## Overview & timeline
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data-protection law. It applies to the processing of digital personal data — that is, any data about an identifiable person, in digital form. It received Presidential assent on 11 August 2023.
For two years it was law without operating rules. That changed on 13–14 November 2025, when the Ministry of Electronics & Information Technology (MeitY) notified the DPDP Rules, 2025. The Rules ship with a phased rollout — different obligations come into force at different points across an 18-month window. The headline deadline: full compliance by 13 May 2027.
- 13–14 Nov 2025 — DPDP Rules notified; Data Protection Board operational.
- ~Nov 2026 — Consent Manager registration window opens.
- 13 May 2027 — Full DPDP Act compliance deadline.
2026 is your build year. Most organisations underestimate how much is required for consent UX, processor agreements, breach playbooks and rights-handling — start now.
## Key roles under the Act
- Data Principal — the individual whose personal data is being processed (you and me). Children and persons with a guardian have special rules.
- Data Fiduciary — anyone who decides the purpose and means of processing. If you run a website that collects user data, you are one.
- Data Processor — a party that processes personal data on behalf of a Data Fiduciary (your hosting provider, analytics vendor, CRM, etc.).
- Consent Manager — a Board-registered entity that gives Data Principals a single dashboard to give, manage and withdraw consent across Fiduciaries. Registration is expected to open around November 2026.
- Significant Data Fiduciary (SDF) — a Fiduciary the Central Government has designated as significant (by volume, sensitivity, risk to sovereignty/electoral integrity, etc.). SDFs have extra duties: a Data Protection Officer based in India, periodic Data Protection Impact Assessments, and an independent audit.
## Core obligations of every Data Fiduciary
- Clear, itemised consent notice in plain language (Section 5): what personal data, for what purposes, how rights can be exercised, and who to contact for grievance.
- Purpose limitation & lawful processing (Section 4 / Section 7): process only for the consented purpose, or one of the narrow "legitimate uses" the Act lists.
- Reasonable security safeguards (Section 8(5)): organisational and technical measures appropriate to the risk — failing this carries the highest penalty band (₹250 crore).
- Breach notification (Section 8(6)): notify both the Data Protection Board and affected Data Principals. The Rules require a detailed report to the Board within 72 hours (with an early intimation as soon as it's known).
- Data retention & erasure (Sections 8(7)–(8)): erase personal data when the purpose is met or consent is withdrawn, unless retention is required by law.
- Grievance redressal (Section 8(10)): publish a Grievance Officer and resolve grievances within the time the Rules specify (currently aimed at ~90 days).
- Accuracy & completeness (Section 8(3)): if you use the data to make decisions about a person or share it, you must take reasonable steps to keep it accurate and complete.
## Data Principal rights
Every Indian resident gets these rights against every Data Fiduciary:
- Access — a summary of personal data being processed, with the purposes and the entities it's shared with.
- Correction, updation & erasure — correction and updating of inaccurate or incomplete data, and erasure of data that is no longer necessary for the purpose it was collected for.
- Grievance redressal — a usable mechanism with a time-bound response.
- Nomination — to nominate someone to exercise rights in case of death or incapacity.
The Act also lists duties of Data Principals (e.g. not to file false or frivolous complaints) with a penalty of up to ₹10,000.
## Children's data (Section 9)
For anyone under 18, a Data Fiduciary must obtain verifiable parental consent before processing. The Rules outline acceptable methods including DigiLocker-based parental verification. Two activities are prohibited outright:
- Behavioural tracking or monitoring of children.
- Targeted advertising directed at children.
Penalties for children's-data violations sit in the top band — up to ₹200 crore.
## Penalties (Schedule)
| Failure | Maximum penalty |
|---|---|
| Reasonable security safeguards (Sec 8(5)) | ₹250 crore |
| Breach notification to Board & Data Principals | ₹200 crore |
| Children's personal data obligations (Sec 9) | ₹200 crore |
| Significant Data Fiduciary obligations (Sec 10) | ₹150 crore |
| Data Principal duties (filing false complaints etc.) | ₹10,000 |
| Other contraventions | ₹50 crore |
Source: First Schedule, Digital Personal Data Protection Act, 2023.
## Who does it apply to?
The Act applies to processing of digital personal data inside India, whether collected online or offline-then-digitised. It also applies extraterritorially — any business outside India that processes the personal data of people in India in connection with offering goods or services to them is in scope.
The Act does not apply to processing for personal/domestic use, or to personal data made publicly available by the Data Principal themselves (or by anyone under a legal obligation to publish).
Note. This page is guidance, not legal advice. The DPDP Rules continue to evolve through subordinate notifications by MeitY and orders of the Data Protection Board. For specific compliance decisions, consult a qualified data-protection lawyer.