
DPDPA Act, 2023

India’s first comprehensive law governing how digital personal data is collected, stored, processed, and protected has finally arrived, and it changes everything for Indian businesses. 

The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) was passed by Parliament on August 11, 2023, creating India’s first unified legal framework for protecting digital personal data. The Act was operationalised by the DPDP Rules, 2025, formally notified on November 13, 2025, by the Ministry of Electronics and Information Technology (MeitY).  

This milestone marked the full operationalisation of the legal architecture that had been in the making for years, and the Data Protection Board of India was simultaneously established as the regulatory enforcer. 

The law strikes a careful balance between an individual’s right to privacy, recognised as a fundamental right by the Supreme Court in the landmark 2017 Justice K.S. Puttaswamy vs. Union of India judgment, and businesses’ legitimate need to process data for commercial, operational, and public purposes. The DPDP Rules introduce clear privacy notices, a Consent Manager ecosystem, prescriptive security safeguards, breach-reporting timelines, data-retention limits, and special protections for children and vulnerable persons.

Who Does It Apply To?

The DPDPA’s reach is deliberately wide: 

  • Any business that processes personal data digitally in India 
  • Startups, MSMEs, large corporations, and government bodies alike 
  • Foreign companies offering goods or services to Indian users (extra-territorial application) 
  • Businesses that digitize previously offline data 
  • Any entity involved in collecting, storing, using, or transferring digital personal data within India 

Who Is Exempt? 

  • Individuals processing data purely for personal or household use 
  • Research, archiving, and statistical analysis (provided results are not used to make decisions about identifiable individuals) 
  • Data made publicly available by the individual herself 
  • Certain government activities related to national security, sovereignty, or public order 

What Does DPDPA Replace?

The DPDPA replaces the IT (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011, which operated under the Information Technology Act, 2000. The old regime remains technically in force until the DPDPA’s phased implementation concludes on May 13, 2027, giving businesses the runway they need to transition.

How Is It Different from GDPR? 

Unlike Europe’s General Data Protection Regulation (GDPR), India’s DPDPA does not define “sensitive personal data” as a separate, specially protected category. The DPDPA also has a broader exemption for publicly available data. However, like the GDPR, it applies extraterritorially to processing related to Indian residents, meaning foreign companies serving Indian users are bound by its obligations too.

Who's Who Under DPDPA

Three critical roles define every data transaction in India’s new privacy ecosystem. Understanding which role your startup occupies is the first step to understanding your obligations. 

Data Principal: The Individual

The Data Principal is the person whose personal data is being collected or processed. For children under the age of 18, the parent or legal guardian steps into the role of Data Principal on their behalf. Data Principals have robust rights under the Act: the right to access their data, correct it, erase it, withdraw consent, nominate a representative, and seek grievance redressal.

Data Fiduciary: Your Startup

The Data Fiduciary is the entity that determines the purpose and means of processing personal data. If your startup collects user data, whether emails, phone numbers, behavioural data, payment information, or anything else that can identify an individual, you are almost certainly a Data Fiduciary. This role carries the heaviest obligations: you must seek consent, protect data, report breaches, honour rights, and ensure your vendors comply too. The fiduciary label is deliberate: like a trustee, you hold data in trust for the individual.

Data Processor: Your Vendors

A Data Processor is any third party that processes personal data on behalf of, and under the instructions of, the Data Fiduciary. Cloud providers like AWS or Google Cloud, payroll services, analytics vendors, CRM platforms: all are Data Processors. The law requires you to bind them contractually to the same data protection standards. You cannot outsource liability by outsourcing processing.

Data Protection Board of India (DPB): The Regulator

A newly created regulatory body, the Data Protection Board of India monitors compliance, investigates breaches, adjudicates grievances, and imposes penalties. Critically, it operates as a fully digital office: citizens and businesses interact with it entirely online, without physical presence. The Telecom Disputes Settlement and Appellate Tribunal (TDSAT) acts as the Appellate Authority for decisions made by the Board.

Phased Rollout: The Compliance Timeline

Compliance is not an overnight affair. India has structured a phased implementation window, giving businesses enough runway to adapt their systems, policies, and culture. 

  • August 11, 2023: The DPDPA receives Presidential assent and is published in the Official Gazette. India’s first comprehensive data protection law is born.
  • January 3, 2025: Draft DPDP Rules are released for public consultation. The process received 6,915 inputs from startups, MSMEs, industry bodies, civil society, and citizens across Delhi, Mumbai, Bengaluru, Hyderabad, Kolkata, Guwahati, and Chennai.
  • November 13, 2025: The DPDP Rules 2025 are formally notified by MeitY. The Data Protection Board of India is established. Administrative provisions come into force.
  • November 13, 2026: Consent Manager registration opens with the Data Protection Board. Entities wishing to operate as consent managers (intermediaries helping users manage consent across platforms) can begin registering.
  • May 13, 2027, the last deadline: All remaining provisions become mandatory. This includes notice and consent requirements, data principal rights, security safeguards, startup and MSME exemptions, and Significant Data Fiduciary obligations. Every Data Fiduciary must be fully compliant by this date.

7 Core Principles of Data Protection

Every stage of data processing under the DPDPA must align with seven foundational principles. These principles are not optional guidelines; they are the legal backbone of the entire Act, and violations attract significant penalties.

  1. Consent & Transparency: Personal data may only be processed with the individual’s free, specific, informed, and unambiguous consent, or on a clearly recognised lawful basis. Privacy notices must be written in plain, clear language, not buried in fine print.
  2. Purpose Limitation: Data must only be used for the specific purpose for which consent was obtained. Secondary use, for marketing, profiling, or any purpose not stated at the time of collection, requires fresh, explicit consent. You cannot repurpose data silently.
  3. Data Minimisation: Collect only what is strictly necessary for the stated purpose. Even if a user consents to sharing more, collecting excess data is non-compliant. If your app asks for location when it only needs an email address, that is a violation.
  4. Accuracy: Reasonable efforts must be taken to ensure personal data is accurate, complete, and up to date, especially where data is used to make decisions that affect the individual (credit scoring, employment, healthcare, etc.).
  5. Storage Limitation: Data must be deleted once the purpose for which it was collected is fulfilled, or when the individual withdraws their consent. Hoarding data indefinitely, even with good intentions, is explicitly prohibited.
  6. Security Safeguards: Implement reasonable technical and organisational measures (encryption at rest and in transit, role-based access controls, periodic security audits, and breach response protocols) to prevent unauthorised access, use, or disclosure.
  7. Accountability: Data Fiduciaries are ultimately responsible for compliance across their entire data ecosystem. They must ensure that the Data Processors bound by their contracts also comply. There is no legal shield in claiming “our vendor did it.” Accountability rests with you.

Rights of Individuals & Obligations of Businesses

The DPDPA creates a clear and powerful split: individuals gain meaningful rights over their own data; businesses take on corresponding legal duties.

Rights of Data Principals (Individuals)

  • Right of Access: Individuals can request a summary of what personal data a business holds about them and how it is being processed. Valid requests must be fulfilled within 7 days. 
  • Right to Correction & Erasure: Users can request correction of inaccurate data, or erasure of data that is no longer necessary for the purpose for which it was collected.
  • Right to Withdraw Consent: Consent can be withdrawn at any time. The process to withdraw must be as easy as the process to give consent, no dark patterns, no friction, no buried opt-outs. Once withdrawn, data processing must cease, and data must be deleted. 
  • Right to Nominate: Individuals may nominate another person to exercise their data rights in the event of their death or incapacity, a thoughtful addition that recognises the human reality of data. 
  • Right to Grievance Redressal: Individuals may file complaints with the Data Fiduciary first and escalate to the Data Protection Board if unsatisfied. The entire process is digital. 

Obligations of Data Fiduciaries (Your Startup)

  • Provide a Clear Privacy Notice: Before collecting data, issue a separate, plain-language consent notice explaining precisely what data is collected, why it is collected, and what rights the individual has. Legal boilerplate will not comply. 
  • Collect Only What You Need: Data minimisation is mandatory: collecting more data than required for the stated purpose, regardless of consent, is a violation.
  • Delete Data When Done: Erase personal data once the purpose is fulfilled, or the user withdraws consent. Ensure your Data Processors (vendors) also delete it. 
  • Implement Security Measures: Encryption, access controls, periodic audits, and documented breach response plans are mandatory safeguards. 
  • Report All Breaches to the DPB: Every personal data breach, regardless of severity or how few individuals are affected, must be reported to the Data Protection Board. 
  • Publish Grievance Contact: Publish accessible contact details for a grievance officer so that individuals can easily reach you. 

When Can You Process Without Explicit Consent?

The DPDPA recognises “deemed consent”: situations where processing is lawful without active opt-in. These include:

  • The individual voluntarily provides data and does not indicate non-consent
  • Processing is necessary for a service or benefit the individual applied for
  • For employment-related purposes
  • Medical emergencies
  • Processing for state-provided services or benefits

Basic security safeguards remain mandatory even in deemed consent scenarios. 

Significant Data Fiduciaries (SDF)

Some businesses attract a higher tier of obligations based on the volume, sensitivity, or societal impact of their data processing. The Central Government designates these entities as Significant Data Fiduciaries (SDFs) based on a risk-based assessment. 

Criteria for SDF designation: 

  1. Large volume of personal data processed 
  2. Sensitive nature of the data (health, financial, children’s) 
  3. High risk of harm to Data Principals 
  4. Potential impact on national security or public order 
  5. Risk to electoral democracy or social sovereignty 
  6. Major platforms offering services to large Indian user bases 

Additional SDF Obligations:

  1. Appoint a Data Protection Officer (DPO), who must be an Indian resident 
  2. Appoint an independent Data Auditor 
  3. Conduct periodic Data Protection Impact Assessments (DPIA) 
  4. Higher data localisation requirements 
  5. Algorithmic accountability measures 
  6. Enhanced transparency reporting 
  7. Stricter cross-border data transfer rules 

Most early-stage Indian startups will not be classified as SDFs, but as you scale, especially into health, finance, edtech, or social media, classification becomes a real possibility. SDF provisions are expected to come into force on May 13, 2027. 

Children's Data

Under the DPDPA, a “child” is defined as anyone under the age of 18, notably stricter than GDPR’s threshold of 16 (with flexibility down to 13 depending on member state). If your product or platform can be accessed by minors, the following rules are non-negotiable. 

  1. Verifiable Parental Consent: You must obtain verifiable consent from the parent or legal guardian before processing any personal data of a child. Simple tick-boxes or self-declarations will not suffice; the consent must be genuinely and robustly verified.
  2. No Behavioural Targeting: Tracking, profiling, or behavioural advertising directed at children is strictly and categorically prohibited. No targeted ads. No data-driven personalisation for under-18 users.
  3. No Detrimental Monitoring: Processing that is detrimental to the wellbeing of a child is banned outright, including invasive monitoring of children’s activities, whether online or offline.
  4. Age Verification Is Your Responsibility: The obligation to verify the user’s age falls squarely on the Data Fiduciary, i.e., your startup. You cannot simply rely on users self-declaring their age. Robust, reliable age-verification mechanisms must be built into the product itself.

Startup Alert: Ed-tech platforms, gaming apps, social media networks, kids’ entertainment products, and any consumer-facing application that minors can access must build age-verification and parental consent flows into the product architecture. Non-compliance in the area of children’s data attracts the highest penalty tier under the Act. 

What To Do When a Data Breach Happens

Under India’s DPDPA, ALL breaches must be reported; there is no de minimis threshold, no “low-risk” exemption, and no minimum number of affected individuals that triggers the obligation. The moment a breach occurs, the following five-step protocol must be followed. 

  1. Detect & Contain: Identify the breach immediately. Stop further unauthorised access. Preserve digital evidence for investigation. 
  2. Assess Scope: Determine what categories of data were affected, how many individuals are impacted, and what potential harm may result. 
  3. Notify the DPB: Report the breach to the Data Protection Board. There is no minimum severity threshold, every breach must be reported. 
  4. Notify Affected Individuals: Inform all affected Data Principals promptly. Explain clearly what happened, what data was involved, and what remedial steps are being taken. 
  5. Remediate: Fix the root cause. Implement additional safeguards to prevent recurrence. Document the entire incident comprehensively. 

Additionally, consent records, including records of consents given, denied, and withdrawn, must be maintained for a minimum of 7 years, which is also critical for breach investigations and audits by the DPB.

Penalties: What's Financially at Stake

Penalties under the DPDPA are civil (financial) in nature and are not criminal. There is no provision for imprisonment under the Act. However, the financial consequences are serious and should not be underestimated. The Data Protection Board is empowered to impose monetary penalties of up to ₹250 crore per breach, taking into account the nature of the fiduciary, the volume and sensitivity of data involved, and the harm caused. 

Violation | Maximum Penalty
Failure to take reasonable security safeguards leading to a breach | ₹250 Crores
Failure to notify DPB or Data Principals of a breach | ₹200 Crores
Failure to fulfil Data Principal rights (access, correction, erasure) | ₹200 Crores
Non-compliance by Significant Data Fiduciary (no DPO, no DPIA, etc.) | ₹150 Crores
Violation of Data Principal duties (false complaints, impersonation) | ₹10,000
Any other violation with no specific penalty prescribed | ₹50 Crores

How Are Penalties Determined?  

The DPB considers: the nature and gravity of the default, whether it is a repetitive violation, efforts made to reduce harm, profits gained from the violation, and prior undertakings given by the business. Businesses may also voluntarily give undertakings to comply at any stage of proceedings; if accepted by the Board, proceedings are dropped entirely, providing a meaningful off-ramp for startups that acted in good faith.

Gaps and Concerns in the DPDPA

No law is perfect, and the DPDP framework has its share of open questions. Several of these may ultimately be tested in court under the Puttaswamy constitutional framework. 

Rule 23 and Government Access 

Perhaps the most contentious provision, Rule 23 allows the central government to direct any data fiduciary to furnish personal data for purposes of national security, sovereignty, or public duty. Any authorised official may issue such notices and fix deadlines for compliance. More alarming, Rule 23(2) permits the government to bar the fiduciary from informing the data principal about the request.

The Internet Freedom Foundation has warned that Rule 23 “grants unchecked power” to the state to demand personal data without consent, using “vague justifications like national security.” The categories of data access are so broadly defined that they invite abuse. There is no explicit requirement for judicial oversight, no warrant process specified in the Rules, no ex-post review mechanism, no data minimisation requirement for government requests, and no obligation to publish statistics on how often data is demanded.

Impact on Press Freedom and RTI 

The DPDP Act’s interaction with the Right to Information Act has drawn significant criticism. Section 44(3) of the Act imposes restrictions on releasing “personal information” through RTI, which critics argue could be used to block legitimate transparency requests. Earlier versions of India’s data-protection proposals, the 2018 Srikrishna Committee draft and the 2019 bill, explicitly included exemptions for journalistic purposes, similar to the GDPR model. The final Act contains no such exemption. 

The Editors Guild of India has stated that “the absence of any journalistic exemption, coupled with wide-ranging powers granted to the government to obtain personal data, poses a direct threat to press freedom.” 

Consent Fatigue in a Diverse Nation 

India has significant literacy and digital fluency gaps. Even “clear and plain language” notices may fail to empower the average user. The absence of standardised, user-friendly notice templates (like layered notices) risks turning the consent framework into a compliance formality rather than a genuine empowerment tool. 

Algorithmic Accountability 

As AI-driven processing grows, and shadow AI has already emerged as one of the top three cost drivers of breaches in India, adding an average of ₹17.9 million to breach costs, the absence of any provision on automated profiling, explainability, or algorithmic transparency is a notable gap. While Significant Data Fiduciaries must verify that their algorithms don’t endanger data principals’ rights, the Rules prescribe no testing methods or assessment frameworks for doing so. 

Technical Standards Gap 

The Rules describe technical standards in broad terms but offer no specific guidance on encryption benchmarks, log formats, authentication protocols, or incident-response service-level expectations. Mandatory one-year log retention may also conflict with sectoral laws requiring longer retention periods and could impose disproportionate burdens on smaller entities. The absence of standardised templates for notices, consent forms, breach reports, and DPIAs may lead to inconsistent industry practices until supplementary guidance is issued. 

Startup DPDPA Compliance Checklist

Use this as your practical action plan. Work through each item before May 2027 – ideally, start today. 

Foundation (Do First) 

  • Map all personal data your startup collects: its sources, storage locations, and Data Processors
  • Identify your legal basis for each type of data processing (consent vs. deemed consent) 
  • Draft a plain-language Privacy Notice for each data collection touchpoint 
  • Build a consent mechanism that is as easy to withdraw as it is to give 
  • Review and update all third-party vendor contracts with data processing clauses  
  • Implement data minimisation: audit and remove unnecessary data collection fields
  • Set up data retention schedules; know when and how to delete 

Security & Breach Preparedness 

  • Implement encryption for data at rest and in transit 
  • Set up access controls and role-based permissions for internal teams 
  • Create a documented Data Breach Response Plan (DBRP) 
  • Register with the Data Protection Board once the portal opens 
  • Establish a clear, tested process to report breaches to the DPB immediately 

Data Principal Rights 

  • Build a user-facing portal or mechanism to handle data access requests within 7 days 
  • Set up a process for correction and erasure requests 
  • Create a grievance redressal mechanism and publish grievance officer contact details 
  • Ensure consent withdrawal is seamless and automatically triggers data deletion 
  • Notify existing users and obtain fresh consent for any legacy data 

If Your Product Reaches Children 

  • Implement age-verification mechanisms  
  • Build verifiable parental consent flows into your onboarding experience 
  • Audit and disable any behavioural targeting or profiling of under-18 users 
  • Review all ad-tech integrations that may target children 

Records & Governance 

  • Set up a consent registry: log all consents given, denied, and withdrawn
  • Maintain all records for a minimum of 7 years 
  • Assign internal data protection ownership, even informally if not a formal DPO 
  • Train all employees who handle personal data on DPDPA basics 
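The consent registry, the withdrawal-triggers-deletion rule and the under-18 parental-consent rule from the checklist above, sketched in Python as an added illustration (not code from this page or its author). The `on_withdraw` hook, the 7-year retention floor as a purge check, and all sample principals and dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

CHILD_AGE = 18                        # DPDPA: a "child" is anyone under 18
RETENTION = timedelta(days=7 * 365)   # consent records kept for at least 7 years
ACTIONS = ("given", "denied", "withdrawn")


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str                       # one record per purpose (purpose limitation)
    action: str                        # "given" | "denied" | "withdrawn"
    at: datetime
    verified_guardian: Optional[str] = None   # who gave verifiable parental consent


class ConsentLedger:
    """Append-only record of every consent decision, plus the withdrawal cascade."""

    def __init__(self, now: Callable[[], datetime],
                 on_withdraw: Callable[[str, str], None]) -> None:
        self._events: list = []
        self._now = now
        # Hypothetical hook: your own deletion + vendor (Data Processor) notification.
        self._on_withdraw = on_withdraw

    def record(self, principal_id: str, purpose: str, action: str, *,
               age: int, verified_guardian: Optional[str] = None) -> ConsentEvent:
        if action not in ACTIONS:
            raise ValueError(f"unknown consent action: {action}")
        # Under-18 principals: a self-declared tick-box is not enough.
        if age < CHILD_AGE and action == "given" and not verified_guardian:
            raise PermissionError("child data needs verifiable parental consent")
        event = ConsentEvent(principal_id, purpose, action, self._now(), verified_guardian)
        self._events.append(event)          # denied and withdrawn are logged too
        if action == "withdrawn":
            self._on_withdraw(principal_id, purpose)   # processing stops, deletion starts
        return event

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """Latest decision for this principal and purpose wins; silence is not consent."""
        for event in reversed(self._events):
            if event.principal_id == principal_id and event.purpose == purpose:
                return event.action == "given"
        return False

    def purgeable(self) -> list:
        """Events past the 7-year floor; everything newer must be retained."""
        cutoff = self._now() - RETENTION
        return [e for e in self._events if e.at < cutoff]


def demo() -> dict:
    """Constructed walk-through; returns the checks a test can assert on."""
    clock = [datetime(2027, 6, 1, tzinfo=timezone.utc)]   # constructed sample date
    deletions = []
    ledger = ConsentLedger(now=lambda: clock[0],
                           on_withdraw=lambda p, u: deletions.append((p, u)))
    ledger.record("adult-1", "newsletter", "given", age=34)
    ledger.record("adult-1", "analytics", "denied", age=34)   # purpose-specific
    try:
        ledger.record("minor-1", "newsletter", "given", age=15)   # no guardian: rejected
        child_blocked = False
    except PermissionError:
        child_blocked = True
    ledger.record("minor-1", "newsletter", "given", age=15, verified_guardian="guardian-9")
    before = ledger.may_process("adult-1", "newsletter")
    ledger.record("adult-1", "newsletter", "withdrawn", age=34)
    after = ledger.may_process("adult-1", "newsletter")
    clock[0] += timedelta(days=7 * 365 + 1)   # jump past the retention floor
    return {
        "adult_newsletter_before": before,                               # True
        "adult_analytics": ledger.may_process("adult-1", "analytics"),   # False
        "adult_newsletter_after": after,                                 # False
        "child_blocked_without_guardian": child_blocked,                 # True
        "child_with_guardian": ledger.may_process("minor-1", "newsletter"),  # True
        "deletions": deletions,                   # [("adult-1", "newsletter")]
        "purgeable_count": len(ledger.purgeable()),   # all 4 logged events
        "event_count": len(ledger._events),           # 4 (rejected attempt not logged)
    }
```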

Key Terms Decoded: DPDPA Glossary

Term | Definition
Personal Data | Any data about an identifiable individual: name, email, phone number, device ID, biometrics, etc.
Data Principal | The individual whose personal data is being processed; parent/guardian if they are a minor
Data Fiduciary | The entity (your startup) that decides the purpose and means of processing personal data
Data Processor | A third party (vendor, cloud provider, analytics tool) processing data on instructions from the Fiduciary
Consent Manager | A registered intermediary enabling users to manage, give, and withdraw consent across multiple platforms
Significant Data Fiduciary (SDF) | A high-risk Data Fiduciary notified by the government; subject to additional obligations including DPO, DPIA, and audits
Data Protection Board (DPB) | The regulatory authority that monitors compliance, investigates breaches, and imposes penalties
Data Protection Officer (DPO) | Mandatory appointment for SDFs; responsible for compliance and liaison with the DPB
DPIA | Data Protection Impact Assessment, a pre-processing evaluation of potential harms for high-risk activities
Deemed Consent | Situations where processing is legally valid without active opt-in, e.g., voluntary sharing or medical emergencies
Purpose Limitation | The principle that data collected for one purpose cannot be repurposed without fresh, explicit consent
Data Localisation | Rules governing where data can be stored or transferred; cross-border transfer rules are pending full notification

FAQs

What is the Data Protection Board of India?

The DPB is the regulatory authority that monitors compliance, investigates breaches, adjudicates grievances, and imposes penalties. It operates as a fully digital office: all interactions occur online. Appeals against DPB decisions lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

How does the DPB decide the penalty amount?

The Board considers factors including the nature and gravity of the violation, whether it is a repeat offence, efforts taken to reduce harm, profits gained from the violation, and prior undertakings given. Businesses may voluntarily give undertakings to comply at any stage of proceedings; if accepted, proceedings are dropped entirely.

My startup is very small. Does DPDPA still apply to us?

Yes. The Act applies to startups of all sizes, though smaller businesses benefit from graded obligations. Certain heavier requirements, like appointing a Data Protection Officer or conducting DPIAs, are reserved for Significant Data Fiduciaries. That said, core duties like obtaining consent, implementing security safeguards, and reporting breaches apply to everyone.

What rights do individuals have under DPDPA?

Data Principals have the right to access their data, correct inaccuracies, request erasure, withdraw consent, nominate a representative (for death or incapacity), and file grievances. Access requests must be fulfilled within 7 days.

Once a user withdraws consent, you must stop processing their data and delete it, including ensuring that your third-party vendors (Data Processors) delete it too. The withdrawal process must be seamless and friction-free.

As a startup, do we need to appoint a Data Protection Officer (DPO)?

Only if your startup is designated as a Significant Data Fiduciary (SDF) by the Central Government. Most early-stage startups will not qualify as SDFs, but as you scale, particularly in health, finance, edtech, or social media, this designation becomes a real possibility.

What must our privacy notice include?

Your privacy notice must clearly explain what personal data is collected, why it is collected, how it will be used, and what rights the individual has. It must be written in plain language and issued separately before data collection; standard legal boilerplate will not meet the requirement.

Consent records including consents given, denied, and withdrawn must be maintained for a minimum of 7 years.