MeitY · Data Privacy

Digital Personal Data Protection Act 2023

The Digital Personal Data Protection Act 2023 establishes a comprehensive framework for the lawful processing of digital personal data, recognizing individuals' rights and the obligations of data fiduciaries, with rules notified progressively through 2024-2025.

Framework overview

The Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent in August 2023 and establishes a consent-based framework for processing digital personal data. It creates the Data Protection Board of India as the adjudicating authority, requires Data Fiduciaries to implement reasonable security safeguards, and grants Digital Nagariks seven specific rights, including the rights to correction, erasure, and grievance redressal. The Act applies to the processing of digital personal data within India, and to processing outside India if it relates to offering goods or services to individuals in India, with penalties of up to ₹250 crores for non-compliance.

Advantages
  • Clear consent framework with simplified obligations compared to GDPR, reducing compliance complexity for Indian startups and MSMEs entering the digital economy
  • Exemptions for processing by startups and research institutions encourage innovation while maintaining baseline data protection standards
  • A single Data Protection Board provides a unified adjudication mechanism, avoiding fragmented enforcement across multiple sectoral regulators
  • Deemed consent provisions for legitimate uses (employment, medical emergency, disaster management) balance protection with practical business operations
  • Cross-border data transfer framework allows free flow to notified countries, supporting Indian IT services and BPO industry competitiveness
Gaps in implementation
  • Broad exemptions under Section 17 for government agencies in the interests of sovereignty and public order create potential surveillance concerns with limited oversight
  • Absence of data localization mandates contradicts earlier RBI and sectoral requirements, creating regulatory uncertainty for BFSI and telecom sectors
  • No specific provisions for algorithmic accountability, automated decision-making, or AI governance despite increasing deployment by Indian platforms
  • Lack of detailed enforcement timelines and transition periods leaves organisations uncertain about compliance deadlines for legacy systems
  • Minimal guidance on Data Protection Impact Assessments and security audit requirements compared to mature frameworks like GDPR or Singapore PDPA
Real-world Indian scenarios
  • In 2024, MeitY released draft Digital Personal Data Protection Rules for public consultation, detailing consent management frameworks, Data Protection Board structure, and cross-border transfer mechanisms, with final rules expected in phases through 2025-2026.
  • Major Indian digital platforms including Paytm, PhonePe, and Swiggy began implementing consent management systems in 2024-2025 in preparation for DPDP Act enforcement, redesigning data collection interfaces and establishing grievance redressal officers as mandated.
  • The Data Protection Board of India was constituted in phases during 2025, with initial focus on establishing penalty frameworks and adjudication processes, while significant data fiduciaries began registrations and impact assessments ahead of full enforcement.
Room for improvement
  • Establish comprehensive data mapping and classification systems to identify all personal data processing activities, appointing Data Protection Officers and implementing consent management platforms before full enforcement in 2026.
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, particularly for significant data fiduciaries, and implement technical measures for data minimization, purpose limitation, and retention schedules.
  • Review and update vendor contracts and cross-border data transfer arrangements to ensure compliance with restricted country transfer provisions and adequate safeguards as specified in notified rules.
  • Implement robust grievance redressal mechanisms with dedicated officers, establish breach notification protocols that meet 72-hour timelines, and conduct employee training programs on DPDP obligations and individual rights, including the rights to erasure and correction.
data protection · privacy compliance · consent management · MeitY · personal data · data fiduciary
Frequently asked

Questions risk leaders ask

The Digital Personal Data Protection Act 2023 is India's primary data protection law enacted on 11 August 2023, governing lawful processing of digital personal data, recognizing individual rights, and imposing obligations on data fiduciaries, with rules notified progressively.

Updated 6/8/2026 · refreshed weekly
