Blue shield and padlock over a global digital network representing worldwide web security protection

India now has a comprehensive data-protection law with real teeth. The Digital Personal Data Protection (DPDP) Act, 2023 sets the rules for how organisations collect, use and protect the personal data of individuals in India—and with the DPDP Rules notified on 13 November 2025, the compliance clock is officially running. Full enforcement lands on 13 May 2027, and the penalties for getting it wrong reach ₹250 crore.

This guide explains what the DPDP Act requires in plain language, who it applies to, the key deadlines, and the practical steps Indian businesses should take now to become DPDPA-ready.

What is the DPDP Act, 2023?

The DPDP Act is India’s first standalone law dedicated to protecting digital personal data—any information about an identifiable individual, processed in digital form. It replaces the earlier, narrow rules under the IT Act and establishes a consent-first framework overseen by a new regulator, the Data Protection Board of India (DPBI).

It applies to any organisation processing the personal data of individuals in India, and—critically—it has extra-territorial reach: a business outside India that offers goods or services to people in India is also covered.

The language you need to know

  • Data Principal – the individual the personal data is about (elsewhere called a “data subject”).
  • Data Fiduciary – the organisation that decides why and how personal data is processed (the “controller”). This is most businesses.
  • Data Processor – a third party that processes data on the Fiduciary’s behalf (e.g. a SaaS vendor).
  • Consent Manager – a registered platform through which Data Principals give, manage and withdraw consent.
  • Significant Data Fiduciary (SDF) – larger or higher-risk Fiduciaries designated by the government, who carry additional obligations.

The DPDP compliance timeline: key dates

The Rules use a phased, roughly 18-month transition so organisations can prepare:

Date What happens
13 Nov 2025 DPDP Rules, 2025 notified. The Data Protection Board and complaint mechanisms become operational.
13 Nov 2026 Provisions relating to Consent Managers take effect (12 months).
13 May 2027 Hard enforcement date. Full compliance required—consent, notices, data-principal rights, breach protocols and security safeguards must all be in place (18 months).

In practice, May 2027 is the deadline to plan backwards from. Building a compliant consent and data-governance programme typically takes several months, so organisations that wait until 2027 will be under real pressure.

What the DPDP Act requires of businesses

1. Lawful processing and clear notice

You must process personal data only for a lawful purpose, based on the Data Principal’s freely given, specific and informed consent (or a recognised “legitimate use”). Consent requests must be accompanied by a clear notice describing what data is collected, the purpose, and how individuals can exercise their rights and complain to the Board.

2. Purpose and storage limitation

Data may be used only for the purpose it was collected for, and should not be retained once that purpose is served.

3. Reasonable security safeguards

Data Fiduciaries must implement reasonable security safeguards to prevent personal-data breaches—this is the obligation most closely tied to hands-on cybersecurity. Encryption, access control, logging, and regular vulnerability assessment and penetration testing all help demonstrate that safeguards are genuinely in place, not just on paper.

4. Personal-data breach notification

In the event of a breach, the Data Fiduciary must notify both the Data Protection Board and every affected Data Principal. Having a tested breach-response capability and digital forensics and incident response on call is what makes fast, accurate notification possible.

5. Honour Data Principal rights

Individuals gain the right to access their data, seek correction and erasure, nominate someone to act on their behalf, and lodge grievances. You need a workable process to receive and fulfil these requests within a reasonable time.

6. Extra duties for Significant Data Fiduciaries

If your organisation is designated an SDF, expect additional obligations: appointing a Data Protection Officer based in India, commissioning an independent data auditor, and conducting periodic Data Protection Impact Assessments (DPIAs).

What are the penalties?

The DPDP Act sets financial penalties per instance, imposed by the Board after inquiry. The headline figure is up to ₹250 crore for failure to take reasonable security safeguards to prevent a personal-data breach—making a strong technical security posture not just good practice but a direct financial risk-reduction measure. Other breaches (such as failing to notify, or breaching children’s-data rules) carry their own graded penalties.

DPDPA vs ISO 27001 and other frameworks

DPDPA is a legal obligation; frameworks like ISO/IEC 27001:2022 are voluntary standards—but they align well. An ISO 27001 information-security management system already delivers much of the “reasonable security safeguards” and governance the DPDP Act expects, which is why many Indian businesses use ISO 27001 as the backbone of their DPDPA programme. Organisations in regulated sectors will also be mapping DPDPA alongside their RBI and SEBI cyber-security obligations.

How to become DPDPA-ready: a practical checklist

  • Map your data. Know what personal data you hold, where it lives, why, and who it’s shared with.
  • Fix consent and notices. Redesign collection points to capture valid, revocable consent with clear notices.
  • Strengthen security safeguards. Encryption, access control, logging—validated by regular VAPT.
  • Build a breach-response plan. Define detection, containment, forensics and the Board/individual notification workflow.
  • Stand up data-principal rights processes. A clear intake and fulfilment path for access, correction and erasure.
  • Assign accountability. Ownership at leadership level—and a DPO if you may be an SDF. A virtual CISO is a practical option for organisations without an in-house security leader.

Frequently asked questions

When does the DPDP Act come into force?

The DPDP Rules were notified on 13 November 2025, with a phased transition. Full compliance is required by 13 May 2027.

Does DPDPA apply to small businesses?

Yes. The Act applies to any Data Fiduciary processing digital personal data of individuals in India, though Significant Data Fiduciaries carry heavier obligations. Startups may receive certain exemptions as notified by the government.

Does DPDPA apply to companies outside India?

Yes—if they offer goods or services to individuals in India, the Act applies extra-territorially.

What’s the maximum penalty under the DPDP Act?

Up to ₹250 crore per instance for failing to take reasonable security safeguards to prevent a personal-data breach.

Start your DPDPA journey with Selkey

Selkey Cyber Security helps Indian organisations translate the DPDP Act into an actionable programme—data-protection gap assessment, security-safeguard hardening validated by VAPT, breach-response readiness, and governance support. Our consultants hold credentials including ISO 27001 Lead Auditor, OSCP and CEH Master.

Explore Selkey’s DPDPA compliance services or book a readiness consultation →

This article is general information, not legal advice. Confirm your specific obligations against the current text of the DPDP Act and Rules, or with qualified counsel.

Leave A Comment

All fields marked with an asterisk (*) are required