Everything Indian enterprises need to know about the DPDP Act.
15 areas. 90 days. One source of truth.
A practical guide covering all 15 obligation areas, penalties up to ₹250 Cr, a 90-day compliance roadmap, and how DPDP differs from GDPR.
What is the DPDP Act?
And who needs to comply.
India's primary data protection law, in plain English — what it requires, who it applies to, and how it's enforced.
India's primary data protection law.
Enacted in August 2023, the Digital Personal Data Protection Act governs how organisations collect, process, store, and delete digital personal data of Indian residents.
ROLE 01
Data Fiduciary
Organisations that decide why and how personal data is processed.
ROLE 02
Data Principal
Individuals whose data is collected, processed, or stored.
ENFORCEMENT
Enforced by the Data Protection Board of India (DPBI), with authority to investigate, adjudicate, and impose penalties.
MAX PENALTY
₹250 Cr per violation — board-level priority for any Indian fiduciary.
Any organisation processing data of Indian residents.
Regardless of where your organisation is headquartered.
- Indian companies processing customer, employee, or partner data digitally
- Foreign companies offering goods or services to Indian residents
- Banks, NBFCs, insurance firms, and other BFSI entities
- Healthcare providers and healthtech platforms
- E-commerce, retail, and logistics companies
- SaaS and technology platforms with Indian users
Organisations designated as Significant Data Fiduciaries (SDFs) face additional duties: a mandatory DPO, periodic DPIAs, external audits, and potential data localisation.
15 obligations, grouped into 4 pillars.
Don't read 15 cards in a row. Read 4 pillars first — see how your work splits. Then drill into the obligations that affect you.
PILLAR I
Foundation
Governance & Accountability
Appoint responsible persons, establish policies, maintain records of processing.
Notice & Consent
Clear privacy notices; free, specific, informed, unconditional, unambiguous consent.
Significant Data Fiduciary obligations
If designated as SDF: mandatory DPO, DPIA, periodic audits, data localisation.
PILLAR II
Data Lifecycle
Data Discovery & Inventory
Map all personal data flows, classify by sensitivity, maintain inventory.
Security Safeguards
Technical and organisational measures to prevent unauthorised access.
Retention & Erasure
Erase when purpose ends or consent withdrawn; implement automated schedules.
Personal Data Breach Management
Detect, contain, and notify the DPB and affected principals promptly.
Cross-Border Data Transfers
Transfers permitted unless restricted by Central Government order (Rule 15); SDFs may face localisation of specified data (Rule 13(4)).
PILLAR III
Rights & People
Data Principal Rights
Enable access, correction, erasure, grievance within SLAs (15–30 days).
Children & Persons with Disabilities
Verifiable parental consent for minors; avoid processing that harms children.
Processor & Vendor Management
Conduct due diligence; bind processors via Data Processing Agreements.
Grievance Redressal
Publish a grievance mechanism and resolve complaints within 90 days (DPDP Rules, 2025, Rule 14(3)).
PILLAR IV
Operations
Exemptions & Special Cases
Understand exemptions for national security, research, legitimate uses.
Enforcement & Penalties
Understand DPB adjudication, appeal processes, penalty schedules.
Monitoring & Continuous Improvement
Maintain a compliance calendar; conduct periodic internal audits.
What it costs to get it wrong.
The Data Protection Board of India can impose substantial penalties, capped separately for each violation type.
Maximum penalties by category (violation types):
- Inadequate security safeguards leading to a personal data breach
- Failure to notify the Board of a breach
- Non-compliance with children's data obligations
- Non-compliance with additional SDF obligations
- Non-compliance with other provisions of the Act
- Obstruction of the Board's functions
The Board also has powers to direct Data Fiduciaries to delete personal data, block non-compliant services, and refer egregious cases for criminal prosecution.
From sign-off to compliant — in 90 days.
A practical plan in three phases and fourteen tasks. Each phase builds on the last.
DAYS 1–30
Assess & Discover
Find out where you stand.
- Complete the DPDP self-assessment across all 15 areas
- Map all personal data flows and processing activities
- Identify high-risk processing and SDF exposure
- Appoint a Grievance Officer (mandatory for all fiduciaries)
DAYS 31–60
Design & Build
Put the rails in place.
- Draft and publish DPDP-compliant privacy notices
- Implement consent management (collect, record, withdraw)
- Build data principal rights workflows (access, erasure, correction)
- Update vendor agreements with DPA clauses
DAYS 61–90
Test & Operate
Prove it works under audit.
- Run breach detection and notification playbook tabletop
- Implement data retention schedules and erasure automation
- Conduct internal audit with findings tracking
- Train staff on DPDP obligations and incident response
Need help with your roadmap?
Sammati provides end-to-end DPDP advisory — legal, operational, and technical — in one engagement.
Already GDPR-compliant? Here's what changes under DPDP.
Most Indian organisations have GDPR-aligned processes. The table below shows where DPDP follows the same shape — and where you'll need new work.
| Area | DPDP vs GDPR | DPDP | GDPR |
|---|---|---|---|
| DPO Requirement | ↓ Looser | Only for Significant Data Fiduciaries | Broader — for public bodies and large-scale processing |
| DPIA Requirement | ↓ Looser | Required only for SDFs | Required for high-risk processing by all controllers |
| Maximum Penalty | ≠ Different | ₹250 Cr per breach | 4% of global turnover or €20M, whichever is higher |
| Data Localisation | ↑ Stricter | Possible for SDFs via Central Govt notification | No explicit data localisation requirement |
| Right to Portability | ↓ Looser | Not explicitly included | Explicitly included |
| Automated Decisions | ↓ Looser | Not explicitly covered | Article 22 — explicit protections |
| Consent Standard | ↑ Stricter | Free, specific, informed, unconditional, unambiguous | Freely given, specific, informed, unambiguous |
| Children's Data | ↑ Stricter | Verifiable parental consent; age threshold TBD | Age 16 (or lower by member state); parental consent |
Questions teams ask us most.
The Digital Personal Data Protection Act, 2023 is India's primary data protection law, enacted in August 2023. It governs how organisations collect, process, store, and delete digital personal data of Indian residents. It establishes rights for data principals (individuals) and obligations for data fiduciaries (organisations processing data).
Latest insights
DPDP for Healthcare and Healthtech: Consent, Sensitive Data and Sector Rules
How the DPDP Act applies to patient data: why there is no separate "sensitive data" tier, how medical-emergency processing works, and how sector rules interact.
DPDP Compliance for SaaS Companies and Startups in India
Are you a Data Fiduciary or a Processor? How DPDP applies to B2B SaaS — DPAs with sub-processors, consent for product analytics, and handling customer data.
DPDP Compliance for D2C and E-commerce Brands in India
Consent at signup and checkout, unbundled marketing consent, the age-determination problem for OTP signups, and tracking consent — DPDP for D2C and e-commerce.
62 questions. Twelve minutes. Your score, today.
The free DPDP self-assessment covers all 15 obligation areas. Get a defensible readiness score and a ranked list of your top priority gaps — no email required to view results.