The DPDP Act: what it is, who it applies to, and what you need to do
The Digital Personal Data Protection Act is India's first comprehensive data privacy law. If your business collects, stores, or processes customer data — you are legally required to comply by May 2027. Here's what that means in practice.
India's answer to GDPR — signed into law on August 11, 2023
The Digital Personal Data Protection (DPDP) Act 2023 is India's first dedicated data privacy legislation. It establishes rules for how organisations — called Data Fiduciaries — must handle personal data of individuals — called Data Principals. The DPDP Rules 2025 were notified in January 2025, and full enforcement begins in May 2027.
Unlike earlier sector-specific regulations (RBI data guidelines, DISHA for health data), the DPDP Act is horizontal — it applies to every organisation in every industry that processes digital personal data in India. That includes your startup, your mid-size enterprise, your fintech, your healthtech, and your SaaS company.
Data Fiduciary — any organisation that determines the purpose and means of processing personal data. If you collect a customer's phone number to deliver a service, you are a Data Fiduciary.
Data Principal — the individual whose data is being processed. Your customers, employees, users, and prospects are Data Principals whose rights the Act protects.
Six core obligations every Data Fiduciary must fulfil
The DPDP Act creates specific, enforceable obligations. These are not optional best practices — they are legal requirements enforceable by the Data Protection Board with financial penalties.
What the DPDP Act penalties actually look like
The Data Protection Board of India will assess penalties based on the nature, gravity, duration, and nature of the non-compliance. These are per-violation penalties — a single incident affecting thousands of customers could trigger multiple counts.
Where the DPDP Act stands today
DPDP compliance as a managed programme — not a one-time project
DPDP compliance is ongoing — consent records must be maintained, breach notification must be instant, and data principal requests must be fulfilled within prescribed timelines. NxgSecure manages your DPDP programme end-to-end so you stay compliant continuously, not just at audit time.
Common questions about the DPDP Act
Find out exactly where your organisation stands on DPDP Act compliance
Free assessment. One conversation. A written gap report — yours to keep whether you work with us or not.
Book Free DPDP Assessment →