What Is DPDPA? Practical India Guide
The Digital Personal Data Protection Act, 2023 governs how digital personal data is collected, used, stored, shared, and deleted in India. With the DPDP Rules, 2025 now notified and phased implementation underway, businesses should focus on fixing notices, consent, rights handling, retention, and vendor controls. This guide explains what the law covers, who it applies to, and what practical steps matter first.
Why Was DPDPA Enacted?
India is the world's third-largest internet user base with over 900 million online users. As digital transactions, e-commerce, fintech, and digital services grew rapidly, it became clear that India needed a modern legal framework to protect citizens' personal data. The DPDPA was passed by Parliament in August 2023 after years of deliberation, multiple draft versions, and extensive consultations.
The Act replaces the fragmented data protection provisions scattered across existing laws (principally Section 43A of the Information Technology Act, 2000 and the SPDI Rules, 2011 made under it, which covered only a narrow class of "sensitive" data and carried weak enforcement) with a dedicated, comprehensive framework. Before DPDPA, Indian businesses had no single, enforceable set of rules governing how all personal data must be handled. That gap has now been closed.
What Does DPDPA Govern?
The DPDPA governs the processing of "digital personal data": personal data that is collected in digital form, or collected in non-digital form and later digitised. Under Section 3 it applies to:
- Processing within India — any processing of digital personal data carried out within the territory of India
- Processing outside India — if the processing is in connection with offering goods or services to individuals (Data Principals) within the territory of India
Processing covers everything you do with data: collection, storage, use, sharing, disclosure, deletion, and transmission. If your business does any of these with personal data of individuals in India, the Act applies to you, whether or not your servers or your company are located there.
Key Principles
The DPDPA is built on seven core principles that define how personal data must be handled:
- Consent-based processing — Personal data may be processed only with the individual's consent (Section 6), which must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, or for one of the "certain legitimate uses" listed in Section 7 (for example, data the individual voluntarily provides for a specified purpose, or processing required for employment, medical emergencies, or compliance with law)
- Purpose limitation — Data collected for one purpose cannot be silently repurposed for something else
- Data minimisation — Only collect what you genuinely need for the stated purpose
- Accuracy — Keep data accurate and up to date; correct it when individuals request it
- Storage limitation — Do not retain data longer than necessary; delete it when the purpose is fulfilled
- Security — Implement appropriate technical and organisational safeguards against breaches
- Accountability — Businesses are responsible for compliance and must be able to demonstrate it
These principles are not aspirational. They are the basis on which the Data Protection Board will evaluate complaints and determine penalties.
Regulatory Authority
The Act establishes the Data Protection Board of India as the regulatory authority. The Board is responsible for adjudicating complaints, conducting inquiries, and imposing financial penalties. It operates digitally — complaints can be filed online, and proceedings are conducted through a digital platform, making it accessible to individuals across the country.
DPDPA Implementation Timeline
The DPDP Rules, 2025 were notified on 14 November 2025. Implementation is phased:
- Immediate (on notification) — Rules related to the Board's constitution, appointments, and procedures
- 12 months from notification — Consent Manager registration requirements
- 18 months from notification — Operational rules including notice requirements, consent flows, rights processing, security safeguards, and breach notification
The 18-month window means full operational compliance is expected by May 2027. However, waiting until the deadline is a risk — building compliance infrastructure takes time, and early regulatory attention typically focuses on visible gaps.
How DPDPA Compares to GDPR
Many Indian businesses are familiar with GDPR (Europe's General Data Protection Regulation). DPDPA takes inspiration from it but is a simpler, India-specific framework:
| Aspect | DPDPA | GDPR |
|--------|-------|------|
| Primary legal basis | Consent (with defined exceptions) | Multiple bases including legitimate interest |
| Sensitive data category | Not separately defined as a class | Special category data with stricter rules |
| Right to portability | Not included | Included |
| DPO requirement | Only for Significant Data Fiduciaries | Mandatory for certain controllers |
| Maximum penalty | ₹250 crore (highest tier in the Schedule) | €20 million or 4% of worldwide annual turnover, whichever is higher |
If your business already complies with GDPR, you have a strong foundation — but DPDPA has different mechanics and you should not assume the two are identical.
What Happens If You Don't Comply?
Penalties under DPDPA are substantial. The Schedule to the Act sets out the maximum penalty for each category of breach:
- Failure to implement reasonable security safeguards to prevent a personal data breach (Section 8(5)) — up to ₹250 crore
- Failure to notify the Board and each affected individual of a personal data breach (Section 8(6)) — up to ₹200 crore
- Breach of children's data obligations (Section 9) — up to ₹200 crore
- Breach of additional obligations of Significant Data Fiduciaries (Section 10) — up to ₹150 crore
- Breach of any other provision of the Act or the Rules — up to ₹50 crore
The Data Protection Board determines the actual penalty after considering the factors in Section 33(2): the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the breach is repetitive, any gain or loss resulting from it, whether the business took steps to mitigate the effects, and the proportionality of the penalty to the breach.
Your First Three Steps
If you are new to DPDPA and do not know where to begin, start here:
- Map where personal data exists — List every system, tool, folder, and process that holds personal data of customers, employees, or prospects. You cannot protect what you have not located.
- Audit your consent and notice mechanisms — Check every form, app screen, and data collection point. Does each one show a plain-language notice stating what data is collected and for what purpose, and does it obtain consent by a clear affirmative action (an unticked box or an explicit button, never a pre-ticked box or a bundled "I agree to everything")? If not, that is your first fix.
- Designate an internal owner — Someone must be responsible for data protection in your business. Without ownership, nothing else happens. This does not have to be a full-time role at first — but it must be a named person with authority to make decisions.
The practical question is no longer whether to prepare — it is what to fix first and in what sequence.
Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.