The Complete Guide to India's DPDP Act 2023
India's Digital Personal Data Protection Act 2023 is the country's first comprehensive data privacy legislation. This guide breaks down all 44 sections across 9 chapters plus 23 DPDP Rules 2025 in plain English, with compliance checklists, penalty amounts up to ₹250 Crore, and an AI Clause Finder.
Topic Hubs
- Consent & Notice — Lawful basis, privacy notices, consent capture, and withdrawal.
- Security & Breach — Safeguards, breach notification, and penalty exposure.
- Data Principal Rights — Access, erasure, grievance, nomination, and individual duties.
- Children's Data — Parental consent, tracking restrictions, and SDF obligations.
- Cross-Border Transfers — Transfers outside India and exemptions.
- Board & Penalties — DPBI powers, inquiries, and financial penalties.
Act ↔ Rules Mapping | Penalty Schedule | DPDP FAQs (36 answers)
Chapters Overview
- Chapter 1: Preliminary (Sections 1–3) — Short title, definitions, and territorial scope of the DPDP Act 2023.
- Chapter 2: Obligations of Data Fiduciary (Sections 4–10) — Consent, notice, security safeguards, children's data, and Significant Data Fiduciary duties.
- Chapter 3: Rights and Duties of Data Principal (Sections 11–15) — Access, correction, erasure, grievance, nomination, and duties of individuals.
- Chapter 4: Special Provisions (Sections 16–17) — Cross-border transfers and government exemptions.
- Chapter 5: Data Protection Board of India (Sections 18–26) — Establishment, composition, and governance of the DPBI.
- Chapter 6: Powers, Functions and Procedure of Board (Sections 27–28) — Inquiry powers and adjudication procedure before the Board.
- Chapter 7: Appeal and Alternate Dispute Resolution (Sections 29–32) — TDSAT appeals, ADR, and voluntary undertakings.
- Chapter 8: Penalties and Adjudication (Sections 33–34) — Financial penalties up to ₹250 crore and crediting of fines.
- Chapter 9: Miscellaneous (Sections 35–44) — Rule-making, consistency with other laws, and consequential amendments.
Key Penalties Under DPDP Act 2023
| Violation | Max Penalty |
|---|---|
| Failure to implement security safeguards | ₹250 Crore |
| Breach notification failure | ₹200 Crore |
| Children's data violations | ₹200 Crore |
| Consent/notice violations | ₹200 Crore |
| SDF obligation breaches | ₹150 Crore |
Implementation Timeline
- August 2023: Act passed by Parliament
- January 2025: DPDP Rules 2025 notified
- November 2025: Data Protection Board established
- November 2026: Consent Manager registration opens
- May 2027: Full compliance enforcement begins
Frequently Asked Questions
What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law, establishing rights for individuals and obligations for organizations processing personal data in digital form.
Who does the DPDP Act apply to?
It applies to all organizations processing digital personal data within India and to those processing data of Indian individuals from outside India when offering goods/services.
What are the maximum penalties?
The highest penalty is ₹250 Crore for failure to implement reasonable security safeguards leading to a data breach.
Start Your DPDP Compliance Assessment | Calculate Compliance Cost | Explore DPDP Platform