The Real Story Behind India’s DPDP Act 2023: Beyond Consent and Privacy Policies

Quick Summary of DPDPA

  • What it is: India’s first dedicated data protection law, enacted in August 2023, that governs how Indian and foreign organizations collect, use, store, and delete digital personal data.
  • Who it applies to: Any entity processing digital personal data within India or processing Indian citizens’ data from outside India while offering goods or services to them.
  • Core mechanism: Consent-first. Personal data can only be processed with clear user consent or in limited cases defined by the Act. Unlike GDPR, there is no broad “legitimate interests” exception.
  • Enforcement: The Data Protection Board of India adjudicates non-compliance, with penalties reaching up to INR 250 crore for security safeguard failures. Appeals go to TDSAT.
  • Deadline: Full compliance required by May 13, 2027, with DPDP Rules 2025 already in effect from November 13, 2025.

Introduction

Let’s be direct about something most compliance decks won’t tell you: India’s Digital Personal Data Protection Act, 2023 isn’t just another regulatory checkbox. It’s a major shift in how every business, from a Bengaluru SaaS startup to a multinational operating in India, handles, processes, stores, and governs personal data.

And with the DPDP Rules 2025 released on November 13, 2025, full enforcement is expected by May 13, 2027.

If you’re a CISO, CTO, or information security leader and you haven’t started a DPDP compliance program yet, here’s the uncomfortable reality: your data pipelines, consent mechanisms, breach response playbooks, and vendor contracts were probably built for a different world – one where India had no meaningful data protection law.

That world is officially over.

The real problem is not awareness of the law; it is underestimating what actually breaks inside enterprise systems when DPDP is applied in practice.

Let’s go deep.

Why India Needed a Dedicated Data Protection Law

India’s journey to a data protection law has been long.

Before the DPDP Act 2023, the primary legal instrument governing digital data was the Information Technology Act, 2000. It was a law written before smartphones, social media, cloud computing, or modern data analytics even existed.

While Sections 43A and 72A of the IT Act had some provisions around sensitive data, they were vague, weakly enforced, and not built for scale.

Everything changed in 2017.

In the landmark Justice K.S. Puttaswamy v. Union of India judgment, the Supreme Court recognized privacy as a fundamental right under Article 21 of the Constitution. That ruling became the constitutional foundation for India’s modern data protection framework.

But turning that principle into legislation took years. India went through:

  • The Justice Srikrishna Committee report in 2018
  • The Personal Data Protection Bill in 2019
  • Reviews by the Joint Parliamentary Committee
  • Withdrawal of the bill in 2022
  • Public consultations and revised drafts
  • And finally, the Digital Personal Data Protection (DPDP) Act, 2023

The result is a law that has been studied, debated, and revised across multiple iterations.

While the DPDP Act 2023 borrows certain ideas from GDPR, it also deliberately differs from it in several important ways.

Most organizations treat DPDP as an evolution of earlier privacy rules. In reality, it resets assumptions around data ownership, consent, and system accountability, and this is where early misjudgments begin.

What the DPDP Act 2023 Actually Covers

The Act applies to digital personal data processed within India, whether that data was collected online, or collected offline and then digitized.

Scanned KYC forms, digitized paper records, and transcribed call recordings are all covered under the law.

The DPDP Act 2023 also has extraterritorial reach.

The most common blind spot is assuming DPDP only applies to India-based infrastructure. Global systems processing Indian user data are equally in scope, and this is often discovered too late during audits.

If an organization processes personal data outside India while offering goods or services to people in India, the law still applies.

That means even:

  • Foreign SaaS providers with Indian customers
  • Global analytics platforms handling Indian user data
  • Insurance companies serving Indian policyholders

can fall under DPDP compliance requirements.

Some important terms in the Act are:

  • Data Principal: the individual whose data is being processed, such as a customer, employee, or user.
  • Data Fiduciary: the organization deciding why and how personal data is processed.
  • Data Processor: a third-party processing data on behalf of the fiduciary, such as a cloud provider or SaaS vendor.

One important difference in the DPDP Act is that primary responsibility lies with the Data Fiduciary, not the processor. Unlike GDPR, processors do not have direct statutory obligations under the law. Instead, organizations are expected to ensure their vendors and partners follow compliance requirements through contracts and proper oversight.

Consent Under the DPDP Act 2023: Rules and Requirements

At its core, the DPDP Act 2023 is a consent-based framework. You can only process personal data if:

  1. The user has given clear, informed, and specific consent, or
  2. The processing falls under certain defined “legitimate uses.”

This is one of the biggest differences between the DPDP Act and the GDPR.

Under GDPR, organizations can rely on broader legal bases like “legitimate interests,” contractual necessity, or legal obligations for processing data. The DPDP Act does not provide a broad “legitimate interests” exception. Instead, its legitimate use cases are limited to specific situations such as:

  • Data voluntarily shared by the individual without objection
  • Government functions involving benefits, subsidies, licenses, or permits
  • Compliance with legal obligations or court orders
  • Medical emergencies
  • Public health or disaster situations
  • Employment-related processing

This has major practical implications for businesses.

If your organization currently relies on GDPR-style legitimate interest justifications for collecting or processing data, you may need to reassess those activities under India’s DPDP framework.

What Valid Consent Actually Looks Like

You must provide a privacy notice before collecting someone’s personal data. The notice must:

  • Be presented independently (not mixed with other content)
  • Be written in clear, plain language
  • Be available in English or any of the 22 scheduled Indian languages
  • State what data is being collected and why
  • Include ways to withdraw consent, exercise rights, and file complaints

The DPDP Rules 2025 add another major requirement: retrospective notices.

If your organization collected personal data before the Act came into effect, you may still need to notify those individuals afterward.

And that becomes difficult if the organization does not clearly know:

  • What personal data it already holds
  • Where that data exists
  • How the data was originally collected

This is where DPDP compliance starts becoming a larger data governance challenge, especially for enterprises managing data across cloud platforms, SaaS applications, legacy systems, and third-party environments.

Consent Can Be Withdrawn

Users can withdraw consent at any time.

And it is important to note: when they withdraw consent, you must stop processing their data for that purpose.

The Consent Manager, a New Infrastructure Layer

The Act introduces a new regulated entity category: the Consent Manager. A Consent Manager is a registered entity that serves as a single point of contact for a data principal to give, manage, review, and withdraw consent across multiple data fiduciaries, through a secure, transparent, and interoperable platform.

Consent Managers must register with the Data Protection Board, maintain secure audit trails for at least seven years, and meet specific compliance requirements, including a minimum net worth of ₹2 crore.

For large enterprises, Consent Managers may eventually simplify consent governance across multiple platforms and services.

DPDPA Data Fiduciary Obligations: What Your Security and Engineering Teams Commonly Miss

This is where things get operationally concrete.

Data Accuracy and Completeness:

Organizations must keep personal data accurate and updated. If systems cannot correct or update records properly, that becomes a compliance gap.

Security Safeguards:

The Act requires “reasonable” security measures to protect personal data. While the law does not define exact controls, organizations are still expected to maintain strong security practices like:

  • Encryption
  • Access controls
  • Security monitoring
  • Vendor risk assessments

After a breach, “reasonable security” will be judged by the protections that were actually in place.

Storage Limitation:

One of the most overlooked requirements in the DPDP Act 2023 is storage limitation.

Organizations must delete personal data once its purpose is completed and retention is no longer legally required. For many businesses holding years of unused customer or employee data, this becomes a major data governance challenge.

Report Data Breaches Quickly:

If a personal data breach occurs, organizations must notify the Data Protection Board and affected individuals without delay. A detailed incident report must follow within 72 hours.

This means businesses need:

  • Strong incident response processes
  • Clear escalation workflows
  • The ability to quickly identify impacted users and systems

And because many breaches happen through compromised credentials or excessive internal access, technologies like Zero Trust Network Access (ZTNA) can play an important role by limiting unnecessary access and reducing the impact of security incidents.

Significant Data Fiduciaries under DPDPA: Higher Risk, Higher Compliance

The government can classify certain organizations as Significant Data Fiduciaries (SDFs) based on factors like:

  • Volume and sensitivity of personal data processed
  • Risk to user rights
  • National security or public interest impact

Once classified as an SDF, the compliance requirements become much stricter. Organizations may be required to:

  • Appoint a Data Protection Officer (DPO) based in India
  • Conduct regular compliance audits through independent auditors
  • Perform Data Protection Impact Assessments (DPIAs)
  • Report major compliance observations to the Data Protection Board

The framework also introduces an important concept: algorithmic accountability.

If automated systems or AI models are used for activities like fraud detection, credit scoring, profiling, or decision-making, organizations must ensure those systems do not create harmful, unfair, or discriminatory outcomes for users.

This effectively brings elements of AI governance into the DPDP framework even before India introduces a dedicated AI regulation law.

Children’s Data: The Most Underestimated High-Risk Area

Under the law, a child means anyone below 18 years of age, a higher threshold than GDPR (16 or 13) or U.S. COPPA (13). Before processing a child’s data, organizations must obtain verifiable parental or guardian consent.

The Act also prohibits:

  • Tracking or monitoring children
  • Targeted ads for children
  • Any processing that could harm a child’s well-being

Violations related to children’s data can attract penalties of up to ₹200 crore.

While the Rules provide limited exemptions for things like child safety, educational services, email account creation, or blocking harmful content, those exceptions are narrow and purpose-specific.

Note: For edtech, gaming, social media, and consumer platforms, this is one of the strictest compliance areas under the DPDP Act.

This is one of the areas where compliance gaps are most commonly found during regulatory review due to inconsistent age verification and consent validation mechanisms.

Rights of Data Principals: What You Must Build to Honor Them

The DPDP Act 2023 gives individuals (Data Principals) several important rights:

  • Right to Information to know what data is being processed and why
  • Right to Correction and Erasure to correct inaccurate data or request deletion when data is no longer needed
  • Right to Grievance Redressal to raise complaints with the organization and escalate them to the Data Protection Board
  • Right to Nominate to appoint another person to exercise these rights in case of death or incapacity

Under the DPDP Rules 2025, organizations must provide a website or an app where users can submit these requests. Complaints must be resolved within 90 days.

One important difference from GDPR: the DPDP Act currently does not provide the right to data portability or the right to be forgotten. Both existed in earlier drafts of the law but were removed from the final version.

The Hidden Risk in Global Data Architectures

The DPDP Act takes a more flexible approach to international data transfers compared to earlier draft versions. Organizations are generally allowed to transfer personal data outside India unless the government specifically restricts certain countries through notifications.

This is a “blacklist” approach instead of a strict approval-based system. While that makes transfers easier, organizations still need to closely monitor regulatory updates because restrictions can change at any time.

For Significant Data Fiduciaries (SDFs), additional restrictions may apply, especially in cases involving national security or access by foreign governments. For businesses with global cloud infrastructure or international data flows, this makes adaptable data architecture extremely important.

What’s in the News: The Data Protection Board of India, Enforcement Is Coming

The government has now established the Data Protection Board of India under the DPDP Act 2023. The Board will act as the main enforcement authority for the law.

Its responsibilities include:

  • Monitoring compliance
  • Investigating violations
  • Handling complaints from individuals
  • Directing organizations after data breaches
  • Imposing penalties for non-compliance

Appeals against Board decisions will go to TDSAT (Telecom Disputes Settlement and Appellate Tribunal).

However, questions around the Board’s independence remain. Members are appointed for only two years and can be reappointed, which some experts believe may affect independent decision-making. How aggressively the Board enforces the DPDP Act will become clearer over time.

The Penalty Structure of DPDP Act 2023

The schedule to the Act lays out a tiered penalty structure:

  • Failure to implement reasonable security safeguards leading to a data breach: up to ₹250 crore (~USD 30 million)
  • Failure to notify the Board and affected individuals of a breach: up to ₹200 crore
  • Breach of obligations related to children’s data: up to ₹200 crore
  • Failure to obtain proper consent: up to approximately ₹50 crore (~USD 6 million)
  • Data principal violations (false complaints, impersonation): up to ₹10,000

Difference between DPDP and GDPR

Compared to GDPR, where fines can go up to €20 million or 4% of global annual turnover, DPDP penalties may appear lower. However, they are still significant, especially for organizations operating at scale in India’s massive digital market.

What a Real DPDP Act 2023 Compliance Program Looks Like

Let’s get operational. Here’s what organizations need to actually build:

Data Discovery and Classification

You cannot protect data that you cannot see. Organizations first need visibility into:

  • What personal data they store
  • Where the data exists
  • Who has access to it
  • How the data moves across systems

This is where technologies like DSPM (Data Security Posture Management) are becoming important. They help security teams continuously identify sensitive data across cloud platforms, SaaS applications, databases, and storage environments while checking whether proper protections are in place. Under DPDP, “reasonable safeguards” must be demonstrable.

Consent Management Infrastructure

Organizations need systems to properly collect, store, track, and withdraw user consent. Consent workflows must also support DPDP notice requirements, including multilingual privacy notices where applicable.

Retention and Deletion Policies

The Act requires organizations to delete data once its purpose is fulfilled. That means businesses need defined retention timelines and automated deletion processes instead of relying on manual cleanup.
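The Consent Management Infrastructure and Retention and Deletion Policies requirements above share one mechanical core: processing must be gated on consent for a specific purpose, withdrawal must stop processing for that purpose, and the data must be scheduled for deletion once the purpose ends and no legal retention duty applies. The following is an added illustration of that core as a small consent ledger; it is not code from the article or from any DPDP implementation, and every principal id, purpose name, notice version and retention period in it is a constructed assumption.

```python
"""Purpose-scoped consent ledger with withdrawal and storage-limitation checks.

Added illustration; not code from the article or from any DPDP implementation.
All principal ids, purposes, notice versions and retention periods are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (data principal id, purpose)


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    notice_version: str  # which privacy notice the principal actually saw
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class RetentionRule:
    # How long data may be kept after the purpose ends (completion or withdrawal).
    retain_after_completion: timedelta
    # A statutory retention duty (assumed here) blocks purpose-based deletion.
    legal_hold: bool = False


class ConsentLedger:
    """Gates processing on per-purpose consent and schedules deletion."""

    def __init__(self, retention: Dict[str, RetentionRule]):
        self.retention = retention
        self.consents: Dict[Key, ConsentRecord] = {}
        self.completed: Dict[Key, datetime] = {}  # when each purpose ended
        self.audit: List[dict] = []  # append-only trail of every decision

    def _rule(self, purpose: str) -> RetentionRule:
        if purpose not in self.retention:
            # Refuse to track a purpose that has no defined retention limit.
            raise ValueError(f"no retention rule defined for purpose {purpose!r}")
        return self.retention[purpose]

    def _log(self, event: str, principal: str, purpose: str, at: datetime) -> None:
        self.audit.append({"event": event, "principal": principal,
                           "purpose": purpose, "at": at.isoformat()})

    def grant(self, principal: str, purpose: str, notice_version: str, at: datetime) -> None:
        self._rule(purpose)
        self.consents[(principal, purpose)] = ConsentRecord(purpose, at, notice_version)
        self.completed.pop((principal, purpose), None)  # a fresh grant reopens the purpose
        self._log("consent_granted", principal, purpose, at)

    def withdraw(self, principal: str, purpose: str, at: Optional[datetime]) -> bool:
        rec = self.consents.get((principal, purpose))
        if rec is None or not rec.active() or at is None:
            return False
        rec.withdrawn_at = at
        # Withdrawal ends processing for this purpose; the retention clock starts now.
        self.completed[(principal, purpose)] = at
        self._log("consent_withdrawn", principal, purpose, at)
        return True

    def may_process(self, principal: str, purpose: str, at: datetime) -> bool:
        rec = self.consents.get((principal, purpose))
        allowed = (rec is not None and rec.active()
                   and (principal, purpose) not in self.completed)
        self._log("processing_allowed" if allowed else "processing_denied",
                  principal, purpose, at)
        return allowed

    def mark_purpose_complete(self, principal: str, purpose: str, at: datetime) -> None:
        self._rule(purpose)
        self.completed[(principal, purpose)] = at
        self._log("purpose_completed", principal, purpose, at)

    def due_for_deletion(self, now: datetime) -> List[Key]:
        due = []
        for key, ended_at in self.completed.items():
            rule = self._rule(key[1])
            if rule.legal_hold:
                continue  # retention still legally required: keep, but do not process
            if now >= ended_at + rule.retain_after_completion:
                due.append(key)
        return sorted(due)


def demo() -> Tuple[bool, bool, List[Key]]:
    """One principal: grant two purposes, withdraw one, complete the other, then purge."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed timeline
    ledger = ConsentLedger({
        "marketing": RetentionRule(timedelta(days=30)),
        "kyc": RetentionRule(timedelta(days=0), legal_hold=True),  # assumed statutory hold
    })
    ledger.grant("p-001", "marketing", "notice-v1", t0)
    ledger.grant("p-001", "kyc", "notice-v1", t0)
    before = ledger.may_process("p-001", "marketing", t0 + timedelta(days=1))
    ledger.withdraw("p-001", "marketing", t0 + timedelta(days=2))
    after = ledger.may_process("p-001", "marketing", t0 + timedelta(days=3))
    ledger.mark_purpose_complete("p-001", "kyc", t0 + timedelta(days=3))
    due = ledger.due_for_deletion(t0 + timedelta(days=33))
    return before, after, due  # (True, False, [("p-001", "marketing")])
```

Two design choices carry the weight here. Consent is keyed by purpose, not by principal, so withdrawing marketing consent leaves a still-needed purpose untouched while immediately denying the withdrawn one. The deletion check then runs off the date the purpose ended rather than off the consent grant, and a legal hold keeps the record out of the purge list without reopening it for processing, which is the distinction the storage limitation rule turns on.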

Vendor Contract Review

Since the Data Fiduciary remains accountable under DPDP, vendor contracts and third-party risk reviews become critical. Organizations must ensure processors, cloud providers, and SaaS vendors also follow required safeguards.

Breach Response Playbook

DPDP introduces strict breach reporting expectations, including notifying the Board and affected individuals. Incident response plans should clearly define ownership across security, legal, and communications teams.

Backup and Disaster Recovery

One important but often ignored point: DPDP also considers loss of data availability as a breach.

A ransomware attack that encrypts or destroys customer data may trigger reporting obligations. Strong backup and disaster recovery (DR) capabilities therefore become part of privacy resilience — not just IT operations. Backup environments also need the same retention, encryption, and access controls as primary systems.

Rights Management Mechanism

Organizations must provide accessible mechanisms for users to request:

  • Information about their data
  • Corrections
  • Erasure
  • Grievance redressal

These requests must be handled within the timelines defined under the Rules.

DPO and DPIA Requirements

Significant Data Fiduciaries (SDFs) may need to appoint a Data Protection Officer (DPO), conduct Data Protection Impact Assessments (DPIAs), and undergo audits for high-risk processing activities.

Industries with the Highest DPDP Act 2023 Compliance Risk

Exposure is not uniform across industries; it concentrates where data volume, automation, and third-party ecosystems intersect.

The highest-exposure sectors include:

Fintech and Banking: This sector processes financial data at scale, with complex third-party ecosystems and significant cross-border data flows. Existing RBI requirements will continue alongside DPDP obligations.

Healthcare and HealthTech: Healthcare organizations handle extremely sensitive personal information. Even though DPDP does not separately classify “sensitive personal data,” the practical expectation for healthcare security and privacy controls will likely remain very high.

E-commerce and Retail: Behavioral analytics, targeted advertising, loyalty programs, and multiple third-party integrations make compliance especially complex for digital commerce businesses.

HR Tech and Enterprises: Employee data also falls under DPDP. Global enterprises will need to align Indian privacy requirements with existing GDPR and international compliance programs.

Edtech: Children’s data obligations make this sector particularly high-risk for non-compliance.

Telecom: TRAI regulations continue to apply, now operating under the DPDP umbrella.

AI Startups and Data-Driven Businesses: For AI companies and organizations building personalization engines, recommendation systems, or behavioral analytics models, DPDP’s consent-first approach creates significant operational impact.

Using personal data simply for “product improvement” may not automatically qualify as a lawful basis under the Act. Organizations building AI systems should start embedding privacy and governance controls into their data pipelines now instead of waiting for enforcement actions later.

DPDP Act 2023 Compliance: Where to Start

The DPDP Act 2023 is still evolving. Important details around Significant Data Fiduciaries (SDFs), cross-border data transfers, children’s consent verification, and enforcement mechanisms are still becoming clearer through new rules and notifications.

But that uncertainty does not reduce the importance of compliance.

For CISOs, CTOs, and security teams, DPDP is not just a legal challenge; it is a data governance and security challenge. Organizations now need:

  • Better visibility into where personal data exists
  • Stronger consent management
  • Faster breach response processes
  • Better vendor and third-party oversight
  • Strong security, backup, and disaster recovery controls

The organizations that will adapt best are the ones treating DPDP as more than a compliance checklist.

Because in the long run, mature data governance is not just about avoiding penalties; it is about building a more secure, trustworthy, and resilient business.

In practice, DPDP compliance also depends on having the right data security and resilience architecture in place, including DSPM for data visibility, ZTNA for controlled access, and backup & DR for recovery and continuity. We help organizations implement these capabilities as part of building a DPDP-ready security foundation.

Frequently Asked Questions on DPDP Act 2023

What is the difference between GDPR and DPDPA?

GDPR allows multiple legal bases for processing personal data, including legitimate interests and contractual necessity. DPDPA is more consent-focused and allows only limited legitimate use exceptions. GDPR also includes rights like data portability and the right to be forgotten, which are currently not part of DPDPA.

What is the DPDPA in India?

The Digital Personal Data Protection (DPDP) Act, 2023 is India’s first comprehensive data privacy law. It governs how organizations can collect, process, store, and delete digital personal data, and gives individuals rights over their data. The law is built on a consent-first framework and requires full compliance by May 13, 2027.

What is the penalty for the DPDP Act 2023?

DPDP penalties depend on the type of violation. Organizations can face penalties of up to ₹250 crore for failing to protect personal data and up to ₹200 crore for failing to report breaches or violating children’s data requirements. Individuals filing false complaints can face penalties up to ₹10,000.

What is personal data under the DPDP Act 2023?

Personal data means any information that can identify an individual, directly or indirectly. This includes names, phone numbers, email IDs, financial details, location data, and online activity data. The Act covers both digitally collected data and offline data that is later digitized.

What are the exemptions under the DPDP Act 2023?

The government can exempt certain agencies from parts of the Act for reasons such as national security, public order, or crime prevention. Some startups or smaller data fiduciaries may also receive limited exemptions from specific compliance requirements. However, data security obligations still continue to apply.
