DPDP Act India: Complete Compliance Guide for Businesses
Everything your business needs to understand India's DPDP Act — who it covers, what it requires, and how to become compliant before May 2027 enforcement begins.
₹250 Cr: Maximum fine for failure to implement security safeguards
May 2027: Full compliance deadline; enforcement begins May 14
72 hrs: Data breach notification window to the DPB
Overview
What Is the DPDP Act?
India's Digital Personal Data Protection Act (DPDP Act, 2023) is a comprehensive law giving Indian citizens legal rights over their personal data and placing binding obligations on businesses that collect, process, or store it. Full enforcement begins May 14, 2027.
DPDP is India's answer to global data protection laws like GDPR — built with an Indian context: a unique Consent Manager intermediary system, strict rules around children's data, and a tiered penalty structure peaking at ₹250 crore. Every business that touches personal data from Indian users must comply — regardless of incorporation country, company size, or industry.
Who this guide is for: Any founder, compliance officer, or product team whose business collects personal data from Indian citizens — whether you're a local startup, an enterprise, or a foreign company with Indian users.
Foundation
What Counts as "Personal Data" Under DPDP?
DPDP defines personal data as any data about an identified or identifiable individual. If a piece of data can be linked to a real person — directly or through combination — DPDP governs it. This is intentionally broad.
Standard personal data you almost certainly collect:
Full name, email address, phone number, billing address, IP address, device ID, cookies & tracking IDs, login credentials, transaction history, location data, Aadhaar / PAN number.
Sensitive personal data — requiring extra care and stricter controls:
Health & medical records, financial data, biometric data, genetic data, sexual orientation, religious / political beliefs, children's data (under 18).
Common mistake — pseudonymization: Data linked to a user ID (where a lookup table exists to re-identify the person) is still personal data under DPDP. Only irreversibly de-identified data is exempt. Most "anonymized" databases are not actually anonymous.
Section 01
Does the DPDP Act Apply to Your Business?
DPDP covers any entity that processes personal data of Indian citizens, regardless of location, size, revenue, or industry. No exemptions exist for startups, SMEs, or foreign companies that don't have a physical India presence.
Scenario 01: Website or App
Contact forms, signups, user accounts, checkout — any collection of personal data from Indian users brings DPDP obligations. This includes B2B SaaS with Indian business users.
Scenario 02: E-commerce & Consumer Apps
Order data, customer profiles, payment details, usage analytics, behavioral tracking — all covered. DPDP applies to every stage of the customer data lifecycle.
Scenario 03: HR & Payroll Systems
Employee Aadhaar, PAN, bank details, attendance, performance records are personal data. Employment-specific exemptions exist but are narrow — most HR processing is still covered.
Scenario 04: Foreign Companies with Indian Users
DPDP has explicit extraterritorial reach. A US, EU, or Singapore company targeting Indian users must comply with DPDP for their Indian user data — just as GDPR works for EU users.
The central concept: Data Fiduciary. Any entity determining the purpose and means of processing personal data is a Data Fiduciary — and carries the full weight of DPDP obligations. If your business decides why and how data is collected and used, you are a Data Fiduciary.
Quick test: Does your product have a signup form, checkout, or analytics tracking? Do you store customer records? → You are a Data Fiduciary → DPDP applies → Start your compliance plan now.
Section 02
7 Core Obligations: What You Must Implement
The DPDP Act places 7 specific legal obligations on Data Fiduciaries. Here is what each one requires — and what "compliance" actually looks like in practice:
1. Obtain Valid Consent Before Collecting Personal Data
Consent must be free, specific, informed, and unambiguous. No bundled terms-of-service trickery — each data collection purpose needs its own clear consent. Practically:
One checkbox per purpose — "I agree to marketing emails" cannot also mean "I consent to profiling"
Plain language notice specifying what data, for what purpose
Withdrawal must be as easy as giving consent — a one-click unsubscribe equivalent
You must maintain timestamped, auditable records of every consent obtained
Alternative — Legitimate Use: DPDP allows processing without consent for specific lawful purposes (legal obligations, medical emergencies, employment contracts, national security). This does NOT cover commercial marketing or behavioral analytics — those require consent.
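As an added illustration (not code from the original guide), the per-purpose, timestamped and auditable consent records described above can be kept as an append-only ledger that also gates processing and serves the withdrawal and access rights; the purpose names, user ids and notice versions are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes the guide lists under Legitimate Use (processing allowed without consent).
# Marketing and analytics are deliberately absent: under DPDP they need consent.
LEGITIMATE_USE = {"legal_obligation", "employment_contract", "medical_emergency"}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str      # the Data Principal (your user)
    purpose: str           # one purpose per event: no bundled consent
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime           # UTC timestamp, kept for the audit trail
    notice_version: str    # which privacy notice the user saw ("n/a" on withdrawal)


@dataclass
class ConsentLedger:
    """Append-only record of every consent decision; nothing is ever overwritten."""
    events: list = field(default_factory=list)

    def _record(self, principal_id, purpose, granted, notice_version, at):
        at = at or datetime.now(timezone.utc)
        self.events.append(ConsentEvent(principal_id, purpose, granted, at, notice_version))

    def grant(self, principal_id, purpose, notice_version, at=None):
        self._record(principal_id, purpose, True, notice_version, at)

    def withdraw(self, principal_id, purpose, at=None):
        # Withdrawal is one call, mirroring grant: as easy to withdraw as to give.
        self._record(principal_id, purpose, False, "n/a", at)

    def has_consent(self, principal_id, purpose):
        # The most recent decision for this exact (user, purpose) pair wins.
        latest = None
        for e in self.events:
            if e.principal_id == principal_id and e.purpose == purpose:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.granted

    def may_process(self, principal_id, purpose):
        # Gate every processing step: Legitimate Use passes, all else needs live consent.
        return purpose in LEGITIMATE_USE or self.has_consent(principal_id, purpose)

    def history(self, principal_id):
        # Right-to-access export: every consent decision this user has made.
        return [(e.purpose, e.granted, e.at.isoformat(), e.notice_version)
                for e in self.events if e.principal_id == principal_id]
```

Call `may_process` before each processing step; a consent for "marketing_email" never unlocks "profiling", and a withdrawal shows up in the same audit trail as the grant it revokes.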
2. Publish a DPDP-Compliant Privacy Policy
Your privacy policy must clearly state: what personal data you collect (specific categories), why you collect it and the legal basis for each purpose, how long you retain it, who you share it with (name your key vendors), and how users exercise their rights — with a working contact mechanism. Must be available in English and in any of the 22 scheduled Indian languages used by your audience. Existing GDPR-compliant policies need substantial India-specific amendments.
3. Implement Reasonable Security Safeguards
This is the highest-penalty obligation (up to ₹250 crore). "Reasonable" is context-dependent but should include:
Encryption of personal data at rest and in transit (HTTPS, encrypted databases)
Role-based access controls — minimum necessary access per employee
Regular security assessments and third-party penetration testing
A documented, tested incident response plan
Data Processing Agreements with all vendors who process personal data on your behalf
4. Notify Data Breaches Within 72 Hours
The 72-hour clock starts when you first become aware of a breach — not when your investigation is complete. You must notify the Data Protection Board with: nature of the breach, data categories affected, approximate number of users affected, and containment steps taken. You must also notify affected users directly if the breach is likely to cause them harm. Build your breach response procedure before a breach happens — this is not the time to improvise.
5. Honor All Data Principal Rights
Your users have legally enforceable rights that you must fulfill within a reasonable time:
Right to access: A summary of what personal data you hold about them
Right to correction: Fix inaccurate or incomplete data
Right to erasure: Delete data on request (subject to legal retention requirements)
Right to withdraw consent: Equally as easy as giving consent
Right to nominate: Designate a representative to exercise rights on their behalf
Even a dedicated email address with a documented response SLA is an acceptable mechanism for small businesses. The key is having a real, functional process.
6. Strict Rules for Children's Data (Under 18)
If your platform could be used by users under 18: verifiable parental consent is required (not a self-declaration age gate), behavioral tracking and profiling of children are prohibited, and targeted advertising directed at children is prohibited. Age verification mechanisms are mandatory. International context: TikTok was fined €345 million under GDPR for inadequate children's data protection. This is among the most aggressively enforced areas of data protection law globally.
7. Data Protection Officer (Significant Data Fiduciaries Only)
Businesses designated as Significant Data Fiduciaries (SDFs) by the government must appoint an India-based DPO and conduct Data Protection Impact Assessments. SDF criteria are not yet finalized but expected to apply to large platforms and businesses processing sensitive data at scale. Most startups and SMEs will not be SDFs and do not need a DPO.
Section 03
DPDP Penalties: The Complete Fine Structure
The Data Protection Board of India has authority to investigate, audit, and impose fines. Penalties are per violation — a single incident can result in multiple penalty assessments. These are maximum fines; the DPB will impose proportionate amounts based on severity, number of affected users, and remediation steps.
Violation | Maximum Fine | Risk Level
Failure to implement reasonable security safeguards | ₹250 crore | Critical
Processing children's data without verifiable parental consent | ₹200 crore | Critical
Failure to notify data breach within 72 hours | ₹200 crore | Critical
Processing personal data without valid, documented consent | ₹50 crore | High
Failure to honor Data Principal rights | ₹50 crore | High
Non-publication of a DPDP-compliant privacy policy | ₹50 crore | High
How DPB Enforcement Works
Enforcement flow: user complaint → DPB investigation notice → Data Fiduciary response → DPB determination (fine, compliance order, or dismissal) → right of appeal to the Appellate Tribunal. The DPB can also initiate suo motu investigations for large public breaches without a user complaint. Maintain clear documentation of your compliance measures — this is your primary defense.
Perspective: Even a ₹5 lakh enforcement action — 0.02% of the maximum — is severe for most Indian startups. Fines are assessed per violation, and multiple violations from one incident can be assessed separately. The cost of compliance is a fraction of the cost of a single enforcement action.
Section 04
Key DPDP Terms Every Business Must Know
Data Fiduciary: Your business — determines why and how personal data is processed. Bears all DPDP obligations. Legally accountable for compliance and for your processors' compliance.
Data Principal: Your user, customer, or employee — the individual whose data is processed. Holds all rights under DPDP: access, correction, erasure, withdrawal, nomination.
Data Processor: A vendor or tool that processes data on your behalf — cloud host, CRM, analytics platform. You remain responsible for their compliance through contractual controls.
Consent Manager: India-specific: a registered intermediary where users manage consent across multiple platforms — like a central consent wallet. Must register with DPB by November 2026.
Legitimate Use: Legal basis for processing without consent — covers legal obligations, employment contracts, medical emergencies, national security. Does NOT cover commercial marketing or analytics.
Significant Data Fiduciary: Government-designated high-risk Data Fiduciary. Extra obligations: appoint a DPO, conduct DPIAs, annual audits. SDF criteria not yet published — expected to target large or high-risk processors.
Action Plan
Your 10-Step DPDP Compliance Checklist
Concrete steps your business must complete before May 13, 2027:
1. Audit all personal data you collect: Map every data point across all touchpoints — forms, analytics, APIs, databases. You cannot protect what you haven't inventoried.
2. Map all data flows: Document where each type of data goes — which vendors process it, where it's stored, how long retained, who has access internally.
3. Build a proper consent mechanism: Replace pre-ticked boxes and bundled consent with granular, purpose-specific notices. Block analytics scripts until the user accepts. Include a real withdrawal option.
4. Rewrite your Privacy Policy for DPDP: Cover all required elements: specific data categories, purposes, legal basis, retention periods, user rights, and a working contact channel.
5. Implement and document security measures: Encryption, access controls, security audits. Document everything — your security architecture is your primary defense in a DPB investigation.
6. Write a breach response procedure: Define exactly what happens in the first 72 hours — who leads the response, what to document, how and whom to notify. Test it before you need it.
7. Create a user rights request mechanism: Enable users to submit access, correction, and deletion requests. Document your response SLA. Even a dedicated inbox with a clear process is sufficient for small businesses.
8. Audit and contract all vendors: Ensure Data Processing Agreements are in place with every vendor that processes personal data on your behalf — cloud providers, CRMs, analytics tools, payment gateways.
9. Address children's data: If users could be under 18, implement age verification and verifiable parental consent. Remove all behavioral profiling and targeted advertising directed at minors.
10. Define and enforce data retention periods: Set specific retention periods for each data type. Implement automated deletion or anonymization. Personal data cannot be held indefinitely — you must be able to demonstrate this.
Section 05
DPDP Compliance Timeline
Aug 11, 2023 [✓ Complete]: DPDP Act passed by Parliament
India enacts comprehensive data protection law. The statutory framework is now in place.
Nov 13, 2025 [✓ Complete]: DPDP Rules 2025 finalized and notified
Implementation rules are in force. The 18-month compliance preparation window has begun. This is the critical window: audit, plan, build, and test your compliance infrastructure before enforcement begins.
Nov 13, 2026: Consent Manager registration deadline
Businesses operating as Consent Managers must be registered with the Data Protection Board.
May 13, 2027 [⚠ Deadline]: Full compliance required — all Data Fiduciaries
No grace period expected. Every business processing personal data from Indian citizens must be fully compliant by this date.
May 14, 2027 onward: Data Protection Board begins active enforcement
DPB can investigate complaints, conduct audits, and impose penalties. Non-compliant businesses face immediate risk.
FAQ
Frequently Asked Questions
Q: Does the DPDP Act apply to small businesses and startups?
A: Yes — there is no size exemption. No revenue threshold, no employee count minimum, no startup carve-out. If you collect personal data from Indian citizens — even a small newsletter list — DPDP applies. The primary difference for small businesses: you are unlikely to be classified as a Significant Data Fiduciary and won't need a dedicated DPO. But all 7 core obligations still apply.
Q: Does the DPDP Act apply to foreign companies with Indian users?
A: Yes, if you offer goods or services to Indian users. DPDP has explicit extraterritorial reach. The test is whether you are deliberately targeting Indian users: INR pricing, Indian payment methods, Indian-market marketing, Indian customer support. If yes, DPDP governs your handling of that Indian user data — regardless of where your company or servers are based.
Q: Is GDPR compliance enough to satisfy the DPDP Act?
A: No — they differ significantly. Key differences: DPDP's Consent Manager system is unique to India. DPDP's Legitimate Use is narrower than GDPR's Legitimate Interests (no commercial profiling without consent). Cross-border transfer rules differ. Age threshold is 18 in DPDP, not 16 as in some GDPR implementations. Privacy policy disclosure requirements differ. GDPR compliance is a useful starting point but is not sufficient — your policy needs India-specific amendments across multiple sections.
Q: Can I transfer Indian user data outside India?
A: Yes, with conditions. DPDP allows cross-border transfers to countries notified by the Indian government as having adequate data protection. The approved countries list has not been published but is expected to include major economies with established privacy laws. For transfers to non-approved countries, additional safeguards (analogous to GDPR's Standard Contractual Clauses) will be required. Document your data transfer arrangements now and be prepared to adjust when the list is published.
Q: Can I still use Google Analytics, cookies, and other tracking tools?
A: Yes, but consent must come before any tracking activates. All these tools collect personal data — IP addresses, device IDs, behavioral signals. To use them legally: implement a cookie consent banner that blocks tracking scripts until the user accepts; disclose each tool by name in your privacy policy; enable IP anonymization in Google Analytics; sign Data Processing Agreements with each vendor; provide a functional opt-out. "Implied consent" or "continued browsing = consent" interpretations are not valid under DPDP.
Q: What is the difference between Consent and Legitimate Use?
A: Consent is a user's explicit agreement to specific, disclosed data processing. It is the primary legal basis for most commercial data collection. Legitimate Use is an alternative basis allowing processing without consent — but only for narrowly defined purposes: legal proceedings, court orders, employment and service contracts (for strictly necessary processing), medical emergencies, national security, disaster response, and public interest research. Legitimate Use explicitly does NOT cover commercial marketing, behavioral profiling, or general analytics for business improvement. These require consent.
Q: What happens if the Data Protection Board investigates my business?
A: Enforcement process: user complaint (or DPB suo motu investigation) → DPB issues a notice → you must respond with evidence of compliance → DPB issues a determination that can include a fine, a compliance order, or dismissal. You have the right to appeal to the Appellate Tribunal. Your best defense is documented compliance: records of consents obtained, your privacy policy revision history, security documentation, breach response procedures, and vendor contracts. Businesses with clear compliance documentation are significantly better positioned in investigations than those that cannot demonstrate their processes.