India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is the country’s most comprehensive data protection legislation and places significant compliance obligations on every organisation that collects, processes, or uses the personal data of individuals in India. For businesses, the DPDP Act is not a distant compliance horizon; it is active law that is being operationalised in stages, with the foundational DPDP Rules, 2025 notified on November 13, 2025. Understanding the DPDP Act 2023 business compliance obligations (who it applies to, what it requires, and the penalties for violation) is essential for every Indian company and every foreign entity that handles the personal data of Indian residents.
The DPDP Act applies to the processing of digital personal data in India and, critically, also applies to processing outside India if it is in connection with offering goods or services to Indian residents (an extraterritorial reach similar to the EU’s GDPR).
Key definitions:
- Personal Data: Any data about an individual who is identifiable by or in relation to such data.
- Data Fiduciary: Any person (individual, company, state entity) who, alone or jointly with others, determines the purpose and means of processing personal data. This is the entity that bears primary compliance obligations under the DPDP Act.
- Data Principal: The individual to whom the personal data relates, i.e. the person whose data is being processed.
- Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.
Unlike a B2B software company (which may be a Data Processor), any company that collects consumer data, employee data, or customer data from Indian residents is a Data Fiduciary and bears the primary obligations.
Consent Requirements: Section 5 and Section 6
Notice (Section 5): Before requesting consent, the Data Fiduciary must provide the Data Principal with a notice in plain language (available in English and each scheduled language of the Eighth Schedule to the Constitution, as prescribed). The notice must describe:
- The personal data to be processed and the purpose of processing
- The manner in which the Data Principal may exercise their rights
- The manner in which a complaint may be made to the Data Protection Board
Consent (Section 6): Consent given by a Data Principal must be:
- Free (the service must not be made unavailable for refusing consent to processing that is not necessary to provide the service)
- Specific (for a specific identified purpose)
- Informed (after receiving the required notice)
- Unconditional (not bundled with consent for other unrelated processing)
- Unambiguous (requiring an affirmative act)
Deemed Consent (Section 7): Certain categories of processing are treated as having the Data Principal’s deemed consent without requiring explicit consent:
- Processing by the State for providing subsidies, services, and other government benefits
- Processing in the interest of national security or for the prevention or detection of offences
- Processing for employment purposes, provided the employer complies with applicable law
- Processing necessary for medical emergencies
- Processing necessary for compliance with a court or tribunal judgment
Deemed consent under Section 7 is meaningful for employers (who can process employee data without seeking individual consent for each HR process), and for companies operating in regulated sectors.
Rights of Data Principals: Sections 11-14
The DPDP Act grants Data Principals the following rights, which Data Fiduciaries must operationalise:
Right to Access (Section 11): The Data Principal may request a summary of personal data being processed and information about other Data Fiduciaries and Data Processors with whom the data has been shared.
Right to Correction and Erasure (Section 12): The Data Principal may request correction of inaccurate or misleading personal data; completion of incomplete data; and erasure of personal data that is no longer necessary for the purpose for which it was collected. This is subject to conditions and does not override legal obligations to retain data (tax records, regulatory records, court orders).
Right to Grievance Redressal (Section 13): Data Principals must be able to file grievances with the Data Fiduciary. The Data Fiduciary must respond within a prescribed period. Unresolved grievances may be escalated to the Data Protection Board.
Right to Nominate (Section 14): The Data Principal has the right to nominate another person to exercise these rights on their behalf in the event of death or incapacity, an important provision for estate and succession planning.
Obligations of Data Fiduciaries: Section 8
The core compliance obligations of a Data Fiduciary under Section 8 are:
- Accuracy: Ensure that personal data is complete and accurate, particularly where it will be used to make decisions affecting the Data Principal or to be shared with others.
- Security Safeguards: Implement reasonable security measures to prevent personal data breaches. The standard of “reasonable” security will be elaborated in rules, but best practice benchmarks (ISO 27001, CERT-In advisories) are the current reference.
