DPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalisedDPDP Act 2023 → enforcement live§8(6) + Rule 7(2): 72h breach reportMax penalty: ₹250 Cr22 scheduled languagesap-south-1 · MumbaiConsent Manager framework: pilotDPDP Rules: operationalised
[01]The DPDP Act, 2023

India's privacy law, in plain English.

The Digital Personal Data Protection Act is India's first comprehensive privacy statute. It governs how every business that processes the personal data of Indian residents must collect consent, serve notices, honour rights and report breaches — regardless of where the company is headquartered.

Royal Assent
Aug 2023
Max Penalty
₹250 Cr
Breach Window
72 hrs
Languages
22
[02]Why it matters

Privacy is no longer a policy page.

Under DPDP, every cookie banner, signup form, support ticket, analytics SDK and customer database becomes a regulated artefact. The Data Protection Board of India can issue financial penalties that dwarf most Series-B war chests — and the burden of proof sits with you, not the regulator.

Statutory, not advisory

DPDP is law. The Data Protection Board has adjudicatory power, can summon witnesses and levy penalties without court intervention.

Indians control their data

Every user is a Data Principal with rights to access, correct, erase, withdraw consent and nominate a representative — at any time, in any of 22 languages.

Personal liability risk

Significant Data Fiduciaries must appoint a DPO. Officers in default of breach reporting or consent obligations face direct accountability.

[03]Core principles

Seven things the Act actually demands.

§6
Lawful consent
Free, specific, informed, unconditional, unambiguous. Pre-ticked checkboxes and bundled consent are invalid.
§5
Itemised notice
Plain language, in English plus any of the 22 scheduled languages requested, listing every purpose and every recipient.
§11-14
Data Principal rights
Access, correction, erasure, grievance redressal and nomination — resolved within a reasonable timeline.
§8(7)
Purpose & storage limitation
Personal data must be erased when the purpose ends, unless retention is legally required.
§8(6) + Rule 7
Breach notification
Notify the Board and affected Data Principals. DPDP Rules 2025, Rule 7(2) requires a detailed report to the Board within 72 hours of becoming aware.
§9
Children's data
Verifiable parental consent before processing data of anyone under 18. No tracking, targeted ads or behavioural monitoring.
§10
SDF obligations
Significant Data Fiduciaries must appoint a DPO, run DPIAs, perform periodic audits and maintain India-resident data.
[04]The price of non-compliance

Schedule of penalties.

The Data Protection Board imposes penalties per breach event, capped per item in the Schedule. Under §33(2) the Board weighs the nature, gravity, duration and repetitive character of the breach when deciding quantum.

₹250 Cr
Failure to prevent a personal data breach
₹200 Cr
Failure to notify affected users / Board
₹200 Cr
Non-fulfilment of children's data obligations
₹150 Cr
Non-fulfilment of SDF additional duties
₹50 Cr
Failure to honour Data Principal rights
₹10,000
Data Principal duties — frivolous complaints
+ orders
Cease processing, deletion, public censure
+ liability
Personal liability for officers in default
[05]Enforcement timeline

How we got here.

  1. Aug 2023
    DPDP Act receives Presidential assent.
  2. Jan 2025
    Draft DPDP Rules published for public consultation.
  3. 2025
    DPDP Rules notified; Data Protection Board constituted.
  4. 2026
    Phased enforcement begins for Significant Data Fiduciaries.
  5. Now
    Mid-market enforcement window opens. Discovery letters issued to D2C, fintech and edtech operators.
[06]Glossary

Terms you'll actually use.

Data Principal

The natural person whose personal data is being processed. In GDPR terms: the data subject.

Data Fiduciary

Any person or company that determines the purpose and means of processing personal data. Equivalent to GDPR's controller.

Data Processor

An entity that processes personal data on behalf of a Data Fiduciary.

Significant Data Fiduciary (SDF)

A Fiduciary notified by the Central Government based on volume, sensitivity or risk. Triggers DPO, DPIA and audit obligations.

Consent Manager

A registered intermediary that gives Data Principals a single, auditable, interoperable view of consent across all Fiduciaries.

DSR / DPR

Data Subject / Principal Request — the right to access, correct, erase or withdraw.

DPIA

Data Protection Impact Assessment — mandatory for SDFs and recommended whenever processing is high-risk.

DPB

The Data Protection Board of India — the adjudicatory body with the power to investigate and fine.

[07]Are you covered?

The 90-second readiness check.

  • Every consent collected is granular, logged and withdrawable.
  • Every notice is available in English and at least one regional language.
  • A Data Principal can submit access, correction and erasure requests without emailing support.
  • You can resolve a DSR end-to-end in under 7 days, with an audit trail.
  • You know which of your processors are India-resident.
  • You have a 72-hour breach playbook with on-call escalation paths.
  • Children's data flows are gated by verifiable parental consent.
  • Your DPO (or interim equivalent) has a board-level escalation channel.

Get a free DPDP gap assessment.

We map your current consent, notice and DSR practices against every operative section of the Act and hand you a prioritised remediation plan within 5 working days.