IT Glossary · Compliance & Regulations
The Digital Personal Data Protection (DPDP) Act 2023 is India's first comprehensive data privacy law — requiring businesses to get consent before processing personal data, protect it securely, and report breaches to a new regulatory body.
The Digital Personal Data Protection Act 2023 was enacted in August 2023 and establishes a framework for how Indian businesses must handle personal data of Indian citizens. Key principles include: lawful processing only with consent; purpose limitation (use data only for the declared purpose); data minimisation; accuracy; storage limitation; and security safeguards. The Act creates a Data Protection Board to adjudicate complaints and impose penalties. Significant Data Fiduciaries (large data processors) will face additional obligations including data audits and impact assessments. The Act also grants individuals rights — to access their data, correct it, and request erasure.
Related terms: GDPR, CERT-In, Data Privacy, Personal Data, Data Breach, Consent Management
Yes, but with differentiation. All businesses processing personal data of Indian citizens must comply with basic DPDP principles. Significant Data Fiduciaries (large processors to be notified by the government) have additional obligations. Small businesses should focus on lawful basis, consent documentation, basic security, and breach reporting procedures.
The DPDP Act 2023 was enacted but most provisions require government-issued Rules to become enforceable. The Rules were expected in 2024–2025. Businesses should prepare now rather than wait, as implementation takes time and early preparation avoids penalties.
Get DPDP Act readiness assessment for your Indian business — data privacy compliance support from National IT Service.