What Is the DPDP Act 2023?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's landmark data privacy legislation, enacted on 11 August 2023 and notified in the Official Gazette. It represents India's most comprehensive attempt at regulating how digital personal data is collected, processed, stored, and shared — applicable to nearly every business operating online in India.
Whether you run a startup collecting email IDs, a fintech processing financial data, a hospital managing patient records, or a global enterprise with Indian customers — the DPDP Act 2023 applies to you. Non-compliance can result in penalties up to ₹250 crore per violation.
Key Definition: The DPDP Act regulates the processing of "digital personal data" — any data about an identifiable individual collected in digital form, or data collected in non-digital form and subsequently digitised. This includes names, email IDs, phone numbers, financial data, health records, biometrics, and more.
Why Does the DPDP Act Matter for Your Business?
India has over 900 million internet users — the second-largest online population globally. Until DPDP, India lacked a unified data protection law, leaving businesses operating in a legal grey zone. The DPDP Act replaces that uncertainty with clear rules and significant consequences for non-compliance.
Legal Obligation
DPDP creates binding legal obligations on all businesses — domestic and foreign — processing personal data of Indian residents. Ignoring it is not an option.
Customer Trust
Compliance signals to customers that you respect their privacy. In a data-sensitive world, trust is a powerful competitive differentiator.
Penalty Avoidance
Violations can attract penalties ranging from ₹10,000 to ₹250 crore per breach. Proactive compliance is far cheaper than reactive fines.
Global Alignment
DPDP aligns India with global privacy standards like GDPR, enabling smoother cross-border data flows and international business partnerships.
Key Definitions Under DPDP Act 2023
Understanding the DPDP Act begins with understanding its core terminology. These definitions determine who is regulated, who has rights, and what obligations apply.
Data Fiduciary
Any person, company, or organisation that alone or jointly with others determines the purpose and means of processing personal data. Most businesses are Data Fiduciaries. They carry the primary compliance obligations under DPDP.
Data Principal
The individual to whom the personal data relates — i.e., your customer, user, employee, or subscriber. Data Principals have defined rights under the Act, including the rights to access, correction, erasure, and grievance redressal.
Data Processor
Any person who processes personal data on behalf of a Data Fiduciary — for example, a cloud provider, analytics vendor, or payroll processor. Data Processors must follow the instructions of the Data Fiduciary.
Significant Data Fiduciary (SDF)
Data Fiduciaries designated by the Government based on volume, sensitivity, or national security risk. SDFs carry additional obligations including Data Protection Impact Assessments (DPIAs) and appointment of a Data Protection Officer (DPO).
Personal Data
Any data about an identifiable individual. This is broadly defined and includes names, email addresses, phone numbers, IP addresses, device IDs, location data, financial details, health records, biometrics, and behavioural data.
Consent
Under DPDP, consent must be free, specific, informed, unconditional, and unambiguous. It must be given through a clear affirmative action. Pre-ticked boxes, bundled consent, and coercive consent are all invalid.
DPDP Act: Legislative Timeline
Key Obligations for Data Fiduciaries
If your business processes personal data of Indian residents, you are almost certainly a Data Fiduciary and must comply with the following obligations:
- Obtain Valid Consent: Collect explicit, purpose-specific consent before processing personal data. Use clear, plain wording, presented in the user's preferred language. Consent must be as easy to withdraw as to give.
- Give a Notice: Before or at the time of seeking consent, provide a clear and itemised notice describing the personal data being collected, the purpose of processing, and how data principals can exercise their rights.
- Purpose Limitation: Process personal data only for the specific purpose for which consent was obtained. Any new purpose requires fresh consent.
- Data Minimisation: Collect only the personal data that is necessary for the specified purpose. Collecting excessive data is a violation.
- Storage Limitation: Erase personal data when the purpose is served or when the data principal withdraws consent, whichever is earlier, unless retention is required by law.
- Data Accuracy: Take reasonable steps to ensure that personal data is accurate and up-to-date, especially where processing may significantly affect the data principal.
