DPDP Act 2023: What Indian Companies Must Do Before Enforcement
The Digital Personal Data Protection Act, 2023 is now law. The DPDP Rules 2025 were notified in November 2025. Enforcement is rolling out in phases — some provisions are already live, and the final deadline is May 2027.
If your organisation processes digital personal data of anyone in India, this law applies to you. Here is what you need to know and what you need to do.
Who Does the DPDP Act Apply To?
The Act applies to any organisation that processes digital personal data within India. It also has extraterritorial reach — if your company is based outside India but offers goods or services to people in India and collects their data, you are covered.
"Processing" under the DPDP Act is defined broadly. It includes collection, storage, use, sharing, disclosure, and deletion — essentially anything you do with personal data in digital form.
Two narrow exemptions exist:
- Personal use: An individual maintaining a personal contact list is not covered.
- Public data: Data someone has voluntarily made publicly available (e.g., on social media) is exempt.
Everyone else — startups, enterprises, government bodies, foreign companies serving Indian users — falls under the Act.
The Key Roles You Need to Understand
The DPDP Act defines specific roles that carry specific obligations:
- Data Fiduciary: Your organisation, if it decides why and how personal data is processed. Most companies reading this are Data Fiduciaries.
- Data Principal: The individual whose data you process — your customers, employees, users.
- Data Processor: Any third party that processes data on your behalf — cloud providers, payroll vendors, analytics platforms.
- Significant Data Fiduciary: A Data Fiduciary designated by the Central Government based on data volume, sensitivity, or risk. If designated, you face additional obligations including appointing a Data Protection Officer and conducting periodic audits.
Key Takeaway
If your company determines why and how personal data is processed, you are a Data Fiduciary under the DPDP Act. This is not optional — it is a legal classification that carries enforceable obligations.
What the DPDP Act Requires You to Do
1. Obtain Valid Consent
Before processing anyone's personal data, you must obtain free, specific, informed, unconditional, and unambiguous consent. The Act requires you to:
- Provide a clear notice in plain language explaining what data you are collecting, why, and how it will be used
- Make the notice available in English and all 22 languages listed in the Eighth Schedule of the Constitution
- Allow consent to be withdrawn as easily as it was given
- Not bundle consent — each purpose needs separate consent
If you already hold personal data collected before the Act came into force, you must issue a retrospective notice to all affected Data Principals.
2. Process Data Only for the Stated Purpose
Data collected for one purpose cannot be repurposed for another without fresh consent. If you collected email addresses for order confirmations, you cannot use them for marketing without separate consent. Once the stated purpose is fulfilled, you must delete the data unless retention is required by law.
3. Ensure Data Accuracy and Completeness
When your processing decisions affect the Data Principal — or when you share data with another Data Fiduciary — you must make reasonable efforts to ensure the data is complete, accurate, and consistent. Outdated or incorrect data that leads to harm creates liability.
4. Implement Reasonable Security Safeguards
Section 8(5) requires you to protect personal data by implementing reasonable security safeguards to prevent breaches. The Act does not prescribe specific technologies, but "reasonable" means appropriate to the nature and volume of data you handle.
Failure to implement reasonable security safeguards carries the highest penalty under the Act — up to ₹250 crore. This is not a secondary obligation. It is the single most expensive compliance failure possible.
5. Report Data Breaches
If a personal data breach occurs, you must notify both the Data Protection Board of India and every affected Data Principal in the manner and timeframe prescribed by the Rules. You cannot hide breaches or delay notification.
6. Respect Data Principal Rights
Data Principals have four statutory rights under the Act:
- Right to access: They can request a summary of their personal data and a list of all Data Fiduciaries and Data Processors it has been shared with.
- Right to correction and erasure: They can request correction of inaccurate data or deletion of data that is no longer necessary for the stated purpose.
- Right to grievance redressal: You must provide a mechanism for complaints, and respond within the timeframe specified by the Rules.
- Right to nominate: Data Principals can nominate someone to exercise their rights in case of death or incapacity.
7. Manage Your Data Processors
If you use third-party processors (cloud hosting, analytics, payroll), you remain responsible for how they handle personal data. You must have a valid contract in place, and you must ensure they implement adequate security safeguards.
8. Handle Children's Data with Extra Care
If you process data of anyone under 18, you must obtain verifiable parental consent before processing. You are also prohibited from processing children's data in any manner that could cause them harm. Targeted advertising directed at children is explicitly banned.
EdTech and Children's Data
If your organisation operates in the education technology space, pay close attention to Section 9. The Act treats all data of individuals under 18 as requiring parental consent — this applies to school management systems, learning platforms, and any app used by minors.
