Key Takeaways
- DPDP Act 2023 is India's first comprehensive data protection law, with penalties up to INR 250 crore per violation.
- Applies to every organisation processing personal data of Indian residents, including foreign entities serving Indians.
- Six core obligations: lawful purpose, valid consent, data minimisation, breach notification, principal rights, accountability.
- Significant Data Fiduciaries (SDFs) face additional duties: mandatory DPIA, DPO appointment, periodic independent audits.
- Start compliance with data mapping. The fastest path to compliance combines DPDP with ISO 27001 controls, saving 30-40% versus running separately.
What is the DPDP Act 2023?
The Digital Personal Data Protection Act, 2023 is India's first comprehensive privacy law governing the processing of digital personal data. Notified on 11 August 2023 and operationalised through the Draft DPDP Rules 2025, the Act fundamentally changes how Indian and foreign organisations must handle personal data of Indian residents.
Unlike sectoral regulations like the RBI guidelines or SEBI rules that addressed narrow slices of data privacy, the DPDP Act creates a single national framework covering banks, fintechs, e-commerce, healthcare, education, government, SaaS companies, and any business that collects, stores or processes Indian residents' personal data, whether or not the business itself is based in India.
The law replaces the older Information Technology (Reasonable Security Practices) Rules, 2011 and aligns Indian privacy law more closely with global frameworks like the EU GDPR, although with important differences in scope, enforcement structure and remedies. For Indian businesses, this means privacy compliance is no longer a checkbox tied to sector-specific regulators. It is a board-level legal obligation with enforcement risk attached.
DPDP Act Penalties: How Much Are We Talking?
The DPDP Act has teeth. The Data Protection Board of India can impose administrative penalties through a tiered structure, with the headline number being INR 250 crore per instance of breach for failing to take reasonable security safeguards. This is the highest data protection penalty in any Indian privacy framework to date.
The penalty regime is structured around the severity and nature of the violation, with specific maximums for different obligations. Importantly, these are administrative fines imposed by the Data Protection Board, separate from any civil claims that affected individuals (data principals) may pursue.
- INR 250 crore, failure to take reasonable security safeguards (Section 8)
- INR 200 crore, failure of additional Significant Data Fiduciary obligations
- INR 200 crore, failure to notify a data breach to the Board and affected data principals
- INR 150 crore, non-compliance with obligations related to children's data
- INR 50 crore, non-compliance with other provisions of the Act
Need a DPDP Act Readiness Assessment?
Codesecure delivers a fixed-price DPDP gap assessment in 3 weeks, mapped to ISO 27001 so you save 30-40% versus running both programs separately. Named consultants, board-ready evidence pack, named accountable lead.
Who Is a Data Fiduciary and What Are Your Obligations?
The DPDP Act defines two primary roles. The Data Fiduciary is the organisation that determines the purpose and means of processing personal data, broadly equivalent to the EU GDPR's "Data Controller". The Data Principal is the natural person whose data is being processed.
A Data Fiduciary may engage a Data Processor (similar to GDPR's processor concept) to process data on its behalf, but the Data Fiduciary remains accountable. Outsourcing processing does not outsource liability.
Core Data Fiduciary Obligations
Every Data Fiduciary must satisfy six core obligations under the Act: (1) process personal data only for a lawful purpose for which consent has been given or for legitimate uses defined by the Act; (2) collect only data necessary for that purpose (data minimisation); (3) maintain accuracy and completeness of personal data; (4) implement reasonable security safeguards to prevent personal data breach; (5) notify breaches to the Board and affected data principals; and (6) erase personal data when the purpose is no longer served or when consent is withdrawn.
Significant Data Fiduciary (SDF): The Higher Bar
The Central Government may notify certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on factors including volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, risk to electoral democracy, security of the State and public order.
