What Is the DPDPA? A Plain-English Guide for Indian Businesses

Shashikant Kalsha

July 2, 2026

The Digital Personal Data Protection Act, 2023 (DPDPA) is India's first comprehensive data protection law. Enacted on August 11, 2023, it governs how organizations collect, store, use, and share the digital personal data of individuals in India — and it gives those individuals, called Data Principals, enforceable rights over their own data.

For two years the Act sat on the statute book waiting for its operating manual. That changed on November 13, 2025, when the Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules, 2025. The law is now live, the Data Protection Board of India is operational, and every business that touches the personal data of people in India is on a compliance countdown.

Who does the DPDPA apply to?

If you decide why and how the digital personal data of anyone in India — customers, employees, users, or vendors — is processed, you are a Data Fiduciary under the Act, with binding obligations. This is true whether you are a two-person startup or a listed enterprise, and it applies to foreign companies offering goods or services to people in India as well. If you only process that data on another organization's behalf, you are a Data Processor: the Fiduciary that engaged you remains accountable for what you do with the data and may only engage you under a valid contract.

The Act deliberately avoids the sector-by-sector approach of older Indian regulations. There is no revenue threshold and no blanket exemption for small businesses processing customer data in digital form. If you run a website with a signup form, an app with user accounts, a CRM full of leads, or an HRMS with employee records, the DPDPA applies to you.

Some organizations will additionally be designated Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process. SDFs carry extra obligations: appointing a Data Protection Officer based in India, conducting periodic Data Protection Impact Assessments (DPIAs), and undergoing independent audits.

The rights your users now have

The DPDPA gives every Data Principal four core rights:

  1. Right to access — a summary of what personal data you hold about them and what you have done with it.
  2. Right to correction and erasure — the ability to have inaccurate data fixed and data that is no longer needed deleted.
  3. Right to grievance redressal — a working, time-bound complaints channel before they escalate to the Data Protection Board.
  4. Right to nominate — the ability to nominate another person to exercise these rights in case of death or incapacity.

Each of these rights implies operational machinery on your side: identity verification, request tracking, SLA timers, and an audit trail proving you responded correctly and on time.

What counts as valid consent?

Consent under the DPDPA must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. Pre-ticked boxes, bundled consents, and dark patterns do not qualify. Every request for consent must be accompanied or preceded by a notice — available in English or any of the 22 languages in the Eighth Schedule of the Constitution — explaining what data is collected, for what purpose, and how to withdraw consent or complain.

Critically, withdrawing consent must be as easy as giving it. If your product has a one-tap signup and a five-screen deletion flow, that asymmetry is now a legal problem, not just a UX one.
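The consent rules above and the "operational machinery" the rights section asks for (identity verification, request tracking, deadline timers, an audit trail) come down to the same engineering problem: record each consent and rights event in a way that is granular, symmetric to withdraw, and tamper-evident. The following is an added illustration written for this article; it is not code from Data Adhikaar or any product, and the Act prescribes no particular data model. Everything in it is an assumption for the sake of the example: the ledger layout, the hash-chain design, the principal and request identifiers, the notice version, and the 30-day request deadline, which is a constructed internal policy value and not the statutory period.

```python
"""Per-purpose consent and rights-request ledger with a hash chain.

Added example, not Data Adhikaar code and not a model the Act prescribes.
Assumptions: one ledger entry per event, each chained to the previous one
with SHA-256 so deletions or edits are detectable; consent recorded for
exactly one purpose per call; withdrawal is a single call with the same
shape as giving consent; REQUEST_SLA is a constructed policy value.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64
REQUEST_SLA = timedelta(days=30)  # assumed internal deadline, not the statutory one


@dataclass
class Entry:
    seq: int
    ts: str
    event: str        # consent_given | consent_withdrawn | request_opened | request_closed
    principal: str
    detail: dict
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("hash")  # the hash covers every other field, including prev_hash
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.entries: list[Entry] = []
        self.consents: dict[tuple[str, str], bool] = {}   # (principal, purpose) -> current state
        self.requests: dict[str, dict] = {}               # request_id -> tracking record

    def _append(self, event: str, principal: str, detail: dict, ts: datetime) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS_HASH
        entry = Entry(len(self.entries), ts.isoformat(), event, principal, detail, prev)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def record_consent(self, principal: str, purpose: str, affirmative_action: bool,
                       notice_version: str, language: str, ts: datetime) -> Entry:
        # One purpose per call: bundling several purposes into one consent is not representable.
        if not affirmative_action:
            raise ValueError("no consent without a clear affirmative action (default/pre-ticked state rejected)")
        self.consents[(principal, purpose)] = True
        detail = {"purpose": purpose, "notice_version": notice_version, "language": language}
        return self._append("consent_given", principal, detail, ts)

    def withdraw_consent(self, principal: str, purpose: str, ts: datetime) -> Entry:
        # Symmetric with record_consent: one call, no extra steps or confirmations.
        self.consents[(principal, purpose)] = False
        return self._append("consent_withdrawn", principal, {"purpose": purpose}, ts)

    def may_process(self, principal: str, purpose: str) -> bool:
        return self.consents.get((principal, purpose), False)

    def open_request(self, request_id: str, principal: str, kind: str,
                     identity_verified: bool, ts: datetime) -> Entry:
        if not identity_verified:
            raise ValueError("verify the requester's identity before acting on a rights request")
        due = ts + REQUEST_SLA
        self.requests[request_id] = {"kind": kind, "opened": ts, "due": due, "closed": None}
        detail = {"request_id": request_id, "kind": kind, "due": due.isoformat()}
        return self._append("request_opened", principal, detail, ts)

    def close_request(self, request_id: str, principal: str, outcome: str, ts: datetime) -> Entry:
        self.requests[request_id]["closed"] = ts
        return self._append("request_closed", principal, {"request_id": request_id, "outcome": outcome}, ts)

    def overdue(self, now: datetime) -> list[str]:
        return sorted(rid for rid, r in self.requests.items() if r["closed"] is None and now > r["due"])

    def verify(self) -> bool:
        """Recompute every hash and link; any edit, deletion or reorder breaks the chain."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True


def demo() -> dict:
    """Lifecycle on constructed data (principal p-001, request req-42); returns the checks."""
    t0 = datetime(2027, 5, 13, tzinfo=timezone.utc)  # constructed timestamp
    ledger = ConsentLedger()
    try:
        ledger.record_consent("p-001", "marketing", False, "v3", "hi", t0)  # pre-ticked box
        rejected_preticked = False
    except ValueError:
        rejected_preticked = True
    ledger.record_consent("p-001", "order_fulfilment", True, "v3", "hi", t0)
    ledger.record_consent("p-001", "marketing", True, "v3", "hi", t0 + timedelta(minutes=1))
    ledger.withdraw_consent("p-001", "marketing", t0 + timedelta(days=2))
    ledger.open_request("req-42", "p-001", "access", True, t0 + timedelta(days=3))
    chain_ok = ledger.verify()
    ledger.entries[0].detail["purpose"] = "marketing"  # rewrite history in place
    return {
        "rejected_preticked": rejected_preticked,
        "fulfilment_allowed": ledger.may_process("p-001", "order_fulfilment"),
        "marketing_allowed": ledger.may_process("p-001", "marketing"),
        "overdue_on_day_20": ledger.overdue(t0 + timedelta(days=20)),
        "overdue_on_day_40": ledger.overdue(t0 + timedelta(days=40)),
        "chain_ok_before_tamper": chain_ok,
        "chain_ok_after_tamper": ledger.verify(),
    }
```

The design choice worth noting is that the ledger never deletes: withdrawal is a new entry, so the evidence that consent once existed, and exactly when it ended, survives. Anchoring the chain head somewhere the application cannot overwrite (a write-once store, a signed daily digest) is what turns the in-process check into evidence a third party can trust.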

What happens if you don't comply?

The Schedule to the Act sets out financial penalties that are among the highest in Indian regulatory history. Failure to take reasonable security safeguards to prevent a personal data breach can attract a penalty of up to ₹250 crore per instance. Failure to notify a breach, and violations involving children's data, each carry penalties up to ₹200 crore.

The Data Protection Board — operational since November 2025 — is the adjudicating body. It can inquire into complaints, direct remediation, and impose penalties. Compliance that cannot be proven is not compliance: the Board will expect evidence, not assurances.

The deadlines you need to know

The DPDP Rules, 2025 phase in over 18 months:

  • Phase 1 — November 13, 2025 (in force): the Data Protection Board is constituted and complaint mechanisms are live.
  • Phase 2 — November 13, 2026: Rule 4 takes effect — the registration and obligations of Consent Managers.
  • Phase 3 — May 13, 2027: the bulk of the substantive regime — notices, consent machinery, security safeguards, breach reporting, erasure, children's data, and SDF obligations.

May 2027 sounds distant, but the technical lifting — consent architecture, rights workflows, vendor contracts, evidence systems — takes most organizations several quarters. Starting after Phase 2 is a credible way to miss Phase 3.

Where to start

A practical first month looks like this: map where personal data lives across your systems; identify your lawful basis (consent or legitimate use) for each processing purpose; stand up a consent notice and withdrawal flow; designate a grievance contact; and start keeping evidence of all of it.

This is where Data Adhikaar comes in. Built by Qodequay Technologies, Data Adhikaar is an agentic DPDPA compliance fabric — ten specialist AI agents that automate consent capture, data principal rights, breach response, DPIAs, vendor management, and audit evidence, with a human in the loop where the law demands one. Connect once via SDK, API, or MCP, and be compliant in days, not quarters.

Start with a free DPDPA readiness assessment — it takes minutes and shows you exactly where your gaps are.

Frequently Asked Questions

What is the DPDPA?

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection law. It governs how organizations collect, store, use, and share the digital personal data of individuals in India, and gives individuals enforceable rights over their data.

Who needs to comply with the DPDPA?

Any organization that processes the digital personal data of people in India — customers, employees, users, or vendors — is a Data Fiduciary with binding obligations, regardless of size. It also applies to foreign companies offering goods or services to people in India.

What are the DPDPA compliance deadlines?

The DPDP Rules were notified on November 13, 2025. The Data Protection Board is already operational; Consent Manager provisions take effect November 13, 2026; and the full substantive regime, including notices, consent, breach reporting, and security safeguards, applies from May 13, 2027.

What are the penalties for DPDPA non-compliance?

Penalties are set per instance in the Act's Schedule: up to ₹250 crore for failing to take reasonable security safeguards, up to ₹200 crore for failing to notify a breach or for violations involving children's data, and up to ₹150 crore for breach of Significant Data Fiduciary obligations.

This article is general guidance on the DPDP Act, 2023 and not legal advice. Consult a qualified professional for your specific compliance needs.

Shashikant Kalsha

As the CEO and Founder of Qodequay Technologies, I bring over 20 years of expertise in design thinking, consulting, and digital transformation. Our mission is to merge cutting-edge technologies like AI, Metaverse, AR/VR/MR, and Blockchain with human-centered design, serving global enterprises across the USA, Europe, India, and Australia. I specialize in creating impactful digital solutions, mentoring emerging designers, and leveraging data science to empower underserved communities in rural India. With a credential in Human-Centered Design and extensive experience in guiding product innovation, I’m dedicated to revolutionizing the digital landscape with visionary solutions.
