Vishwaas AIVishwaas AIDocs
Thought Leadership · 13 min read · Jun 2026

Complete Guide to the DPDP Act 2023

A comprehensive breakdown of the Digital Personal Data Protection Act, 2023: scope, consent, fiduciary obligations, data principal rights, children’s data, Significant Data Fiduciary duties, cross-border transfers, enforcement, and penalties.

India’s Digital Personal Data Protection Act, 2023, usually called the DPDP Act or DPDPA, is the country’s core data protection law for digital personal data. It changes privacy compliance from a policy exercise into an operating obligation: organisations must know what personal data they process, why they process it, how they notify individuals, how they capture and prove consent, how they respond to rights requests, and how they handle breaches.

This guide breaks the Act down for business, security, product, legal, and compliance teams.

This article is an operational guide, not legal advice. Teams should review the official Act, applicable rules, sector regulations, and counsel guidance before finalising compliance positions.

1. What the DPDP Act is trying to do

The Act balances two ideas:

  • Individuals should have enforceable rights over their digital personal data.
  • Organisations should be able to process personal data for lawful purposes when they follow the required safeguards.

In practical terms, it creates a framework for:

  • lawful processing of digital personal data;
  • consent and legitimate-use based processing;
  • notices and proof of consent;
  • data fiduciary obligations;
  • children’s data safeguards;
  • Significant Data Fiduciary obligations;
  • rights and duties of Data Principals;
  • breach handling and regulatory enforcement;
  • financial penalties for significant non-compliance.

2. Who the Act applies to

The DPDP Act applies to digital personal data. It covers:

  • personal data collected in digital form within India;
  • personal data collected offline and later digitised;
  • processing outside India when linked to offering goods or services to individuals in India.

The Act does not apply to:

  • personal data processed by an individual for personal or domestic purposes;
  • personal data that has been made publicly available by the Data Principal or under a legal obligation.

Key takeaway

If an organisation offers products, services, employment, healthcare, financial services, ecommerce, education, software, or support to people in India and processes their digital personal data, the Act is likely relevant.

3. The core roles under the Act

Data Principal

The individual to whom the personal data relates. In operational language, this may be a customer, employee, patient, applicant, user, subscriber, student, vendor contact, or partner contact.

Data Fiduciary

The person or organisation that determines the purpose and means of processing personal data. This is the primary accountable party.

Data Processor

The party that processes personal data on behalf of a Data Fiduciary. Common examples include SaaS vendors, cloud platforms, marketing tools, CRM systems, payment providers, analytics tools, and support platforms.

A registered entity through which a Data Principal may give, manage, review, or withdraw consent.

Data Protection Board of India

The regulator established under the Act to inquire into breaches, issue directions, and impose penalties.

4. What counts as lawful processing

The Act permits processing only for a lawful purpose and only when one of the permitted grounds applies:

  • the Data Principal has given consent; or
  • the processing falls under a recognised legitimate use.

The phrase “lawful purpose” means the purpose is not expressly forbidden by law.

For most private-sector customer, employee, marketing, product, and service workflows, consent and clearly mapped legitimate uses become the main compliance decision points.

Consent is one of the most important parts of the Act. Consent must be:

  • free;
  • specific;
  • informed;
  • unconditional;
  • unambiguous;
  • based on clear affirmative action;
  • limited to the specified purpose;
  • limited to personal data necessary for that purpose.

This creates several operational requirements.

If personal data is needed for one purpose but not another, the organisation should not force both together. Consent should be purpose-specific.

Requests for consent should use clear and plain language. They should also provide access in English or languages specified in the Eighth Schedule to the Constitution, as required by the Act and applicable rules.

Withdrawal must be easy

If consent is the basis for processing, the individual must be able to withdraw consent. The ease of withdrawal should be comparable to the ease of giving consent.

If a question arises in a proceeding, the Data Fiduciary must be able to prove that notice was given and consent was obtained in accordance with the Act and rules.

Operational checklist

  • Maintain a purpose catalogue.
  • Record the notice version shown to the individual.
  • Store the language of the notice and consent request.
  • Capture timestamp, channel, purpose, and affirmative action.
  • Track withdrawal separately from consent grant.
  • Propagate withdrawal to downstream processors.
  • Preserve consent evidence in a tamper-evident form.

6. Notice obligations

Before or along with a consent request, the Data Fiduciary must give the Data Principal a notice. The notice should explain:

  • what personal data is proposed to be processed;
  • the purpose for which it will be processed;
  • how the Data Principal can exercise rights;
  • how the Data Principal can make a complaint to the Board.

For consent collected before commencement, the Act also expects notice to be given as soon as reasonably practicable after commencement, with continued processing allowed unless consent is withdrawn.

