DPDP Compliance Toolkit for Indian Businesses

Everything you need to understand and comply with India’s Digital Personal Data Protection Act 2023 — explained in plain language.

What is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s first comprehensive law governing how businesses collect, process, and store personal data of Indian citizens. Passed by Parliament in August 2023, it represents the most significant update to India’s digital data regulation since the Information Technology Act of 2000.

The Act applies to any “data fiduciary” — meaning any business or individual who processes digital personal data of Indian residents, whether inside or outside India.

Key Obligations Under DPDP

1. Consent Requirements

Before collecting personal data, you must obtain free, specific, informed, unconditional, and unambiguous consent from the data principal (the person whose data you’re collecting). Consent must be given through a clear affirmative action — pre-ticked boxes or bundled consents are not valid.

2. Notice Requirements

You must provide a clear notice to data principals explaining: what data you collect, the purpose of collection, the rights they have, and how to exercise those rights. The notice must be available in English and any scheduled language of the Indian Constitution upon request.

3. Data Principal Rights

Under DPDP, every individual whose data you process has the right to: access information about their data, correct inaccurate data, erase their data (right to erasure), and nominate someone to exercise these rights on their behalf. You must have a process to respond to these requests.

4. Data Breach Notification

In the event of a personal data breach, you must notify the Data Protection Board of India (and affected individuals in certain cases) within 72 hours. Failure to notify can attract significant penalties.

5. Penalties

Penalties under DPDP are significant: failure to implement security safeguards can result in penalties of up to ₹250 crore, while breaches of children’s data protections can attract penalties of up to ₹200 crore. Non-reporting of data breaches carries up to ₹200 crore.

Your 5-Step DPDP Compliance Checklist

1. Conduct a data audit — Map every category of personal data your business collects, who has access to it, where it’s stored, and how long it’s retained.
2. Review your consent mechanisms — Audit every touchpoint where you collect data (forms, apps, cookies) and ensure consent is obtained validly.
3. Update your privacy policy — Your existing policy is almost certainly not DPDP-compliant. It needs to reflect the new notice requirements, rights, and grievance mechanisms.
4. Set up a data principal rights process — Create a mechanism (email or web form) for users to exercise their rights, and assign responsibility for responding within statutory timelines.
5. Prepare a breach response plan — Document what you’ll do if a breach occurs, including who gets notified internally, and how you’ll meet the 72-hour notification requirement.

Who Needs to Comply?

The short answer: almost every business operating in India that handles any personal information about customers, employees, or users. This includes startups, e-commerce companies, healthcare providers, fintech firms, SaaS businesses, and educational institutions.

There are limited exemptions (e.g., personal or domestic use, certain research activities), but these are narrow. If you’re unsure whether DPDP applies to your business, the safest assumption is that it does.