DPDPA in 60 seconds

What the law actually says.

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection law. It applies to any organisation that processes the personal data of individuals in India — regardless of where the organisation is based.

The core idea

Individuals — called Data Principals — own their personal data. Organisations — called Data Fiduciaries — can process that data only for clearly stated, lawful purposes, and only with the principal's consent or under specific legitimate uses defined in the Act.

The Data Protection Board of India enforces the Act and can impose penalties of up to ₹250 crore per instance for serious breaches.

Who is in scope

Almost every organisation operating digitally in India. The Act exempts certain government processing and very limited research activities, but the working assumption for any commercial enterprise should be: you are in scope.

The seven rights of a Data Principal

01 Right to information: about what is processed, why, and how.

02 Right to access: to their own personal data, on request.

03 Correction and erasure: to fix or delete inaccurate data.

04 Nomination: of another person to exercise these rights in case of incapacity or death.

05 Grievance redressal: via a clearly published channel.

06 Withdraw consent: as easily as it was given.

07 Data portability: where applicable, in standard formats.

Your obligations

What you must do.

The DPDPA places concrete duties on every Data Fiduciary. These are the obligations that any meaningful compliance programme has to address.

Duty 01, Lawful basis: process personal data only with consent, or under the specifically defined "legitimate uses" in the Act.

Duty 02, Clear notice: give Data Principals a clear, itemised notice of what data is collected, why, and how it will be used, before collection.

Duty 03, Purpose limitation: use personal data only for the purpose disclosed. Using it for a different purpose requires fresh consent.

Duty 04, Data minimisation: collect only what is necessary for the stated purpose, and delete it when it is no longer needed or when consent is withdrawn.

Duty 05, Security safeguards: implement reasonable technical and organisational measures, such as encryption, access controls and audit logs.

Duty 06, Breach notification: report breaches to the Data Protection Board and to affected individuals within the prescribed timelines.

Frequently asked

The questions everyone asks first.

We hear these in nearly every first conversation. Short, direct answers below — if you want longer, sector-specific responses, get in touch.

Q: Do we need to comply if we already follow GDPR?

A: GDPR compliance is a very strong foundation, but it's not a free pass. DPDPA has Indian-specific provisions — particularly around consent for minors, the role of Consent Managers, and notification to the Data Protection Board — that have no direct GDPR equivalent. The right approach is usually a delta assessment: what you already have versus what DPDPA adds.

Q: What's a "Significant Data Fiduciary" and how do we know if we are one?

A: The Central Government designates certain Data Fiduciaries as "Significant" based on the volume and sensitivity of data processed, risk to electoral democracy, security of the state and other factors. Significant Data Fiduciaries face additional obligations: appointing a Data Protection Officer based in India, conducting periodic data protection impact assessments, and undergoing independent audits.

Q: How long does a typical DPDPA implementation take?

A: For a mid-sized organisation, we plan for 12 to 16 weeks from kickoff to operational readiness. Larger institutions with complex legacy systems can run 6 to 9 months, often in parallel waves. The first 4 to 6 weeks are typically the gap assessment, and the rest is implementation. Sustaining the capability is ongoing.

Q: Can we just buy a tool and call it done?

A: No — but we understand the temptation. Consent management platforms and data discovery tools are useful pieces of infrastructure, but DPDPA compliance is fundamentally a governance question: policies, accountability, decision-making frameworks, training. Tools support compliance; they don't constitute it.

Q: What happens if we ignore this?

A: The Data Protection Board can impose financial penalties of up to ₹250 crore per instance for serious failures. Beyond financial penalties, there are reputational consequences, customer trust impacts, and — for regulated sectors — secondary action by sectoral regulators (RBI, IRDAI, etc.). The cost of compliance is materially lower than the cost of getting it wrong.

Q: Do we need a Data Protection Officer?

A: Significant Data Fiduciaries are legally required to appoint a DPO based in India. For other organisations, a DPO is not mandatory but is strongly advisable — both for risk management and to have a clear point of accountability if and when the regulator comes calling.

Q: How do you charge for your services?

A: Gap assessments are fixed-fee, scoped at the outset. Implementation work is typically time-and-materials with capped estimates. DPO-as-a-Service and audit work run on annual retainers. We're happy to share indicative pricing once we understand your scope — usually after a 30-minute scoping call.

Q: Will the DPDPA rules and timelines change?

A: Yes — the Act provides for subsidiary rules and operational guidance from the Data Protection Board, which continue to be issued and refined. Part of our standing service is monitoring these changes and flagging anything that materially affects your posture. We send a short quarterly briefing to all clients.