What a good DPDP notice should include

  • legal entity name of the Data Fiduciary;
  • categories of personal data;
  • specific processing purposes;
  • lawful basis or consent basis;
  • Data Principal rights route;
  • consent withdrawal route;
  • grievance contact;
  • DPO or authorised contact where applicable;
  • complaint route to the Board;
  • language availability;
  • retention and erasure approach;
  • processor or sharing overview where relevant.

7. Data Fiduciary obligations

The Act places direct obligations on Data Fiduciaries. These include:

  • complying with the Act and rules when processing personal data;
  • using Data Processors only under valid arrangements;
  • ensuring completeness, accuracy, and consistency of personal data where it is used to make decisions affecting the Data Principal or disclosed to another Data Fiduciary;
  • implementing reasonable security safeguards;
  • notifying personal data breaches as required;
  • erasing personal data when consent is withdrawn or the specified purpose is no longer served, unless retention is legally required;
  • publishing contact details for grievance communication;
  • responding to grievances within the prescribed period.

Why this matters

Compliance cannot live only in privacy policy text. The organisation needs operational controls across product, CRM, marketing, support, HR, security, legal, and vendor systems.

8. Personal data breach duties

The Act requires action when there is a personal data breach. Organisations need the ability to:

  • detect and classify personal data breaches;
  • identify affected Data Principals and data categories;
  • preserve incident evidence;
  • notify the Board as required;
  • notify affected Data Principals as required;
  • track remediation and mitigation;
  • prove timelines and decisions after the event.

Practical breach-readiness controls

  • incident runbook mapped to DPDP obligations;
  • breach severity model;
  • data inventory linked to systems and processors;
  • processor notification clauses;
  • draft Board and Data Principal notification templates;
  • audit trail of breach decisions and communications.

9. Children’s personal data

The Act has specific protections for children’s personal data. Before processing a child’s personal data, a Data Fiduciary must obtain verifiable consent from the parent or lawful guardian, subject to applicable rules and exemptions.

The Act also restricts:

  • tracking or behavioural monitoring of children;
  • targeted advertising directed at children.

Operational implications

Products that may involve minors need age-screening, guardian consent, consent evidence, and advertising restrictions. This is especially relevant for edtech, gaming, healthcare, ecommerce, fintech, social platforms, and loyalty programmes.

10. Significant Data Fiduciaries

The Central Government may notify certain Data Fiduciaries as Significant Data Fiduciaries based on factors such as:

  • volume and sensitivity of personal data processed;
  • risk to Data Principal rights;
  • potential impact on sovereignty and integrity of India;
  • risk to electoral democracy;
  • security of the State;
  • public order.

Significant Data Fiduciaries have additional obligations, including:

  • appointing a Data Protection Officer based in India;
  • ensuring the DPO is responsible to the Board of Directors or similar governing body;
  • appointing an independent data auditor;
  • conducting periodic Data Protection Impact Assessments;
  • conducting periodic audits;
  • implementing other prescribed measures.

SDF readiness checklist

  • identify high-volume and high-risk processing;
  • maintain DPIA templates and workflow;
  • define board-level reporting;
  • appoint accountable privacy leadership;
  • maintain processor and cross-border records;
  • produce audit evidence on demand.

11. Data Principal rights

The Act gives Data Principals rights over their personal data. These include:

Right to access information

The Data Principal may request a summary of personal data being processed and processing activities undertaken by the Data Fiduciary, along with certain sharing information.

Right to correction and erasure

The Data Principal may request correction, completion, updating, and erasure of personal data, subject to applicable legal requirements and retention obligations.

Right to grievance redressal

The Data Principal has the right to grievance redressal from the Data Fiduciary or Consent Manager. The Data Principal must generally exhaust this route before approaching the Board.

Right to nominate

The Data Principal may nominate another individual to exercise rights in the event of death or incapacity.

Practical rights workflow

To operationalise these rights, organisations need:

  • authenticated request intake;
  • identity verification;
  • request classification;
  • data discovery across systems;
  • processor coordination;
  • SLA tracking;
  • response templates;
  • evidence retention.

12. Duties of Data Principals

The Act also gives Data Principals duties. These include:

  • complying with applicable laws while exercising rights;
  • not impersonating another person;
  • not suppressing material information while providing personal data for official documents;
  • not filing false or frivolous grievances or complaints;
  • providing verifiably authentic information when seeking correction or erasure.

This matters because rights workflows should include identity verification and fraud controls, not only intake forms.

13. Cross-border transfers

The DPDP Act allows the Central Government to restrict transfer of personal data outside India by notification. This means organisations should maintain a clear map of:

  • where personal data is stored;
  • where it is accessed from;
  • which processors and sub-processors receive it;
  • which countries are involved;
  • what contractual and technical safeguards apply.