The Enforcement Timeline
The DPDP Act is being enforced in phases. Not everything kicks in at once — but the clock is ticking:
| Phase | Provisions | Effective |
|---|---|---|
| Phase 1 | Core definitions, Data Protection Board establishment, government powers | Already in force |
| Phase 2 | Data Fiduciary obligations, Data Principal rights, consent requirements | Rolling out 2026 |
| Phase 3 | Full enforcement including penalties, Significant Data Fiduciary obligations | By May 2027 |
The important point: the May 2027 deadline is when penalty provisions become fully operational. Organisations found in breach after that date face monetary penalties from the Data Protection Board.
The Penalty Structure
The penalties are significant and designed to deter non-compliance:
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore |
| Failure to notify Board and Data Principals of a breach | ₹200 crore |
| Breach of children's data obligations | ₹200 crore |
| Breach of Significant Data Fiduciary obligations | ₹150 crore |
| Any other breach of the Act or Rules | ₹50 crore |
| Data Principal filing a false complaint | ₹10,000 |
The Board determines the actual penalty based on seven factors: nature and gravity of the breach, type of data affected, whether the breach is repetitive, any gain or loss involved, mitigation steps taken, proportionality, and impact on the person. The Central Government can increase these maximum penalties by up to 2x through notification.
Key Takeaway
The ₹250 crore maximum for security safeguard failures is not theoretical. The Data Protection Board is being established as a digital-first body with civil court powers. Repeat offenders face an additional risk: the Board can advise the government to block public access to their services in India.
Legitimate Uses: When You Don't Need Consent
Not every type of processing requires consent. Section 7 defines certain legitimate uses where processing is lawful without consent:
- Voluntary provision: When a Data Principal voluntarily provides data for a specific purpose (e.g., filling out a form) and has not withdrawn consent
- State functions: Processing necessary for government subsidies, benefits, services, licences, or permits
- Court orders: Compliance with a judgement or court order
- Medical emergencies: Processing necessary to respond to a threat to life or health
- Employment: Processing necessary for employment-related purposes (salary, attendance, benefits)
- Public interest: Processing in the interest of sovereignty, security, or to prevent offences
These are narrowly defined. Do not treat them as blanket exemptions — each has specific conditions that must be met.
Your Practical Compliance Roadmap
Here is what to do, in order of priority:
Immediate (Start Now)
- Audit your data: Map every category of personal data you collect, why you collect it, where it is stored, who it is shared with, and how long you retain it.
- Review consent mechanisms: Ensure your consent flows meet the Act's requirements — free, specific, informed, unconditional, unambiguous, and withdrawable.
- Update privacy notices: Rewrite your privacy policy in plain language. It must explain what data you collect, why, who you share it with, and how to exercise data rights.
Short Term (Next 3-6 Months)
- Implement security safeguards: Review your technical security measures — encryption, access controls, monitoring, incident response. Given that the highest penalty is for security failures, this deserves proportionate investment.
- Set up breach notification procedures: Define who reports what, to whom, and when. You need both internal escalation paths and external notification templates ready before a breach happens.
- Establish a grievance mechanism: Data Principals need a way to contact you about their rights. Set up a dedicated channel and define response timelines.
Before Full Enforcement (By May 2027)
- Review all processor contracts: Ensure every third party that handles personal data on your behalf has appropriate contractual obligations and security commitments.
- Handle legacy data: Issue retrospective notices for personal data collected before the Act came into force. If you cannot justify the continued processing of that data, delete it.
- Train your team: Ensure that employees who handle personal data understand their obligations under the Act. This is especially important for customer-facing, HR, and IT teams.
What Happens If You Don't Comply
Beyond financial penalties, the DPDP Act creates three additional consequences for non-compliance:
- Blocking orders: If the Board penalises you two or more times, it can advise the Central Government to block public access to your services in India. For digital businesses, this is an existential threat.
- Reputational damage: Board proceedings are digital and decisions are public. A penalty order from the Data Protection Board becomes a matter of public record.
- Criminal liability under other laws: The DPDP Act operates in addition to other Indian laws. A data breach could simultaneously trigger liability under the IT Act, sector-specific regulations, and contractual obligations.
The Bottom Line
The DPDP Act 2023 is not a future concern — it is current law being enforced in phases. The organisations that start compliance work now will have a structural advantage over those scrambling before the May 2027 deadline.
The Act is not unreasonably complex. It creates clear roles (Data Fiduciary, Data Principal, Data Processor), clear obligations (consent, purpose limitation, security, breach notification), and clear consequences (penalties up to ₹250 crore, service blocking).
Start with a data audit. Fix your consent mechanisms. Invest in security. Everything else follows from those three foundations.
For a complete section-by-section breakdown of the Act and Rules, see our DPDP Act 2023 — Complete Guide in Plain English.