Digital Personal Data Protection Act, 2023
India's first comprehensive data protection law, enacted on 11 August 2023, with phased implementation through May 2027.
Key provisions
Consent-based processing
Processing needs free, specific, informed, unconditional and unambiguous consent, with a clear purpose.
Purpose limitation
Data may be processed only for the purpose consented to, and erased when that purpose is met.
Data Principal rights
Access, correction, erasure, grievance redressal, and nomination of a representative.
Data Fiduciary obligations
Accuracy, security safeguards, published notices, grievance response, and deletion on withdrawal.
Children's data
Verifiable parental consent for under-18s; no tracking, behavioural monitoring, or targeted ads.
Cross-border transfers
Permitted except to countries the Central Government restricts (Section 16). No blanket localisation.
Implementation timeline
The Digital Personal Data Protection Act, 2023 receives Presidential assent and is published in the Official Gazette.
Phase 1: The Data Protection Board of India (DPB) begins operations to adjudicate complaints and impose penalties.
Phase 2: Consent Managers must register with the DPB. Organisations must implement granular consent mechanisms.
Phase 3: All provisions enforceable. Non-compliance attracts penalties up to ₹250 crore per instance.
Penalty schedule
Penalties are set out in the Schedule to the DPDP Act and imposed by the Data Protection Board under Section 33, which weighs the gravity, duration and repetitive nature of the breach.
| Obligation breached | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards (Section 8(5)) | Up to ₹250 crore |
| Failure to notify the Board and affected Data Principals of a breach (Section 8(6)) | Up to ₹200 crore |
| Non-compliance with additional obligations for children's data (Section 9) | Up to ₹200 crore |
| Non-compliance with the additional obligations of a Significant Data Fiduciary (Section 10) | Up to ₹150 crore |
| Breach of the duties of a Data Principal (Section 15) | Up to ₹10,000 |
| Breach of any other provision of the Act or Rules | Up to ₹50 crore |
Key definitions
Data Fiduciary
Any person or entity that, alone or in conjunction with other persons, determines the purpose and means of processing personal data. Equivalent to a 'Data Controller' under GDPR.
Data Principal
The individual to whom the personal data relates. In the case of a child, the parent or lawful guardian.
Consent Manager
A registered entity that serves as a single point of contact for Data Principals to manage, review, and withdraw consent given to multiple Data Fiduciaries.
Significant Data Fiduciary (SDF)
A Data Fiduciary designated by the Central Government based on volume and sensitivity of data processed, risk to the rights of Data Principals, and potential impact on sovereignty. SDFs face enhanced obligations.
Data Protection Board (DPB)
An independent body established under the Act to adjudicate complaints, impose penalties, and oversee compliance with the DPDP Act.
Frequently asked questions
What is the maximum penalty under the DPDP Act?
Up to ₹250 crore for failing to take reasonable security safeguards, set out in the Schedule to the Act and imposed by the Data Protection Board under Section 33.
When does the DPDP Act take effect?
The Act was enacted on 11 August 2023, the DPDP Rules were notified in November 2025, and most obligations become enforceable from 13 May 2027.
What rights do data principals have?
Access, correction, erasure, grievance redressal, and nomination of a representative.