Even if a transfer is currently permitted, the organisation should be able to explain and evidence its cross-border processing position.

14. Data Protection Board and enforcement

The Board may inquire into personal data breaches and failures to comply with obligations under the Act. It may issue directions and impose monetary penalties after inquiry and opportunity of being heard.

The Act also allows voluntary undertakings in certain circumstances, and penalties are credited to the Consolidated Fund of India.

Factors considered for penalties

When determining a monetary penalty, the Board considers factors such as:

  • nature, gravity, and duration of the breach;
  • type and nature of personal data affected;
  • repetitive nature of the breach;
  • whether the person gained or avoided loss because of the breach;
  • mitigation actions and their timeliness;
  • proportionality and deterrence;
  • likely impact of the penalty.

15. Penalties under the DPDP Act

The Schedule to the Act lists penalty ceilings for different categories of breach. The highest penalty category may extend to ₹250 crore.

Important penalty categories include:

Breach categoryMaximum penalty
Failure to take reasonable security safeguards to prevent personal data breachUp to ₹250 crore
Failure to notify the Board or affected Data Principals of a personal data breachUp to ₹200 crore
Breach of additional obligations relating to childrenUp to ₹200 crore
Breach of additional obligations of Significant Data FiduciariesUp to ₹150 crore
Breach of Data Principal dutiesUp to ₹10,000
Breach of voluntary undertakingUp to the applicable amount for the underlying breach
Breach of any other provision of the Act or rulesUp to ₹50 crore

What this means for leadership

The financial exposure is not only about “having a privacy policy.” The highest-risk areas are operational:

  • security safeguards;
  • breach detection and notification;
  • children’s data controls;
  • SDF governance;
  • consent proof;
  • rights handling;
  • processor oversight.

16. What organisations should do first

1. Build a personal data inventory

Map personal data by system, purpose, Data Principal type, processor, retention period, and transfer location.

2. Create a purpose catalogue

Each processing purpose should have a clear owner, lawful basis, notice text, data categories, retention rule, and downstream processor mapping.

Replace generic “I agree” patterns with purpose-specific consent, clear affirmative action, withdrawal, and evidence capture.

4. Version and publish notices

Notices should be clear, language-ready, versioned, and tied to the consent record.

5. Operationalise Data Principal rights

Create a workflow for access, correction, erasure, grievance, and nomination requests.

6. Prepare breach response

Run a breach tabletop exercise. Confirm that incident, legal, privacy, support, and processor teams know their roles.

7. Review children’s data exposure

Identify whether the business processes children’s data directly or indirectly. Add guardian consent and ad-tech restrictions where needed.

8. Assess SDF risk

Even before formal designation, high-volume or high-risk organisations should prepare DPIA, audit, DPO, and board-reporting workflows.

17. Common compliance gaps

Organisations often discover these gaps during DPDP readiness work:

  • consent is captured but not independently provable;
  • notices are static legal pages, not tied to purposes;
  • withdrawal does not propagate to processors;
  • rights requests are handled through email and spreadsheets;
  • breach response does not identify affected Data Principals quickly;
  • processor contracts do not support DPDP workflows;
  • children’s data exposure is not mapped;
  • cross-border transfer records are incomplete;
  • SDF governance has not been assessed.

18. How Vishwaas AI helps operationalise DPDP compliance

Vishwaas AI is designed to turn DPDP obligations into operating workflows:

  • purpose and processing-activity catalogue;
  • multilingual privacy notice management;
  • consent capture and withdrawal;
  • cryptographic consent evidence;
  • Data Principal rights workflows;
  • grievance tracking;
  • breach response coordination;
  • DPIA and governance workflows;
  • processor and downstream propagation tracking;
  • audit-ready evidence packs.

The core shift is from policy documents to proof-backed operations. Under the DPDP Act, it is not enough to say consent was collected or a right was fulfilled. The organisation should be able to show when, how, under which notice, for which purpose, and through which downstream systems the decision was enforced.

19. Executive summary

The DPDP Act 2023 creates India’s privacy operating model for digital personal data. It applies broadly, including to some processing outside India when linked to offering goods or services to people in India. It requires lawful processing, clear notice, valid consent, breach readiness, rights fulfilment, children’s data safeguards, and stronger governance for Significant Data Fiduciaries.

The biggest compliance challenge is not reading the Act. It is building the operational evidence layer needed to prove compliance across systems, teams, and processors.

Sources

  • Ministry of Electronics and Information Technology, Government of India: Digital Personal Data Protection Act, 2023
  • The Gazette of India: Digital Personal Data Protection Act, 2023, Act No. 22 of 2023, presidential assent dated 11 August 2023, as reproduced in the MeitY official copy above.
Last updated 14 Jun 2026, 10:00 IST · published 08 Jun 2026, 05:30 IST