Updated on March 25, 2026
SolvLegal Team
Cyber & Technology Law

What is the DPDP Act, 2023? Complete Guide for Businesses in India

By the SolvLegal Team

Published on: March 25, 2026, 12:26 p.m.


Quick answer

1.    The DPDP Act, 2023 is India’s data privacy law for digital personal data. It sets rules on how businesses must collect, use and safeguard personal data.

2.    It applies to digital personal data processed in India, and to processing outside India that is connected with offering goods or services to people in India. It excludes purely personal or domestic use, and personal data that the individual made public themselves or that was made public under a legal obligation.

3.    Key business obligations: obtain clear, affirmative consent and give plain-language notices; collect only the data the stated purpose needs and use it only for that purpose; protect it with reasonable security safeguards (encryption, access control, logging and monitoring, backups); and notify any personal data breach to the affected individuals and to the Data Protection Board.

4.    Individuals’ rights: users can ask for a summary of their data, have errors corrected, request erasure, raise grievances, and nominate someone to act for them. You must respond within the period you publish, which the DPDP Rules cap at 90 days.

5.    Penalties: up to ₹250 crore for failing to maintain reasonable security safeguards, up to ₹200 crore for failing to notify a breach or for breaching the children’s-data duties, up to ₹150 crore for Significant Data Fiduciary duties, and up to ₹50 crore for other violations.

6.    Timeline: the Act was passed in August 2023 and the DPDP Rules were notified in November 2025. Commencement is phased: roughly 12 months after the Rules for the consent manager provisions and 18 months for most other obligations.

 

Introduction

 

In today’s digital market, mishandling customer data is a minefield of legal risk. Businesses are rightly asking: “Are we compliant with India’s new data law?” The Digital Personal Data Protection Act, 2023 (DPDP Act) sets out tough new rules on collecting and using personal data. If you collect email addresses, phone numbers, or any identifying information online, you need to pay attention: non-compliance can mean heavy fines and loss of customer trust. This guide walks you through the what, why and how of the DPDP Act in plain language. We explain who must comply, what the key terms mean for your business, the main obligations you must meet, and the rights your users now have. By the end, you will know the steps to keep your business safe and respectful of privacy. For more, see our article India’s New DPDP Rules Explained: What Startups and SMEs Must Do in the Next 18 Months.

Data protection matters now more than ever. India’s digital economy is booming, but with growth comes scrutiny. Customers expect their data to be handled responsibly, and regulators worldwide (Europe’s GDPR, for example) have set high standards. India’s Supreme Court has confirmed that privacy is a fundamental right, and the fragmented rules under older laws and sectoral guidelines were causing confusion. The DPDP Act, 2023 was introduced to fix this. The government designed it around the SARAL principles (Simple, Accessible, Rational and Actionable) so that businesses can follow it without guesswork. Unlike previous drafts, the final Act uses plain language and worked illustrations, aiming to build trust in the digital ecosystem. In short, the DPDP Act replaces a patchwork of regulations with a single, citizen-centred law that balances individuals’ privacy with the legitimate needs of business.

Background of Data Protection Law in India

India’s journey to a comprehensive data privacy law began with a landmark Supreme Court ruling in 2017. In K.S. Puttaswamy v. Union of India, a nine-judge bench unanimously held that the right to privacy (including informational privacy) is a fundamental right under the Constitution. That verdict set the stage for a data protection framework. In the years that followed, the government formed expert committees (notably the B.N. Srikrishna committee in 2017) and drafted bills to flesh out what that framework would be.

The first major effort was the Personal Data Protection Bill, 2019, which proposed an EU-style approach with a powerful regulator and strict rules. It required consent for data use, purpose limitation, breach notification, and even data portability. It was introduced in Parliament and referred to a Joint Parliamentary Committee, but was ultimately withdrawn in 2022. In its place, the Digital Personal Data Protection Bill, 2022 was published for consultation. It took a simpler approach and evolved into the DPDP Bill, 2023, which moved quickly through both Houses in August 2023 and received Presidential assent on 11 August 2023.

After Parliament’s approval, the final step was enforcement. The government notified the DPDP Rules, 2025 in November 2025, making the law operational. The Rules commence in phases, giving companies roughly 12 to 18 months to set up consent mechanisms, appoint officials and meet the remaining obligations. Together, the Act and Rules form India’s first standalone data protection law, replacing the old Section 43A of the Information Technology Act, 2000 and the sectoral guidelines built on it. The big-picture goal is to protect individual privacy while allowing legitimate use of data. This guide focuses on the Act as it applies to businesses.

Key Definitions under the DPDP Act

Before diving into compliance steps, it’s essential to know some key terms (each is defined in the Act). We’ll explain them in simple business terms, with examples:

1.    Personal Data: Any data about an individual who is identifiable by or in relation to that data. For example, names, email addresses, phone numbers, biometric identifiers, or unique online identifiers. If you can trace the data back to a person (directly or indirectly), it is personal data. The Act regulates “digital personal data”, meaning personal data in digital form, including data collected on paper and later digitised.

2.    Data Principal: The individual the personal data is about. If the person is a child, this includes their parent or lawful guardian; if the person has a disability, it includes their lawful guardian acting on their behalf. In a business context, the data principal is usually your customer, user, or employee. For example, if you run an e-commerce site, the person buying or browsing products is the data principal with respect to their profile data.

3.    Data Fiduciary: This is you, the business (or any organisation) that decides why and how personal data is processed (collected, used, shared). If you run an online shop and decide to collect customer emails for marketing, your company is the data fiduciary because it sets the purpose (marketing emails) and the means (collecting email addresses). Even if you process data jointly with a partner, if you determine the purpose you are a data fiduciary for that data.

4.    Data Processor: Any entity that processes personal data on behalf of a Data Fiduciary. If your company hires a cloud service to store customer data, that cloud provider is acting as your data processor. Similarly, a payroll company processing employee data for HR is a processor. Processors follow your instructions and do not decide the purpose of processing; you remain responsible to the data principal for what they do.

5.    Consent Manager: A distinctive feature of the DPDP Act. Consent managers are platforms registered with the Data Protection Board that let individuals give, manage, review and withdraw consent in one place. Think of them as a centralised consent dashboard: a user opens one app, sees all the consents they have given (newsletter sign-ups, say), and toggles them on or off. Your business can integrate with a consent manager to make this simpler for customers. The Act does not require you to use one; you can also manage consent yourself by giving clear opt-in and opt-out controls.

6.    Significant Data Fiduciary (SDF): The Central Government may notify a data fiduciary (or a class of them) as Significant, based on factors such as the volume and sensitivity of data processed, the risk to data principals’ rights, and the potential impact on sovereignty, security or public order. SDFs (typically large platforms) have extra duties: appointing a Data Protection Officer based in India, appointing an independent data auditor, and conducting periodic data protection impact assessments and audits. Keep an eye on whether your business is notified as an SDF.

All these terms form the framework of the law. In practice, most businesses will interact mainly with the first five: handling personal data (collected from a data principal) as a data fiduciary, possibly through a data processor, and potentially via a consent manager.

Scope of the DPDP Act

A key question: Who and what does this law apply to? The DPDP Act is focused on “digital personal data”, meaning personal data in electronic form. It definitely covers any digital personal data you handle within India’s borders. This includes data collected digitally (e.g. through your website or app) or physical data that is later digitized (e.g. scanning paper records). In short, if you gather customer data in India on a computer or phone, this Act likely applies.

Importantly, the Act also has extraterritorial reach: it applies to processing outside India if that processing is connected with offering goods or services to data principals within India. Concretely, foreign companies processing the data of people in India must comply too. For example, if an e-commerce site based in another country sells products to users in India and collects their data, the Act covers that processing. If you advertise or market to people in India, or provide online services to them, assume you fall under the DPDP rules.

Not all data is covered. The Act explicitly excludes some cases:

1.    Personal or domestic use: If an individual processes personal data strictly for personal or domestic purposes (say, backing up family photos on a personal computer), the Act does not apply. It is aimed at organisations and business uses.

2.    Publicly available data: The Act does not apply to personal data that the individual has made publicly available themselves (for instance, details they openly post on social media), or that someone else was legally obliged to make public (such as a name on a public register). Data made public by a third party without any such obligation, for example a leaked or scraped dataset, is not exempt.

 

Examples of in-scope situations: An Indian SaaS company managing customer lists, an e-commerce platform collecting shopper info, a fintech app storing KYC data, an HR software that digitizes employee records. All these involve digital personal data in India, so they must follow the DPDP Act rules.

Brief exceptions: Some sectors may have transitional or sector-specific rules (e.g., banks still follow certain RBI rules), and the government can exempt categories via notifications. But the baseline is clear: if you process digital personal data of Indians in connection with your business, plan to comply.

Key Obligations of Businesses

As a data fiduciary (the entity deciding why/how data is processed), your business now has new legal duties under the DPDP Act and Rules. The Act lays out core principles and requirements; think of them as the do’s and don’ts for handling data. In practice, you’ll need to update your policies, notices, and systems. Here are the main obligations:

1.    Obtain explicit and informed consent: You must get clear consent from users before collecting or using their personal data, unless one of the Act’s limited “legitimate uses” applies (for example, data the person voluntarily provided for a specified purpose, or processing required by law). Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action (like ticking a box). In simpler terms, tell people exactly what data you want and why, and make them actively agree: no pre-ticked boxes, no bundled consents, no vague language. The purpose for which you collect data must be stated clearly in the consent notice. For example, “We collect your email to send order updates and promotional offers.” After consent is given, users must be able to withdraw it at any time, and withdrawing must be as easy as giving it. Once they withdraw, stop processing (and have your processors stop) unless another legal basis applies.

2.    Provide clear notices: Along with the consent request, give each data principal a notice about the data collection. It should be simple and easy to understand (no legalese). The Act and Rules set a minimum: an itemised description of the personal data collected and the purpose for each item, how the user can withdraw consent and exercise their rights, and how they can complain to the Data Protection Board. Good practice adds the identity of your business, any third parties you share data with, how long you keep it, and a contact point for questions (see point 7). For example, if your app collects location, the notice should explain plainly what that location is used for.

3.    Limit collection and purpose: Only collect data that is necessary for your stated purpose. Do not ask for extras. If you only need a customer’s email and name, do not collect their home address or biometric data unless the purpose needs it. This is data minimisation. Also, do not use data for any purpose other than the one you told the user about. If you collected data for order delivery, you cannot start using it for unrelated marketing without fresh consent. This purpose limitation principle is key to earning trust.

4.    Data accuracy and retention: Keep personal data accurate and up to date, especially where it will be used to make decisions about the person or shared with another fiduciary. If you learn that data is wrong or outdated (a changed phone number, say), correct it. Also, do not hold data longer than needed: once the purpose is served, and unless a law requires you to keep it, delete it. For instance, if a user closes their account, erase their personal data unless you need it to meet a legal obligation. The Rules additionally require certain large platforms (e-commerce, online gaming and social media intermediaries above notified user thresholds) to erase the data of users who have been inactive for three years, after giving at least 48 hours’ notice so the person can log in and keep the account. Whatever your size, plan to wipe unnecessary data from your systems.

5.    Reasonable security safeguards: You must protect personal data with “reasonable security safeguards” to prevent a personal data breach. The Rules spell out a minimum set of measures: encryption, obfuscation, masking or tokenisation of personal data; access controls; logs and monitoring that let you detect, investigate and remediate unauthorised access; backups so that processing can continue after loss or destruction; retention of logs and related data for at least one year; and contracts that bind your processors to the same safeguards. Think of it this way: if you would not let a stranger wander into your office and take files, do not let attackers walk into your database. Use strong authentication, keep software patched, and restrict who can see sensitive data. If your systems are breached, you will be held accountable, so invest in sound cybersecurity practices and document them.

6.    Data breach reporting: If a personal data breach occurs, you have strict notification duties. A “personal data breach” means any unauthorised processing, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access, that compromises the confidentiality, integrity or availability of personal data. You must intimate the Data Protection Board without delay, and then provide a detailed report within 72 hours of becoming aware of the breach (a longer period may be allowed on request). You must also notify each affected individual without delay, in plain language, explaining what happened, what data was involved, the likely consequences, what you are doing about it, what they can do to protect themselves, and whom to contact. For example: “On July 1 we discovered unauthorised access to our database; some email addresses and names were accessed. We have reset passwords and are monitoring affected accounts. We apologise for the incident.” Failing to notify can draw penalties of up to ₹200 crore, so have an incident response plan ready.

7.    Accountability and governance: You cannot just say “we’ll comply”; the Act expects demonstrable accountability. Every data fiduciary must publish the contact details of a Data Protection Officer or another person able to answer questions about how it processes personal data. Good practice, even where the Act does not strictly require it, is to conduct risk assessments (similar to GDPR’s DPIAs) before large data projects and to maintain records of processing activities (what data you collect and how you use it). Significant Data Fiduciaries have mandatory extra duties: appoint a DPO based in India who reports to the board, appoint an independent data auditor, conduct periodic data protection impact assessments and audits, and apply any additional measures the Central Government prescribes. Even if you are not an SDF, following these steps shows accountability.

8.    Children’s data (special caution): The Act has extra rules if you handle data of children (under 18). You must obtain verifiable parental consent before processing a child’s personal data. Tracking, behavioural monitoring and targeted advertising directed at children are prohibited, as is any processing likely to cause a detrimental effect on a child’s well-being. If your service is likely to be used by minors, build in age verification and parental consent mechanisms now.
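The consent, purpose-limitation and withdrawal duties above are easiest to enforce if the application consults one consent record before every processing step, rather than relying on a checkbox that was read once at sign-up. The following Python module is an added example written for this guide; it is not code from the Act, the Rules or any regulator. The purpose names, notice version and customer identifier are constructed for illustration.

```python
"""Consent ledger: affirmative consent, purpose limitation, withdrawal.

Added example for this guide, not from the Act, the Rules or any regulator.
Purpose names, notice versions and identifiers below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass
class ConsentRecord:
    principal_id: str          # the data principal (customer, user, employee)
    purpose: str               # one declared purpose, exactly as stated in the notice
    notice_version: str        # which notice text the person saw when agreeing
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        # Consent covers the window [given_at, withdrawn_at); withdrawal is not retroactive.
        return self.given_at <= when and (self.withdrawn_at is None or when < self.withdrawn_at)


class ConsentDenied(Exception):
    """Raised when processing has no active consent for the requested purpose."""


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, principal_id: str, purpose: str, notice_version: str,
               affirmative_action: bool, at: datetime) -> ConsentRecord:
        # A pre-ticked box, a silent default or "continued use" is not consent:
        # the caller must attest that the person took a clear affirmative action.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action (no pre-ticked boxes)")
        rec = ConsentRecord(principal_id, purpose, notice_version, at)
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> int:
        """Withdraw every active consent for this purpose; returns how many were withdrawn."""
        count = 0
        for rec in self._records:
            if rec.principal_id == principal_id and rec.purpose == purpose and rec.active_at(at):
                rec.withdrawn_at = at
                count += 1
        return count

    def may_process(self, principal_id: str, purpose: str, at: datetime) -> bool:
        # Purpose limitation: consent for "order_updates" says nothing about "marketing".
        return any(rec.principal_id == principal_id and rec.purpose == purpose and rec.active_at(at)
                   for rec in self._records)

    def purposes_for(self, principal_id: str, at: datetime) -> list[str]:
        """What the person can see in an access request: every purpose currently consented to."""
        return sorted({rec.purpose for rec in self._records
                       if rec.principal_id == principal_id and rec.active_at(at)})


def process(ledger: ConsentLedger, principal_id: str, purpose: str,
            at: datetime, action: Callable[[], object]) -> object:
    """Gate: run `action` only if an active consent for exactly this purpose exists."""
    if not ledger.may_process(principal_id, purpose, at):
        raise ConsentDenied(f"no active consent from {principal_id} for purpose {purpose!r}")
    return action()


def demo() -> dict:
    """Constructed walk-through; returns the outcomes so they can be checked."""
    t0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2026, 2, 1, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("cust-42", "order_updates", "notice-v3", affirmative_action=True, at=t0)
    out = {"order_update_sent": process(ledger, "cust-42", "order_updates", t1, lambda: True)}
    try:
        process(ledger, "cust-42", "marketing", t1, lambda: True)
        out["marketing_blocked"] = False
    except ConsentDenied:
        out["marketing_blocked"] = True
    try:
        ledger.record("cust-42", "marketing", "notice-v3", affirmative_action=False, at=t1)
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True
    ledger.withdraw("cust-42", "order_updates", at=t2)
    out["after_withdrawal"] = ledger.may_process("cust-42", "order_updates", t2)
    out["before_withdrawal_still_valid"] = ledger.may_process("cust-42", "order_updates", t1)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the `process` gate is that a purpose string, not a boolean “consented” flag, is the unit of consent: a record for one purpose never authorises another, and a withdrawal closes the window from that moment while leaving earlier processing defensible. Keeping `notice_version` on the record lets you show which wording the person actually agreed to if the Board asks.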

In summary, your checklist is: notice, consent, limit, protect, notify. If any of these is missing or weak, you risk non-compliance; not having a notice, or relying on ambiguous consent, is itself a breach of the law. The penalties are steep: up to ₹250 crore for failing to maintain reasonable security safeguards, up to ₹200 crore for failing to notify a breach or for children’s-data violations, up to ₹150 crore for failing SDF duties, and up to ₹50 crore for other lapses. These fines dwarf anything Indian businesses paid under the older rules, so take them seriously.

Rights of Individuals (Data Principals)

Alongside business duties, the DPDP Act grants new rights to individuals whose data you process. Your business must honor these rights promptly. The core rights are:

1.    Right to Access: A user can ask you for a summary of the personal data you hold about them and of the processing you carry out on it, essentially “show me everything you have on me.” This includes the identities of all other data fiduciaries and processors with whom you have shared the data, and a description of what was shared. Practically, you need a process (a web form or a dedicated email contact) for users to make the request, and you must respond within the period you publish, which the Rules cap at 90 days. Example: if a customer asks, “What data do you have about me?”, you might send their stored profile information, a record of recent transactions or messages, and a list of the partners (payment processor, courier) the data went to and why.

2.    Right to Correction, Completion and Updating: If the personal data you hold is inaccurate, incomplete or out of date, the individual can ask you to correct, complete or update it. For example, if a customer notices a wrong birthdate or a misspelled name, they can ask you to fix it; they can also ask you to complete a missing field (a blank address, say). You must comply within the same published period (at most 90 days). In practice, provide a self-service way to do this (an account settings page) backed by a support contact.

3.    Right to Erasure: A user can ask you to erase their personal data, and you must do so unless retention is necessary for the specified purpose or for compliance with a law. Typically this arises when the data is no longer needed or the user withdraws consent. For instance, if a user cancels their subscription, they can ask you to erase their account and payment details. Respond within the published period. Separately, the Rules require certain large platforms to give at least 48 hours’ notice before erasing the data of a user who has been inactive for three years, so that the person has a chance to keep the account.

4.    Right to Grievance Redressal: Every person has the right to complain if they believe a Data Fiduciary (or Consent Manager) has violated their rights or the Act. Your business must offer a readily available grievance mechanism, for example an email address or form for complaints about misuse of their data, and must respond within the period the Rules prescribe (again capped at 90 days). The individual must exhaust this mechanism before approaching the Data Protection Board; if they remain dissatisfied, they can escalate the matter to the Board.

5.    Right to Nominate: Individuals can nominate another person to exercise these rights on their behalf in the event of their death or incapacity (a family member or lawyer, for example). This means you may receive requests from someone acting for the actual data principal, and you must treat those requests as valid once you have confirmed that a nomination is on record for that person.

For your company, the implication is clear: build user controls and processes. Let customers view and change their data (for example, in account settings) and give them clear channels for deleting accounts or withdrawing consent. Maintain a contact point (a privacy email address) for rights requests and verify the requester’s identity before releasing or changing anything; a rights portal that skips verification is an easy way for an impostor to pull or wipe someone else’s data. Handle these requests without charging a fee; the Act gives no basis for one. Finally, document every request and response, because that record is what you will show if the Data Protection Board asks about your compliance.

Cross-Border Data Transfers

Many businesses rely on international servers, outsourcing, or cloud services. How does the DPDP Act handle data leaving India? The law permits transfers outside India, but under the government’s watch. Personal data may flow to any country or territory outside India except those that the Central Government specifically restricts by notification. In other words, this is a negative list (a blacklist), not a whitelist: transfers are allowed by default unless India restricts a particular destination.

Section 16 of the Act states: “The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified.” This means that, as of now, your business can send data overseas as long as the receiving country is not on a notified restricted list. Keep an eye on new notifications; the government has said it will notify restricted destinations over time.

The Rules also tighten the position for Significant Data Fiduciaries. An SDF must ensure that personal data of the kinds the Central Government specifies (on the recommendation of a committee it constitutes), together with the traffic data pertaining to its flow, is not transferred outside India; in effect, data localisation for those categories. If your company handles critical personal data (for instance, financial or health data), also watch for sector-specific directives.

Practically, for most small to mid-size businesses, this means cross-border transfers remain possible, but you should use strong encryption and contractual safeguards when sending personal data abroad and choose data centres in stable jurisdictions. Be prepared to adjust if India notifies restrictions (for example, if transfers to a particular country one day require special permission or are disallowed). Remember that violating a transfer restriction attracts the same scale of penalties as other breaches of the Act.

Meanwhile, ensure that any overseas vendor or cloud provider you use understands Indian law. If your servers are in Singapore, Europe, or the USA, make sure they comply with the DPDP Act’s requirements (for example, by having them sign privacy clauses similar to GDPR’s Standard Contractual Clauses). With global businesses, it’s wise to align DPDP compliance with other data laws you follow, creating a unified data protection approach.

Staying Compliant: Practical Steps

To put this all together, here are some practical steps for businesses aiming to comply with the DPDP Act:

1.    Classify your data: Make a simple map of what personal data you collect, why, and where it flows. Identify whether you have any sensitive or special category data. This data inventory will guide everything else.

 

2.    Update policies and notices: Rewrite your privacy policy and consent notices in clear language. The Act lets the data principal ask for the notice and the consent request in English or in any of the languages in the Eighth Schedule to the Constitution, so translate them for the markets you serve. Ensure they cover all required points (see above) and use examples so customers really understand them.

 

3.    Consent mechanism: Audit how you obtain consent. Replace any “forced” or vague consents with affirmative checkboxes and explanatory text. Provide a way for users to withdraw consent easily (a link or setting in their profile).

 

4.    Security audit: Review your tech and physical safeguards. Use encryption for data at rest and in transit. Limit database access to essential personnel. Schedule routine security checks. Document your security measures to demonstrate reasonableness.

 

5.    Breach plan: Have a written incident response plan. Assign roles to those who will notify management, legal, affected users, and the Board. Prepare templates for the breach notices. Practise a drill so the team knows the 72-hour window for the detailed report to the Board and the “without delay” duty towards users.

 

6.    Rights handling: Set up a process for user requests. This could be a dedicated email (e.g. data@yourcompany.com) or a web portal. Train staff, so they recognize legitimate requests and know how to verify identity. Keep a log of all rights requests and responses.

 

7.    Employee training: Educate your team about the DPDP Act basics. Everyone in marketing, IT, and HR should know not to misuse personal data. Make sure employees understand phishing risks and their own privacy rights.

 

8.    Review vendor contracts: Ensure any third-party processor (like payment gateways, CRM providers) has clauses respecting DPDP standards. You remain responsible as the data fiduciary, so pick vendors that can comply. Consider adding an indemnity for data breaches.

9.    Monitor regulatory updates: The DPDP Act has rules (like DPDPR 2025) and future amendments. Stay updated on any new notifications (especially country restrictions or significant data fiduciary lists).

 

10. Seek expert help if needed: This law can be complex. If you’re unsure about certain obligations (for example, whether you’re an SDF or how to handle cross-border flows), consult a legal expert in Indian tech law. No one expects you to be perfect on day one, but demonstrating good-faith effort and a roadmap for compliance will serve you well if questions arise.
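The rights section above and step 6 here both come down to the same operational record: every request gets an identifier, a deadline derived from the period you publish (never more than 90 days), an identity check before anything is released or changed, and an audit trail. The register below is an added Python example written for this guide, not code from the Act, the Rules or any regulator; the request kinds, the 30-day published period and the sample requests are constructed.

```python
"""Register for data principal rights requests: verify, track the deadline, log.

Added example for this guide, not from the Act, the Rules or any regulator.
Request kinds, the 30-day published period and the sample requests are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

MAX_RESPONSE_DAYS = 90  # outer limit under the DPDP Rules, 2025; publish your own period within it


class Kind(Enum):
    ACCESS = "access"          # summary of data held and whom it was shared with
    CORRECTION = "correction"
    ERASURE = "erasure"
    GRIEVANCE = "grievance"


@dataclass
class RightsRequest:
    request_id: str
    kind: Kind
    principal_id: str
    received_at: datetime
    due_at: datetime
    requester_id: str                 # equals principal_id unless a nominee is acting
    verified: bool = False
    closed_at: Optional[datetime] = None
    log: list[str] = field(default_factory=list)


class RightsRegister:
    def __init__(self, published_period_days: int) -> None:
        if not 1 <= published_period_days <= MAX_RESPONSE_DAYS:
            raise ValueError(f"published response period must be 1..{MAX_RESPONSE_DAYS} days")
        self.period = timedelta(days=published_period_days)
        self._requests: dict[str, RightsRequest] = {}

    def open(self, request_id: str, kind: Kind, principal_id: str,
             received_at: datetime, requester_id: Optional[str] = None) -> RightsRequest:
        req = RightsRequest(request_id, kind, principal_id, received_at,
                            received_at + self.period, requester_id or principal_id)
        req.log.append(f"{received_at.isoformat()} opened {kind.value} by {req.requester_id}")
        self._requests[request_id] = req
        return req

    def mark_verified(self, request_id: str, method: str, at: datetime,
                      nominee_on_file: Optional[str] = None) -> None:
        """A nominee is accepted only if the principal's recorded nomination names that person."""
        req = self._requests[request_id]
        if req.requester_id != req.principal_id and nominee_on_file != req.requester_id:
            raise PermissionError("requester is neither the principal nor a recorded nominee")
        req.verified = True
        req.log.append(f"{at.isoformat()} identity verified via {method}")

    def fulfil(self, request_id: str, at: datetime, outcome: dict) -> dict:
        """Close the request. Unverified requests are refused: an open rights channel is
        otherwise a convenient way for an impostor to pull or wipe someone else's data."""
        req = self._requests[request_id]
        if not req.verified:
            raise PermissionError("identity not verified; do not release or change data")
        req.closed_at = at
        req.log.append(f"{at.isoformat()} fulfilled {req.kind.value}")
        return {"request_id": request_id, "kind": req.kind.value,
                "on_time": at <= req.due_at, "outcome": outcome}

    def overdue(self, now: datetime) -> list[str]:
        return sorted(r.request_id for r in self._requests.values()
                      if r.closed_at is None and now > r.due_at)

    def audit_trail(self, request_id: str) -> list[str]:
        return list(self._requests[request_id].log)


def demo() -> dict:
    """Constructed walk-through returning the outcomes so they can be checked."""
    reg = RightsRegister(published_period_days=30)
    t = datetime(2026, 4, 1, 10, 0, tzinfo=timezone.utc)
    out = {}
    reg.open("R-1", Kind.ACCESS, "cust-42", t)
    try:
        reg.fulfil("R-1", t + timedelta(days=1), {})
        out["unverified_blocked"] = False
    except PermissionError:
        out["unverified_blocked"] = True
    reg.mark_verified("R-1", "otp-to-registered-phone", t + timedelta(days=1))
    result = reg.fulfil("R-1", t + timedelta(days=2), {
        "profile": {"name": "A. Example", "email": "a@example.invalid"},
        "shared_with": [("payment processor", "settlement"), ("courier", "delivery")]})
    out["access_on_time"] = result["on_time"]
    reg.open("R-2", Kind.ERASURE, "cust-7", t, requester_id="nominee-9")
    try:
        reg.mark_verified("R-2", "signed-authority", t + timedelta(days=3), nominee_on_file=None)
        out["unknown_nominee_rejected"] = False
    except PermissionError:
        out["unknown_nominee_rejected"] = True
    out["overdue_at_day_31"] = reg.overdue(t + timedelta(days=31))
    return out


if __name__ == "__main__":
    print(demo())
```

The access outcome deliberately carries a `shared_with` list alongside the profile, because the Act’s access right covers the identities of the other fiduciaries and processors you shared the data with, not just the data itself. The `overdue` query is what you would wire to an alert so that nothing slips past the published period.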

By taking these steps, businesses not only comply with the law but also build customer trust. In fact, regulators and advisors (like EY) note that embedding privacy into operations can become a strategic advantage. It signals to your customers that you value their rights. Conversely, ignoring the DPDP Act risks hefty penalties (up to ₹250 Cr per violation) and serious reputational damage.

Cross-Border Data Transfers (more detail)

(If you work in a global environment, see the Cross-Border Data Transfers section above for a summary. Here is a bit more detail.)

Under the DPDP Act, the only mechanism for governing international transfers is a Central Government notification. There is no adequacy framework like the GDPR’s list of approved countries. For now, India allows transfers broadly, with the government reserving the right to restrict specific destinations. In practice:

1.    Check whether any Central Government notification under Section 16 lists restricted countries or territories. As of this writing (2026), none has been notified, but this could change, so make the check part of your vendor onboarding and periodic review.

2.    If you export personal data to other countries, use contractual safeguards (strong privacy terms in your agreements, including the security obligations the Rules require you to pass on to processors) and technical measures (encrypt data in transit and at rest, and consider keeping the encryption keys under your own control in India).

3.    For SDFs (generally large digital companies), Rule 12 of the DPDP Rules, 2025 (first proposed in the January 2025 draft) adds a further condition: an SDF must ensure that personal data the Central Government specifies, and the traffic data pertaining to its flow, is not transferred outside India. The specified categories may evolve, so be prepared for certain types of data (especially those touching sovereignty or security) to require local processing.

4.    Sectoral regulators (the RBI for banks, IRDAI for insurers) may impose additional cross-border requirements. If your data is regulated (for example, payment data under the RBI’s storage norms), follow those rules too.

In summary, you must keep data flows transparent and defensible. If your cloud is in the EU or USA, there’s no immediate conflict, but maintain records of where data goes and be ready to explain your measures. Avoid transferring unique Indian identifiers (like Aadhaar numbers) to foreign entities unless they are absolutely necessary and legal. For a more detailed understanding of how international data protection laws impact businesses outside Europe, you can also read our guide on whether GDPR applies to non-EU businesses
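The negative-list model, the SDF localisation rule and the practical safeguards above can be encoded as a single policy check that runs before any export job, so that a new restriction notification becomes a one-line change rather than a hunt through integrations. The following Python example is added for this guide and is not from the Act, the Rules or any regulator. The restricted destination "ZZ" (an ISO 3166 user-assigned code, so not a real country) stands in for a hypothetical Section 16 notification, the localised category names are invented, and the contract, encryption and sign-off checks are this example’s own controls, not statutory requirements.

```python
"""Cross-border transfer guard for the DPDP Act's negative-list model.

Added example for this guide, not from the Act, the Rules or any regulator.
"ZZ" (an ISO 3166 user-assigned code, not a real country) stands in for a
hypothetical Section 16 restriction notification; localised category names and
the contract/encryption/sign-off checks are this example's own policy choices.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TransferPolicy:
    restricted_destinations: frozenset = frozenset()           # Section 16 notifications (negative list)
    is_significant_fiduciary: bool = False
    localised_categories: frozenset = frozenset()              # Rule 12 categories that must stay in India (SDFs)
    high_risk_identifiers: frozenset = frozenset({"aadhaar"})  # export only with documented necessity


@dataclass(frozen=True)
class TransferRequest:
    destination: str            # ISO 3166-1 alpha-2 code of the receiving country
    categories: frozenset       # what is being sent, e.g. {"email", "kyc_records"}
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    processor_contract: bool    # recipient contractually bound to DPDP safeguards
    necessity_signoff: bool = False


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(policy: TransferPolicy, req: TransferRequest) -> Decision:
    """Allow by default; block on a notified restriction, an SDF localisation rule,
    or a missing safeguard. Every blocker is reported so the reviewer sees all of them."""
    if req.destination == "IN":
        return Decision(True, ["domestic processing; Section 16 does not apply"])
    blockers = []
    if req.destination in policy.restricted_destinations:
        blockers.append(f"{req.destination} is on a Section 16 restriction notification")
    if policy.is_significant_fiduciary:
        held = sorted(req.categories & policy.localised_categories)
        if held:
            blockers.append(f"SDF localisation: {held} (and their traffic data) may not leave India")
    if not req.processor_contract:
        blockers.append("no contract binding the overseas recipient to DPDP safeguards")
    if not (req.encrypted_in_transit and req.encrypted_at_rest):
        blockers.append("personal data must be encrypted in transit and at rest before export")
    risky = sorted(req.categories & policy.high_risk_identifiers)
    if risky and not req.necessity_signoff:
        blockers.append(f"{risky} may be exported only with a documented necessity sign-off")
    if blockers:
        return Decision(False, blockers)
    return Decision(True, ["no notified restriction applies; transfer permitted with safeguards"])


def demo() -> dict:
    """Constructed scenarios; returns allowed/blocked per case so they can be checked."""
    policy = TransferPolicy(restricted_destinations=frozenset({"ZZ"}))
    sdf = TransferPolicy(is_significant_fiduciary=True,
                         localised_categories=frozenset({"kyc_records"}))
    safe = dict(encrypted_in_transit=True, encrypted_at_rest=True, processor_contract=True)
    return {
        "eu_marketing_list": evaluate(policy, TransferRequest("DE", frozenset({"email"}), **safe)).allowed,
        "restricted_destination": evaluate(policy, TransferRequest("ZZ", frozenset({"email"}), **safe)).allowed,
        "sdf_kyc_to_sg": evaluate(sdf, TransferRequest("SG", frozenset({"kyc_records"}), **safe)).allowed,
        "aadhaar_without_signoff": evaluate(policy, TransferRequest("US", frozenset({"aadhaar"}), **safe)).allowed,
        "no_contract": evaluate(policy, TransferRequest("US", frozenset({"email"}), True, True, False)).allowed,
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

Note the ordering of the checks: the destination test comes first because it is the only one the Act itself imposes on every fiduciary; the rest are controls you choose to layer on. When the government does notify a destination, updating `restricted_destinations` from that notification is the whole change.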

The Bottom Line

The DPDP Act is a major shift in India’s legal landscape. For businesses, it means adopting a privacy-first mindset across all operations that touch personal data. Think of it as a roadmap to data responsibility: clear notice, solid consent, minimal collection, firm security, and respect for user rights. If you follow these principles, you’ll not only avoid legal trouble (like fines up to ₹250 crore) but also earn customer trust a crucial asset in a competitive market.

No one expects perfection overnight. The Rules commence in phases, and the Act lets the Central Government exempt startups and other notified classes of data fiduciary from certain provisions. What matters is progress and documentation. Conduct a data protection audit, prioritise the gaps, and fix them methodically. When the Data Protection Board asks about your compliance, records of your efforts will go a long way.

Finally, remember that this guide is for general understanding. Every business is unique. If you have complex questions, say about a novel technology or a large-scale data initiative, consider seeking professional legal advice; SolvLegal can help you with it. Privacy is now a boardroom topic, not just an IT issue. By taking DPDP compliance seriously, your business can turn a potential headache into an opportunity: better data governance, lower risk, and a visible signal to customers that you care about their privacy. Keep your policies updated, your staff educated and your systems secure, and the DPDP Act can become a catalyst for stronger practices and greater digital trust.

 

 

FAQs

1. What is the Digital Personal Data Protection Act, 2023?

 The DPDP Act, 2023 is India’s law for the processing of digital personal data. It is built around lawful processing, individual rights, and business accountability. The Government later notified the DPDP Rules, 2025 on 14 November 2025, which marked the full operationalisation of the framework.

2. Does the DPDP Act apply to all businesses in India?

 It applies to the processing of digital personal data within India, including data first collected in digital form or digitised later. It also applies outside India when the processing is connected with offering goods or services to people in India.

3. Does the DPDP Act apply to foreign companies?

 Yes, if a foreign company processes digital personal data in connection with offering goods or services to people in India, the Act can apply to it as well. That makes cross-border compliance important for SaaS, e-commerce, fintech, and cloud-based businesses.

4. What is “personal data” under the DPDP Act?

 Personal data means data about an identifiable individual. The Act uses the term in the context of digital personal data, so businesses should treat any data that identifies or can identify a person with care.

5. What are the main consent requirements under the DPDP Act?

 Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action. The notice must explain what data is being collected and why, how to withdraw consent and exercise rights, and how to complain to the Data Protection Board. Consent can be withdrawn at any time, and withdrawing must be as easy as giving it; after withdrawal the business must stop processing unless another legal basis applies.

 

6. Does the DPDP Act allow cross-border data transfers?

 Yes, but with a government-controlled restriction model. Section 16 says the Central Government may notify countries or territories to which transfer is restricted. Until such restrictions are notified, businesses should still track where data goes and keep vendor and transfer controls in place.

RELATED ARTICLES

1.    India’s New DPDP Rules Explained: What Startups and SMEs Must Do in the Next 18 Months

 

2.    Have EU Customers? Why GDPR Applies to Your Business and How to Comply Without Overcomplicating It (2026 Guide)

 

3.    How to Comply with the DPDP Act in India: A Practical Checklist for Startups and Businesses

 

DISCLAIMER

The information provided in this article is for general educational purposes and does not constitute legal advice. Readers are encouraged to seek professional counsel before acting on any information herein. SolvLegal and the author disclaims any liability arising from reliance on this content.

 

 

About the Author: SolvLegal Team

The SolvLegal Team is a collective of legal professionals dedicated to making legal information accessible and easy to understand. We provide expert advice and insights to help you navigate the complexities of the law with confidence.
