DPDP Act 2023: compliance guide and checklist
India's Digital Personal Data Protection Act changes how every organisation handles personal data. Here is what you must do.
The Digital Personal Data Protection (DPDP) Act 2023 is India's dedicated privacy law. It governs how organisations collect, use, and protect the personal data of individuals in India, and it applies whether you are based in India or serving Indian users from abroad.
The Act introduces clear roles, consent obligations, individual rights, and significant penalties, up to Rs 250 crore for serious failures. This guide summarises the essentials and a practical checklist to get started.
- Applies to any organisation processing the personal data of individuals in India.
- Consent, clear notice, and purpose limitation are foundational obligations.
- Individuals get rights to access, correction, erasure, and grievance redressal.
- Penalties reach up to Rs 250 crore, enforced by the Data Protection Board of India.
Key terms
The Act defines a small set of roles you need to know:
- Data Principal: the individual whose personal data is processed.
- Data Fiduciary: the organisation that decides why and how data is processed.
- Data Processor: a party that processes data on a fiduciary's behalf.
- Significant Data Fiduciary: a fiduciary handling higher-volume or higher-risk data, with extra duties such as a Data Protection Officer, data protection impact assessments, and audits.
Core obligations
At a minimum, a data fiduciary must:
- Obtain valid, informed consent and give clear notice of purpose.
- Limit use to the stated purpose and retain data only as needed.
- Implement reasonable security safeguards to protect personal data.
- Enable data principal rights: access, correction, erasure, and grievance redressal.
- Report personal data breaches as required, and support the Data Protection Board.
A practical starting checklist
Turning the Act into action usually starts with knowing what data you hold and where it is exposed:
- Map the personal data you collect, where it lives, and who it is shared with.
- Fix consent and notice flows so they are clear and specific.
- Assess and reduce your external exposure, since a breach is both a security and a DPDP event.
- Extend the same scrutiny to vendors that process data on your behalf.
- Keep evidence of controls and incidents so you can demonstrate compliance.
Frequently asked questions
Start your DPDP readiness
A breach is a DPDP event. See where your personal data is exposed with a free outside-in check.
Run a free check