DPDP Primer

India's Digital Personal Data Protection Act

A plain-English primer. What the DPDP Act says, who it covers, what happens if you ignore it — and how ProtectComply implements each section.

What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 is India's primary data-protection law. It governs how any business — Indian or foreign — collects, stores, uses, and shares the personal data of individuals located in India. It creates two key roles: the Data Fiduciary (you decide why and how data is processed) and the Data Processor (you process on someone else's behalf). It is enforced by the Data Protection Board of India.

Timeline

1. Aug 2023: DPDP Act enacted by Parliament.
2. Jan 2025: Draft Rules notified by MeitY.
3. 2025–2026: Phased enforcement rolling out.

Who is affected & the penalty band

Who is affected?

Any business processing the personal data of individuals in India — start-ups, banks, hospitals, ed-tech, e-commerce, SaaS, and non-Indian companies that offer goods or services here. There is no size or revenue floor.

Penalty band

Up to ₹250 crore per failure to safeguard personal data. ₹200 crore for failing to notify the Board of a breach. Smaller bands for other categories under the Schedule.

Section-by-section primer

Each DPDP section in plain English, and the module that solves it.

Section | What it means | Solved by
§4 Lawful basis | Process personal data only with consent or for certain legitimate uses. No bundled consent. | Consent Management
§5 Notice & free consent | Notice must be itemised, in plain language, in any of the 22 official Indian languages, and given before or at the time of consent. | AI Policy Generator
§6 Valid consent | Free, specific, informed, unconditional and unambiguous, with a right to withdraw that is as easy as giving consent. | Consent Management
§7 Legitimate uses | Some processing (employment, medical emergency, court order) needs no consent. Document the basis. | Readiness Assessment
§8 Fiduciary obligations | Ensure accuracy, reasonable security safeguards, breach notification, and erasure when the purpose is exhausted. | Breach Management
§9 Children's data | Verifiable parental consent. No behavioural monitoring or targeted ads aimed at minors. | Children's consent flow
§10 SDF duties | If designated a Significant Data Fiduciary, you must appoint a DPO and carry out periodic DPIAs and periodic audits. | SDF Readiness
§11 Principal rights | Access, Correction, Erasure, Nominee, and Grievance redressal: five rights every Indian has. | Rights Manager
§12 Nomination | A principal can nominate someone to exercise their rights on death or incapacity. | Rights Manager
§13 Grievance redressal | Publish a grievance officer and resolve complaints within a defined period (90 days by Rule 13). | Grievance Management

Where do you stand under DPDP?

Take the free readiness check and find out in 10 minutes.