
What Is DPDPA? Practical India Guide

The Digital Personal Data Protection Act, 2023 governs how digital personal data is collected, used, stored, shared, and deleted in India. With the DPDP Rules, 2025 now notified and phased implementation underway, businesses should focus on fixing notices, consent, rights handling, retention, and vendor controls. This guide explains what the law covers, who it applies to, and what practical steps matter first.

Why Was DPDPA Enacted?

India has the world's third-largest internet user base, with over 900 million online users. As digital transactions, e-commerce, fintech, and digital services grew rapidly, it became clear that India needed a modern legal framework to protect citizens' personal data. The DPDPA was passed by Parliament in August 2023 after years of deliberation, multiple draft versions, and extensive consultations.

The Act replaces fragmented data protection provisions across existing laws (like the Information Technology Act, 2000) with a dedicated, comprehensive framework.

What Does DPDPA Govern?

The DPDPA governs the processing of "digital personal data" — any personal data that is collected digitally or collected in non-digital form and later digitised. It applies to:

  • Data collected within India — any personal data collected from individuals located in India
  • Data processed outside India — if the processing is in connection with offering goods or services to individuals in India

Key Principles

The DPDPA is built on several core principles:

  • Consent-based processing — Personal data can generally only be processed with valid, informed consent
  • Purpose limitation — Data can only be used for the purpose it was collected for
  • Data minimisation — Only collect what you genuinely need
  • Accuracy — Keep data accurate and up to date
  • Storage limitation — Do not retain data longer than necessary
  • Security — Implement appropriate technical and organisational safeguards
  • Accountability — Businesses are responsible for compliance and must demonstrate it

Regulatory Authority

The Act establishes the Data Protection Board of India (DPBI) as the regulatory authority. The Board is responsible for adjudicating complaints, conducting inquiries, and imposing penalties.

When Does It Come Into Effect?

The DPDP Rules, 2025 were notified on 14 November 2025. India is implementing the regime in phases — certain rules took effect immediately on notification, while others take effect 12 and 18 months later. Businesses should treat this period as operational rollout time, not wait-and-watch time.

The practical question is no longer whether to prepare — it is what to fix first and in what sequence. Focus on notices, consent flows, rights-handling processes, retention policies, and vendor agreements.

Last reviewed: March 2026

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.

Please consult a qualified data protection lawyer for formal legal opinions specific to your business situation.