
Penalties up to ₹250 crore · 72-hour breach window · Full enforcement: May 2027
850M+ Internet users in India protected · ₹250 Cr max penalty per violation · 72 hrs breach notification window · 18 months compliance window (Nov 2025 – May 2027)
⏱ DEADLINE ALERT: The DPDP Rules 2025 were notified on 13 November 2025. Full compliance is required by 13 May 2027. The Data Protection Board of India is already operational. Non-compliance attracts fines up to ₹250 crore per violation.
1. What is India's DPDP Act?
The Digital Personal Data Protection (DPDP) Act, 2023 is India's first standalone data protection law. It received Presidential assent on 11 August 2023, and its implementing framework, the DPDP Rules 2025, was notified by the Ministry of Electronics and Information Technology (MeitY) on 13 November 2025.
Together, they form a citizen-centred legal regime that governs how every organisation collects, processes, stores, and deletes the personal data of individuals in India. The law's origins trace back to the landmark 2017 Supreme Court judgment in Justice K.S. Puttaswamy v. Union of India, which recognised the right to privacy as a fundamental right.
💡 Quick distinction: Unlike the EU's GDPR, the DPDP Act applies only to digital personal data, not physical records unless those records are later digitised. All personal data is treated with the same standard of care; there is no 'sensitive personal data' sub-category.
2. Why It Matters for Your Business
If your organisation collects, stores, or processes any digital personal data from individuals in India, whether through a website, mobile app, SaaS platform, e-commerce store, or CRM, you are almost certainly a Data Fiduciary under this law. The Act has broad extraterritorial reach, meaning it applies even if your company is headquartered outside India.
The consequences of inaction are significant: the penalty framework is already active as of November 2025. A 2024 study by the Esya Centre found that while around 85% of data fiduciaries had begun preliminary deliberations on DPDP compliance, preparation was largely stalled due to the absence of finalised rules. With the rules now in force, the clock has formally started.
⚠️ Who must comply: Global SaaS platforms with Indian customers, e-commerce retailers shipping to India, mobile app developers with Indian users, HR teams processing employee data, and marketing agencies targeting Indian consumers all fall under the DPDP Act's scope.
3. Key Definitions You Must Know
Personal Data
Any data about an individual who is identifiable by or in relation to that data. The Act covers digital personal data and digitised records, but not purely physical/offline records that were never digitised.
Data Fiduciary
Any person, company, or government entity that alone or with others determines the purpose and means of processing personal data. This is functionally equivalent to a 'controller' under GDPR.
Significant Data Fiduciary (SDF)
Certain Data Fiduciaries may be classified as Significant Data Fiduciaries based on the volume of data processed, sensitivity, risk to national security, or impact on sovereignty. SDFs carry additional obligations: appointment of a Data Protection Officer (DPO) and Data Protection Impact Assessments.
Data Principal
The individual to whom the personal data relates: your customers, users, and employees. For children, the parent or lawful guardian acts as the Data Principal.
Data Processor
Any entity that processes personal data on behalf of a Data Fiduciary, following instructions. Data Fiduciaries must ensure processor compliance through written Data Processing Agreements (DPAs).
Consent Manager
A new role under DPDP Rules 2025: a registered intermediary enabling Data Principals to grant, manage, and withdraw consent for data processing. Must be India-incorporated with a minimum net worth of ₹2 crore.
4. DPDP Compliance Timeline
The DPDP Rules 2025 introduce a phased compliance structure across three horizons:
◆ 13 November 2025 - Immediate (Data Protection Board Operational)
MeitY notified the DPDP Rules 2025. The Data Protection Board of India (DPBI) became operational with a fully digital grievance portal and mobile app for citizen complaints. The penalty framework was simultaneously activated.
◆ 13 November 2026 - 12 Months (Consent Manager Registration Opens)
Only India-incorporated entities with ₹2 crore minimum net worth can register as Consent Managers. Foreign platforms are excluded from this role.
◆ 13 May 2027 - 18 Months (Full Substantive Compliance Mandatory)
Every privacy notice, consent mechanism, breach protocol, data deletion workflow, children's data protection measure, and data subject rights infrastructure must be fully operational. No grace period after this date.
✅ Good news: The old IT (Reasonable Security Practices) Rules 2011 remain in force until the end of the phased implementation. Your existing data security frameworks are not immediately redundant.
5. What Are the 7 Principles of DPDPA 2023?
The Digital Personal Data Protection Act, 2023 (DPDPA) is built on seven core principles that define how organizations in India must collect, process, store, and protect personal data. These principles guide compliance for every Data Fiduciary under the Act.
Below is a clear breakdown of the 7 principles of DPDPA.
1. Lawful, Fair, and Transparent Processing
Personal data must be processed in a lawful and fair manner. Organizations must inform individuals about:
What data is being collected
Why it is being collected
How it will be used
Clear notices and valid consent are essential under DPDPA.
2. Purpose Limitation
Data can only be collected for a specific, lawful purpose. It cannot be reused for unrelated activities unless fresh consent is obtained from the Data Principal.
3. Data Minimization
Organizations must collect only the data that is necessary to fulfill the stated purpose. Excessive or irrelevant data collection is not permitted under DPDPA.
4. Accuracy
Personal data must be accurate and kept up to date. If information is incorrect or outdated, organizations are responsible for correcting or erasing it when required.
5. Storage Limitation
Personal data cannot be stored indefinitely. Data must be deleted once the purpose for which it was collected is fulfilled, unless retention is required by law.
6. Reasonable Security Safeguards
Organizations must implement appropriate technical and organizational measures to protect personal data from breaches, unauthorized access, or misuse. This includes access controls, encryption, monitoring, and breach response mechanisms.
7. Accountability
Data Fiduciaries are responsible for complying with DPDPA and must be able to demonstrate compliance when required. This includes maintaining documentation, implementing governance frameworks, and responding to regulatory oversight.
Why These 7 Principles Matter for Businesses
Understanding the 7 principles of DPDPA is essential for building a compliant data protection framework in India.
These principles form the foundation for consent management, data lifecycle management, security controls, and risk mitigation strategies.
If your organization processes personal data of Indian residents, aligning your policies and controls with these seven principles is a critical first step toward DPDPA compliance.
6. Rights of Data Principals
Chapter III of the DPDP Act establishes a robust set of rights for individuals that must be operationalised in your systems before May 2027:
✓ Right to Access: Request a summary of personal data processed, identities of all Data Fiduciaries with access, and details of processing activities.
✓ Right to Correction: Request correction of inaccurate, incomplete, or outdated personal data.
✓ Right to Erasure: Request deletion of personal data after consent withdrawal or when the processing purpose has been fulfilled.
✓ Right to Grievance Redressal: Raise complaints with the Data Fiduciary and escalate to the Data Protection Board of India.
✓ Right to Nominate: Nominate another person to exercise rights on their behalf in the event of death or incapacity.
📌 Response timeline: Data Fiduciaries must respond to all data principal requests within 90 days. Build this into your operational SLAs now.
7. Children's Data - Stricter Rules Apply
The DPDP Act imposes significantly higher obligations when processing data of individuals under 18 years of age. These provisions carry some of the highest financial penalties in the Act.
Verifiable Parental Consent
Before processing any data related to a child, Data Fiduciaries must obtain verifiable consent from the parent or guardian. Verification may be achieved through existing account information, details provided by the parent, virtual tokens issued by authorised entities, or verification through Digital Locker service providers.
Exemptions for Essential Services
Verifiable parental consent is not required when processing children's data for essential services such as healthcare, education, or similar welfare-related purposes.
Prohibited Processing
The Act expressly prohibits processing children's data in a way that is detrimental to their wellbeing, or that involves tracking, behavioural monitoring, or targeted advertising directed at children.
🚫 High-risk area: Any mobile app or website accessible to minors must implement age verification and parental consent workflows. Non-compliance specifically related to children's data attracts penalties up to ₹200 crore.
8. DPDP Penalty Framework
The DPDP Act's penalty framework is already active as of November 2025. The Data Protection Board of India can investigate complaints and impose financial penalties for violations. Appeals lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
| Violation | Max Penalty |
| --- | --- |
| Failure to implement reasonable data security safeguards | ₹250 crore |
| Failure to notify a personal data breach (Board + individuals) | ₹200 crore |
| Breach of obligations for children's data processing | ₹200 crore |
| Non-fulfilment of Significant Data Fiduciary obligations | ₹150 crore |
| Breach of any other DPDP Act/Rules provision | ₹50 crore |
| Breach of duty by a Data Principal | ₹10,000 |
⚠️ 72-hour breach clock: All personal data breaches must be reported to the Data Protection Board and to affected individuals within 72 hours. The notification must include the nature and extent of the breach, timing, consequences, and mitigating measures taken. Failure to notify attracts penalties up to ₹200 crore.
9. Your DPDP Compliance Roadmap
Given the 18-month window (November 2025 – May 2027), here is a practical, phased approach for businesses at any stage of readiness:
Phase 1: Discovery & Assessment (Now – 3 months)
Conduct a comprehensive data mapping exercise: catalogue every category of personal data your organisation collects, why it is collected, where it's stored, who can access it, and how long it's retained.
Identify all third-party data processors (vendors, cloud providers, analytics tools) and review existing contracts for DPDP compliance gaps.
Determine whether your organisation qualifies as a Significant Data Fiduciary and prepare for the associated additional obligations.
Assess your current breach detection and incident response capabilities against the 72-hour notification requirement.
Phase 2: Design & Build (Months 3–10)
Draft compliant consent notices for every data collection touchpoint. Ensure they are clear, specific, and translated into relevant Indian languages.
Build or integrate a consent management platform that allows data principals to grant, manage, and withdraw consent easily.
Implement automated data retention and deletion workflows aligned to stated processing purposes.
Establish data subject rights mechanisms (access, correction, erasure, and grievance channels) with 90-day response SLAs.
For products serving children: deploy age verification and verifiable parental consent systems.
Phase 3: Embed & Certify (Months 10–18)
Train all teams that handle personal data (HR, marketing, engineering, customer support) on DPDP obligations and internal procedures.
Execute a compliance audit against the full DPDP Rules 2025 requirements.
Update all vendor contracts with compliant Data Processing Agreements.
Publish your privacy notice and point of contact prominently across all products and services.
Run a full breach simulation drill to validate your 72-hour notification capability before the May 2027 deadline.
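One way to turn the roadmap's retention/deletion workflow and its two statutory clocks (72-hour breach notification, 90-day rights-request response) into checkable logic, as an added Python example that is not code from the page or from any DPDP tool: the inventory shape, the legal_retention_until field and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

BREACH_NOTIFY_WINDOW = timedelta(hours=72)   # DPDP Rules: notify Board and affected individuals
RIGHTS_RESPONSE_WINDOW = timedelta(days=90)  # DPDP: respond to Data Principal requests

def ts(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

@dataclass
class DataRecord:  # hypothetical inventory shape: one item held for one stated purpose
    record_id: str
    purpose: str
    purpose_fulfilled_at: Optional[datetime] = None
    consent_withdrawn_at: Optional[datetime] = None
    legal_retention_until: Optional[datetime] = None  # retention mandated by another law

def retention_decision(rec: DataRecord, now: datetime) -> tuple:
    """Erase once consent is withdrawn or the purpose is fulfilled, unless a legal retention rule applies."""
    if rec.legal_retention_until and rec.legal_retention_until > now:
        return "retain", "legal retention requirement still applies"
    if rec.consent_withdrawn_at and rec.consent_withdrawn_at <= now:
        return "erase", "consent withdrawn"
    if rec.purpose_fulfilled_at and rec.purpose_fulfilled_at <= now:
        return "erase", "purpose fulfilled"
    return "retain", "purpose still active"

def retention_sweep(records, now):
    """Partition the inventory into (to_erase, to_keep), each a list of (id, reason)."""
    erase, keep = [], []
    for rec in records:
        decision, reason = retention_decision(rec, now)
        (erase if decision == "erase" else keep).append((rec.record_id, reason))
    return erase, keep

def breach_notification_deadline(detected_at: datetime) -> datetime:
    return detected_at + BREACH_NOTIFY_WINDOW

def rights_request_deadline(received_at: datetime) -> datetime:
    return received_at + RIGHTS_RESPONSE_WINDOW
# Constructed sample inventory (not real data)
NOW = ts(2026, 1, 15, 12)
SAMPLE = [
    DataRecord("r1", "order-fulfilment", purpose_fulfilled_at=ts(2025, 12, 10)),
    DataRecord("r2", "invoice", purpose_fulfilled_at=ts(2025, 12, 10),
               legal_retention_until=ts(2033, 12, 1)),
    DataRecord("r3", "newsletter", consent_withdrawn_at=ts(2026, 1, 10)),
    DataRecord("r4", "newsletter"),
]
```

Running `retention_sweep(SAMPLE, NOW)` erases r1 (purpose fulfilled) and r3 (consent withdrawn) while keeping r2 under its legal retention period and r4 as still active; the deadline helpers give the timestamps to track against your breach drill and rights-request SLAs.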