IT Glossary · Compliance & Regulations

DPDP Act 2023 — India's Digital Personal Data Protection Law

The Digital Personal Data Protection (DPDP) Act 2023 is India's first comprehensive data privacy law — requiring businesses to get consent before processing personal data, protect it securely, and report breaches to a new regulatory body.

The Digital Personal Data Protection Act 2023 was enacted in August 2023 and establishes a framework for how Indian businesses must handle personal data of Indian citizens. Key principles include: lawful processing only with consent; purpose limitation (use data only for the declared purpose); data minimisation; accuracy; storage limitation; and security safeguards. The Act creates a Data Protection Board to adjudicate complaints and impose penalties. Significant Data Fiduciaries (large data processors) will face additional obligations including data audits and impact assessments. The Act also grants individuals rights — to access their data, correct it, and request erasure.

Related terms: GDPR, CERT-In, Data Privacy, Personal Data, Data Breach, Consent Management

Frequently Asked Questions

Does the DPDP Act apply to small businesses in India?

Yes, but with differentiation. All businesses processing personal data of Indian citizens must comply with basic DPDP principles. Significant Data Fiduciaries (large processors to be notified by the government) have additional obligations. Small businesses should focus on lawful basis, consent documentation, basic security, and breach reporting procedures.

When does the DPDP Act come into full effect?

The DPDP Act 2023 was enacted but most provisions require government-issued Rules to become enforceable. The Rules were expected in 2024–2025. Businesses should prepare now rather than wait, as implementation takes time and early preparation avoids penalties.

Get DPDP Act readiness assessment for your Indian business — data privacy compliance support from National IT Service.