SDFs face significantly higher compliance obligations beyond the baseline Data Fiduciary requirements:
- Appointment of a Data Protection Officer (DPO) based in India
- Designation of an independent data auditor who must conduct periodic data protection audits
- Mandatory Data Protection Impact Assessments (DPIA) for high-risk processing
- Periodic review of data protection compliance and reporting to the Board
- Additional measures the Central Government may prescribe by rules, including possible cross-border data localisation
Consent: The Foundation of DPDP Compliance
Consent is the primary lawful basis for processing personal data under the DPDP Act. The bar is higher than what many Indian businesses are used to: consent must be free, specific, informed, unconditional, unambiguous, and given through a clear affirmative action.
A pre-ticked checkbox, a buried "I accept" in 80 pages of terms and conditions, or bundled consent for unrelated purposes does not meet the DPDP standard. Each processing purpose needs its own clear consent point.
Notice Requirements (Section 6)
Every consent must be preceded by a clear, plain-language notice telling the data principal: (a) the personal data items being collected; (b) the specified purpose for which it is being processed; (c) the manner of withdrawing consent and the manner of grievance redressal; and (d) the right to complain to the Data Protection Board.
The notice must be available in English and all 22 official Indian languages listed in the Eighth Schedule of the Constitution. This is a major operational shift for businesses that previously operated only in English.
Data Principal Rights
Every data principal has the right to:
- access a summary of the personal data being processed and the identities of all Data Fiduciaries and Data Processors with whom it has been shared;
- correction of inaccurate or misleading data, completion of incomplete data, and updating of outdated data;
- erasure of personal data that is no longer necessary;
- grievance redressal through a readily available mechanism with statutory response timelines; and
- nomination of another individual to exercise the principal's rights in case of death or incapacity.
Want Independent DPDP Audit Services?
For Significant Data Fiduciaries, the DPDP Act mandates periodic independent audits. Codesecure runs board-ready DPDP audits with named consultants and a clean evidence package your Data Protection Board can verify.
Personal Data Breach: 72-Hour Reality
A personal data breach under the DPDP Act includes any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data. The definition is broad, extending well beyond traditional ransomware or hacking scenarios.
Every breach must be reported to the Data Protection Board and to each affected data principal, in the manner and within the timeline that the rules prescribe. The Draft DPDP Rules indicate a notification to the Board within a short window of becoming aware of the breach, with detailed information including the nature, scope, and steps taken.
Indian businesses that have operated under the older CERT-In incident reporting framework are now subject to a far more rigorous regime under DPDP. Both frameworks operate in parallel: a breach involving personal data triggers DPDP notification to the Board plus CERT-In reporting under the older IT Act framework.
Step-by-Step DPDP Compliance Roadmap
DPDP compliance is achievable. Here is the practical roadmap we use with our clients, which typically takes 3-6 months for a mid-sized Indian enterprise:
Phase 1 (Weeks 1-3): Data Mapping & Discovery
Identify every place personal data flows through your organisation: marketing CRMs, customer onboarding, HR systems, vendor management, support tickets, analytics tools, log files, backups. Document the data items, the lawful basis, retention periods, who has access, and downstream sharing with processors and third parties.
This phase typically reveals 3-5x more personal data than the team initially expects. That is normal, and exactly why this phase is non-negotiable.
Phase 2 (Weeks 4-6): Gap Analysis Against DPDP & ISO 27001
Run a structured gap assessment against the DPDP Act obligations and, in parallel, against the ISO 27001:2022 Annex A controls. The two frameworks share roughly 60% of controls. Doing both together saves significant cost and effort versus running them sequentially.
Phase 3 (Weeks 7-16): Remediation
Implement consent management platforms (CMPs), data subject rights workflows, breach response playbooks, retention policy and deletion tooling, vendor due diligence updates, and the DPIA process for any high-risk processing. Update all notices and consent flows to plain-language Section 6 compliance.
Phase 4 (Weeks 17-20): Audit & Sign-Off
Run an internal audit to test the implemented controls, fix any findings, get management sign-off, and (for SDFs) bring in an independent data auditor. Document everything. Your board needs the evidence pack ready before any regulator query.
