India's privacy law, in plain English.
The Digital Personal Data Protection Act is India's first comprehensive privacy statute. It governs how every business that processes the personal data of Indian residents must collect consent, serve notices, honour rights and report breaches — regardless of where the company is headquartered.
Privacy is no longer a policy page.
Under DPDP, every cookie banner, signup form, support ticket, analytics SDK and customer database becomes a regulated artefact. The Data Protection Board of India can issue financial penalties that dwarf most Series-B war chests — and the burden of proof sits with you, not the regulator.
DPDP is law. The Data Protection Board has adjudicatory power, can summon witnesses and levy penalties without court intervention.
Every user is a Data Principal with rights to access, correct, erase, withdraw consent and nominate a representative — at any time, in any of 22 languages.
Significant Data Fiduciaries must appoint a DPO. Officers in default of breach reporting or consent obligations face direct accountability.
Seven things the Act actually demands.
Schedule of penalties.
The Data Protection Board imposes penalties per breach event, capped per item in the Schedule. Under §33(2) the Board weighs the nature, gravity, duration and repetitive character of the breach when deciding quantum.
How we got here.
- Aug 2023DPDP Act receives Presidential assent.
- Jan 2025Draft DPDP Rules published for public consultation.
- 2025DPDP Rules notified; Data Protection Board constituted.
- 2026Phased enforcement begins for Significant Data Fiduciaries.
- NowMid-market enforcement window opens. Discovery letters issued to D2C, fintech and edtech operators.
Terms you'll actually use.
The natural person whose personal data is being processed. In GDPR terms: the data subject.
Any person or company that determines the purpose and means of processing personal data. Equivalent to GDPR's controller.
An entity that processes personal data on behalf of a Data Fiduciary.
A Fiduciary notified by the Central Government based on volume, sensitivity or risk. Triggers DPO, DPIA and audit obligations.
A registered intermediary that gives Data Principals a single, auditable, interoperable view of consent across all Fiduciaries.
Data Subject / Principal Request — the right to access, correct, erase or withdraw.
Data Protection Impact Assessment — mandatory for SDFs and recommended whenever processing is high-risk.
The Data Protection Board of India — the adjudicatory body with the power to investigate and fine.
The 90-second readiness check.
- Every consent collected is granular, logged and withdrawable.
- Every notice is available in English and at least one regional language.
- A Data Principal can submit access, correction and erasure requests without emailing support.
- You can resolve a DSR end-to-end in under 7 days, with an audit trail.
- You know which of your processors are India-resident.
- You have a 72-hour breach playbook with on-call escalation paths.
- Children's data flows are gated by verifiable parental consent.
- Your DPO (or interim equivalent) has a board-level escalation channel.
Get a free DPDP gap assessment.
We map your current consent, notice and DSR practices against every operative section of the Act and hand you a prioritised remediation plan within 5 working days.