India's data privacy landscape changed forever on 11 August 2023 when the Digital Personal Data Protection Act (DPDPA) received Presidential assent. Then on 13 November 2025, the DPDP Rules 2025 were officially notified — putting the Act into full force with a phased implementation timeline ending 13 May 2027.
If your business collects, processes, or stores digital personal data of Indian residents, this law applies to you. Non-compliance carries penalties of up to ₹250 crore per violation. This guide covers everything you need to know.
What is the DPDPA 2023?
The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law. It replaces the outdated IT (Reasonable Security Practices) Rules 2011 and brings India in line with global privacy frameworks like the EU's GDPR.
At its core, DPDPA does two things:
The law applies to any organisation processing digital personal data — whether collected digitally or subsequently digitised from physical records.
Key Definitions You Must Know
Data Principal — the individual whose personal data is being processed (your employees, customers, users).
Data Fiduciary — any person or organisation that determines the purpose and means of processing personal data. If you collect customer data, you are a Data Fiduciary.
Data Processor — a third party that processes data on behalf of the Data Fiduciary (your CRM vendor, payroll software, cloud provider).
Significant Data Fiduciary (SDF) — organisations handling large volumes of sensitive data, designated by the government. SDFs face additional obligations including appointing a Data Protection Officer (DPO) and conducting annual Data Protection Impact Assessments (DPIA). SDF provisions are expected to come into force on 13 May 2027.
Consent Manager — a registered intermediary through which Data Principals can manage their consent across multiple Data Fiduciaries.
What Data Does DPDPA Cover?
DPDPA applies exclusively to digital personal data — any data about an individual that can identify them, collected or processed in digital form. This includes:
It does not cover personal data processed for purely personal or household purposes, or data that has been made publicly available by the Data Principal themselves.
8 Core Compliance Obligations Every Business Must Meet
1. Lawful Basis and Consent
You must have a clear, lawful reason to process personal data. For most businesses, this means obtaining free, specific, informed, and unambiguous consent from individuals before collecting their data. Generic tick-box consent forms no longer suffice — consent must be granular and purpose-driven.
2. Privacy Notice
Before collecting data, you must provide individuals with a plain-language notice explaining what data you are collecting, why you are collecting it, how it will be used, and how they can exercise their rights. No legal jargon. The notice must be clear enough for an ordinary person to understand.
3. Data Principal Rights
Every individual whose data you hold has the following rights under DPDPA:
You must respond to these requests within a reasonable time and have a functional grievance redressal mechanism.
4. Data Security Safeguards
You are legally required to implement reasonable technical and organisational measures to protect personal data from breaches, unauthorised access, and accidental loss. The specific measures are not prescriptive — but you must be able to demonstrate they are adequate.
This is where employee security awareness training becomes a compliance requirement, not just good practice.
5. Breach Notification
In the event of a personal data breach, you must notify:
The notification must include the nature of the breach, categories of data affected, likely consequences, and remedial measures taken. The draft Rules suggest a 72-hour notification window, aligning with GDPR practice.
6. Children's Data
Processing personal data of children (under 18) requires verifiable parental consent. You must implement age verification mechanisms. Additionally, you may not process children's data in a manner that is detrimental to their wellbeing or involves behavioural monitoring or targeted advertising.
7. Cross-Border Data Transfers
Personal data may only be transferred to countries or territories specified by the Government of India. You must maintain contractual relationships with your data processors and ensure their compliance.
8. Grievance Redressal Mechanism
You must establish a clear, accessible mechanism through which Data Principals can raise complaints. Each complaint must be resolved in a timely, fair, and transparent manner.
Penalties — What's at Stake
The DPDPA introduces a tiered penalty structure enforced by the Data Protection Board of India:
| Violation | Maximum Penalty |
|---|---|
| Failure to implement adequate data security safeguards | ₹250 crore |
| Failure to notify a data breach | ₹200 crore |
| Non-compliance with children's data provisions | ₹200 crore |
| Failure to fulfil Data Principal rights | ₹50 crore |
| General non-compliance | ₹50 crore |
Implementation Timeline
| Phase | Date | What Happens |
|---|---|---|
| Data Protection Board established | November 2025 | ✅ Already in force |
| DPDP Rules 2025 notified | 13 November 2025 | ✅ Already in force |
| Core compliance obligations active | 18 months after Rules | May 2027 |
| Consent manager regulations | 12 months after finalisation | TBD |
| Significant Data Fiduciary provisions | 13 May 2027 | Forthcoming |
How DPDPA Compares to GDPR
| Aspect | DPDPA | GDPR |
|---|---|---|
| Scope | Digital personal data only | Digital and physical records |
| Territorial reach | India and cross-border processing of Indian residents' data | EU residents' data globally |
| Maximum penalty | ₹250 crore (~€27M) | €20M or 4% of global turnover |
| Breach notification | 72 hours (proposed) | 72 hours |
| Children's age threshold | Under 18 | Under 16 (varies by member state) |
| DPO requirement | Only for Significant Data Fiduciaries | When processing at scale or high-risk data |
What Your Employees Must Know
One area where many organisations fall short is employee awareness. Under DPDPA, ignorance is not a defence. Your employees are the most common cause of data breaches — through phishing attacks, accidental sharing, or improper data handling.
A compliant DPDPA programme must include:
CyberSek's DPDPA compliance training module covers all of these requirements in under 15 minutes, with auto-generated certificates that serve as audit evidence.
Your DPDPA Compliance Roadmap
- Immediately:
  - Audit all personal data your organisation collects and processes
  - Map data flows — where does data come in, where does it go, who has access?
  - Review and update your privacy notice
  - Implement a Data Principal rights request mechanism
  - Train all employees on DPDPA obligations
- Within 3 months:
  - Update data processing agreements with all vendors and processors
  - Implement a breach detection and notification workflow
  - Review age verification mechanisms if you serve consumers
  - Establish a grievance redressal process
- Before May 2027:
  - Assess whether you qualify as a Significant Data Fiduciary
  - If yes: appoint a DPO, prepare for annual DPIAs and audits
  - Review cross-border data transfer practices against the government whitelist
The Bottom Line
DPDPA 2023 is not a future concern — it is a present legal obligation. The Data Protection Board is operational. Penalties are real. And the most common source of data breaches — your employees — remains unaddressed at most Indian organisations.
The organisations that act now will be audit-ready when enforcement begins in 2027. Those that wait will face rushed compliance, potential penalties, and the reputational damage of a breach under a law they had years to prepare for.
Written by Namita Kumari | Security Awareness Specialist at CyberSek
CyberSek offers AI-powered DPDPA compliance training for Indian enterprises. Start your free 7-day trial — no credit card required.