On 11 August 2023, India enacted the Digital Personal Data Protection Act, 2023 — landmark legislation that fundamentally transforms how every organisation operating in India collects, processes, and protects personal data. It creates new legal obligations, new individual rights, and penalties of up to ₹250 crore per violation for organisations that fail to comply.
Background and Context
1.1 Why India Needed a Data Protection Law
India has over 900 million internet users — the world's second-largest online population. Several factors created urgency for a comprehensive law:
- The Puttaswamy judgment (2017): The Supreme Court of India recognised privacy as a fundamental right under Article 21, establishing the constitutional basis for data protection legislation.
- The Srikrishna Committee Report (2018): A government-appointed expert committee produced a comprehensive draft bill identifying gaps in India's data protection framework.
- Digital India scale: As UPI, Aadhaar, and digital public infrastructure scaled to hundreds of millions of users, the need for robust protections became undeniable.
- Global alignment: GDPR enforcement in Europe, CCPA in California, and similar laws globally created pressure for India to establish its own framework.
1.2 The DPDP Rules 2025
The Act provides the framework; the DPDP Rules 2025, notified by MeitY in early 2025, provide the operational detail — specific formats, timelines, and procedures. Together, the Act and the Rules form the complete legal framework for data protection in India.
Key Definitions — Who and What the Law Covers
Personal data is broadly defined as any data about an identifiable individual — names, email addresses, Aadhaar numbers, IP addresses, location data, biometric data, health records, financial information, and behavioural data. Anonymised data from which an individual cannot be re-identified is excluded.
A Data Fiduciary is any entity that determines the purpose and means of processing personal data. If your organisation decides why and how you process personal data, the Act applies to you in full — including Indian companies, multinationals operating in India, and foreign companies processing data of Indian individuals.
A Data Principal is the individual to whom the personal data relates. A Data Processor is any entity that processes personal data on behalf of a Data Fiduciary. A Significant Data Fiduciary (SDF) is a Data Fiduciary designated by the DPBI based on volume, sensitivity, national security risk, and other factors — SDFs face additional obligations.
Core Obligations of Data Fiduciaries
Personal data may only be processed for lawful purposes on one of two grounds: Consent or a specific Legitimate Use exemption (state functions, legal proceedings, medical emergencies, employment, public interest). There is no third option.
3.2 Section 5 — The Notice Obligation
Before or at the time of collecting personal data, a Data Fiduciary must provide a Notice that describes the data collected, the purpose, how to exercise rights, Grievance Officer contact details, and how consent can be withdrawn.
Language requirement: Notices must be in English AND at least one language listed in the Eighth Schedule to the Indian Constitution, which lists 22 languages, including Hindi, Bengali, Tamil, Telugu, Kannada, Marathi, and Gujarati. For existing data, notice must be provided "as soon as reasonably practicable."
3.3 Section 6 — Consent
Consent under the DPDP Act must satisfy five attributes simultaneously:
| Attribute | What It Means |
|---|---|
| Free | No coercion, conditioning, or bundling with other consents |
| Specific | For a specific, defined purpose — not a blanket consent |
| Informed | The Data Principal was given a proper Notice before consenting |
| Unconditional | Not conditional on providing additional consents |
| Unambiguous | Clear affirmative action — no pre-ticked boxes, no inferred consent |
The Data Fiduciary must maintain a record of consent — the burden of proof is on you. Withdrawal must be as easy as giving consent. Goods and services cannot be denied for refusing non-essential processing consent.
3.4 Section 8 — General Obligations
| Obligation | What It Requires |
|---|---|
| Purpose limitation | Process personal data only for the specified, consented purpose |
| Data quality | Ensure completeness and accuracy of data used in decisions about individuals |
| Security safeguards | Implement appropriate technical and organisational measures to prevent breaches |
| Processor contracts | Ensure Data Processors provide sufficient guarantees; no processor without a valid contract |
| Breach notification | Notify the DPBI and affected Data Principals of personal data breaches |
| Data erasure | Erase personal data once the purpose is fulfilled or consent is withdrawn |
3.5 Section 9 — Children's Data
Processing personal data of children (under 18) requires verifiable parental consent. Behavioural tracking and targeted advertising directed at children are prohibited. Age verification is required before processing. The Rules 2025 reference DigiLocker and Aadhaar-based verification as approved methods.
3.6 Section 10 — Significant Data Fiduciaries
SDFs must: appoint a Data Protection Officer (DPO) based in India; appoint an independent data auditor; conduct Data Protection Impact Assessments (DPIAs) for high-risk processing; and conduct periodic algorithm assessments for fairness and bias.
Rights of Data Principals
The DPDP Act grants four enforceable rights with response deadlines and DPBI escalation paths.
4.1 Section 11 — Right to Access
Data Principals may obtain a summary of personal data processed about them and a list of all Data Fiduciaries and Processors with whom their data has been shared. Response timeline: 30 days for grievances; 90 days for access requests.
4.2 Section 12 — Right to Correction and Erasure
Data Principals may request correction of inaccurate data, completion of incomplete data, and erasure of data where consent has been withdrawn or the data is no longer necessary. Erasure must be communicated to all Data Processors — making cross-system erasure orchestration a real compliance challenge.
4.3 Section 13 — Right to Grievance Redressal
Data Principals may register a grievance with the Grievance Officer and escalate to the DPBI if not resolved within 30 days.
4.4 Section 14 — Right to Nomination
Data Principals may nominate another individual to exercise their data rights in the event of death or incapacity — a uniquely India-specific right reflecting multi-generational household structures and estate planning norms.
The Data Protection Board of India (DPBI) & Penalties
The DPBI adjudicates complaints, investigates breaches, imposes penalties, and issues guidance. Penalties are tiered:
| Violation | Maximum Penalty |
|---|---|
| Failure to implement adequate security safeguards | ₹250 crore |
| Failure to notify DPBI / Data Principals of a breach | ₹200 crore |
| Non-compliance with children's data provisions (§9) | ₹200 crore |
| Non-compliance with SDF obligations (§10) | ₹150 crore |
| Non-compliance with DPBI orders | ₹150 crore |
| Non-compliance with other provisions | ₹50 crore |
Each breach of each provision may attract separate penalties. A single incident involving a breach notification failure and inadequate security measures could attract ₹450 crore in combined penalties. The burden of proof is on the Data Fiduciary — a database record saying `consent = true` does not meet the evidentiary standard.
The DPDP Rules 2025 — Key Provisions
Rule 3 — Notice Format
Notices must be in clear and plain language, standalone (not buried in T&Cs), contain all five mandatory elements, and be available in English and at least one Eighth Schedule language.
Rule 4 — Consent Manager Obligations
Consent Managers must maintain consent artifacts for 7 years. Each artifact must identify the Data Principal, purpose, notice version, timestamp, and channel. A log of consent propagation — documenting how consent decisions reach downstream processors — is required.
Rule 8 — Breach Notification
Data Fiduciaries must notify the DPBI within 72 hours of becoming aware of a breach, including the nature, data categories, estimated impact, likely consequences, and measures taken.
What Compliance Actually Looks Like
Compliance is not a one-time project — it is an ongoing operational capability. A fully compliant Data Fiduciary maintains:
- Consent infrastructure: Multilingual notices, affirmative-action consent collection, cryptographically non-repudiable records (hash-chained, RSA signed, RFC 3161 timestamped), real-time withdrawal propagation, 7-year record retention
- Rights management: Self-service portal, SLA-tracked requests, cross-system erasure orchestration
- Breach response: 72-hour DPBI clock, structured notification, immutable breach audit log
- Vendor management: Signed DPAs for every processor, tracked for expiry, erasure propagation
- Audit readiness: Complete, verifiable audit trail; signed PDF exports; end-to-end chain verification
The Compliance Timeline
- Act enacted: August 2023
- DPDP Rules 2025: Notified Q1 2025
- DPBI being constituted: Ongoing as of March 2026
- Full enforcement expected: May 2027 (18 months from Rules notification)
The enforcement period is not a grace period to begin compliance — it is the period by which compliance must be established.
| Milestone | Timeline |
|---|---|
| Compliance gap assessment | Now |
| Legal basis documentation for all processing purposes | Within 30 days |
| Consent management platform implementation | Within 60 days |
| Privacy notice publishing (EN + 1 language minimum) | Within 60 days |
| Data Principal rights portal deployment | Within 90 days |
| Vendor DPA review and remediation | Within 90 days |
| Breach response playbook | Within 60 days |
| DPIA for high-risk processing (SDFs) | Within 120 days |
| Staff training, monthly compliance review | Continuous |
Common Compliance Gaps
Gap 1 — No Multilingual Consent Infrastructure
Most organisations have English-only consent flows. Rule 3(4) of the DPDP Rules requires at least one Eighth Schedule language. For organisations with significant regional user bases, this gap is material.
Gap 2 — No Consent Withdrawal Mechanism
Consenting is easy; withdrawing often requires contacting support. The Act requires withdrawal to be as easy as giving consent.
Gap 3 — No Cryptographic Evidence of Consent
Many organisations record consent as a database flag. When the DPBI asks "prove you obtained consent before processing," a flag is not evidence. Non-repudiable records — with timestamps, exact consent text, and cryptographic proof — are required.
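As an added illustration of the difference between a bare `consent = true` flag and the non-repudiable record this gap and the consent-infrastructure bullet above call for (example code written for this page, not code from the original article or from any product it mentions): each artifact carries the Rule 4 fields (Data Principal, purpose, notice version, timestamp, channel) plus a hash of the exact notice text, and is SHA-256 hash-chained to its predecessor so that a later edit to any stored record is caught by end-to-end chain verification. The RSA signature and RFC 3161 timestamp the page also lists are deliberately not implemented here; without such an external anchor, a party able to rewrite every record from the tampered one onward could still pass the check. All identifiers, field names and notice text are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel: prev_hash of the first artifact

def _digest(record: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, compact) of every field except the hash."""
    body = {k: v for k, v in record.items() if k != "artifact_hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()

def append_artifact(chain: list, principal_id: str, purpose: str, notice_version: str,
                    notice_text: str, timestamp: str, channel: str, action: str) -> dict:
    """Append one artifact linked to its predecessor; the exact notice text is bound in by hash."""
    record = {
        "principal_id": principal_id,
        "purpose": purpose,
        "notice_version": notice_version,
        "notice_sha256": hashlib.sha256(notice_text.encode()).hexdigest(),
        "timestamp": timestamp,  # ISO 8601 UTC, supplied by the caller
        "channel": channel,      # e.g. "web", "app"
        "action": action,        # "granted" or "withdrawn"
        "prev_hash": chain[-1]["artifact_hash"] if chain else GENESIS,
    }
    record["artifact_hash"] = _digest(record)
    chain.append(record)
    return record

def verify_chain(chain: list) -> int:
    """Return -1 if every content hash and back-link verifies, else the first failing index."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != expected_prev or _digest(rec) != rec["artifact_hash"]:
            return i
        expected_prev = rec["artifact_hash"]
    return -1

def demo() -> tuple:
    """Constructed grant-then-withdraw history for one Data Principal, then two tamper attempts."""
    notice, chain = "constructed notice text v3 (EN + HI)", []
    append_artifact(chain, "dp-0001", "marketing", "v3", notice,
                    "2026-03-01T10:00:00Z", "web", "granted")
    append_artifact(chain, "dp-0001", "marketing", "v3", notice,
                    "2026-03-15T08:30:00Z", "app", "withdrawn")
    intact = verify_chain(chain)                   # -1: chain is clean
    chain[0]["purpose"] = "profiling"              # silent edit of a stored field
    edited = verify_chain(chain)                   # 0: content hash no longer matches
    chain[0]["artifact_hash"] = _digest(chain[0])  # re-hash to hide the edit
    rehashed = verify_chain(chain)                 # 1: the withdrawal's back-link breaks
    return intact, edited, rehashed
```

Persisting the per-record digests to a signed, timestamped anchor at regular intervals is what turns this detection into evidence a third party can check.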
Gap 4 — No Rights Request Process
Rights requests from Data Principals carry a 90-day response SLA under the Act. Most organisations have no self-service mechanism for submitting, tracking, or responding to rights requests.
Gap 5 — No Breach Response Process
The 72-hour DPBI notification requirement is non-negotiable. Many organisations do not have a documented incident response process that includes the data protection-specific components required by Rule 8.
Gap 6 — Non-Compliant Processor Contracts
Many organisations use SaaS vendors and cloud providers without Data Processing Agreements that comply with DPDP Act Section 8(5). This creates joint liability risk.
The Time to Act Is Now
The DPDP Act is not a future risk — it is a present obligation. The DPBI is being constituted, enforcement will follow, and organisations that have not built compliant data practices will face both legal and reputational consequences.
The right infrastructure — built on consent-first architecture, cryptographic non-repudiation, multilingual delivery, and automated rights management — transforms compliance from a legal burden into a competitive advantage. Organisations that demonstrate DPDP compliance will differentiate themselves on trust.
Quick Reference: DPDP Act Key Provisions
| Section | Topic | Key Requirement |
|---|---|---|
| §4 | Grounds for processing | Consent or legitimate use; no other basis |
| §5 | Notice | Before collection; multilingual; standalone |
| §6 | Consent | Free, specific, informed, unconditional, unambiguous; non-repudiable record |
| §7 | Legitimate uses | Specific exemptions; not a general override |
| §8 | Fiduciary obligations | Security, accuracy, processor management, breach notification, erasure |
| §9 | Children's data | Verifiable parental consent; no tracking/advertising |
| §10 | SDF obligations | DPO, DPIA, independent audit |
| §11 | Right to access | 90-day response SLA |
| §12 | Right to correction/erasure | Erased across all processors |
| §13 | Right to grievance | 30-day resolution; DPBI escalation |
| §14 | Right to nomination | Nominee can exercise rights after death/incapacity |
| §23–24 | DPBI penalties | Up to ₹250 crore per violation |
About Vishwaas AI
India's privacy and consent management platform purpose-built for DPDP Act compliance with cryptographic non-repudiation at its core. Every consent record is SHA-256 hash-chained, RSA-2048 signed, and RFC 3161 timestamped.
