The Digital Personal Data Protection Act, 2023 is India's primary data-protection law. It governs how any business — Indian or foreign — collects, stores, uses, and shares the personal data of individuals located in India. It creates two key roles: the Data Fiduciary (you decide why and how data is processed) and the Data Processor (you process on someone else's behalf). It is enforced by the Data Protection Board of India.
DPDP Act enacted by Parliament.
Draft Rules notified by MeitY.
Phased enforcement rolling out.
Any business processing the personal data of individuals in India — start-ups, banks, hospitals, ed-tech, e-commerce, SaaS, and non-Indian companies that offer goods or services here. There is no size or revenue floor.
Up to ₹250 crore per failure to safeguard personal data. ₹200 crore for failing to notify the Board of a breach. Smaller bands for other categories under the Schedule.
Each DPDP section in plain English, and the module that solves it.
Take the free readiness check and find out in 10 minutes.