- Medical emergency: Treatment of medical emergency threatening life or immediate health risk
- Epidemic/disaster: Response to epidemics, pandemics, or disasters
- Employment purposes: Processing for performing obligations or exercising rights under law in relation to employment (including pre-employment vetting)
- Court orders: Processing required by court orders
- Research and statistics: Processing for prevention/detection of fraud, credit scoring, legal research, statistical purposes — within prescribed standards
- Fair and reasonable purposes: Processing for purposes specified by Central Government as fair and reasonable
Data Principal Rights
The DPDP Act grants data principals the following rights (Sections 11–14):
| Right | Description | Mechanism |
|---|---|---|
| Right to access | Obtain summary of personal data being processed, identities of all data fiduciaries with whom data has been shared, other information as prescribed | Request to data fiduciary |
| Right to correction and erasure | Correct inaccurate data; erase data no longer serving original purpose or if consent withdrawn | Request to data fiduciary |
| Right to grievance redressal | Readily available means of grievance redressal; response within prescribed period | Grievance officer contact |
| Right to nominate | Nominate a person to exercise rights in case of death or incapacity | Nomination process |
Notable absence: The DPDP Act does not include explicit rights to portability, restriction, or objection to automated decision-making in the same form as GDPR. The Central Government's implementing rules may address some of these through prescribed standards.
Response timeline: The Act does not specify timelines — these are expected to be prescribed in implementing rules. Data fiduciaries must acknowledge complaints within a prescribed period and resolve them within another prescribed period.
Data Fiduciary Obligations
General Obligations (Section 8)
All data fiduciaries must:
- Maintain data accuracy (completeness, accuracy, consistency with purpose)
- Implement data security safeguards including encryption, access controls, and incident response
- Delete personal data when purpose is fulfilled or consent is withdrawn (unless legal obligation requires retention)
- Designate a grievance officer, or an equivalent officer or mechanism, to handle data principal complaints
- Not process children's data without verifiable parental consent (for children under 18)
- Not track or monitor children's behaviour or target advertising at children
Children's Data Protection
The DPDP Act has strict provisions for children's data (individuals below 18):
- Processing requires verifiable parental consent
- Prohibition on tracking, behavioural monitoring, and targeted advertising directed at children
- No processing of children's data harmful to their well-being
The implementing rules will specify the technical mechanism for verifiable parental consent — this is a significant UX and technical challenge for consumer apps.
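As an added illustration of the consent requirements, notice elements and children's-data provisions described above (example code written for this guide, not the page's or ECOSIRE's own implementation), the following Python validator checks a consent record against those rules and decides whether a requested processing purpose may proceed. The record fields, the decision labels and the sample records are assumptions; the Act's rules will prescribe the actual notice format.

```python
from dataclasses import dataclass

# Elements a consent notice must contain before consent is sought (the five
# items listed under Sections 5 and 7 above); names are this example's own.
REQUIRED_NOTICE_ELEMENTS = {
    "data_description", "purpose", "rights_procedure",
    "fiduciary_grievance_procedure", "dpbi_complaint_procedure",
}


@dataclass
class ConsentRecord:
    principal_id: str
    principal_age: int
    notice_elements: set        # elements the notice actually contained
    notice_languages: set       # languages the notice was offered in
    purposes: list              # each purpose consented to, described specifically
    affirmative_action: bool    # explicit click/tick, never a pre-checked box
    conditional_on_extra_data: bool  # consent tied to data beyond what is needed
    parental_consent_verified: bool = False
    withdrawn: bool = False
    legal_retention_required: bool = False  # a legal obligation forces retention


def validate_consent(rec: ConsentRecord) -> list:
    """Return the list of DPDP problems found; an empty list means usable consent."""
    problems = []
    missing = REQUIRED_NOTICE_ELEMENTS - set(rec.notice_elements)
    if missing:
        problems.append(f"notice missing elements: {sorted(missing)}")
    if "English" not in rec.notice_languages:
        problems.append("notice not available in English")
    if not rec.purposes or any(not p.strip() for p in rec.purposes):
        problems.append("consent must be specific to a described purpose")
    if not rec.affirmative_action:
        problems.append("consent requires a clear affirmative action")
    if rec.conditional_on_extra_data:
        problems.append("consent conditioned on more data than necessary")
    if rec.principal_age < 18 and not rec.parental_consent_verified:
        problems.append("child data: verifiable parental consent required")
    if rec.withdrawn:
        problems.append("consent has been withdrawn")
    return problems


def processing_decision(rec: ConsentRecord, purpose: str) -> str:
    """Decide what the fiduciary may do: 'process', 'refuse', 'erase' or
    'retain_legal_only' (withdrawn consent, but retention is legally required)."""
    if rec.withdrawn:
        return "retain_legal_only" if rec.legal_retention_required else "erase"
    if validate_consent(rec) or purpose not in rec.purposes:
        return "refuse"
    return "process"


if __name__ == "__main__":
    # Constructed sample record: adult principal, complete notice in two languages.
    adult = ConsentRecord("p-001", 34, set(REQUIRED_NOTICE_ELEMENTS),
                          {"English", "Hindi"}, ["order fulfilment"], True, False)
    print(processing_decision(adult, "order fulfilment"))   # process
    print(processing_decision(adult, "targeted advertising"))  # refuse
```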
Significant Data Fiduciaries (SDFs)
The Central Government will designate certain data fiduciaries as Significant Data Fiduciaries based on factors including:
- Volume and sensitivity of personal data processed
- Risk to rights of data principals
- Potential impact on sovereignty and integrity of India
- Risk to electoral democracy
- Security of the state
- Public order
SDFs face additional obligations (Section 10):
- Data Protection Impact Assessment (DPIA): Conduct and document DPIAs for high-risk processing activities
- Data Audit: Periodic audit by an independent data auditor
- Data Protection Officer (DPO): Appoint a DPO based in India as a key managerial personnel
- Other measures: As prescribed by the Central Government
The criteria for SDF designation are not yet finalised — implementing rules will specify thresholds. Based on international precedents, technology companies with millions of Indian users, social media platforms, and large e-commerce businesses are likely candidates.
Cross-Border Data Transfers
Section 16 of the DPDP Act takes a notable approach: personal data may be transferred to any country outside India except those specifically restricted by Central Government notification.
This is a negative-list approach rather than a positive list of approved destinations: the default is that transfers are permitted, but the government can restrict transfers to specific countries for national security, strategic, or other reasons.
Practical implications:
- Businesses can transfer data internationally without per-transfer assessment (subject to country restrictions)
- The Central Government will publish a list of restricted countries — businesses must monitor and implement restrictions
- Sector-specific localisation requirements (financial data under RBI, health data under NMC/Ministry of Health) continue to apply alongside the DPDP Act
Current status: As of early 2026, no country-restriction notifications have been issued. The implementing rules will establish the framework for publishing and updating the restricted list.
Data Protection Board of India (DPBI)
Section 18 establishes the DPBI as an independent adjudicatory body with powers to:
- Receive and investigate complaints from data principals
- Conduct inquiries into alleged breaches
- Pass orders including financial penalties
- Issue directions to data fiduciaries and processors
- Refer matters to the Central Government for policy action
DPBI Structure: Chaired by a Chairperson appointed by the Central Government; members include experts in technology, law, and public policy. The DPBI is not yet constituted — its operational readiness will depend on implementing rules and government appointments.
Investigation process: Data principals can complain to the DPBI after exhausting the data fiduciary's internal grievance mechanism. The DPBI can investigate, seek documents, summon witnesses, and issue show cause notices. Entities have the right to be heard before a penalty order.
Penalties
The DPDP Act establishes a penalty schedule (Schedule of DPBI):
| Violation | Maximum Penalty |
|---|---|
| Failure to implement security safeguards leading to breach | ₹250 crore (~$30M USD) |
| Failure to notify DPBI and data principals of breach | ₹200 crore (~$24M USD) |
| Non-compliance with additional SDF obligations | ₹150 crore (~$18M USD) |
| Non-compliance with children's data protection | ₹200 crore (~$24M USD) |
| Non-compliance with DPBI orders | ₹150 crore (~$18M USD) |
| Other violations | ₹50 crore (~$6M USD) |
Penalties are per violation and can be cumulative — a single data breach involving security failure and notification failure could theoretically attract ₹450 crore total.
Breach Notification
Section 8 requires data fiduciaries to notify the DPBI (and data principals through prescribed means) of any personal data breach. Unlike GDPR's risk-based threshold (only "likely to result in high risk"), the DPDP Act appears to require notification of all breaches affecting digital personal data. The implementing rules will specify:
- Timeline for notification
- Form and content of notification
- Manner of notifying affected data principals
In the absence of specified timelines, best practice is to align with GDPR's 72-hour standard for DPBI notification and notify data principals without undue delay for high-risk breaches.
DPDP Act Implementation Timeline
August 2023: DPDP Act enacted and received Presidential assent
2024: Government consultation on implementing rules; stakeholder feedback periods
2025–2026: Implementing rules expected to be notified, specifying:
- Consent notice format and language requirements
- Data retention periods
- SDF designation criteria and thresholds
- Verifiable parental consent mechanism
- Consent manager registration requirements
- DPBI constitution and operational procedures
- Data auditor qualification requirements
Current situation: The Act is in force but many operational requirements depend on implementing rules. Businesses should design compliance programmes assuming GDPR-level rigour while monitoring rule developments.
DPDP Act Compliance Checklist
- Applicability analysis completed (India operations, Indian customers)
- Personal data inventory completed for all processing activities
- Consent notice developed meeting Sections 5 and 7 requirements
- Consent mechanism implemented (affirmative, specific, unconditioned)
- Consent notice translation into applicable Indian languages planned
- Legitimate uses analysis completed for processing without consent
- Children's data identification completed — parental consent mechanism planned
- Data principal rights procedures documented (access, correction, erasure, nomination)
- Grievance officer designated and contact information published
- Security safeguards implemented (encryption, access control, incident response)
- Breach notification procedure documented (align with DPBI reporting requirements)
- Data retention and deletion procedures documented and automated
- Cross-border transfer assessment — restricted country list monitoring planned
- SDF designation assessment — prepare for additional obligations if likely to qualify
- DPIA process established for high-risk processing
- Employee training on DPDP Act obligations completed
Frequently Asked Questions
Is the DPDP Act 2023 fully in force?
The DPDP Act was enacted and received Presidential assent in August 2023. However, many provisions depend on implementing rules (called rules under the Act) that specify operational requirements. As of early 2026, implementing rules have not been fully notified. The Act itself is in force — meaning its principles and some obligations apply — but the detailed compliance requirements (consent notice format, SDF criteria, DPBI procedures) await rules. Businesses should prepare compliance frameworks now and update them as rules are published.
How does the DPDP Act differ from GDPR?
Several significant differences: (1) DPDP Act uses consent as the primary basis, with limited "legitimate uses" — GDPR has six equal legal bases; (2) DPDP Act permits cross-border transfers by default (with government-restricted countries exception) — GDPR restricts transfers unless adequate protection exists; (3) DPDP Act does not include explicit rights to data portability or restriction in processing; (4) DPDP Act introduces consent managers — a unique innovation; (5) DPDP Act's penalty structure (₹250 crore max) is lower than GDPR's potential maximums for large multinationals; (6) DPDP Act applies only to digital personal data — GDPR applies to all personal data regardless of format.
Who is likely to be designated a Significant Data Fiduciary?
The criteria in Section 10 suggest SDFs will include: major social media platforms operating in India, large e-commerce companies with substantial Indian user bases, companies processing sensitive data (health, financial) at scale, technology companies with significant processing volumes. Based on GDPR's analogous "large-scale systematic monitoring" threshold and India's size (1.4 billion population), companies with millions of Indian users, particularly in consumer internet, fintech, and health-tech sectors, should assess SDF likelihood and prepare for heightened obligations.
What are the consent manager provisions?
Consent managers are entities registered with the DPBI that maintain interoperable platforms through which data principals can give, manage, review, and withdraw consent across multiple data fiduciaries. Data fiduciaries are accountable for processing based on consent obtained through a consent manager. This is designed to give individuals a centralised view and control of their consent across the digital ecosystem. The registration requirements and technical standards for consent managers will be specified in implementing rules.
How does the DPDP Act apply to employee data?
Employment data is addressed through the "legitimate uses" provision (Section 7(f)) — processing for the purpose of performing obligations or exercising rights under law in relation to employment (including pre-employment verification, background checks, payroll, benefits) qualifies as a legitimate use without requiring consent. However, employee data beyond employment purposes would require consent. The implementing rules are expected to clarify the scope of employment-related legitimate uses.
Are there sector-specific data localisation requirements that still apply?
Yes. The DPDP Act's cross-border transfer provisions do not supersede sector-specific localisation requirements. The Reserve Bank of India (RBI) requires financial data storage within India (Payment System Data Storage Direction, 2018). The National Medical Commission and Ministry of Health have health data localisation requirements. IRDAI (insurance) has data localisation requirements for insurance companies. Businesses in regulated sectors must satisfy both DPDP Act and sector-specific requirements.
Next Steps
India's DPDP Act represents a significant regulatory development for any business with Indian operations, customers, or employees. While implementing rules are still being finalised, building your compliance programme now — particularly around consent mechanisms, data principal rights, and security safeguards — positions you to achieve compliance efficiently when rules are notified.
ECOSIRE's technology implementation team helps businesses design DPDP-compliant data architectures, consent management systems, and privacy operations workflows tailored to the India market.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. The DPDP Act's implementing rules are pending; requirements will evolve as rules are notified. Consult qualified Indian legal counsel for advice specific to your organisation.
Written by
ECOSIRE Team, Technical Writing
The ECOSIRE technical writing team covers Odoo ERP, Shopify eCommerce, AI agents, Power BI analytics, GoHighLevel automation, and enterprise software best practices. Our guides help businesses make informed technology decisions.