Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesIndia Compliance

DPDP Act 2023: compliance guide and checklist

India's Digital Personal Data Protection Act changes how every organisation handles personal data. Here is what you must do.

7 min read

The Digital Personal Data Protection (DPDP) Act 2023 is India's dedicated privacy law. It governs how organisations collect, use, and protect the personal data of individuals in India, and it applies whether you are based in India or serving Indian users from abroad.

The Act introduces clear roles, consent obligations, individual rights, and significant penalties, up to Rs 250 crore for serious failures. This guide summarises the essentials and a practical checklist to get started.

Key takeaways
  • Applies to any organisation processing the personal data of individuals in India.
  • Consent, clear notice, and purpose limitation are foundational obligations.
  • Individuals get rights to access, correction, erasure, and grievance redressal.
  • Penalties reach up to Rs 250 crore, enforced by the Data Protection Board of India.

Key terms

The Act defines a small set of roles you need to know:

  • Data Principal: the individual whose personal data is processed.
  • Data Fiduciary: the organisation that decides why and how data is processed.
  • Data Processor: a party that processes data on a fiduciary's behalf.
  • Significant Data Fiduciary: a fiduciary handling higher-volume or higher-risk data, with extra duties such as a Data Protection Officer, data protection impact assessments, and audits.

Core obligations

At a minimum, a data fiduciary must:

  • Obtain valid, informed consent and give clear notice of purpose.
  • Limit use to the stated purpose and retain data only as needed.
  • Implement reasonable security safeguards to protect personal data.
  • Enable data principal rights: access, correction, erasure, and grievance redressal.
  • Report personal data breaches as required, and support the Data Protection Board.

A practical starting checklist

Turning the Act into action usually starts with knowing what data you hold and where it is exposed:

  • Map the personal data you collect, where it lives, and who it is shared with.
  • Fix consent and notice flows so they are clear and specific.
  • Assess and reduce your external exposure, since a breach is both a security and a DPDP event.
  • Extend the same scrutiny to vendors that process data on your behalf.
  • Keep evidence of controls and incidents so you can demonstrate compliance.

Frequently asked questions

Who does the DPDP Act apply to?
Any organisation that processes the personal data of individuals in India, including organisations outside India that offer goods or services to Indian users.
What are the penalties under the DPDP Act?
Penalties are significant, reaching up to Rs 250 crore for serious failures such as inadequate security safeguards, and are enforced by the Data Protection Board of India.
What is a Significant Data Fiduciary?
A data fiduciary that the government designates based on factors like the volume and sensitivity of data processed. It carries extra duties, including appointing a Data Protection Officer, conducting impact assessments, and undergoing audits.
How does NMT help with DPDP readiness?
NMT helps you find and reduce exposure of personal data, extend checks to third parties, automate compliance evidence, and monitor for the breaches the Act requires you to prevent and report.

Start your DPDP readiness

A breach is a DPDP event. See where your personal data is exposed with a free outside-in check.

Run a free check
Related
DPDP Act compliance solution Guide: What is Third-Party Risk Management? See what attackers see about you