PlatformOutcomesStoryHow It Works
Free Assessment →
India's Data Privacy Law · DPDP Act 2023

The DPDP Act: what it is, who it applies to, and what you need to do

The Digital Personal Data Protection Act is India's first comprehensive data privacy law. If your business collects, stores, or processes customer data — you are legally required to comply by May 2027. Here's what that means in practice.

₹250Cr
Maximum penalty per violation
May '27
Full compliance deadline
All
Sectors — no exemptions by industry
4–9 mo
Typical compliance timeline for SMEs
What is the DPDP Act?

India's answer to GDPR — signed into law on August 11, 2023

The Digital Personal Data Protection (DPDP) Act 2023 is India's first dedicated data privacy legislation. It establishes rules for how organisations — called Data Fiduciaries — must handle personal data of individuals — called Data Principals. The DPDP Rules 2025 were notified in January 2025, and full enforcement begins in May 2027.

Unlike earlier sector-specific regulations (RBI data guidelines, DISHA for health data), the DPDP Act is horizontal — it applies to every organisation in every industry that processes digital personal data in India. That includes your startup, your mid-size enterprise, your fintech, your healthtech, and your SaaS company.

Key distinction

Data Fiduciary — any organisation that determines the purpose and means of processing personal data. If you collect a customer's phone number to deliver a service, you are a Data Fiduciary.

Data Principal — the individual whose data is being processed. Your customers, employees, users, and prospects are Data Principals whose rights the Act protects.

Your Obligations

Six core obligations every Data Fiduciary must fulfil

The DPDP Act creates specific, enforceable obligations. These are not optional best practices — they are legal requirements enforceable by the Data Protection Board with financial penalties.

01
Valid Consent
Obtain free, specific, informed, and unambiguous consent before processing personal data. Consent must be obtained separately for each purpose and must be as easy to withdraw as to give.
02
Notice to Data Principals
Provide a clear, plain-language notice explaining what data is collected, why, how it will be used, and how the individual can exercise their rights — before or at the time of collection.
03
Data Principal Rights
Honour requests from individuals to access their data, correct inaccuracies, erase their data (right to be forgotten), and nominate a person to exercise their rights in case of death or incapacity.
04
Security Safeguards
Implement reasonable technical and organisational measures to prevent personal data breaches. This includes DLP controls, access management, encryption, and regular security assessments.
05
Breach Notification
Notify the Data Protection Board of India and affected individuals of any personal data breach "in the prescribed manner" — expected to require notification within 72 hours under the Rules.
06
Children's Data
Obtain verifiable parental consent before processing personal data of individuals under 18 years of age, and do not process children's data in ways that could harm their well-being.
Penalties

What the DPDP Act penalties actually look like

The Data Protection Board of India will assess penalties based on the nature, gravity, duration, and nature of the non-compliance. These are per-violation penalties — a single incident affecting thousands of customers could trigger multiple counts.

ViolationMax Penalty
Failure to implement reasonable security safeguards resulting in a data breach₹250 crore
Failure to notify Data Protection Board of a personal data breach₹200 crore
Failure to fulfil obligations relating to children's personal data₹200 crore
Failure to fulfil additional obligations as Significant Data Fiduciary₹150 crore
Failure to fulfil obligations of a Consent Manager₹50 crore
Breach of other provisions of the Act or Rules₹50 crore
Failure to fulfil duties as a Data Principal₹10,000
Enforcement Timeline

Where the DPDP Act stands today

Aug 2023
DPDP Act 2023 signed
President of India signs the Digital Personal Data Protection Act 2023. Act notified in the Official Gazette.
Jan 2025
DPDP Rules 2025 notified
Draft DPDP Rules 2025 published for public comment. Rules detail consent mechanisms, breach notification timelines, and Data Protection Board procedures.
Mid 2025
Data Protection Board being constituted
Government notifies process for constituting the Data Protection Board of India — the enforcement authority.
2026
Significant Data Fiduciary designations expected
Government expected to designate organisations as Significant Data Fiduciaries — triggering additional DPO and audit obligations.
May 2027
Full compliance deadline
All Data Fiduciaries must be fully compliant. Data Protection Board begins active enforcement. Penalties can be levied from this date.
Read the complete DPDP Act 2025 enforcement status update →
How NxgSecure Helps

DPDP compliance as a managed programme — not a one-time project

DPDP compliance is ongoing — consent records must be maintained, breach notification must be instant, and data principal requests must be fulfilled within prescribed timelines. NxgSecure manages your DPDP programme end-to-end so you stay compliant continuously, not just at audit time.

Step 01
Data Mapping & Gap Assessment
We identify every data flow in your organisation — what personal data you collect, where it lives, who accesses it, and how it moves. Then we map your current state against DPDP Act obligations to find the gaps.
Step 02
Consent & Notice Implementation
We draft DPDP-compliant privacy notices and consent mechanisms for your products and touchpoints — website, app, email, sales — and implement them with your engineering team.
Step 03
Security Safeguards
We implement the technical safeguards required by Section 8(5): DLP controls, access management, encryption at rest and in transit, and a breach detection and notification process meeting the 72-hour standard.
Step 04
Ongoing Monitoring & Response
24×7 monitoring of personal data flows, automated breach detection, and a managed incident response team ready to trigger the notification process the moment a breach is detected — well within the legal timeline.
Frequently Asked Questions

Common questions about the DPDP Act

The Digital Personal Data Protection (DPDP) Act 2023 is India's comprehensive data privacy law, signed by the President on August 11, 2023. It governs how organisations collect, store, process, and transfer personal data of Indian citizens. Every business that processes digital personal data in India — regardless of size or sector — must comply.
The DPDP Act 2023 was notified on August 11, 2023. The DPDP Rules 2025 were published in January 2025. Full compliance is required by May 13, 2027. The Data Protection Board of India will begin enforcement after this date.
The highest penalty is ₹250 crore for failure to implement reasonable security safeguards that results in a data breach. Failure to notify the Data Protection Board of a breach carries up to ₹200 crore. Other violations range from ₹10,000 to ₹150 crore depending on the nature and severity.
A Data Fiduciary is any person or organisation that determines the purpose and means of processing personal data. If your business collects customer information, employee records, or user data to provide a service, you are a Data Fiduciary and must comply with all DPDP Act obligations. Read our complete guide to Data Fiduciaries →
A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the Central Government based on the volume of data processed, the sensitivity of the data, the risk posed to data principals, or national security considerations. SDFs face additional obligations: they must appoint a Data Protection Officer (DPO), conduct regular Data Protection Impact Assessments (DPIAs), and have their processing independently audited.
Yes. The DPDP Act applies to all organisations that process digital personal data in India, including startups, SMEs, and sole proprietors. There is no turnover or employee count threshold for basic compliance. The government may exempt certain categories, but no blanket exemption for small businesses has been notified as of 2025.

Find out exactly where your organisation stands on DPDP Act compliance

Free assessment. One conversation. A written gap report — yours to keep whether you work with us or not.

Book Free DPDP Assessment →