Decoding the Digital Personal Data Protection Act, 2023

Disclaimer: The information is shared in good faith and for general informational purposes only. Ujjivan does not make any representations or warranties regarding the accuracy, completeness, or reliability of the content.

November 18, 2025

The Digital Personal Data Protection (DPDP) Act, 2023 is India’s first comprehensive digital privacy law. Enacted by Parliament on August 11, 2023, it establishes a full framework for how personal data may be collected and used. The law balances people’s right to protect their data with the need for companies to use data lawfully.

It follows a “SARAL” (Simple, Accessible, Rational and Actionable) approach, using plain language so ordinary citizens and businesses can understand their obligations. On November 14, 2025, the government notified the DPDP Rules, 2025 – fully operationalizing the Act. Together, the Act and Rules form a citizen-centric data protection framework.

Who does the DPDP Act Protect and What are Data Fiduciaries and Data Principals?

The law protects individuals (called “Data Principals”) and their personal data. A Data Principal is a person whose digital personal data is being collected, stored, or used by an organisation or digital device. In other words, it’s you – any internet user, customer or citizen.

A Data Fiduciary is any entity (company, organization or individual) that decides why and how to process personal data. In practice, this means any website, app or business that collects your data. The Act also defines Data Processors (who process data on behalf of a fiduciary) and Consent Managers (platforms that help users manage consent). By naming these roles, the law makes it clear who has rights (data principals) and who has duties (data fiduciaries) when it comes to personal data.

What Rights Do Individuals Have Over Their Personal Data?

The DPDP Act gives people several clear rights over their data. In short, you control your data. For example, you have the right to:

  • Give or Refuse Consent – Companies must get your clear, informed permission to collect or use your data. You can always withdraw consent later.
  • Know How Data is Used – You can ask any company what data of yours they have, why they collected it, and how they are using it.
  • Access your Data – You can request a copy of all personal data a company holds about you.
  • Correct or Update Data – If some of your details are wrong or have changed (like a new address or phone number), you can ask for corrections or updates.
  • Erase Data – In certain cases, you can ask a company to delete your personal data and it must comply if conditions are met.

These rights must be honoured promptly – companies have up to 90 days to respond to your request.

What Is a Consent Manager and Why Does It Matter?

A Consent Manager is a neutral platform that helps you manage how your personal data is used. Think of it as a control panel where you can give, withdraw, review, or manage consent for different services – all in one place.

Key points:

  • It must be a company based in India and registered with the Data Protection Board.
  • It ensures that consent requests are transparent, interoperable, and easy to understand.
  • It empowers users to make informed choices across multiple platforms (like apps or websites) without needing to visit each one separately.

In essence, the Consent Manager is your ally in staying in control of your data permissions across the digital world.

What Happens If There’s a Conflict Between the DPDP Act and Other Sectoral Laws?

In case of a conflict between the DPDP Act and any sector-specific law (like RBI guidelines, health data rules, or telecom laws), the sectoral regulation will prevail.

Here’s how it works:

  • The DPDP Act is designed to coexist with existing sectoral regulations.
  • If a specific law (like the RBI’s data localization norms) mandates stricter rules, those will take precedence.
  • This prevents regulatory overlap and ensures that privacy is maintained without disrupting sector-specific safeguards.

So, the DPDP Act acts as a broad umbrella, but existing specialized laws remain valid and enforceable where applicable.

Who Oversees the Implementation? Introducing the Data Governance Body

The DPDP Act introduces the Data Protection Board of India as the main body to oversee enforcement. However, it’s also part of a larger data governance ecosystem aimed at ensuring compliance, transparency, and digital trust.

The governance structure includes:

  • The Board: Handles complaints, conducts inquiries, and issues penalties or directions.
  • Appellate Tribunal (TDSAT): Hears appeals against Board decisions.
  • Government oversight: The central government may issue policy directives and define broader frameworks.

Together, these bodies create a digital-first, user-centric data governance system to enforce privacy laws across India.

What Is a Data Processor?

A Data Processor is an entity that processes personal data on behalf of a Data Fiduciary. It does not decide why the data is processed; it only performs the task assigned to it.

Example:

  • A payment gateway or cloud storage service hired by an e-commerce platform is a Data Processor.
  • They may handle sensitive data like your payment info or delivery address, but only under the instructions of the e-commerce company (the Data Fiduciary).

Under the DPDP Act:

  • Processors must follow security and privacy obligations as directed by the Data Fiduciary.
  • Fiduciaries are accountable for any action their processors take, so they must choose vendors responsibly.

What Obligations Does the DPDP Act Place on Organizations?

Companies (Data Fiduciaries) have a number of new duties to protect your data and act transparently. Key obligations include:

  • Clear Consent Notices
    Before collecting any data, firms must give you a separate, easy-to-understand notice explaining exactly what data they want and why. Consent for each purpose must be explicit.
  • Data Minimisation and Safeguards
    Companies should only collect data necessary for the stated purpose. They must protect data with reasonable security measures (encryption, firewalls, access controls, backups, etc.). Logs should be maintained of who accessed data (for example, keeping access logs for investigation). Significant data fiduciaries (like big tech companies) have even stricter duties, such as independent privacy audits and impact assessments.
  • Breaches and Transparency
    If a breach occurs, firms must promptly inform affected individuals in clear language (explaining what happened, its impact and steps taken). They must also notify the Data Protection Board. Companies must display a clear point-of-contact (like a Data Protection Officer or grievance officer) for any data queries.

