Introduction
India's Digital Personal Data Protection Act (DPDPA), 2023 is a watershed for data privacy in one of the world's largest digital economies. Enacted in August 2023, the legislation establishes a comprehensive framework governing how organisations collect, store, process and share the personal data of individuals in India. With over 800 million internet users and a rapidly digitising economy, the DPDPA closes a gap that had persisted for years: the absence of a dedicated, modern data protection law. Yet according to EY India's 2026 DPDP readiness survey, 71% of Indian enterprises still have a limited understanding of the Act, and over 83% have not begun end-to-end implementation across their systems.
What is the DPDPA?
The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection legislation. It draws on global frameworks such as the EU's GDPR while being tailored to India's digital landscape. The Act applies to personal data in digital form, whether collected online or collected offline and digitised later. Its scope extends beyond Indian borders: processing outside India in connection with offering goods or services to individuals within India is also covered. It does not apply to personal data processed by an individual for personal or domestic purposes, or to personal data that the individual has made publicly available themselves or that is made public under a legal obligation.
- Applies to all digital personal data processed within India, including data digitised after offline collection
- Covers processing outside India connected with offering goods or services to individuals within India
- Establishes the Data Protection Board of India (DPBI) as the enforcement body
- Introduces the roles of Data Fiduciary, Data Processor and Data Principal
- Provides special protections for children's personal data, including verifiable parental consent and a ban on tracking, behavioural monitoring and targeted advertising directed at children
Key Definitions You Need to Know
Understanding the DPDPA starts with its core terminology. The Act introduces specific definitions that form the foundation of every compliance obligation.
- Data Principal - The individual whose personal data is being processed; for a child, this includes the parent or lawful guardian. This is the equivalent of the 'data subject' under GDPR
- Data Fiduciary - Any person or organisation that, alone or with others, determines the purpose and means of processing personal data. This includes companies, government agencies and non-profits
- Data Processor - An entity that processes personal data on behalf of a Data Fiduciary, such as a cloud service provider or an analytics platform
- Consent Manager - An entity registered with the Board that acts as a single point of contact for Data Principals to give, manage, review and withdraw consent across multiple Data Fiduciaries
- Significant Data Fiduciary - A Data Fiduciary or class of Data Fiduciaries notified by the Central Government based on the volume and sensitivity of data processed, the risk to Data Principals, and the potential impact on the sovereignty and integrity of India, electoral democracy, security of the State or public order
Obligations for Data Fiduciaries
Under the DPDPA, any organisation that determines the purpose and means of processing personal data is a Data Fiduciary. The Data Fiduciary remains responsible for compliance regardless of any agreement with a Data Processor, and failure to meet these obligations can result in penalties of up to ₹250 crore per instance.
- Obtain free, specific, informed, unconditional and unambiguous consent, signified by a clear affirmative action, before processing personal data (unless a listed legitimate use applies)
- Provide clear notice to Data Principals stating what personal data is being collected, the purpose of processing, how they can exercise their rights, and how to complain to the Board
- Process data only for the stated purpose and erase it once that purpose is no longer served or consent is withdrawn, unless retention is required by law
- Implement reasonable security safeguards to prevent personal data breaches
- Notify the DPBI and each affected Data Principal of every personal data breach in the prescribed form and manner; the Act sets no harm or materiality threshold below which a breach need not be reported
- Appoint a Data Protection Officer based in India (for Significant Data Fiduciaries)
- Conduct periodic Data Protection Impact Assessments and periodic audits by an independent data auditor (for Significant Data Fiduciaries)
- Engage Data Processors only under a valid contract that flows the Act's requirements down to them
Data Principal Rights
The DPDPA grants individuals several rights over their personal data. These rights let citizens control how their information is used and provide redressal when things go wrong. Organisations must build workflows to verify the requester and respond to these requests within the timeframe prescribed under the Rules.
- Right to Access - Data Principals can request a summary of the personal data being processed, the processing activities, and the identities of all other Data Fiduciaries and Data Processors with whom the data has been shared
- Right to Correction and Erasure - Individuals can request correction, completion or updating of inaccurate or incomplete data, and erasure of data that is no longer necessary for the stated purpose
- Right to Grievance Redressal - Every Data Fiduciary must provide a readily available means for Data Principals to raise grievances, which must be exhausted before approaching the Board
- Right to Nominate - Data Principals can nominate another individual to exercise their rights in the event of death or incapacity
Consent Under the DPDPA
Consent is the cornerstone of the DPDPA. Unlike the common practice of burying consent in lengthy terms and conditions, the DPDPA requires consent to be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. The notice accompanying the consent request must be in clear, plain language, available in English or any language listed in the Eighth Schedule of the Constitution, and must specify the purpose of processing. Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent; processing must then stop unless another lawful basis applies. Organisations relying on 'certain legitimate uses' under Section 7 - such as data voluntarily provided for a specified purpose, employment purposes, medical emergencies, or State functions and benefits - are exempt from the consent requirement in those circumstances, but the list is closed and each use is narrowly defined.
Cross-Border Data Transfers
Section 16 of the DPDPA addresses cross-border data transfers. The Central Government may, by notification, restrict transfers to specified countries or territories, so data can flow to any country not on the restricted list. This departs from GDPR's adequacy-based approach and gives Indian businesses operating globally more flexibility. Two caveats apply: the restricted list can be updated at any time, and Section 16 does not override sectoral laws that impose stricter localisation or transfer restrictions, such as the RBI's requirements for payment system data. Organisations must check both the notification and their sector-specific rules before moving data abroad.
Penalties and Enforcement
The DPDPA introduces a tiered penalty framework, set out in its Schedule, that is among the most significant in the Asia-Pacific region. The Data Protection Board of India (DPBI) is the adjudicatory body responsible for enforcement, and penalties are imposed per instance after an inquiry.
- Up to ₹250 crore for failure to implement reasonable security safeguards to prevent a personal data breach
- Up to ₹200 crore for failure to notify the DPBI and affected Data Principals of a personal data breach
- Up to ₹200 crore for non-compliance with the obligations relating to children's data
- Up to ₹150 crore for non-compliance with the additional obligations of a Significant Data Fiduciary
- Up to ₹50 crore for other violations of the Act's provisions
- Up to ₹10,000 for a Data Principal who breaches their duties under the Act, such as filing a false or frivolous grievance
Timeline and Implementation
The DPDPA was passed by Parliament in August 2023 and received Presidential assent on August 11, 2023. The DPDP Rules, 2025 were notified on November 13, 2025 by the Ministry of Electronics and Information Technology (MeitY), establishing a phased compliance timeline: Phase 1 requirements are already in effect, Phase 2 obligations apply from November 2026, and full compliance is required by May 13, 2027. Businesses should begin their compliance journey now: with only 48% of organisations having even started gap assessments (per EY India), early movers will have a significant advantage.
How Kraver.ai Helps
Kraver.ai's AI-native platform automates the entire DPDPA compliance lifecycle - from data discovery and classification to consent management, breach notification, and audit reporting. Our platform uses machine learning to identify personal data across your systems, map data flows, and continuously monitor compliance posture. What traditionally takes months of manual effort and expensive consultants, Kraver.ai accomplishes in weeks with higher accuracy and real-time visibility.