Data Privacy & Technology Law — India

Digital Personal Data Protection Act, 2023 — Business Compliance in India

India's first comprehensive data protection law is in force. If your business collects or processes personal data of Indian citizens — online or offline — the DPDP Act applies to you. Penalties reach Rs. 250 crore per instance of breach.

Digital Personal Data Protection Act, 2023  |  Presidential Assent: 11 August 2023

The Core Framework — Data Fiduciary and Data Principal

The DPDP Act establishes a consent-based framework for processing digital personal data. The two central parties are the Data Fiduciary, the person or entity that determines the purpose and means of processing personal data, and the Data Principal, the individual to whom the personal data relates.

The Act applies to: processing of digital personal data within India; and processing of personal data outside India if it relates to offering goods or services to Data Principals within India. Cross-border applicability is significant for NRI-focused businesses and international companies serving Indian customers.

Obligations of a Data Fiduciary

Obtain valid consent

Consent must be free, specific, informed, unconditional and unambiguous. Pre-ticked boxes, bundled consent, and dark patterns are not valid. A notice must explain what data is collected, why, and how it will be used — in clear, plain language.

Purpose limitation

Data may only be used for the purpose for which consent was obtained. Using customer data collected for one purpose to market a new product without fresh consent is a violation.

Data minimisation

Only data that is necessary for the stated purpose may be collected. Collecting additional data "just in case" it may be useful later violates the minimisation principle.

Storage limitation

Personal data must be deleted once the purpose for which it was collected has been fulfilled and there is no legal requirement to retain it. Indefinite retention is prohibited.

Security safeguards

Reasonable security safeguards must be implemented to prevent data breaches — encryption, access controls, and security audits. The standard will be specified in Rules.

Breach notification

In the event of a personal data breach, the Data Protection Board of India and all affected Data Principals must be notified — timeline and procedure to be specified in Rules.

Rights of the Data Principal

Penalties Under the DPDP Act

Violation | Maximum Penalty
Breach due to failure to implement reasonable security safeguards | Rs. 250 crore
Failure to notify Board and Data Principals of a breach | Rs. 200 crore
Non-fulfilment of obligations regarding children's data | Rs. 200 crore
Non-fulfilment of Significant Data Fiduciary obligations | Rs. 150 crore
Breach of any other provision of the Act or Rules | Rs. 50 crore

Adjudication: Penalties are assessed by the Data Protection Board of India — an independent digital adjudicatory body. Appeals lie to the High Court. The Board may also direct the Data Fiduciary to take corrective action, and repeated violations attract higher penalties.

Children's Data — Elevated Obligations

The DPDP Act imposes significantly stricter obligations for processing data of children (under 18 years). A Data Fiduciary must obtain verifiable parental consent before processing a child's personal data. Additionally, tracking or behavioural monitoring of children and targeted advertising directed at children is prohibited. Penalties for violation reach Rs. 200 crore — reflecting the legislature's strong policy position on protecting minors' data.

What Businesses Must Do Now

Frequently Asked Questions — DPDP Act

What is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection law. It received Presidential assent on 11 August 2023. It governs processing of digital personal data in India, and processing of data outside India relating to offering goods or services to individuals in India. It establishes a consent framework, Data Fiduciary obligations, Data Principal rights, breach notification requirements, and the Data Protection Board of India for adjudication.

Who is a Data Fiduciary under the DPDP Act?

Any person or entity that determines the purpose and means of processing personal data. This covers virtually every business with a website form, app, customer database, or employee HR system. E-commerce platforms, healthcare providers, educational institutions, financial services, and SaaS companies are all Data Fiduciaries. Significant Data Fiduciaries — large-scale processors of sensitive data — face additional obligations to be specified in Rules.

What are the maximum penalties?

Rs. 250 crore for a data breach resulting from failure to implement reasonable security safeguards. Rs. 200 crore for failure to notify the Data Protection Board and affected individuals of a breach. Rs. 200 crore for non-fulfilment of children's data obligations. Rs. 50 crore for breach of any other provision. Penalties are assessed by the Data Protection Board — appeals lie to the High Court.

Is Your Business DPDP-Compliant?

The DPDP Rules, once notified, will activate the full compliance regime. Businesses that begin the compliance audit and documentation process now will be significantly better positioned than those that wait. The office advises on DPDP compliance frameworks and on data breach response, and drafts privacy policies and consent mechanisms.