In practice, this means you should see companies requesting explicit opt-in consent, providing privacy notices, and making it easy to reach someone about your data. The rules are designed to ensure businesses handle data responsibly and stay accountable.

What Happens in Case of a Data Breach Under the DPDP Act?

If a data breach occurs, the Act requires companies to act immediately. They must inform all affected users without delay in simple language. The breach notice should explain the nature of the breach, its likely impact on users, and the steps being taken to mitigate any harm.

For example, official guidance says the message should include what happened, its timing, consequences and any safety measures you can take. Companies also must notify the Data Protection Board. In practical terms, this means if your personal information is leaked or accessed unlawfully, you should get a prompt alert (for instance via email or app notification) telling you the basics of what happened and who to contact for help. Fast notification lets you take protective actions (like changing passwords or cancelling cards).

What Penalties can Companies Face for Non-Compliance?

The DPDP Act imposes hefty fines to ensure compliance. For serious violations, penalties can reach up to ₹250 crore. For example, failing to implement reasonable security safeguards can attract a penalty up to ₹250 crore. Not notifying the Board or individuals about a breach (or mishandling children’s data) can incur fines up to ₹200 crore.

Other violations (like not following procedures) can attract penalties up to ₹50 crore. In short, data breaches or rule-breaking by companies can lead to huge financial penalties. This is intended to make firms take data protection seriously.

When Will These Rules Take Effect for Companies and Apps?

The government has given businesses some time to comply with the new law. The DPDP Rules introduce an 18-month phased implementation period. This means companies have up to a year and a half from November 2025 to fully adjust their systems.

Core duties like mandatory consent notices and breach reporting will come into force by about a year from now. The phased approach is meant to give businesses, especially smaller ones, time to update their practices without disrupting services. However, some basic provisions (like providing privacy notices and security safeguards) become effective immediately with the rules. Overall, expect apps and websites to gradually update their privacy flows – for example, asking for your consent in new ways and giving you easier data-management options over the next year.

Final Thoughts

The DPDP Act and the new rules represent a milestone in India’s digital journey. They strengthen citizens’ privacy rights and set clear duties for businesses. By placing individuals at the centre and ensuring companies are accountable, the law builds trust in India’s fast-growing digital ecosystem.

With tough penalties and a digital-ready enforcement board, the framework should deter misuse of personal data. In short, India now has a modern data-protection regime that supports innovation while keeping your privacy front and centre.

Disclaimer:

The contents herein are only for informational purposes and generic in nature. The content does not amount to an offer, invitation or solicitation of any kind to buy or sell, and is not intended to create any legal rights or obligations. This information is subject to updation, completion, amendment and verification without notice. The contents herein are also subject to other product-specific terms and conditions, as well as any applicable third-party terms and conditions, for which Ujjivan Small Finance Bank assumes no responsibility or liability.

Nothing contained herein is intended to constitute financial, investment, legal, tax, or any other professional advice or opinion. Please obtain professional advice before making investment or any other decisions. Any investment decisions made by you shall be at your own sole discretion, independent analysis and evaluation of the risks involved. The use of any information set out in this document is entirely at the user’s own risk. Ujjivan Small Finance Bank Limited makes no representation or warranty, express or implied, as to the accuracy and completeness of any information herein. The Bank disclaims any and all liability for any loss or damage (direct, indirect, consequential, or otherwise) incurred by you due to use of, or due to investment or product application decisions made by you on the basis of, the contents herein. While the information is prepared in good faith from sources deemed reliable (including public sources), the Bank disclaims any liability with respect to accuracy of information or any error or omission or any loss or damage incurred by anyone in reliance on the contents herein, in any manner whatsoever.

To know more about Ujjivan Small Finance Bank products, visit: https://www.ujjivansfb.in

All intellectual property rights, including copyrights, trademarks, and other proprietary rights, pertaining to the content and materials displayed herein, belong to Ujjivan Small Finance Bank Limited or its licensors. Unauthorised use or misuse of any intellectual property, or other content displayed herein is strictly prohibited and the same is not intended for distribution to, or use by, any person in any jurisdiction where such distribution or use would (by reason of that person’s nationality, residence or otherwise) be contrary to law or registration or would subject Ujjivan Small Finance Bank Limited or its affiliates to any licensing or registration requirements.

FAQs

1. Who must follow the DPDP Act?

Any organization (public or private) that processes digital personal data of individuals in India is a “Data Fiduciary” and must comply with the law. This includes websites, apps, tech companies, and even small businesses if they handle customer data.

2. What kinds of data are covered?

The Act covers all digital personal data, essentially any information that relates to you (name, contact details, etc.) collected in electronic form. It does not apply to non-digital (paper) records.

3. How do I exercise my data rights?

You can write to the company (or its Data Protection Officer) that holds your data. Ask them for details about your data, or request correction or deletion. The law requires them to respond within 90 days. If they don’t comply, you can approach the Data Protection Board online.

4. What if a company ignores the rules?

Companies face heavy fines (up to ₹250 crore) if they break the rules. You can also file a complaint with the Data Protection Board. The Board has the power to order investigations and penalties.

5. Does this affect my RTI (Right to Information) rights?

The DPDP Act amends the RTI Act so that personal information in government records must be treated carefully (in line with privacy rights). It means personal data won’t be disclosed unless a strong public interest justifies it, preserving both transparency and privacy.