I have spent the last two years helping Indian companies figure out the Digital Personal Data Protection Act. And I can tell you this much — most of them started too late.
The DPDP Act, 2023 is not a future problem. It is law. The rules are being notified, the Data Protection Board is being set up, and penalties of up to 250 crore rupees are very real. If you are collecting customer names, emails, phone numbers, Aadhaar details, or any personal data from people in India, this applies to you.
This guide covers what the Act actually says, who it applies to, and what your business needs to do. No legal jargon. No copy-paste from the gazette. Just practical advice from someone who has done this work on the ground.
Who Does the DPDP Act Apply To?
Short answer: almost every business operating in India.
The Act applies to any organization that processes "digital personal data" of individuals in India. This includes data collected online (websites, apps, forms) and offline data that gets digitised later (paper forms scanned into a system, for example).
It does not matter whether your company is registered in India or abroad. If you are processing data of Indian residents, you fall under this Act. A SaaS company in Singapore with Indian customers? Covered. A US-based e-commerce platform shipping to Mumbai? Covered.
The only exemptions are personal or domestic use, and certain government functions related to national security.
Key Concepts You Need to Understand
Data Fiduciary
This is your company. If you decide why and how personal data is processed, you are the Data Fiduciary. You carry the primary responsibility for compliance.
Data Processor
Any third party that processes data on your behalf — your cloud provider, your CRM vendor, your payroll software. You are responsible for their compliance too, through contracts.
Data Principal
The individual whose data you hold. Your customer, your employee, your website visitor. They have rights under this Act, and you must honour those rights.
Consent Manager
A registered entity that helps manage consent on behalf of Data Principals. This is a new concept specific to the DPDP Act and the rules around it are still being finalised.
The 7 Things You Must Do
1. Get Proper Consent
This is the foundation of the entire Act. Before you collect any personal data, you need clear, informed, specific consent. No more pre-ticked checkboxes. No more burying consent in your Terms of Service.
Each purpose needs separate consent. If you collect emails for order updates, you cannot use the same consent to send marketing emails. Two different purposes, two different consents.
And here is the part most companies miss — consent must be as easy to withdraw as it was to give. If someone consented with one click, they should be able to withdraw with one click.
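The consent model described above (separate consent per purpose, nothing pre-ticked, withdrawal as easy as granting) is simple enough to express in code. The following is an added example written for this guide, not code from the author or from any product; the purpose keys, the customer identifier and the notice version are constructed values, and the append-only event log is my assumption about how to keep the audit trail a regulator would ask for.

```python
"""Per-purpose consent ledger: an added example, not code from the guide.

Assumptions (mine, not the page's): purposes are short string keys such as
"order_updates" and "marketing", and every consent change is kept as an
append-only event so there is an audit trail of what was agreed, when, and
against which version of the privacy notice.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    granted: bool                  # True = consent given, False = withdrawn
    at: datetime
    notice_version: Optional[str]  # privacy notice shown when consent was given


class ConsentRequired(PermissionError):
    """Raised when processing is attempted without active consent."""


class ConsentLedger:
    """Append-only event log; current state is the latest event per purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              at: Optional[datetime] = None) -> None:
        """Record an affirmative, purpose-specific consent."""
        self._events.append(ConsentEvent(principal_id, purpose, True,
                                         at or datetime.now(timezone.utc),
                                         notice_version))

    def withdraw(self, principal_id: str, purpose: str,
                 at: Optional[datetime] = None) -> None:
        """One call, mirroring grant(): withdrawing is as easy as giving."""
        self._events.append(ConsentEvent(principal_id, purpose, False,
                                         at or datetime.now(timezone.utc), None))

    def _latest(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        for event in reversed(self._events):
            if event.principal_id == principal_id and event.purpose == purpose:
                return event
        return None

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        """No event means no consent: the default is opt-out, never pre-ticked."""
        latest = self._latest(principal_id, purpose)
        return latest is not None and latest.granted

    def summary(self, principal_id: str) -> Dict[str, bool]:
        """Current state per purpose for one person (useful for access requests)."""
        purposes = {e.purpose for e in self._events if e.principal_id == principal_id}
        return {p: self.has_consent(principal_id, p) for p in sorted(purposes)}

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """Full audit trail for one person, oldest first."""
        return [e for e in self._events if e.principal_id == principal_id]


def send_email(ledger: ConsentLedger, principal_id: str, purpose: str,
               body: str) -> dict:
    """Every processing step checks consent for its own purpose before acting.

    Consent collected for order updates does not authorise marketing mail.
    """
    if not ledger.has_consent(principal_id, purpose):
        raise ConsentRequired(f"no active consent for {purpose!r} from {principal_id!r}")
    return {"to": principal_id, "purpose": purpose, "body": body}


if __name__ == "__main__":
    # Constructed walkthrough: one customer, two purposes.
    ledger = ConsentLedger()
    ledger.grant("cust-42", "order_updates", notice_version="2024-01")
    print(send_email(ledger, "cust-42", "order_updates", "Your order has shipped"))
    try:
        send_email(ledger, "cust-42", "marketing", "Sale this weekend")
    except ConsentRequired as err:
        print("blocked:", err)
    ledger.withdraw("cust-42", "order_updates")
    print(ledger.summary("cust-42"))
```

The design choice worth copying is that consent is never stored as a single boolean on the customer record: the ledger keeps every grant and withdrawal with its timestamp and notice version, and the processing code asks the ledger at the moment it acts. That is what lets you show, for any given email, which consent it relied on.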
2. Publish a Clear Privacy Notice
Before or at the time of collecting data, you must give the person a notice explaining what data you are collecting, why, and how they can exercise their rights. This notice must be in plain language — not legalese that takes a law degree to decode.
If you are processing data that was collected before the Act came into force, you still need to send out these notices to existing data principals "as soon as reasonably practicable."
3. Honour Data Principal Rights
People have the right to:
- Access a summary of their personal data and processing activities
- Correct inaccurate or incomplete data
- Erase their data (with some exceptions)
- Nominate someone to exercise rights on their behalf
- File complaints with the Data Protection Board
You need a process for handling these requests. An email address is the bare minimum. A proper online form with tracking is what I recommend to my clients.
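The "form with tracking" recommended above needs a few things a plain mailbox does not give you: a reference number, a due date, a record of who did what, and a check that you have verified the requester's identity before you correct or erase anything (otherwise the rights process itself becomes a way to tamper with someone else's data). The tracker below is an added example for this guide, not code from the author; the 30-day deadline is a placeholder because the guide states no timeline, and the request types simply follow the rights listed above.

```python
"""Rights-request tracker: an added example, not code from the guide.

Assumptions (mine, not the page's): the 30-day response deadline is a
placeholder, since the guide gives none; identity verification is a separate
human step recorded as a flag; request types follow the rights the guide
lists (access, correction, erasure, nomination).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class RequestType(Enum):
    ACCESS = "access"
    CORRECTION = "correction"
    ERASURE = "erasure"
    NOMINATION = "nomination"


class Status(Enum):
    RECEIVED = "received"
    VERIFYING = "verifying"
    IN_PROGRESS = "in_progress"
    CLOSED = "closed"
    REFUSED = "refused"


# Allowed state transitions; anything else is rejected.
TRANSITIONS = {
    Status.RECEIVED: {Status.VERIFYING, Status.REFUSED},
    Status.VERIFYING: {Status.IN_PROGRESS, Status.REFUSED},
    Status.IN_PROGRESS: {Status.CLOSED, Status.REFUSED},
    Status.CLOSED: set(),
    Status.REFUSED: set(),
}


@dataclass
class RightsRequest:
    reference: str
    principal_id: str
    kind: RequestType
    received_on: date
    due_on: date
    status: Status = Status.RECEIVED
    identity_verified: bool = False
    log: List[str] = field(default_factory=list)   # who did what, when


class RightsDesk:
    DEADLINE = timedelta(days=30)   # placeholder, not a figure from the Act

    def __init__(self) -> None:
        self._requests: Dict[str, RightsRequest] = {}

    def open(self, principal_id: str, kind: RequestType,
             received_on: Optional[date] = None) -> RightsRequest:
        """Log a new request and hand back a reference the person can quote."""
        received_on = received_on or date.today()
        reference = f"DPR-{len(self._requests) + 1:05d}"
        req = RightsRequest(reference, principal_id, kind, received_on,
                            received_on + self.DEADLINE)
        req.log.append(f"{received_on}: received {kind.value} request")
        self._requests[reference] = req
        return req

    def verify_identity(self, reference: str, note: str) -> None:
        """Record that the requester proved they are the Data Principal."""
        req = self._requests[reference]
        req.identity_verified = True
        req.log.append(f"identity verified: {note}")

    def advance(self, reference: str, new_status: Status, note: str) -> RightsRequest:
        """Move a request along; acting on an unverified request is refused."""
        req = self._requests[reference]
        if new_status not in TRANSITIONS[req.status]:
            raise ValueError(f"cannot go from {req.status.value} to {new_status.value}")
        if new_status is Status.IN_PROGRESS and not req.identity_verified:
            raise ValueError("identity must be verified before acting on the request")
        req.status = new_status
        req.log.append(f"{new_status.value}: {note}")
        return req

    def overdue(self, today: date) -> List[str]:
        """References still open past their due date, for the weekly review."""
        return sorted(r.reference for r in self._requests.values()
                      if r.status not in (Status.CLOSED, Status.REFUSED)
                      and today > r.due_on)


if __name__ == "__main__":
    # Constructed walkthrough: one erasure request from receipt to closure.
    desk = RightsDesk()
    req = desk.open("cust-42", RequestType.ERASURE, received_on=date(2024, 1, 10))
    desk.advance(req.reference, Status.VERIFYING, "verification link sent")
    desk.verify_identity(req.reference, "link clicked from registered email")
    desk.advance(req.reference, Status.IN_PROGRESS, "deletion job queued")
    print("overdue on 10 Feb:", desk.overdue(date(2024, 2, 10)))
    desk.advance(req.reference, Status.CLOSED, "deleted and confirmed to customer")
    print("\n".join(req.log))
```

Two points of design: the state machine refuses to act on a request whose identity has not been verified, which protects the people whose data you hold from impersonated erasure or disclosure, and the overdue report is driven off the stored due date so a weekly check surfaces anything about to breach the deadline.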
4. Protect Children's Data
If your platform is used by anyone under 18, you need verifiable parental consent before processing their data. You also cannot do behavioural tracking or targeted advertising directed at children. This is a hard rule with no exceptions.
For companies running ed-tech platforms or apps used by minors, this is going to require significant changes.
5. Implement Reasonable Security
The Act requires "reasonable security safeguards" to prevent breaches. It does not prescribe specific technical measures, but industry standards like encryption, access controls, and regular security audits are expected.
If a breach happens and you cannot show you had reasonable safeguards in place, your penalty exposure goes up significantly.
6. Report Breaches
If a personal data breach occurs, you must notify the Data Protection Board and the affected individuals. The timeline and format for notification will be specified in the rules, but based on global standards, expect a 72-hour window.
This means you need a breach detection capability and a response plan before a breach happens. I have seen companies scramble during a breach with no plan — it is not pretty, and it is expensive.
7. Manage Cross-Border Transfers
You can transfer personal data outside India, except to countries specifically restricted by the Central Government. The restricted country list has not been published yet, but it will come.
If you are using AWS US-East, Google Cloud in the US, or any SaaS tool with servers abroad, you are already doing cross-border transfer. Document it now.
Penalties Under the DPDP Act
The penalties are structured and severe:
- Failure to take reasonable security safeguards: up to 250 crore rupees
- Failure to notify the Board and individuals of a breach: up to 200 crore rupees
- Non-compliance with obligations regarding children: up to 200 crore rupees
- Failure to comply with other provisions: up to 50 crore rupees
These are not theoretical numbers. The Data Protection Board will have the power to impose these through adjudication proceedings. And unlike some regulators, the DPDP Board can investigate based on complaints or suo motu.
What Should You Do Right Now?
If you have not started yet, here is a practical 30-day plan:
Week 1: Take a gap assessment. Understand where you stand across consent, data mapping, security, breach response, and all other DPDP requirements. You can use our free assessment tool to get your score in 10 minutes.
Week 2: Fix your consent mechanism. Update your privacy policy. These are the most visible compliance elements and the most likely to trigger complaints.
Week 3: Set up a data subject rights process. Even a simple email workflow with tracking is better than nothing.
Week 4: Create your breach response plan. Identify your security gaps. Start documenting your data processing activities.
Perfect compliance on day one is not realistic for most companies. But demonstrating that you are making genuine, documented efforts — that matters when the regulator comes knocking.