- Data Breach Notification: On becoming aware of a personal data breach, the Data Fiduciary must notify the Data Protection Board and each affected Data Principal in the prescribed form and manner, within the prescribed time.
- Retention Limitation: Personal data must not be retained beyond the period necessary for the purpose for which it was collected. After the purpose is fulfilled or the Data Principal withdraws consent (and there is no other legal basis for retention), the data must be erased.
- Children’s Data: Additional obligations apply to processing personal data of children (defined as persons below 18 years). A Data Fiduciary must obtain verifiable parental consent before processing a child’s data, and must not engage in tracking, behavioural monitoring, or targeted advertising directed at children.
Significant Data Fiduciaries: Enhanced Obligations
The Central Government may designate any Data Fiduciary (or class of Data Fiduciaries) as a Significant Data Fiduciary (SDF) based on the volume and sensitivity of the data processed; the risk to national security, sovereignty and integrity of India, public order, or elections; and the potential harm to Data Principals.
SDFs bear additional obligations:
- Appointment of a Data Protection Officer (DPO) based in India
- Appointment of an independent Data Auditor
- Conduct of a Data Protection Impact Assessment (DPIA) for high-risk processing activities
- Compliance with any specific obligations that the Government may notify
The list of SDFs and the criteria for designation are to be notified by the Government; large social media platforms, digital intermediaries, and healthcare data processors are expected to be designated as SDFs.
Cross-Border Data Transfers: Section 16
The DPDP Act adopts a positive list approach to cross-border data transfers: personal data may be transferred to any country outside India except countries specifically restricted by the Central Government by notification. As of the publication of this article, the Government has not yet notified any restricted countries, meaning cross-border data transfers to all countries are currently permitted (subject to the standard consent and purpose limitations).
This approach is notably different from the EU’s GDPR (which uses an adequacy decision model) and from earlier drafts of Indian data protection legislation (which proposed data localisation). The current position provides more flexibility for businesses with global operations and data flows.
Penalties: Section 33
The DPDP Act contains a tiered penalty structure, with penalties imposed by the Data Protection Board after a hearing process:
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards (Section 8(5)) | Up to INR 250 crore |
| Failure to notify the Data Protection Board of a personal data breach | Up to INR 200 crore |
| Violation of obligations for processing children’s data | Up to INR 200 crore |
| Non-compliance by a Significant Data Fiduciary | Up to INR 150 crore |
| Failure to provide data access, correction, or erasure | Up to INR 10 crore |
| Breach of any other provision of the Act or Rules | Up to INR 50 crore |
Implementation Timeline: Current Status
The DPDP Act, 2023 (Act 22 of 2023) was enacted by Parliament and received Presidential assent. The DPDP Rules, 2025 were notified on November 13, 2025:
- Effective immediately (November 13, 2025): Rules 1 (commencement), 2 (definitions), and Rules 17-21 (Data Protection Board operations). The Data Protection Board’s infrastructure is being established.
- Effective from November 13, 2026 (after 1 year): Rule 4 (Consent Managers) enabling the consent architecture under Sections 5 and 6.
- Effective from May 13, 2027 (after 18 months): The bulk of the operational compliance provisions, making day-to-day compliance obligations fully enforceable.
Businesses should use the implementation period to: map personal data flows, assess consent mechanisms, build breach notification procedures, and review retention policies.
Key Takeaways
- The DPDP Act 2023 applies to all Data Fiduciaries processing personal data of Indian residents, including foreign companies offering services to Indian users.
- Penalties for failure to maintain security safeguards reach INR 250 crore; full operational compliance obligations are expected to be enforceable from May 2027.
- The cross-border transfer framework currently permits data transfers to all countries; businesses should monitor Government notifications for any restricted countries.
This article is for informational purposes only and does not constitute legal advice. Readers should seek appropriate professional counsel for their specific circumstances.