
India's DPDP Act 2023: Everything an Enterprise DPO Needs to Know

A comprehensive guide to the Digital Personal Data Protection Act 2023 — from consent requirements and Data Principal rights to penalties, Significant Data Fiduciary obligations, and your compliance timeline.

Ananya Krishnan
Head of Privacy Research
March 20, 2026 · 15 min read

India's Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent on 11 August 2023, making India one of the few countries with a comprehensive dedicated data protection law. The DPDP Rules 2025 followed in January 2025, adding critical implementation details. With enforcement expected from May 2027, Indian enterprises have a defined window — but the compliance workload is substantial.

Who Does the DPDP Act Apply To?

The DPDP Act applies to any organisation that processes digital personal data of Indian citizens — whether the processing happens in India or abroad. This means even global SaaS platforms with Indian users are in scope. Organisations are classified as “Data Fiduciaries” (those who determine the purpose and means of processing) and “Data Processors” (those who process on behalf of fiduciaries).

Key Obligations Under the DPDP Act

Consent (Section 6): Consent must be free, specific, informed, unconditional, and unambiguous. It must be obtained through a clear affirmative action. Bundled or pre-ticked consent boxes are not valid. Organisations must maintain consent records and allow Data Principals to withdraw consent at any time.

Privacy Notice (Section 5): Privacy notices must be in plain language — no legalese. They must be available in all 22 scheduled Indian languages on request. PrivacyLedger's Privacy Notice Builder handles this automatically across all digital touchpoints.

Data Principal Rights (Sections 11–14): Data Principals have the right to access information about their data, correct inaccurate data, erase data, and nominate a person to exercise their rights on death or incapacity. Organisations must respond within 30 days and maintain complete audit trails.

Penalties: Up to ₹250 Crore

The DPDP Act's penalty schedule is significant: ₹250 crore for failing to notify the Data Protection Board of a breach, ₹200 crore for inadequate children's data safeguards, and ₹50 crore for inadequate security measures. For Significant Data Fiduciaries, additional obligations apply. Understanding your risk exposure is the first step — PrivacyLedger's free DPDP Readiness Assessment gives you a full gap analysis in 48 hours.


Ananya leads privacy research at PrivacyLedger with 10+ years in Indian data protection law, regulatory compliance, and enterprise privacy programme design.