DPDP Act India: Complete Compliance Guide for Businesses [2026]

India's Digital Personal Data Protection Act (DPDP Act, 2023) is now in force, with full compliance required by May 13, 2027. Every business, website, and app that collects personal data from Indian citizens must comply — or face penalties up to ₹250 crore. This guide explains what the DPDP Act requires, who it applies to, and the deadlines you must meet.

Does the DPDP Act Apply to Your Business?

The DPDP Act applies to any entity that processes personal data of Indian citizens, regardless of where the entity is physically located. If you answer "yes" to any of these questions, the DPDP Act applies to you:

  1. Do you have a website or app? If your website has a contact form, newsletter signup, user accounts, or any feature that collects names, emails, phone numbers, or addresses from Indian users — DPDP applies.
  2. Do you collect customer data? E-commerce stores, SaaS platforms, fintech apps, EdTech platforms, healthtech services — all collect personal data. DPDP applies.
  3. Do you process employee data? If you have employees in India and maintain HR records with names, contact details, bank accounts, or Aadhaar numbers — DPDP applies (with some exemptions for employment data).
  4. Are you a foreign company with Indian users? DPDP has extraterritorial reach. If you're a US, EU, or Singapore-based company offering services to Indian users, DPDP applies to your Indian user data.

Key term: Data Fiduciary — Under DPDP, any entity that determines the purpose and means of processing personal data is called a "Data Fiduciary." If you decide why and how to collect and use personal data, you are a Data Fiduciary and must comply with DPDP obligations.

✓ Quick Test: If you have a contact form on your website that collects names and emails from Indian visitors → You are a Data Fiduciary → DPDP applies to you.


What the DPDP Act Requires from Every Indian Business

The DPDP Act imposes 7 core obligations on Data Fiduciaries. Every business must implement these requirements before the May 2027 compliance deadline:

1. Obtain Valid Consent

You must obtain free, specific, informed, and unambiguous consent from users before collecting their personal data. Consent must be:

2. Publish a Privacy Policy

You must publish a privacy policy that explains what personal data you collect, why you collect it, how long you retain it, who you share it with, and how users can exercise their rights. The privacy policy must be written in clear and plain language, available in English and any of the 22 scheduled Indian languages used by your audience.

3. Implement Data Security Measures

You must implement "reasonable security safeguards" to prevent data breaches, unauthorized access, and data loss. This includes encryption of sensitive data, access controls, regular security audits, and incident response plans.

4. Notify Data Breaches Within 72 Hours

If you experience a data breach, you must notify the Data Protection Board of India (DPB) within 72 hours. You must also notify affected users if the breach is likely to cause them harm.

5. Honor Data Principal Rights

Users (called "Data Principals" under DPDP) have the right to access their data, correct inaccurate data, delete their data, withdraw consent, and nominate a representative. You must provide a mechanism for users to exercise these rights easily.

6. Appoint a Data Protection Officer (for Significant Data Fiduciaries)

If your business is classified as a Significant Data Fiduciary (high data volume, sensitive data, or children's data), you must appoint a Data Protection Officer (DPO) based in India. Note: Most small businesses and startups will NOT be classified as Significant Data Fiduciaries and do not need a DPO.

7. Special Rules for Children's Data (Under 18)

If you collect data from users under 18 years old, you must obtain verifiable parental consent before processing their data. You are also prohibited from tracking or behaviourally monitoring children and from directing targeted advertising at them.


DPDP Penalties: What the ₹250 Crore Fine Really Means

The Data Protection Board of India has the authority to impose fines on Data Fiduciaries who violate DPDP requirements. Penalties are tiered based on the severity of the violation:

Violation                                                        Maximum Penalty
Failure to implement reasonable security safeguards              ₹250 crore
Processing children's data without verifiable parental consent   ₹200 crore
Failure to notify data breach within 72 hours                    ₹200 crore
Processing data without valid consent                            ₹50 crore
Failure to honor Data Principal rights                           ₹50 crore
Non-publication of privacy policy                                ₹50 crore

Important context: These are maximum penalties. The DPB will likely impose proportionate fines based on the nature and severity of the violation, number of Data Principals affected, and whether the violation was intentional.

⚠️ Reality Check: Even a ₹10 lakh fine (0.04% of the maximum) is devastating for most Indian startups. The risk is real. Compliance is not optional.


Key DPDP Concepts You Must Understand

Data Fiduciary vs Data Processor

Data Fiduciary: The entity that decides why and how to process personal data (your business). Data Processor: An entity that processes data on behalf of the Data Fiduciary (e.g., your cloud hosting provider). You (Data Fiduciary) are responsible for ensuring your Data Processors comply with DPDP.

Consent Manager

A Consent Manager is a registered intermediary that helps users manage consent across multiple Data Fiduciaries. Think of it as a centralized consent dashboard. Consent Managers must register with the Data Protection Board by November 2026.

Significant Data Fiduciary (SDF)

Data Fiduciaries that process large volumes of data, sensitive data, or children's data may be classified as SDFs and have additional obligations including appointing a DPO and conducting regular audits.

DPDP Compliance Deadlines and Timeline

Date                   Milestone
August 11, 2023        DPDP Act passed by Parliament
November 13, 2025      DPDP Rules 2025 finalized
November 13, 2026      Consent Manager registration deadline
May 13, 2027           Full compliance required for all Data Fiduciaries
May 14, 2027 onward    Data Protection Board begins enforcement

Frequently Asked Questions

Does DPDP apply to small businesses and startups?

Yes. The DPDP Act does not have a revenue threshold or employee count exemption. If you process personal data of Indian citizens, DPDP applies.

I'm based outside India. Does DPDP apply to me?

Yes, if you offer goods or services to Indian users. DPDP has extraterritorial application.

Is DPDP the same as GDPR?

No. While DPDP borrows concepts from GDPR, there are significant differences including cross-border data transfer rules, the Consent Manager system, penalty structures, and age thresholds. A GDPR-compliant privacy policy is NOT automatically DPDP-compliant.

Can I transfer data outside India?

Yes, with conditions. The DPDP Act allows cross-border data transfers to countries notified by the Indian government as having adequate data protection laws. Transfers to non-whitelisted countries will require additional safeguards.

What happens if I experience a data breach?

You must notify the Data Protection Board of India within 72 hours and affected users if the breach is likely to cause harm. Failure to notify can result in penalties up to ₹200 crore.

Do I need to hire a Data Protection Officer?

Only if you are classified as a Significant Data Fiduciary. Most small businesses and startups will not be SDFs.

Can I still use Google Analytics under DPDP?

Yes, but you need proper consent. You must obtain user consent before activating Google Analytics tracking, disclose it in your privacy policy, enable IP anonymization, and ensure you have a Data Processing Agreement with Google.
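The consent-before-tracking requirement above, together with the consent obligations in "1. Obtain Valid Consent", as an added example that is not part of the guide: a small consent store that records a specific, timestamped, withdrawable choice per purpose, and a gate that only activates analytics when a current, unwithdrawn record exists. The names ConsentStore, PURPOSE_ANALYTICS and loadAnalyticsIfConsented are assumptions, and the loader callback stands in for injecting the analytics script tag in a browser.

```javascript
// Added example, not code from the guide. Names below are assumptions.
const PURPOSE_ANALYTICS = "analytics";

class ConsentStore {
  constructor() { this.records = new Map(); }

  // Record an affirmative, purpose-specific choice together with the
  // version of the privacy notice the user actually saw ("informed").
  grant(purpose, policyVersion, now = Date.now()) {
    this.records.set(purpose, { policyVersion, grantedAt: now, withdrawnAt: null });
    return this.records.get(purpose);
  }

  // Withdrawal keeps the record for audit but marks it withdrawn.
  // Returns true when the purpose is now in a withdrawn state.
  withdraw(purpose, now = Date.now()) {
    const rec = this.records.get(purpose);
    if (!rec) return false;
    if (rec.withdrawnAt === null) rec.withdrawnAt = now;
    return true;
  }

  // Consent is valid only if it was granted for this purpose, for the
  // notice version currently published, and has not been withdrawn.
  hasConsent(purpose, currentPolicyVersion) {
    const rec = this.records.get(purpose);
    return !!rec && rec.withdrawnAt === null && rec.policyVersion === currentPolicyVersion;
  }
}

// Gate: the loader (e.g. inserting the gtag.js script tag with IP
// anonymization enabled) runs only when consent is valid.
// Returns true if analytics was activated, false if it stayed off.
function loadAnalyticsIfConsented(store, currentPolicyVersion, loader) {
  if (!store.hasConsent(PURPOSE_ANALYTICS, currentPolicyVersion)) return false;
  loader();
  return true;
}

// Constructed walkthrough: off by default, on after consent, off again
// when the notice version changes or the user withdraws.
function walkthrough() {
  const store = new ConsentStore();
  const states = [];
  const loader = () => states.push("analytics-loaded");
  states.push(loadAnalyticsIfConsented(store, "v1", loader));  // false
  store.grant(PURPOSE_ANALYTICS, "v1", 1000);
  states.push(loadAnalyticsIfConsented(store, "v1", loader));  // true
  states.push(loadAnalyticsIfConsented(store, "v2", loader));  // false
  store.withdraw(PURPOSE_ANALYTICS, 2000);
  states.push(loadAnalyticsIfConsented(store, "v1", loader));  // false
  return states;
}
```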



Written by Guardata Team
