Loading…
The Digital Personal Data Protection Act, 2023 is India's first comprehensive privacy law. Together with the DPDP Rules, 2025 (G.S.R. 846(E)), it governs how personal data of Indian data principals is collected, processed, stored, and shared — anywhere in the world.
Enforcement sits with the Data Protection Board of India (DPBI), with financial penalties of up to ₹250 crore per instance and stricter obligations for Significant Data Fiduciaries.
From consent capture to Board notification, each obligation is mapped to a control, an owner, and an SLA.
Process personal data only on valid consent or one of the certain legitimate uses defined under Section 7 of the DPDP Act.
Collect only for specified, explicit, and lawful purposes; never repurpose without fresh consent.
Limit collection to what is necessary for the stated purpose — no opportunistic data harvesting.
Keep data accurate; erase when purpose is served or consent is withdrawn.
Implement encryption, access controls, logging and resilience as required under Rule 6 — penalty up to ₹250 crore per failure.
Notify the Data Protection Board of India within 72 hours, and affected data principals without undue delay (Rule 7).
Offering services to users in India — DPDPA applies extraterritorially.
DPDPA layered on top of RBI / SEBI / IRDAI and Digital Health frameworks.
High-volume consumer personal data — typical Significant Data Fiduciary candidates.
Heightened obligations and a ₹150 crore penalty ceiling for breaches involving children's data.
Gap analysis against the Act and Rules 2025 with prioritized remediation roadmap and budget.
Appointed Data Protection Officer in India to liaise with the Data Protection Board (DPBI) on your behalf.
DPDPA-compliant notices in English plus 22 scheduled languages with granular, withdrawable consent management.
Self-service portal to handle access, correction, erasure, and grievance requests within statutory timelines.
Runbook, classification, Board filing, and data principal communications — handled end-to-end during an incident.
DPIA cadence, independent audit, and additional governance obligations for SDF-designated organizations.
A typical DPDPA implementation runs ₹1.48–2.22 crore (~$178–267K USD). Compared with ₹500+ crore in penalty exposure, that's a 23:1–34:1 return on prevention.