Digital Personal Data Protection Act (DPDPA): Complete Guide for Beginners

If you're handling customer data in India, you need to understand the Digital Personal Data Protection Act (DPDPA). Broken down step by step, the law turns out to be simple and practical.

The Indian government passed the DPDPA in August 2023 and, in November 2025, released the complete DPDP Rules, bringing the law into full operation. Whether you run a fintech startup, manage a healthcare platform, or operate any business collecting digital data, understanding DPDPA is essential.

What Is the DPDPA?

The Digital Personal Data Protection Act is India's first comprehensive data protection law. It sets clear rules for how organisations can collect, store, and use personal information.

Personal data means any information identifying a specific person. Your name, email, phone number, Aadhaar details, financial records, health information, and location history are all considered personal data.

The law applies if you process digital personal data in India, or process data outside India but offer goods or services to people in India. The scope focuses on digital formats only, different from GDPR, which covers paper records too.

Why DPDPA Matters for Your Business

Compliance isn't optional. The law can impose penalties of up to ₹250 crores or 4% of global annual turnover, whichever is higher, for serious violations. Beyond avoiding fines, following DPDPA builds customer trust.

The law follows the "SARAL" approach: Simple, Accessible, Rational, and Actionable Law. The rules use plain language instead of complex legal terms, making it easier for businesses to understand what's required.

Core Principles of DPDPA You Need to Know

DPDPA rests on seven fundamental principles that guide every aspect of data handling:

  • Consent and transparency: You must get clear permission before collecting personal data and explain exactly what you'll do with it
  • Purpose limitation: Use data only for the specific reason you collected it
  • Data minimization: Collect only the information you actually need, nothing extra
  • Accuracy: Keep data correct and up to date
  • Storage limitation: Don't hold onto data longer than necessary
  • Security safeguards: Protect data from unauthorized access or breaches
  • Accountability: Take responsibility for how you handle data

Key Terms of DPDPA Explained

Data Principal

The individual whose personal data you're collecting. For children and persons with disabilities, the term also covers their parent or guardian.

Data Fiduciary

Any person or organization that decides why and how to process personal data. If you collect customer information, you're a data fiduciary.

Significant Data Fiduciary (SDF)

Organizations identified by the government based on data volume, sensitivity, and risk. SDFs must appoint data protection officers and conduct audits.

Consent Manager

An intermediary registered with the Data Protection Board who helps individuals manage and withdraw consent across services.

Your Compliance Timeline for DPDPA

Core compliance requirements will become mandatory by May 13, 2027, giving companies approximately 18 months from when the rules were notified. Use this period to audit your data practices, identify gaps, and implement necessary changes.

What You Must Do to Comply with DPDPA

Key obligations as a data fiduciary:

Get proper consent

Before collecting personal data, you need to obtain clear and informed consent. Withdrawing consent must be as simple as giving it. You can't hide consent in lengthy terms or use pre-checked boxes. Consent management platforms help organizations meet DPDPA's strict consent requirements.

Provide clear communication

Create a dedicated way for people to withdraw consent and exercise data rights. Redacto's ConsentFlow helps manage permissions efficiently.

Respond to data requests

You must respond to access, correction, or deletion requests within 90 days. Data subject access requests require identifying all systems storing personal information.

Report breaches quickly

If data is exposed or accessed without authorization, notify the Data Protection Board without delay. Detailed notification must be filed within 72 hours.

Follow retention limits

For e-commerce and social media platforms with 20 million+ Indian users, or gaming platforms with 5 million+ users, data can be retained for a maximum of 3 years.

Implement security measures

Put appropriate safeguards in place to protect personal data from unauthorized access. Data classification helps identify sensitive information requiring enhanced controls.
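The obligations above (affirmative consent, easy withdrawal, purpose limitation and retention limits) are easiest to reason about as a consent ledger that every data access is checked against. The following is an added illustration written for this guide; it is not code from the page or from Redacto. The purpose names, the principal identifiers, the email and phone values, and the three-year retention constant (taken from the page's figure for large platforms, not a general rule) are all constructed assumptions.

```python
"""Constructed example: purpose-scoped consent ledger with withdrawal and retention expiry."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: a 3-year cap, borrowed from the page's figure for large platforms.
# Real retention periods must come from your own legal review.
DEFAULT_RETENTION = timedelta(days=3 * 365)


@dataclass
class Consent:
    principal_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime, retention: timedelta) -> bool:
        """Consent counts only while not withdrawn and within the retention window."""
        if self.withdrawn_at is not None and now >= self.withdrawn_at:
            return False
        return now - self.granted_at <= retention


class ConsentLedger:
    """One consent per (principal, purpose) pair; purposes are never pooled."""

    def __init__(self, retention: timedelta = DEFAULT_RETENTION) -> None:
        self.retention = retention
        self._consents: Dict[Tuple[str, str], Consent] = {}

    def grant(self, principal_id: str, purpose: str, now: datetime, opted_in: bool) -> Consent:
        # Only an explicit affirmative act creates a record; a pre-ticked box
        # or a silent default (opted_in=False) is refused.
        if not opted_in:
            raise ValueError("consent requires an affirmative act; a pre-ticked box is not consent")
        consent = Consent(principal_id, purpose, now)
        self._consents[(principal_id, purpose)] = consent
        return consent

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> bool:
        # Same arguments, single call: withdrawing is as easy as granting.
        consent = self._consents.get((principal_id, purpose))
        if consent is None or consent.withdrawn_at is not None:
            return False
        consent.withdrawn_at = now
        return True

    def is_permitted(self, principal_id: str, purpose: str, now: datetime) -> bool:
        consent = self._consents.get((principal_id, purpose))
        return consent is not None and consent.active(now, self.retention)

    def has_any_active(self, principal_id: str, now: datetime) -> bool:
        return any(c.active(now, self.retention)
                   for (pid, _), c in self._consents.items() if pid == principal_id)


class PersonalDataStore:
    """Every read and write is gated by the ledger for the stated purpose."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self._items: Dict[str, Dict[str, str]] = {}  # principal_id -> {field: value}

    def _check(self, principal_id: str, purpose: str, now: datetime) -> None:
        if not self.ledger.is_permitted(principal_id, purpose, now):
            raise PermissionError(f"no active consent from {principal_id} for {purpose!r}")

    def write(self, principal_id: str, purpose: str, now: datetime, **fields: str) -> None:
        self._check(principal_id, purpose, now)
        self._items.setdefault(principal_id, {}).update(fields)

    def read(self, principal_id: str, purpose: str, now: datetime) -> Dict[str, str]:
        self._check(principal_id, purpose, now)
        return dict(self._items.get(principal_id, {}))

    def purge_expired(self, now: datetime) -> List[str]:
        """Storage limitation: erase principals with no active consent for any purpose."""
        gone = [pid for pid in self._items if not self.ledger.has_any_active(pid, now)]
        for pid in gone:
            del self._items[pid]
        return gone


def demo() -> dict:
    """Walk through grant, purpose-limited access, withdrawal and expiry on constructed data."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    ledger, out = ConsentLedger(), {}
    store = PersonalDataStore(ledger)
    try:  # 1. A pre-ticked box is rejected.
        ledger.grant("user-1", "order_fulfilment", t0, opted_in=False)
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True
    # 2. Explicit consent for one purpose only.
    ledger.grant("user-1", "order_fulfilment", t0, opted_in=True)
    store.write("user-1", "order_fulfilment", t0, email="u1@example.invalid")
    out["read_same_purpose"] = store.read("user-1", "order_fulfilment", t0)["email"]
    try:  # 3. Purpose limitation: marketing was never consented to.
        store.read("user-1", "marketing", t0)
        out["other_purpose_blocked"] = False
    except PermissionError:
        out["other_purpose_blocked"] = True
    # 4. Withdrawal takes effect immediately.
    ledger.withdraw("user-1", "order_fulfilment", t0 + timedelta(days=30))
    out["permitted_after_withdrawal"] = ledger.is_permitted(
        "user-1", "order_fulfilment", t0 + timedelta(days=31))
    # 5. A second principal whose consent simply ages past the retention cap.
    ledger.grant("user-2", "order_fulfilment", t0, opted_in=True)
    store.write("user-2", "order_fulfilment", t0, phone="+91-00000-00000")
    out["purged"] = sorted(store.purge_expired(t0 + DEFAULT_RETENTION + timedelta(days=1)))
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the purpose travels with every access, so data collected for order fulfilment cannot quietly be read for marketing, and a single withdrawal call flips every later check to denied. A scheduled `purge_expired` run is what turns the retention figure into an actual erasure rather than a policy sentence; in a real system the purge should also be logged so you can evidence it during an audit.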

Individual Rights Under DPDPA

The law gives individuals control over their information. People can request access to the data you hold, ask you to correct errors, and request deletion.

The Data Protection Board

The DPDPA establishes the Data Protection Board of India as an independent watchdog with four members. The Board operates entirely digitally, allowing citizens to file complaints online and track cases through a portal and mobile app.

When violations occur, the Board can impose penalties, issue corrective directions, and ensure individuals get remedies. Appeals are heard by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Special Considerations

Children's data

Processing data of individuals under 18 requires verifiable parental consent.

Cross-border transfers

The government can restrict data transfers to certain countries.

Exemptions

The government can exempt certain activities for national security, legal proceedings, and research. However, these exemptions are narrow.

Getting Started with Compliance

Take these concrete steps:

  • Map your data: Document what you collect, where it comes from, how you use it, and where it's stored. Data flow mapping identifies systems processing personal information across your organization.
  • Review consent mechanisms: Ensure you're getting valid, informed consent before collecting data.
  • Update privacy policies: Write clear privacy notices explaining your data practices.
  • Implement security controls: Assess safeguards and strengthen them where needed.
  • Create response procedures: Develop processes for handling requests and breach notifications.
  • Train your team: Ensure everyone handling personal data understands their responsibilities.

For organizations in banking, financial services, insurance, and healthcare, Redacto's Privacy Engine automates data discovery and classification, acting as a GPS for sensitive data across your systems.

FAQ

What is the DPDPA?

India's comprehensive data protection law, passed in 2023. It establishes rules for how organisations must collect, process, store, and protect personal data.

Who needs to comply with DPDPA?

Any organization processing digital personal data in India. The law also applies to organizations outside India offering goods or services to individuals in India.

When do I need to comply?

Core compliance provisions come into effect by May 13, 2027, approximately 18 months from when the DPDP Rules were notified in November 2025.

What are the penalties for non-compliance?

Violations can result in penalties up to ₹250 crores or 4% of global annual turnover, whichever is higher.

How is DPDPA different from GDPR?

DPDPA applies only to digital data, whereas GDPR covers both digital and physical records. DPDPA is written to be simpler for smaller businesses to follow. Consent requirements, individual rights, and enforcement mechanisms also differ.

Do I need to appoint a Data Protection Officer?

Only Significant Data Fiduciaries must appoint a DPO. Most small and medium businesses won't need one unless specifically notified.