DPDP Act vs GDPR: Key Differences
For Indian businesses that already have EU GDPR compliance, the DPDP Act is largely a subset with a few important departures. For businesses starting fresh, the DPDP Act is generally simpler to navigate.
- Scope: DPDP covers only digital personal data (or non-digital data subsequently digitised). GDPR covers all forms of personal data.
- Sensitive data: DPDP does not (yet) define a separate category of sensitive personal data, unlike GDPR's special categories.
- Penalties: DPDP has per-instance ceiling-based penalties (INR 250 crore max). GDPR uses percentage of global turnover (up to 4%).
- Lawful basis: DPDP relies heavily on consent plus a closed list of "legitimate uses". GDPR has 6 lawful bases including legitimate interest.
- Data Protection Officer: DPDP requires a DPO only for SDFs. GDPR requires DPOs for a wider set of organisations including most large-scale processors of sensitive data.
- Cross-border transfer: DPDP allows transfers except to countries notified by Central Government as restricted. GDPR uses adequacy decisions and Standard Contractual Clauses.
Frequently Asked Questions
Does the DPDP Act apply to my business if I am based outside India?
Yes, if you process the personal data of Indian residents in connection with offering goods or services to them. The DPDP Act has extraterritorial reach. A SaaS company in the US or UAE serving Indian customers is fully in scope and must comply with the Act.
When does the DPDP Act come into force?
The Act was notified on 11 August 2023. The Draft DPDP Rules 2025 are progressing through public consultation. Different provisions of the Act will be operationalised on dates the Central Government notifies. The Data Protection Board has been constituted. Indian businesses should treat the Act as effectively live for compliance planning purposes; the regulator and the rules are crystallising rapidly.
What is the difference between the DPDP Act and the IT Rules 2011?
The IT (Reasonable Security Practices) Rules 2011 only governed Sensitive Personal Data or Information (SPDI) and only applied to body corporates. The DPDP Act is a comprehensive law applying to all digital personal data and all Data Fiduciaries: government bodies, private companies, and individuals processing data for non-personal use. The DPDP Act effectively supersedes most of the privacy provisions of the IT Rules 2011 framework.
Do I need to localise data in India under the DPDP Act?
Not by default. The DPDP Act allows cross-border transfers except to countries that the Central Government may specifically notify as restricted. This is significantly more permissive than earlier draft data protection bills. However, sector-specific regulations (RBI, SEBI, IRDAI, MeitY) may still impose data localisation on financial data, health data and other categories regardless of DPDP.
How much does DPDP compliance cost for a typical Indian business?
A small Indian SaaS company can achieve DPDP readiness in 3-4 months for INR 8-15 lakh. A mid-sized fintech or hospital with personal data at scale typically needs 4-6 months and INR 15-30 lakh. Significant Data Fiduciaries with mandatory audits run INR 30-60 lakh for the initial compliance program. Codesecure offers fixed-price engagements with named consultants and clear milestones.
Can I combine DPDP compliance with ISO 27001 or SOC 2?
Yes, and we strongly recommend it. ISO 27001:2022 Annex A and DPDP Act controls overlap roughly 60%. Running them as a single program with a unified control library saves 30-40% in time and cost versus running them sequentially. Many Codesecure clients run DPDP + ISO 27001 in parallel to achieve both within 5-7 months.
What happens if I am breached and don't notify under DPDP?
Failure to notify a personal data breach to the Data Protection Board and affected data principals can attract penalties up to INR 200 crore. Worse, failure to notify is generally an aggravating factor in any subsequent regulatory action. Our incident response playbooks include parallel DPDP + CERT-In notification workflows to keep clients compliant under both frameworks simultaneously.
Ready to Make Your Business DPDP-Compliant?
Codesecure has helped 150+ Indian banks, fintechs, SaaS firms, hospitals and government suppliers achieve DPDP compliance. Fixed-price engagements, named senior consultants, board-ready evidence pack, and a guarantee your auditor and regulator can defend.