- Security Safeguards: Implement appropriate technical and organisational security measures to prevent personal data breaches. The measures must be proportionate to the risk.
- Breach Notification: In the event of a personal data breach, notify both the Data Protection Board and the affected data principals in the prescribed manner and within the prescribed time.
- Grievance Redressal: Establish a mechanism for data principals to register and resolve grievances. Appoint a Data Protection Officer (DPO) if designated as a Significant Data Fiduciary.
- Children's Data Protection: Obtain verifiable consent from parents/guardians before processing children's data. Do not process data likely to harm children's well-being or engage in behavioural monitoring of children.
Rights of Data Principals
The DPDP Act empowers individuals — Data Principals — with enforceable rights over their personal data. Businesses must have systems in place to honour these rights:
Right to Access
Data Principals can request a summary of their personal data being processed and information about the Data Fiduciary's processing activities.
Right to Correction & Erasure
Individuals can request correction of inaccurate or misleading personal data and erasure of data that is no longer necessary for the purpose for which it was collected.
Right to Withdraw Consent
Data Principals may withdraw consent at any time. Withdrawal must be as easy as giving consent, and the Data Fiduciary must stop processing upon withdrawal.
Right to Grievance Redressal
Every Data Principal has the right to a readily available grievance redressal mechanism and can escalate unresolved grievances to the Data Protection Board.
Right to Nominate
In the event of the data principal's death or incapacity, a nominated individual may exercise these rights on their behalf.
The Role of Consent Managers Under DPDP
The DPDP Act introduces the concept of a Consent Manager — a registered entity that acts as a single-window platform enabling data principals to give, manage, review, and withdraw consent across multiple Data Fiduciaries.
This is where ConsentiQo by KavachOne becomes essential. ConsentiQo is India's purpose-built DPDP consent management platform that helps businesses:
- Capture granular, purpose-wise consent with full audit trail
- Display consent notices in all 22 scheduled Indian languages
- Enable one-click consent withdrawal for data principals
- Manage Data Subject Access Requests (DSARs) seamlessly
- Maintain 7-year consent logs for regulatory audits
- Integrate with existing CRMs, websites, and mobile apps
DPDP Act Penalties & Enforcement
The DPDP Act establishes a tiered penalty structure enforced by the Data Protection Board of India. These are civil monetary penalties — not criminal sanctions — but they are significant enough to be taken extremely seriously.
| Violation Type | Maximum Penalty |
|---|---|
| Failure to take security safeguards to prevent personal data breach | ₹250 Crore |
| Failure to notify Data Protection Board and affected data principals of a breach | ₹200 Crore |
| Non-compliance with additional obligations for Significant Data Fiduciaries (SDFs) | ₹150 Crore |
| Non-compliance with obligations for processing children's data | ₹200 Crore |
| Non-compliance with other provisions of the Act | ₹50 Crore |
| Breach of a voluntary undertaking given to the Data Protection Board | ₹10,000 |
⚠️ Important: The Data Protection Board can impose penalties per instance of non-compliance. Multiple violations can result in cumulative penalties far exceeding these maximums. Early compliance is the most cost-effective strategy.
Exemptions Under the DPDP Act
The DPDP Act provides for certain exemptions where some or all provisions do not apply. Understanding these is critical to calibrating your compliance effort:
State & National Security
The Central Government may exempt any agency from the Act's provisions in the interest of sovereignty, integrity, security of India, or maintenance of public order.
Research, Archival & Statistics
Personal data processed for research, archival, or statistical purposes with appropriate safeguards may be exempt from certain provisions including data erasure timelines.
Legitimate Uses
Processing for employment, medical emergencies, public interest functions, and other "legitimate uses" specified in the Rules may not require explicit consent.
Personal & Domestic Purposes
Processing personal data for purely personal or domestic purposes — such as maintaining a personal contact list — is outside the scope of the Act.
How to Achieve DPDP Act Compliance: Step-by-Step
Compliance with the DPDP Act is not a one-time project — it is an ongoing programme. Here is a structured roadmap that KavachOne recommends: