DPDPA compliance refers to an organisation’s adherence to the requirements of the Digital Personal Data Protection Act, 2023, India’s first comprehensive data protection legislation. The Act governs the processing of digital personal data in India and establishes a framework of rights for individuals and obligations for organisations that process their data.
The DPDP Rules were published on November 13, 2025. The Data Protection Board of India was established at the same time. Full compliance, including consent, privacy notice, and security obligations, is required by May 13, 2027. Enforcement, including penalties of up to INR 250 crore per contravention, is expected to begin around the same time. 2026 is the critical build year for organisations that are not yet operationally compliant.
This article covers what the DPDPA requires, who it applies to, the key obligations in the compliance framework, and what the enforcement and penalty structure looks like.
What the DPDPA Is
The Digital Personal Data Protection Act, 2023 was passed by the Parliament of India in August 2023. It replaced the earlier data protection framework under the Information Technology Act, 2000 and the 2011 SPDI Rules, which were considered inadequate for the scale and complexity of India’s digital economy.
The DPDPA’s enactment followed the Supreme Court’s landmark judgment in K.S. Puttaswamy v. Union of India (2017), which recognised the right to privacy as a fundamental right under the Indian Constitution. The Act translates this constitutional right into a comprehensive statutory framework governing how organisations collect, process, store, and protect personal data.
The Act is principles-based: it establishes high-level obligations around consent, purpose limitation, data minimisation, accuracy, security, and accountability. The DPDP Rules 2025 provide the operational detail for implementing these obligations.
Who the DPDPA Applies To
The DPDPA applies to Data Fiduciaries: entities that determine the purpose and means of processing personal data. Any organisation that processes digital personal data of individuals in India, or processes personal data in connection with offering goods or services to individuals in India, is a Data Fiduciary subject to the Act.
Territorial scope. The Act has extraterritorial reach. Foreign companies that offer goods or services to individuals in India must comply, even if they have no physical presence in India. This is broader than the previous IT Act framework and aligns India’s approach with global data protection laws like the GDPR.
Data Processors. Data Processors process personal data on behalf of Data Fiduciaries. While Data Processors have fewer direct obligations under the Act than Data Fiduciaries, they must process data only on the instructions of the Data Fiduciary and must implement appropriate security measures. The Data Fiduciary remains responsible for the Processor’s compliance.
Significant Data Fiduciaries. The Central Government may designate specific Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data processed, potential impact on national security, public order, or sovereignty, and risk to the rights of data principals. SDFs face additional obligations including the appointment of a Data Protection Officer, periodic Data Protection Impact Assessments, and independent data audits.
Exemptions. The Act exempts certain categories of processing: personal data processed for purposes of prevention, detection, investigation, or prosecution of offences; processing necessary for enforcing legal rights or claims; processing for research, archiving, or statistical purposes; processing by courts or tribunals; and processing by the Central Government for national security and public order. These exemptions are important for legal and compliance functions, which frequently process personal data in connection with litigation and regulatory matters.
The Core Obligations Under the DPDPA
1. Consent as the primary legal basis
The DPDPA is a consent-first framework. Consent is the primary legal basis for processing personal data. Unlike GDPR, the DPDPA does not include “legitimate interests” as a processing basis. Processing personal data without valid consent is generally impermissible unless it falls within the defined categories of legitimate uses.
What constitutes valid consent. Consent must be free, specific, informed, unconditional, and unambiguous. It must be given through a clear affirmative action. Organisations cannot condition access to core services on consent to unrelated data collection. Consent must be obtained before processing begins.
Legitimate uses without consent. The Act identifies specific categories where processing is permitted without consent: compliance with court orders or legal obligations, medical emergencies, employment purposes (within defined limits), and processing by the state for specified public functions. Employers processing employee data for payroll, benefits, and HR functions fall within the employment legitimate use, subject to conditions.
Notice requirements. Before obtaining consent, the organisation must provide a privacy notice that describes the personal data being collected, the purpose of processing, and the data principal’s rights. The notice must be in simple language and must be available in all languages listed in the Eighth Schedule of the Constitution (22 languages).
Consent management. Consent must be capable of being revoked by the data principal as easily as it was given. Organisations need consent management systems that allow individuals to withdraw consent and that trigger data deletion or cessation of processing when consent is withdrawn.
2. Rights of data principals
The DPDPA grants individuals, as Data Principals, specific rights over their personal data. Organisations must establish mechanisms to receive and respond to requests from data principals exercising these rights.
Right to information. Data principals have the right to know what personal data the organisation holds about them, the basis on which it is processed, and who it has been shared with.
Right to correction and erasure. Data principals have the right to have their personal data corrected, updated, or erased. Erasure is required where the purpose for which the data was collected has been fulfilled, where consent has been withdrawn, or where the data principal exercises the right to erasure subject to the organisation’s legal obligations to retain the data.
Right to grievance redressal. Data principals have the right to raise grievances about the processing of their personal data with the organisation. Organisations must establish a grievance redressal mechanism and respond within defined timelines.
Right to nominate. Data principals may nominate another individual to exercise their rights on their behalf in the event of death or incapacity. This is a specific provision of the DPDPA that does not have an equivalent in most other data protection laws.
Right to approach the Data Protection Board. If an organisation does not respond to a data principal’s grievance satisfactorily, the data principal may approach the Data Protection Board of India for redress.
3. Data retention and deletion obligations
Personal data may not be retained for longer than is necessary for the purpose for which it was collected. Once the purpose is fulfilled, the data must be erased.
The DPDPA does not prescribe specific retention periods for most categories of data: organisations are expected to define and implement their own retention policies based on the purpose of processing. Where statutory requirements mandate retention of specific records (such as financial records under the Companies Act or transaction records under banking regulations), those requirements govern retention and the data may be retained for the legally required period.
For Data Processors, the obligation to delete data at the end of the processing relationship must be reflected in the Data Processing Agreement. The Data Processor must return or delete all personal data on instruction from the Data Fiduciary, or at the end of the contractual engagement.
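The consent-management requirement above (withdrawal as easy as grant, withdrawal triggering cessation of processing), the right to erasure, and the purpose-bound retention rule with statutory carve-outs are easiest to see as one data model. The following is an added illustration written for this article, not code from the article or from any DPDPA product or regulator; the class and function names, the principal identifier, the purposes and the 8-year statutory hold are all constructed placeholders, and the hold period is not a figure the Act prescribes.

```python
"""Purpose-bound consent ledger with withdrawal-triggered cessation and a
retention sweep that honours statutory holds. Added illustration; every name
and sample record here is constructed, not taken from the DPDPA or the Rules."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                      # consent is specific to one purpose
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class PersonalDataItem:
    principal_id: str
    purpose: str                      # purpose for which the data was collected
    collected_at: datetime
    purpose_fulfilled_at: Optional[datetime] = None
    statutory_hold_until: Optional[datetime] = None   # e.g. a records-retention law


class ConsentLedger:
    """Append-only view of consent state plus an audit trail of every change."""

    def __init__(self) -> None:
        self._records: list = []
        self.events: list = []        # (event, principal_id, purpose) tuples

    def give(self, principal_id: str, purpose: str, at: datetime) -> None:
        self._records.append(ConsentRecord(principal_id, purpose, at))
        self.events.append(("consent_given", principal_id, purpose))

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> bool:
        # Withdrawal is a single call with no extra conditions: as easy as giving it.
        hit = False
        for rec in self._records:
            if (rec.principal_id, rec.purpose) == (principal_id, purpose) and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                hit = True
        if hit:
            self.events.append(("consent_withdrawn", principal_id, purpose))
        return hit

    def is_active(self, principal_id: str, purpose: str, at: datetime) -> bool:
        return any(
            rec.principal_id == principal_id and rec.purpose == purpose
            and rec.given_at <= at and (rec.withdrawn_at is None or rec.withdrawn_at > at)
            for rec in self._records
        )


def may_process(ledger: ConsentLedger, item: PersonalDataItem, purpose: str, now: datetime) -> bool:
    """Purpose limitation plus consent check: data may be used only for the purpose it
    was collected for, and only while consent for that purpose is still active."""
    if purpose != item.purpose:
        return False
    return ledger.is_active(item.principal_id, purpose, now)


def retention_decision(ledger: ConsentLedger, item: PersonalDataItem, now: datetime) -> str:
    """'erase' when the purpose is fulfilled or consent is withdrawn, unless a statutory
    hold still applies ('retain_statutory'); otherwise 'retain'."""
    consent_active = ledger.is_active(item.principal_id, item.purpose, now)
    purpose_done = item.purpose_fulfilled_at is not None and item.purpose_fulfilled_at <= now
    if consent_active and not purpose_done:
        return "retain"
    if item.statutory_hold_until is not None and item.statutory_hold_until > now:
        return "retain_statutory"
    return "erase"


def run_deletion_sweep(ledger: ConsentLedger, items: list, now: datetime):
    """Partition stored items into those to keep and those to erase now."""
    kept, erased = [], []
    for item in items:
        (erased if retention_decision(ledger, item, now) == "erase" else kept).append(item)
    return kept, erased


def demo() -> dict:
    """Constructed scenario: one principal, two purposes, one withdrawal."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.give("p-001", "newsletter", t0)
    ledger.give("p-001", "order_fulfilment", t0)

    newsletter = PersonalDataItem("p-001", "newsletter", t0)
    invoice = PersonalDataItem("p-001", "order_fulfilment", t0,
                               purpose_fulfilled_at=t0 + timedelta(days=10),
                               statutory_hold_until=t0 + timedelta(days=8 * 365))  # placeholder hold
    address = PersonalDataItem("p-001", "order_fulfilment", t0,
                               purpose_fulfilled_at=t0 + timedelta(days=10))

    now = t0 + timedelta(days=30)
    before = may_process(ledger, newsletter, "newsletter", now)
    cross_purpose = may_process(ledger, newsletter, "order_fulfilment", now)
    ledger.withdraw("p-001", "newsletter", now)
    later = now + timedelta(seconds=1)
    after = may_process(ledger, newsletter, "newsletter", later)
    kept, erased = run_deletion_sweep(ledger, [newsletter, invoice, address], later)
    return {
        "process_before_withdrawal": before,
        "process_for_other_purpose": cross_purpose,
        "process_after_withdrawal": after,
        "erased": sorted(i.purpose for i in erased),
        "retained": [retention_decision(ledger, i, later) for i in kept],
        "audit_events": len(ledger.events),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sweep shows the three outcomes the text describes: the newsletter data is erased as soon as consent is withdrawn, the delivery address is erased once the order purpose is fulfilled, and the invoice survives only because a statutory hold overrides the erasure obligation. The `events` list is the audit trail a Data Fiduciary would need to demonstrate, record by record, when consent was given and withdrawn.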
4. Security safeguards
Data Fiduciaries are required to implement appropriate technical and organisational security safeguards to prevent personal data breaches. The DPDP Rules specify that security measures must be appropriate to the nature and extent of the personal data processed and the risk of harm to the data principal.
The Act does not prescribe specific security standards, but ISO 27001 certification and SOC 2 compliance are widely considered indicative of appropriate security measures. For large organisations processing significant volumes of sensitive data, more stringent security measures are expected.
Contractual security obligations must flow through to Data Processors: the Data Processing Agreement must require the Processor to implement appropriate security safeguards and to report security incidents to the Data Fiduciary promptly.
5. Personal data breach notification
Where a personal data breach occurs, Data Fiduciaries are required to notify the Data Protection Board of India. The DPDP Rules specify notification timelines and content requirements.
The notification must describe the nature of the breach, the categories of personal data affected, the approximate number of data principals affected, the likely consequences of the breach, and the measures taken or proposed to address the breach. For BFSI enterprises, the DPDPA breach notification obligation runs alongside RBI’s existing breach reporting requirements.
Data Processors are required to notify the Data Fiduciary of a breach without unreasonable delay. The Data Processing Agreement should specify the notification timeline from Processor to Fiduciary, to ensure the Fiduciary can comply with the statutory notification obligation to the Board.
6. Data Fiduciary-Data Processor contracts
The DPDP Rules expressly require that Data Fiduciary-Data Processor engagements be governed by a contract. The contract must impose on the Processor the obligation to process personal data only on the instructions of the Fiduciary, to implement appropriate security measures, to notify the Fiduciary of breaches, to delete data on instruction, and to restrict sub-processing.
This is one of the most operationally significant obligations under the Act for enterprise legal teams: every vendor contract involving personal data processing needs to include a DPDPA-compliant Data Processing Agreement. For enterprises with hundreds of vendor relationships, this creates a significant contract review and remediation requirement.
Additional Obligations for Significant Data Fiduciaries
Organisations designated as Significant Data Fiduciaries face additional obligations:
Data Protection Officer (DPO). SDFs must appoint a DPO based in India, who acts as the point of contact with the Data Protection Board and oversees DPDPA compliance.
Data Protection Impact Assessment (DPIA). SDFs must conduct periodic DPIAs to assess the impact of processing activities on the rights of data principals and to identify and implement appropriate safeguards.
Independent data audit. SDFs must undergo periodic independent audits of their data processing activities.
Algorithmic accountability. SDFs that use automated decision-making must ensure that such decision-making does not result in discriminatory or harmful outcomes and must be able to explain decisions to affected data principals.
Children’s Data: Special Rules
The DPDPA treats children’s personal data (individuals under 18) as a category requiring additional protection. Processing children’s personal data requires verifiable parental consent. Organisations must not process children’s data in ways that are detrimental to their wellbeing and must not track, monitor, or target children for advertising.
For organisations providing digital services to consumers, the child data provisions require age verification mechanisms and verifiable parental consent workflows. This is a technically demanding requirement that will be operationalised through the Consent Manager framework, which becomes operational in November 2026.
The Data Protection Board of India
The Data Protection Board of India (DPBI) is the enforcement authority under the DPDPA. It has the power to:
Receive and adjudicate complaints. Data principals who are not satisfied with an organisation’s response to their grievance may file a complaint with the DPBI. The Board investigates and adjudicates complaints, with powers to issue directions and impose penalties.
Conduct inquiries. The Board may conduct inquiries into data processing practices and has inspection powers.
Impose penalties. The DPDPA provides for penalties of up to INR 250 crore per contravention for failures relating to children’s data and security safeguards, and up to INR 200 crore for other contraventions. These are per-contravention figures: where multiple contraventions occur, the total penalty exposure can be significantly higher.
Issue compliance directions. Where the Board finds non-compliance, it may issue directions requiring remedial action within a defined timeline.
Appeals from the Board’s decisions go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and then to the High Courts.
The DPDPA Implementation Timeline
November 13, 2025. DPDP Rules published. Data Protection Board established. Administrative provisions in force.
November 13, 2026. Consent Manager framework becomes operational. Consent Managers may register with the Data Protection Board.
May 13, 2027. Full compliance deadline. Consent, privacy notice, security, and all other substantive obligations become mandatory. The Data Protection Board is expected to begin active enforcement.
Post-May 2027. Active enforcement of the full compliance framework, including significant financial penalties for contraventions.
DPDPA Compliance: Practical Steps for Indian Enterprises
Conduct a data inventory. Map what personal data the organisation collects, from whom, for what purposes, and who it is shared with. This data map is the foundation of the compliance programme.
Review and update consent mechanisms. Ensure that consent is obtained for all processing that requires it, that the consent is specific and unconditional, and that mechanisms exist for data principals to withdraw consent.
Update privacy notices. Review privacy notices against the DPDPA’s content requirements and the language accessibility requirement (22 scheduled languages for public-facing notices).
Audit vendor contracts for DPA compliance. Review all vendor contracts that involve personal data processing and identify those that lack DPDPA-compliant Data Processing Agreement provisions. Prioritise remediation based on data volume and sensitivity.
Implement breach response workflows. Define the breach response process, including identification, containment, assessment, notification to the DPBI, and notification to affected data principals where required.
Establish data principal rights fulfilment processes. Create mechanisms for receiving, processing, and responding to requests from data principals exercising their rights under the Act.
Assess whether the organisation is an SDF. Evaluate whether the organisation is likely to be designated as a Significant Data Fiduciary and, if so, begin preparing for the additional SDF obligations including DPO appointment and DPIA processes.
Conclusion
DPDPA compliance is not a project with a completion date. It is an ongoing operational programme that requires systematic changes to how the organisation collects consent, processes personal data, manages vendor relationships, responds to data principal requests, and handles security incidents. The compliance deadline of May 2027 is the point at which full enforcement begins, not the point at which compliance work should start.
For Indian enterprises, the DPDPA represents the most significant change to the data processing regulatory framework in a generation. Organisations that build structured, documented, and auditable compliance programmes in 2026 will be positioned for the enforcement environment that begins in 2027. Those that delay risk facing regulatory attention at precisely the moment they are trying to build compliance infrastructure under pressure.
Frequently Asked Questions
What is the DPDPA and when does it apply?
The Digital Personal Data Protection Act, 2023 is India’s comprehensive data protection legislation. It applies to any organisation that processes digital personal data of individuals in India, or processes personal data in connection with offering goods or services to individuals in India, regardless of where the organisation is located. DPDP Rules were published on November 13, 2025, and full compliance is required by May 13, 2027.
What is the difference between a Data Fiduciary and a Data Processor under the DPDPA?
A Data Fiduciary determines the purpose and means of processing personal data and bears primary compliance responsibility under the Act. A Data Processor processes personal data on behalf of a Data Fiduciary, subject to the Fiduciary’s instructions. The Fiduciary remains responsible for the Processor’s compliance with DPDPA obligations and must govern the relationship through a contractual Data Processing Agreement.
What are the penalties for non-compliance with the DPDPA?
The Data Protection Board of India can impose penalties of up to INR 250 crore per contravention for failures relating to children’s data and security safeguards. Other contraventions attract penalties of up to INR 200 crore per contravention. The DPBI may also issue compliance directions requiring remedial action. Appeals go to the TDSAT and then to the High Courts.
What is a Significant Data Fiduciary under the DPDPA?
A Significant Data Fiduciary is an organisation designated by the Central Government based on the volume and sensitivity of data processed, potential national security implications, or risk to data principals’ rights. SDFs face additional obligations including appointment of a Data Protection Officer based in India, periodic Data Protection Impact Assessments, independent data audits, and algorithmic accountability obligations.
What does the DPDPA require for children’s data?
Processing personal data of individuals under 18 requires verifiable parental consent. Organisations must not process children’s data in ways that are detrimental to their wellbeing and must not track, monitor, or target children for advertising purposes. For digital services with consumer-facing interfaces, age verification and verifiable parental consent mechanisms are required.