India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025 represent a significant shift in how organisations must manage personal data. This overview explains what the law covers, who it applies to, what it requires, and what the consequences of non-compliance are.
Is the DPDP Act Applicable to Your Organisation?
If your organisation uses any of the following in the course of its activities, the DPDP Act is very likely applicable to you:
- Electronic devices such as computers, laptops, tablets or smartphones to collect, store or process information about individuals.
- Software applications such as databases, spreadsheets or word processors to manage or analyse information about individuals.
- Cloud services such as Google Drive, Dropbox or OneDrive to store or access information about individuals.
- Digital tools such as scanners, cameras or printers to convert information about individuals from non-digital to digital form.
- Online platforms such as websites, apps, social media or email to communicate with or provide services to individuals.
In practice, almost every business today collects and processes some form of personal data digitally — whether it is customer contact details, employee records, vendor information or visitor data. The DPDP Act is therefore broadly applicable across sectors and organisation sizes.
Legislation and Effectiveness
The DPDP Act was notified on 11 August 2023. The DPDP Rules were notified on 13 November 2025. The law comes into force in three stages, with full operational compliance required by 13 May 2027.
What is Personal Data?
Personal data means any information that can directly or indirectly identify an individual. This includes:
- Basic identity information: Name, date of birth, gender, address, email, phone number.
- Government identifiers: Passport number, Aadhaar, PAN, driving licence.
- Financial identifiers: Bank account details, card numbers, salary information, transaction records.
- Online and technical identifiers: IP address, device ID, cookies, login credentials.
- Employment and education identifiers: Employee ID, academic transcripts, performance reviews.
- Biometric and health identifiers: Fingerprints, facial recognition data, medical records.
Even a vehicle number recorded at an entry gate constitutes personal data under the Act.
Key Concepts
Data Principal
The individual to whom the personal data relates. Includes parents or lawful guardians of children under 18 years of age.
Data Fiduciary
Any person who alone or in conjunction with others determines the purpose and means of processing personal data. Your organisation is likely a Data Fiduciary.
Data Processor
A person who processes personal data on behalf of a Data Fiduciary — such as a cloud service provider or payroll vendor.
Personal Data Breach
Any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises its confidentiality, integrity or availability.
Applicability of the DPDP Act
The Act applies to processing of digital personal data:
- Within India — for data collected in digital form, or collected offline and subsequently digitised.
- Outside India — where the processing is in connection with offering goods or services to individuals in India.
The Act does not apply to processing by an individual for personal or domestic purposes, or to personal data made publicly available by the Data Principal or under a legal obligation.
Obligations of a Data Fiduciary
Lawful Purpose & Consent
Process personal data only for a lawful purpose with the Data Principal's consent, or under a defined legitimate use.
Notice Before Consent
Provide a clear notice before seeking consent. Consent must be free, specific, informed, unambiguous and unconditional.
Data Accuracy
Take reasonable steps to ensure the accuracy and completeness of personal data, particularly where it is used in decision-making.
Security Safeguards
Implement reasonable security safeguards to prevent personal data breaches.
Breach Notification
Notify the Data Protection Board of India and every affected Data Principal in the event of a personal data breach.
Data Erasure
Erase personal data when the purpose of retention is no longer served or upon withdrawal of consent by the Data Principal.
Grievance Redressal
Establish a grievance redressal procedure and publish contact information of the Data Protection Officer, where applicable.
Data Processor Contracts
Engage data processors only under a valid contract that binds them to appropriate data protection obligations.
Consent — Key Requirements
Consent under the DPDP Act must be:
- Free, specific, informed, unambiguous and unconditional.
- Sought through a clear request in plain language — in English or another scheduled language.
- Capable of being withdrawn by the Data Principal at any time.
- Not sought for purposes that would infringe the Act or any other law.
The Act also provides for certain legitimate uses where consent is not required — such as processing for medical emergencies, state functions, employment-related purposes, or compliance with court orders.
Rights of Data Principals
Right to Information
A summary of the personal data being processed, the processing activities undertaken, and the identities of other Data Fiduciaries or Data Processors with whom the data has been shared.
Right to Correction & Erasure
The right to seek correction, completion or erasure of personal data in accordance with applicable law.
Right of Grievance Redressal
Readily available means to register a grievance with a Data Fiduciary, and to approach the Data Protection Board in case of dissatisfaction.
Right to Nominate
The right to nominate another individual to exercise data rights in the event of death or incapacity.
Penalties for Non-Compliance
| Non-Compliance | Maximum Penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent a personal data breach | ₹ 200 Crore |
| Failure to notify the Board and affected Data Principals in the event of a breach | ₹ 200 Crore |
| Non-fulfilment of additional obligations in relation to children | ₹ 150 Crore |
| Non-fulfilment of additional obligations of a Significant Data Fiduciary | ₹ 50 Crore |
| Other non-compliances with the Act or Rules | ₹ 250 Crore |
When determining penalties, the Data Protection Board will consider factors including the nature, gravity and duration of the breach, the type of personal data affected, whether the breach was repetitive, whether any gain was made or loss avoided, and the steps taken to mitigate harm.
Broad Framework of Implementation
Organisations may be required to undertake the following activities to implement the DPDP Act:
- Conduct a data audit and identify all processing activities of personal data.
- Review and update data protection policies and privacy notices.
- Implement strong data governance structures.
- Enhance IT and data security measures.
- Conduct employee training and awareness programmes.
- Send notices and obtain valid consent from Data Principals.
- Establish Data Protection Agreements with vendors and processors.
- Develop mechanisms for managing Data Principal rights.
- Establish vendor and digital asset management processes.
- Develop a breach response plan.
- Maintain Records of Processing Activities (RoPA).
- Stay updated on regulatory developments and seek appropriate advice.
How RPAL Can Support You
We assist organisations across the full range of DPDP implementation — from gap analysis and data mapping to policy development, consent mechanisms, vendor assessments and ongoing compliance support.