Digital Personal Data Protection Act
India's data protection law — 8 fiduciary obligations, SDF designations, consent managers and ₹250 Cr penalties.
The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law, enacted in August 2023 and operationalised by the DPDP Rules notified on 13 November 2025. It applies to every entity that determines the purpose and means of processing digital personal data — the Data Fiduciary — across every sector, with BFSI entities among the most exposed.
The Act imposes eight core obligations on fiduciaries: lawful processing (§5), free and specific consent (§6), legitimate-use grounds (§7), accuracy/minimisation/security duties (§8), verifiable parental consent for children (§9), enhanced duties for Significant Data Fiduciaries (§10), data principal rights (§11) and the Data Protection Board's adjudication machinery (§§12-16).
Three design choices distinguish DPDP from GDPR: a consent-manager ecosystem (registered intermediaries through which individuals manage consents across fiduciaries), a whitelist model for cross-border transfers (permitted except to countries the Government blocks), and purely civil penalties — up to ₹250 crore per breach — with no criminal liability.
For BFSI, the critical nuance is the interplay with sectoral mandates: KYC, AML and record-retention processing mandated by RBI/SEBI/IRDAI is a lawful ground needing no separate DPDP consent, but marketing, analytics and product cross-sell are not — they need granular, withdrawable consent.
The clock is running: consent-manager registration opens ~November 2026 and core fiduciary obligations become enforceable ~May 2027, when the Data Protection Board goes fully operational. The layers below cover the eight obligations, entity-type duties, the consent and grievance framework, and the enforcement timeline.
Primary sources: Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023, 11 August 2023). DPDP Rules 2025, notified 13 November 2025. Implementation timeline: consent manager registration ~November 2026; core Data Fiduciary obligations ~May 2027.
The deep-dive layers
Every DPDP fiduciary obligation with its section reference and a BFSI-specific note.
Who is what under DPDP — definitions, obligations and BFSI examples for every role.
What valid DPDP consent looks like, how consent managers work, and the grievance escalation path.
Every milestone from enactment to full enforcement, plus the penalty schedule up to ₹250 Cr.
| Version | Date | Updated by | What changed |
|---|---|---|---|
| v1.0 | June 2026 | Hemant Sahay | Initial publication — all 5 regulator pages (RBI, SEBI, IRDAI, CERT-In, DPDP), control catalogues, applicability matrices, calendars, penalties, cross-regulator content, 12 templates, 18 glossary terms |