Everything Indian enterprises need to know about the DPDP Act.
15 areas. 90 days. One source of truth.
A practical guide covering all 15 obligation areas, penalties up to ₹250 Cr, a 90-day compliance roadmap, and how DPDP differs from GDPR.
What is the DPDP Act? And who needs to comply.
India's primary data protection law, in plain English — what it requires, who it applies to, and how it's enforced.
India's primary data protection law.
Enacted in August 2023, the Digital Personal Data Protection Act governs how organisations collect, process, store, and delete digital personal data of Indian residents.
Data Fiduciary
Organisations that decide why and how personal data is processed.
Data Principal
Individuals whose data is collected, processed, or stored.
Enforced by the Data Protection Board of India (DPBI), with authority to investigate, adjudicate, and impose penalties.
Any organisation processing data of Indian residents.
Regardless of where your organisation is headquartered.
- Indian companies processing customer, employee, or partner data digitally
- Foreign companies offering goods or services to Indian residents
- Banks, NBFCs, insurance firms, and other BFSI entities
- Healthcare providers and healthtech platforms
- E-commerce, retail, and logistics companies
- SaaS and technology platforms with Indian users
Significant Data Fiduciaries (SDFs)
Additional obligations: organisations designated as SDFs face additional duties, namely a mandatory DPO, periodic DPIAs, external audits, and potential data localisation.
15 obligations, grouped into 4 pillars.
Don't read 15 cards in a row. Read 4 pillars first — see how your work splits. Then drill into the obligations that affect you.
Governance & Accountability
Appoint responsible persons, establish policies, maintain records of processing.
Notice & Consent
Clear privacy notices; free, specific, informed, unconditional, unambiguous consent.
Significant Data Fiduciary obligations
If designated as SDF: mandatory DPO, DPIA, periodic audits, data localisation.
Data Discovery & Inventory
Map all personal data flows, classify by sensitivity, maintain inventory.
Security Safeguards
Technical and organisational measures to prevent unauthorised access.
Retention & Erasure
Erase when purpose ends or consent withdrawn; implement automated schedules.
Personal Data Breach Management
Detect, contain, and notify the DPB and affected principals promptly.
Cross-Border Data Transfers
Transfers permitted unless restricted by Central Government order (Rule 15); SDFs may face localisation of specified data (Rule 13(4)).
Data Principal Rights
Enable access, correction, erasure and grievance. Grievance redressal within ≤90 days (Rule 14(3)); set your own SLA for the others.
Children & Persons with Disabilities
Verifiable parental consent for minors; avoid processing that harms children.
Processor & Vendor Management
Conduct due diligence; bind processors via Data Processing Agreements.
Grievance Redressal
Publish a grievance mechanism and resolve complaints within ≤90 days (Rule 14(3)).
Exemptions & Special Cases
Understand exemptions for national security, research, legitimate uses.
Enforcement & Penalties
Understand DPB adjudication, appeal processes, penalty schedules.
Monitoring & Continuous Improvement
Maintain a compliance calendar; conduct periodic internal audits.
Map your organisation against all 15 areas with our free DPDP self-assessment.
What it costs to get it wrong.
The Data Protection Board of India can impose substantial penalties. The chart on this page scales a bar to the maximum penalty for each violation type; the categories it covers are listed below.
Maximum penalties by category
- Inadequate security safeguards leading to a personal data breach
- Failure to notify the Board of a breach
- Non-compliance with children's data obligations
- Non-compliance with additional SDF obligations
- Non-compliance with other provisions of the Act
- Obstruction of the Board's functions
The Board also has powers to direct Data Fiduciaries to delete personal data, block non-compliant services, and refer egregious cases for criminal prosecution.
From sign-off to compliant — in 90 days.
A practical three-phase plan. Three phases, fourteen tasks. Each phase builds on the last.
- Phase 1: Find out where you stand.
- Phase 2: Put the rails in place.
- Phase 3: Prove it works under audit.
Need help with your roadmap?
Sammati provides end-to-end DPDP advisory — legal, operational, and technical — in one engagement.
Already GDPR-compliant? Here's what changes under DPDP.
Most Indian organisations have GDPR-aligned processes. The table below shows where DPDP follows the same shape — and where you'll need new work.
| Topic | DPDP vs GDPR | DPDP Act, 2023 (India) | GDPR (EU) |
|---|---|---|---|
| DPO Requirement | ↓ Looser | Only for Significant Data Fiduciaries | Broader: for public bodies and large-scale processing |
| DPIA Requirement | ↓ Looser | Required only for SDFs | Required for high-risk processing by all controllers |
| Maximum Penalty | ≠ Different | ₹250 Cr per breach | 4% global turnover or €20M, whichever is higher |
| Data Localisation | ↑ Stricter | Possible for SDFs via Central Govt notification | No explicit data localisation requirement |
| Right to Portability | ↓ Looser | Not explicitly included | Explicitly included |
| Automated Decisions | ↓ Looser | Not explicitly covered | Article 22: explicit protections |
| Consent Standard | ↑ Stricter | Free, specific, informed, unconditional, unambiguous | Freely given, specific, informed, unambiguous |
| Children's Data | ↑ Stricter | Verifiable parental consent; age threshold TBD | Age 16 (or lower by member state); parental consent |
Frequently asked questions
What is the DPDP Act 2023?
The Digital Personal Data Protection Act, 2023 is India's primary data protection law, enacted in August 2023. It governs how organisations collect, process, store, and delete digital personal data of Indian residents.
Who must comply with the DPDP Act?
Any organisation (Data Fiduciary) that processes digital personal data of individuals in India must comply, regardless of where the organisation is headquartered.
What is the maximum penalty under the DPDP Act?
The DPDP Act prescribes penalties up to ₹250 crore per breach, imposed by the Data Protection Board of India.
Is a Data Protection Officer (DPO) mandatory under the DPDP Act?
A DPO is mandatory only for Significant Data Fiduciaries (SDFs). Other Data Fiduciaries must appoint a grievance officer.
What are the 15 DPDP obligation areas?
The 15 obligation areas are: 1) Governance & Accountability, 2) Data Discovery & Inventory, 3) Notice & Consent, 4) Data Principal Rights, 5) Children & Persons with Disabilities, 6) Security Safeguards, 7) Processor & Vendor Management, 8) Personal Data Breach Management, 9) Retention & Erasure, 10) Cross-Border Data Transfers, 11) Significant Data Fiduciary obligations, 12) Grievance Redressal, 13) Exemptions & Special Cases, 14) Enforcement & Penalties, 15) Monitoring & Continuous Improvement.
How is the DPDP Act different from GDPR?
Key differences include DPO scope, DPIA requirements, penalty structure (₹250 crore vs 4% global turnover), data localisation rules, right to portability, automated decision-making, consent standard (DPDP adds 'unconditional'), and children's data protections.
What is a Significant Data Fiduciary under DPDP?
A Significant Data Fiduciary (SDF) is an organisation designated by the Central Government based on volume and sensitivity of data processed, risk to data principals, and national security implications. SDFs face additional obligations: mandatory DPO, periodic audits, DPIAs, and data localisation requirements.
Find out your DPDP readiness score.
Take the free self-assessment — 62 questions across all 15 obligation areas. Get your score and top priority gaps in under 12 minutes.