The definitive reference guide to understanding India's Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025
India's first comprehensive data protection legislation
Rights-based framework centered on "Data Principals" (individuals)
Regulates "Data Fiduciaries" (organizations processing personal data)
Establishes Data Protection Board of India as regulatory authority
Applies to both digital and digitized personal data
Not a direct copy of GDPR—India's framework is distinct
Not retroactive—applies to processing after enforcement date
Not applicable to personal data outside India's jurisdiction
Not a general data governance or cybersecurity law
Not sector-specific—applies across all industries
What most organizations misunderstand about DPDPA compliance
"DPDPA is just GDPR for India"
While influenced by GDPR, DPDPA has distinct features including narrower consent requirements, different breach notification timelines, and unique concepts like "Consent Manager" and "Significant Data Fiduciary."
"Consent is always required for data processing"
DPDPA allows processing without consent under specific grounds including "legitimate uses" (employer-employee relationships, compliance with law, medical emergencies, etc.). Section 7 lists 15 exemptions.
"Zero data retention = compliance"
DPDPA requires retention only as long as necessary for lawful purposes. Immediate deletion may violate tax laws (7 years), labor laws (varies), or contractual obligations. Balance is key.
"DPIA is mandatory for everyone"
DPIA (Data Protection Impact Assessment) is mandatory only for: (1) Large-scale processing, (2) Sensitive personal data, (3) Profiling or tracking, (4) When specifically notified by the Board.
"Small businesses are exempt"
No blanket exemption exists. All Data Fiduciaries must comply. However, the Board may notify exemptions for small entities processing limited data volumes (not yet specified).
"Data localization is mandatory"
DPDPA does NOT mandate data localization. Cross-border transfers are allowed to notified countries or with consent. This is a major departure from earlier drafts and GDPR's approach.
Applicability and jurisdiction of the Digital Personal Data Protection Act
Processing personal data of individuals in India
Examples:
Offering goods/services to individuals in India or profiling Indians
Examples:
Processing data on behalf of Data Fiduciaries
Examples:
Personal or domestic purposes
Examples:
What is actually enforced vs. future-facing requirements
November 2025 onwards
DPDP Rules 2025 in effect
Data Protection Board being constituted
Compliance obligations enforceable
Organizations must implement frameworks
Q1-Q2 2026 (Expected)
Data Protection Board fully operational
Consent Manager framework specifications
SDF (Significant Data Fiduciary) notifications
Sector-specific guidance expected
2026-2027 (Projected)
Active enforcement and audits begin
First penalties and compliance orders
Case law development
Industry practice standardization
Understanding the difference between mandatory obligations, regulatory expectations, and voluntary best practices
Legal Obligation: Requirements under DPDPA 2023, DPDP Rules 2025, or other binding Indian legislation. Non-compliance can result in penalties.
Examples: Consent requirements (Section 6), Data breach notification (Rule XX), Data retention limits
Regulatory Expectations: MeitY guidance, international norms (GDPR, ISO 27701), or industry-standard practices referenced by regulators.
Examples: Privacy by design principles, cross-border transfer safeguards, vendor due diligence
Industry Excellence: ISO, NIST, or globally recognized standards that exceed statutory minimums. Demonstrates leadership in data protection.
Examples: Automated consent dashboards, real-time audit logging, proactive privacy impact assessments
Note: This classification helps distinguish what you must do from what you should do. Most Indian DPDPA content fails to make this critical distinction. Use this legend to assess priorities and resource allocation.