
India’s DPDP Act 2023 & DPDP Rules 2025: A Complete Guide for Businesses

In today’s digital economy, personal data has become a core business asset, but it also carries significant responsibility. To address this, India has introduced a modern data protection framework through the Digital Personal Data Protection Act, 2023 (DPDP Act) and its supporting laws called the Digital Personal Data Protection Rules, 2025 (DPDP Rules).

What is the DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 is India’s first comprehensive law designed specifically for digital personal data privacy and protection. It was passed by Parliament and received the President’s assent on 11 August 2023.

Purpose of the Act

The DPDP Act aims to:

  • Protect the individual’s right to privacy regarding personal data
  • Establish responsibilities for organisations that collect and process personal data
  • Promote transparent, fair and secure use of personal data in India
  • Foster trust and accountability in the digital ecosystem

Who Does It Apply To?

The law applies when:

  • Personal data is processed within India, or
  • Personal data of individuals in India is processed outside India in connection with offering goods/services to them. This means Indian users are protected even if the service provider is abroad.

The DPDP Act applies to all businesses that process “digital personal data”, that is, data that can identify a person and is collected, stored, or used in digital form.

Key Concepts in the DPDP Act

Here are the essential roles and terms every founder should understand:

1. Data Principal: The individual whose personal data is being processed (e.g., a user, customer, employee).

2. Data Fiduciary: An entity (company or organisation) that decides why and how personal data is processed. This includes startups, SaaS platforms, marketplaces, enterprises, e-commerce operators, etc.

3. Data Processor: An entity that processes data on behalf of a Data Fiduciary (e.g., a cloud provider, analytics tool).

The Startup Zone would be a Data Fiduciary, since as professionals we are often responsible for defining the how and why of statutory compliance; however, we also act as a Data Processor in some cases, such as running payroll on behalf of clients.

Data Protection Board of India (DPB)

A statutory body created under the Act to:

  • Monitor compliance
  • Handle consumer complaints
  • Penalise violations
  • Adjudicate disputes under the law

Rights of Individuals (Data Principals)

Under the Act, individuals get clear rights over their personal data, empowering them to control how their data is used. These include:

Right to Consent and Withdraw

Organisations must obtain explicit, informed consent before processing personal data. Individuals can withdraw consent at any time.

Right to Information

Individuals have the right to know:

  • What data is being collected
  • Why it is being collected
  • How it is being used
  • With whom it is shared

Right to Access, Correct or Erase

Individuals can:

  • Request access to their personal data
  • Ask for corrections if data is inaccurate
  • Request erasure (deletion) when certain criteria are met

Right to Grievance Redressal & Representation

Individuals can file a complaint with the Data Protection Board if their rights are violated.

Who Must Comply With the DPDP Act?

If your business collects, stores, processes, shares, or derives value from personal data in digital form, you need to comply — whether you are:

  • A startup providing digital services
  • A SaaS platform
  • An e-commerce marketplace
  • A mobile app
  • An online platform serving Indian users

Processing includes any action on data, such as collection, storage, transfer, use, or deletion.

What Do the DPDP Rules 2025 Do?

The DPDP Rules 2025 were officially notified on 14 November 2025 by the Ministry of Electronics and Information Technology (MeitY). These rules lay out the operational framework for implementing the Act — specifying how organisations should comply.

Think of the Act as the law’s principles and the Rules as the detailed playbook for compliance.

Why the DPDP Rules Matter

The Rules provide practical clarity on:

  • Consent requirements
  • Notice obligations
  • Personal data breach reporting
  • Data retention and disposal
  • Obligations of significant data fiduciaries
  • Rights exercise mechanisms
  • Security safeguards
  • Children’s data protection

They complete the legal framework and make the law actionable.

Key Features of the DPDP Rules

Here are the compliance highlights you should know as a founder:

Clear Consent and Notice Requirements

Data fiduciaries must provide a plain-language privacy notice to individuals explaining:

  • What data is collected
  • Why it’s collected
  • How consent can be withdrawn
  • How to exercise rights

Consent must be:

  • Free
  • Specific
  • Informed
  • Unambiguous

Security Safeguards & Breach Reporting

Organisations must implement reasonable security measures, and if a personal data breach occurs they must:

  • Notify affected individuals immediately
  • Report to the Data Protection Board within a specified timeframe (e.g., 72 hours)

Phased Compliance

Compliance obligations come into force in phases over an 18-month transition period after the rules’ notification, giving businesses time to prepare.

Special Safeguards for Children’s Data

Enhanced precautions are required when processing children’s personal data, including verifiable parental consent.

Significant Data Fiduciary Requirements

Entities handling large volumes of data or sensitive categories (like social media or platforms) must adopt stronger governance measures such as:

  • Data Protection Officer (DPO)
  • Annual risk assessments
  • Independent audits
  • Enhanced oversight frameworks

Penalties for Non-Compliance

Failure to comply with the DPDP Act and Rules can lead to significant financial penalties. While exact penalties vary by violation, fines can go up to hundreds of crores of rupees depending on the severity.

Non-compliance can also lead to reputational damage, regulatory notices, audits, and enforcement actions by the Data Protection Board.

Why This Matters for Your Startup

Data privacy compliance is no longer optional for businesses operating in India. Here’s what founders need to internalise:

1. Consent Is Core

Processing personal data without valid consent is a compliance violation. You must design systems that acquire, store, and respond to consent decisions appropriately.

2. Transparent Privacy Policies

Your privacy policy must clearly state:

  • What data you collect
  • Why you collect it
  • How long you retain it
  • Third parties you share it with
  • How a data subject can exercise rights

3. Data Breach Preparedness: You need a dedicated breach response process and logging mechanisms to meet regulatory timelines and reporting standards.

4. Internal Accountability: Appointing a Data Protection Officer (DPO) or similar role is essential for ongoing governance and compliance.

What Should Startups Do Now?

Here’s a simple startup compliance roadmap:

Step 1: Data Mapping

Understand what personal data you collect, where it resides, and how it flows through your systems.

Step 2: Update Policies

Revise your privacy policy and consent notices to reflect DPDP requirements.

Step 3: Build Processes

Create standard operating procedures for:

  • Consent capture and withdrawal
  • Rights requests (access, correction, erasure)
  • Security incidents and breach management

Step 4: Appoint Privacy Lead

Designate a DPO or privacy lead responsible for ongoing compliance and reporting.

Step 5: Train Your Team

Train your product, legal, engineering, and customer teams on data protection obligations.

Final Thought

The DPDP Act 2023 and DPDP Rules 2025 mark a new era of data privacy compliance in India. These laws shift data protection from an optional good-to-have practice to a regulatory requirement that every business collecting digital personal data must observe.

For startups, compliance is not just about avoiding penalties, it is about building trust with users, partners, and investors. Getting privacy governance right today will help unlock sustainable growth tomorrow.

This blog is the first in our DPDP compliance series.

In the upcoming articles, we’ll break down:

  • Consent management under DPDP
  • Significant Data Fiduciary obligations
  • Data breach reporting timelines
  • Children’s data compliance
  • DPDP penalties & enforcement

Stay tuned, and if you would like a customised compliance roadmap for your company, get in touch with The Startup Zone.
