
DPDP Act 2023 — Digital Personal Data Protection Act

The Digital Personal Data Protection Act 2023 is Indian law. Every organisation that collects, stores, or processes personal data of individuals in India must comply — regardless of size, sector, or whether you are Indian or foreign. There is no opt-out. Penalties for non-compliance go up to ₹250 crore per instance.

Indian law
Enacted August 2023
All organisations
No sector or size exemption
₹250 Cr
Maximum penalty per instance of non-compliance

Your organisation processes personal data — customer data, employee data, user data — and the DPDP Act gives individuals specific rights over that data. Your job is to understand what personal data your function handles, follow your organisation's data handling procedures, and report any suspected data breach immediately.

Consent
Must be obtained before processing personal data
Rights
Individuals can access, correct, and erase their data
Breaches
Must be reported to the DPBI

Quick reference. DPDP Act 2023 enacted August 2023. Rules under the Act being notified in phases — monitor MeitY. Key provisions: Data Fiduciary (anyone processing personal data), Significant Data Fiduciary (SDF — designated by government, additional obligations), Data Principal (individual whose data is processed), DPBI (Data Protection Board of India — adjudicatory body). Consent must be free, specific, informed, unconditional, and unambiguous.

Aug 2023
Act enacted
DPBI
Data Protection Board of India
SDF
Significant Data Fiduciary — additional obligations

The Digital Personal Data Protection Act 2023 is India's comprehensive data privacy legislation. It replaced the IT Act's Section 43A provisions on reasonable security practices. India joins a global wave of privacy legislation following GDPR (EU 2018), PDPA (Singapore), and PIPEDA (Canada). The Act establishes the Data Protection Board of India as the adjudicatory body.

2023
DPDP Act enacted
DPBI
Data Protection Board of India
GDPR influence
Consent and rights framework similar
Indian law — mandatory for all organisations processing personal data of Indians
Rules under the Act being notified — monitor developments at meity.gov.in
Significant Data Fiduciaries face additional obligations
01 — What it is: Understanding DPDP Act

India's data privacy law — what it requires from every organisation that processes personal data.

The Digital Personal Data Protection Act 2023 is India's comprehensive data privacy legislation. It was enacted in August 2023 and applies to any organisation that processes personal data of individuals in India — including foreign companies processing data of Indian users.

The Act establishes the Data Protection Board of India (DPBI) as the adjudicatory body for complaints and enforcement. Penalties can reach ₹250 crore per instance of non-compliance.

Significant Data Fiduciaries (SDFs) — organisations designated by the government based on volume of data processed, sensitivity, or risk to national security — face additional obligations including appointment of a Data Protection Officer (DPO) and mandatory data protection impact assessments.

The Rules under the Act are being notified in phases. The Act was enacted but specific procedural requirements (consent notice format, DPBI procedures, SDF designation criteria) are being notified through Rules. Monitor developments at meity.gov.in and engage a qualified privacy counsel to stay current. This page reflects the Act as enacted — specific rule requirements may have been notified since.

👥 Illustrative case — details changed for confidentiality
The business
E-commerce platform
Mumbai · 180 employees, 2 million registered users
The trigger
India's Digital Personal Data Protection Act 2023 was notified. As a significant data fiduciary processing large volumes of personal data, they needed a compliance programme immediately.
The challenge
They had a privacy policy but no consent management platform, no formal data inventory, no data principal rights process, and no documented breach response procedure. Their legal team estimated they were exposed across multiple DPDP provisions.
Where Clicarity came in
They used Clicarity to manage the compliance programme itself — treating each workstream (consent, data inventory, security controls, rights processes) as a job with stages and owners. Customer data and employee data programmes ran as separate sub-jobs with different legal bases and obligations. When they rejoined at the annual board review, the complete compliance record across both workstreams was preserved.
The result
DPDP compliance programme implemented in 6 months. Board presented with documented evidence of compliance against all applicable provisions.
Treating compliance as a tracked project rather than a document exercise gave us visibility and accountability we didn't have before.
02 — Who needs it: Is it right for you?

Do you actually need it? Honest answer.

✓ Mandatory for you
Every organisation processing personal data of individuals in India
E-commerce platforms, apps, and digital services with Indian users
Hospitals, schools, and HR departments handling employee data
Foreign companies with Indian users or processing Indian data offshore
∼ Additional obligations if designated SDF
Significant Data Fiduciaries — designated by government based on data volume, sensitivity, and risk
SDF designation criteria being notified via Rules
— Limited personal data processing
Organisations processing only employee data for HR purposes may have lighter obligations — verify against current Rules

There is no size threshold. Unlike GDPR which has SME-specific provisions, the DPDP Act does not exempt small businesses. All Data Fiduciaries must comply with the core provisions.

03 — What it requires: What is checked

What the DPDP Act requires from every Data Fiduciary.

1
Lawful basis for processing — consent or legitimate use
Personal data may only be processed with the Data Principal's consent, or for specific legitimate uses defined in the Act (employment, medical emergency, State functions, legal obligation).
E.g. Before collecting a customer's mobile number and email for marketing, a consent notice must be given and free, specific, informed consent obtained.
Most common gap: Implied consent or pre-ticked boxes are not valid. Consent must be unambiguous and specific to the stated purpose.
2
Consent notice requirements
Before collecting personal data, a notice must be given explaining: what data will be collected, the purpose, the rights of the Data Principal, and how to contact the grievance officer.
E.g. A pop-up or form at data collection point stating: data collected, purpose, how long kept, how to withdraw consent.
3
Data Principal rights — access, correction, erasure, grievance
Individuals have the right to: obtain a summary of their data, correct inaccurate data, erase data, and raise a grievance. Processes to fulfil these rights must be in place.
E.g. A request form or email address for access, correction, and erasure requests. Response within the timeframe set by Rules.
Most common gap: Privacy policy mentions rights but no actual process exists to fulfil a request.
4
Data minimisation and purpose limitation
Collect only the personal data needed for the stated purpose. Do not use it for other purposes without fresh consent.
E.g. A delivery company collecting only name, address, and phone — not date of birth or financial data.
5
Security safeguards
Reasonable security measures to prevent unauthorised access, disclosure, alteration, or loss of personal data.
E.g. Encryption at rest and in transit, access controls, audit logs, regular security assessments.
6
Data breach notification
Any personal data breach must be notified to the DPBI and affected Data Principals within the timeframe specified in Rules.
E.g. Breach response procedure: detect, contain, assess, notify DPBI, notify affected individuals.
7
Data Localisation (if required by Rules)
Certain categories of personal data may be required to be stored in India. Monitor Rules for current data localisation requirements.
E.g. Sensitive personal data — check current Rules at meity.gov.in.
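The consent, notice and purpose-limitation requirements in items 1, 2 and 4 above can be enforced in code rather than left to policy text. What follows is an added example, not code from this page or from Clicarity: a hypothetical in-memory consent ledger that refuses to register a notice missing any of the listed elements, refuses to record a pre-ticked or implied consent as consent, permits processing only for the exact purpose the Data Principal consented to, supports withdrawal, and produces the per-principal record an investigator would ask for. The notice identifier, purposes, withdrawal path and grievance address are constructed sample values; the response timeframes set by the Rules are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentNotice:
    """Notice shown before collection; fields mirror the elements the page lists."""
    notice_id: str
    data_items: Tuple[str, ...]   # what will be collected
    purpose: str                  # one specific purpose
    retention: str                # how long it is kept
    withdrawal_how: str           # how to withdraw consent
    grievance_contact: str        # how to reach the grievance officer

    def missing_elements(self) -> List[str]:
        """Names of required notice elements that are blank."""
        missing = [] if self.data_items else ["data_items"]
        for name in ("purpose", "retention", "withdrawal_how", "grievance_contact"):
            if not getattr(self, name).strip():
                missing.append(name)
        return missing


@dataclass
class ConsentRecord:
    principal_id: str
    notice_id: str
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None   # None while the consent is active


class ConsentLedger:
    """Hypothetical in-memory ledger; a real one would sit on an append-only store."""

    def __init__(self) -> None:
        self._notices: Dict[str, ConsentNotice] = {}
        self._records: Dict[str, List[ConsentRecord]] = {}

    def register_notice(self, notice: ConsentNotice) -> None:
        missing = notice.missing_elements()
        if missing:
            raise ValueError(f"notice {notice.notice_id} is missing: {', '.join(missing)}")
        self._notices[notice.notice_id] = notice

    def record_consent(self, principal_id: str, notice_id: str,
                       affirmative_act: bool) -> ConsentRecord:
        """Record consent only against a registered notice and only for an affirmative act."""
        if notice_id not in self._notices:
            raise ValueError("consent can only be recorded against a registered notice")
        if not affirmative_act:
            # A pre-ticked box or silence is not an affirmative act, so nothing is recorded.
            raise ValueError("implied or pre-ticked consent is not valid consent")
        rec = ConsentRecord(principal_id, notice_id, self._notices[notice_id].purpose,
                            datetime.now(timezone.utc))
        self._records.setdefault(principal_id, []).append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str) -> int:
        """Withdraw every active consent for one purpose; returns how many were withdrawn."""
        stamp = datetime.now(timezone.utc)
        count = 0
        for rec in self._records.get(principal_id, []):
            if rec.withdrawn_at is None and rec.purpose == purpose:
                rec.withdrawn_at = stamp
                count += 1
        return count

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """Purpose limitation: only an active consent for exactly this purpose allows processing."""
        return any(rec.withdrawn_at is None and rec.purpose == purpose
                   for rec in self._records.get(principal_id, []))

    def evidence(self, principal_id: str) -> List[dict]:
        """What an investigator asks for: which notice, when, and whether it was withdrawn."""
        return [{"notice_id": r.notice_id, "purpose": r.purpose,
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records.get(principal_id, [])]


def demo() -> dict:
    """Constructed walkthrough with a hypothetical marketing notice and principal P-1."""
    ledger = ConsentLedger()
    ledger.register_notice(ConsentNotice(
        notice_id="MKT-NOTICE-v1", data_items=("mobile", "email"), purpose="marketing",
        retention="until withdrawal", withdrawal_how="Account > Privacy > Withdraw",
        grievance_contact="grievance@example.invalid"))
    out = {}
    try:  # a pre-ticked box must be rejected outright
        ledger.record_consent("P-1", "MKT-NOTICE-v1", affirmative_act=False)
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True
    ledger.record_consent("P-1", "MKT-NOTICE-v1", affirmative_act=True)
    out["marketing_allowed"] = ledger.may_process("P-1", "marketing")
    out["analytics_allowed"] = ledger.may_process("P-1", "analytics")  # other purpose: no
    out["withdrawn"] = ledger.withdraw("P-1", "marketing")
    out["marketing_after_withdrawal"] = ledger.may_process("P-1", "marketing")
    out["evidence_count"] = len(ledger.evidence("P-1"))
    return out
```

Running `demo()` shows the behaviour the checklist asks for: the pre-ticked attempt is rejected, marketing processing is allowed only while an active consent for that exact purpose exists, a different purpose is refused without fresh consent, and the record of the original consent survives withdrawal so it can be produced as evidence.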
What inspectors really check

The DPBI investigates complaints from Data Principals and can initiate suo motu investigations. They will ask for: evidence of valid consent at collection, the Data Principal rights fulfilment process, and breach response records. Inability to demonstrate valid consent is the most common enforcement trigger.

Gap analysis checklist — tick what you already have
Personal data inventory completed — what data, what purpose, what legal basis
Every category of personal data mapped.
Consent notices updated to DPDP Act requirements
Free, specific, informed, unconditional, unambiguous.
Consent withdrawal mechanism in place and working
As easy to withdraw as to give.
Data Principal rights process implemented and tested
Access, correction, erasure — process and response time.
Grievance officer named and contact details published
On website and in privacy policy.
Data breach response procedure documented and tested
DPBI notification timeline confirmed.
Security safeguards implemented — encryption, access controls, audit logs
Proportionate to data sensitivity.
Privacy policy updated to reflect DPDP Act requirements
Current and accurate.
04 — Official body: Who certifies in India

Who issues this in India — and how to verify it.

The DPDP Act is administered by the Ministry of Electronics and Information Technology (MeitY). The Data Protection Board of India (DPBI) is the adjudicatory body — it hears complaints and has enforcement powers.

Engage qualified legal counsel for DPDP compliance. The Rules under the Act are being notified in phases with specific procedural requirements. This page provides an overview of the Act's core provisions — it is not legal advice. Engage a qualified privacy lawyer or data protection consultant for your organisation's specific compliance programme.

MeitY — DPDP Act text and Rules
Ministry of Electronics — official Act text and rule notifications (meity.gov.in).
DPBI — Data Protection Board of India
Adjudicatory body for DPDP Act complaints.
CERT-In — Cyber incident reporting
Separate mandatory breach reporting for significant incidents.
IndiaAI — AI governance
MeitY initiative on AI policy relevant to AI-based personal data processing.
DPDP Act text — MeitY
05 — Timeline: How long it takes

What to expect — a typical journey.

Based on meity.gov.in (DPDP Act). Actual timelines vary. Confirm with your CB.

DPDP Act Journey
Step 1
Map your personal data
Every category of personal data your organisation collects, from whom, for what purpose, and for how long.
Step 2
Consent notices and withdrawal
Update consent notices for DPDP Act requirements. Implement consent withdrawal.
Step 3
Rights processes
Implement access, correction, erasure, and grievance processes.
Step 4
Security safeguards
Proportionate security controls for data you hold.
Step 5
Breach response
Document and test your breach response procedure.
Ongoing
Monitor Rules
DPDP Rules being notified in phases — stay current at meity.gov.in.
Where to begin: Use the checklist in Section 3 to assess your readiness before contacting any CB.
Act enacted
August 2023
Rules being notified in phases. Monitor meity.gov.in.
Max penalty
₹250 crore per instance
Non-compliance with security safeguards is the highest penalty category.
DPBI
Data Protection Board
Adjudicatory body. Hears complaints and initiates investigations.
SDF
Additional obligations
Designated by government. Includes DPO appointment and DPIAs.

The Rules are still being notified. The Act was enacted but specific procedural details are in the Rules. Do not wait for all Rules before starting — the core obligations (consent, rights, security, breach notification) are already law.

06 — Find certified companies: How to verify

How to find and verify certified organisations.

DPDP Act compliance is an internal organisational matter — there is no national public register of compliant organisations. The DPBI publishes decisions and orders on its official platform.

How to verify: To confirm whether any organisation holds a current DPDP Act certification, use the official register. Verify the issuing CB's accreditation at nabcb.qci.org.in.

DPDP Act and Rules — MeitY official page
07 — First 3 steps: How to actually start

What to do this week if you want to get started.

1
Map every category of personal data your organisation collects — this week

Name every data type: customer names, phone numbers, email addresses, payment data, employee data, health data. For each: what is collected, why, from whom, for how long. This is your starting point for everything else.

2
Update your consent notices and privacy policy to DPDP Act requirements

Your current privacy policy may pre-date the Act. Update it to reflect: purpose of processing, Data Principal rights, grievance officer contact, and withdrawal mechanism.

DPDP Act text — MeitY
3
Engage qualified legal counsel for your specific compliance programme

The DPDP Rules are being notified in phases. Engage a privacy lawyer to ensure your programme reflects the current state of the law.

08 — How Clicarity fits: Process tracking

Good records are the foundation. A process tracker builds them automatically.

Clicarity — Live Job Process Tracker & Bottleneck Identifier

Clicarity doesn't provide legal advice on DPDP Act compliance. It tracks your compliance programme — ensuring every workstream has an owner, a stage record, and a sign-off.

DPDP Act compliance involves multiple parallel workstreams: consent mechanisms, data inventory, security controls, data principal rights processes, and breach response procedures. Each workstream involves multiple steps, multiple teams, and multiple sign-offs. In Clicarity, each workstream is a job. Customer data and employee data programmes run as separate sub-jobs with their own stages, owners, and completion criteria. When they rejoin at the annual board review, the complete evidence record of every workstream is preserved — ready for regulatory review.

Each compliance workstream assigned as a stage with a named owner — no workstream falls through the gaps because ownership is visible in real time.
Customer data and employee data tracked as separate sub-jobs — different legal bases, different retention periods, different rights obligations all managed independently.
Breach response procedure tracked as a stage — the procedure itself must be documented, approved, and tested before the job closes.
Clicarity shows which compliance stages are overdue — visible bottlenecks in the programme that surface accountability issues before they become regulatory exposure.
📄 Job tracked in Clicarity
#DPDP-2026-01 — DPDP compliance programme — FY 2026-27
Programme initiated
Organisation name
DPO / compliance lead
Senior management sponsor
📅Start date
Scope — data categories
Personal data inventory
Data category mapped
Processing purpose documented
Legal basis identified
Retention period defined
Data flow diagram updated
Consent mechanism review
Consent notices reviewed
Privacy policy updated
Withdrawal mechanism live
Age verification for children
Legal reviewed by
Security controls assessment
Encryption at rest
Encryption in transit
Access controls reviewed
Breach detection in place
Security lead sign-off
▼ Job splits — each component tracked independently
#DPDP-2026-01-A
Customer data — digital channels
DPA updated
Grievance officer named
Rights process tested
#DPDP-2026-01-B
Employee data — HR systems
HR policy updated
Data retention reviewed
Access controls confirmed
Components rejoin as #DPDP-2026-01 — complete record of every branch, every data point, every sign-off preserved.
Data Principal rights implementation
Access request process
Correction request process
Erasure request process
#Response time SLA (days)
Process tested
Breach response procedure
Breach detection process
#Notification timeline (hours)
DPBI notification process
Procedure tested
Legal sign-off
Annual review
📅Review date
DPO sign-off
Board noted
Key changes made
Next review date set
Wastage tracked:
▰ Customer and employee data programmes tracked independently — different obligations
▰ Breach response procedure tested before going live
▰ Annual review captures all changes made during the year
ⓘ Fields and stage names are fully customisable. This illustrates a typical organisation — DPDP Act 2023 compliance programme setup.

Clicarity is a process tracking tool. It does not provide certification, consulting, or audit services.

Wondering if Clicarity fits your process? Describe how your jobs flow and we’ll tell you honestly whether it’s the right fit.
Last verified March 2026 · meity.gov.in · cert-in.org.in