DPDPA 2023 Compliance Guide India

What Is DPDPA?

India's Data Privacy Law

The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection legislation, enacted in August 2023. It governs the processing of digital personal data of individuals (Data Principals) in India.

The Act applies to any entity (Data Fiduciary) that collects, stores, or processes personal data of Indian residents — whether the processing occurs within or outside India.

Non-compliance can attract penalties up to ₹250 crore (approx. USD 30 million). Rules and enforcement mechanisms are being progressively notified through 2025–26.

Get DPDPA Ready → Compliance Services

Key Facts

Enacted: August 2023 (Digital Personal Data Protection Act 2023)
Applies to digital personal data of Indian residents
Extra-territorial scope — applies to overseas processing of Indian data
Maximum penalty: ₹250 crore per instance of breach
Establishes Data Protection Board of India
Rules being progressively notified in 2025–26

Key Obligations

Data Fiduciary Obligations

What your organisation must do to comply with DPDPA.

Consent Management

Obtain free, specific, informed, and unconditional consent before processing personal data. Provide clear notice of purposes.

Purpose Limitation

Process personal data only for the specific purpose for which consent was obtained. No secondary use without fresh consent.

Data Security

Implement reasonable technical and organisational security safeguards to prevent personal data breaches.

Breach Notification

Notify the Data Protection Board and affected Data Principals in the event of a personal data breach — promptly.

Data Erasure

Erase personal data once the purpose is fulfilled or upon withdrawal of consent by the Data Principal.

Children's Data

Obtain verifiable parental consent before processing personal data of children under 18. Prohibit profiling and targeted advertising to children.

Rights

Data Principal Rights

Rights granted to individuals whose data you process.

Right to Information

Right to know what personal data is being processed and for what purpose.

Right to Correction & Erasure

Right to correct inaccurate data and request erasure when processing purpose is fulfilled.

Right to Withdraw Consent

Right to withdraw consent at any time, with the same ease as it was given.

Right to Grievance Redressal

Right to seek redressal of grievances from the Data Fiduciary and Data Protection Board.

How We Help

Dravincon's DPDPA Readiness Programme

Our structured DPDPA compliance programme takes you from awareness to full readiness, covering all obligations under the Act and its Rules.

Data Mapping & Inventory

Identify all personal data processed, its flow, storage, and sharing across your organisation.

Gap Assessment

Benchmark current practices against DPDPA obligations and identify compliance gaps.

Consent & Notice Framework

Design and implement compliant consent flows, privacy notices, and purpose registries.

Technical Controls

Implement security measures, breach detection, and incident response for personal data.

Policies & Training

Develop DPDPA-aligned policies and train staff on data protection obligations.

Penalties Under DPDPA

Failure to implement security safeguards: Up to ₹250 crore
Failure to notify breach: Up to ₹200 crore
Breach of children's data obligations: Up to ₹200 crore
Non-fulfilment of additional obligations: Up to ₹150 crore
Breach of voluntary undertaking: Up to ₹10,000

* Penalties are per instance. Significant Fiduciaries face enhanced obligations.

ISO 27001 + DPDPA

Achieving ISO 27001 certification provides a strong foundation for DPDPA compliance — the security controls in Annex A map directly to DPDPA's security obligations. Dravincon can help you pursue both simultaneously for maximum efficiency.

India's Digital Personal Data Protection Act