Parliament enacted the Digital Personal Data Protection Act on 11 August 2023. The law creates a full framework for the protection of digital personal data in India. The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025. This marks the full operationalisation of the Digital Personal Data Protection Act, 2023 (DPDP Act). Together, the Act and the Rules form a clear and citizen-centred framework for the responsible use of digital personal data. They place equal weight on individual rights and lawful data processing. DPDP Act & DPDP Rules - Applicability & Compliance If you are using any of the below tools for performing any of the below acts or activities, DPDP Act may be applicable to YOU. Use of electronic devices, such as computers, laptops, tablets, smartphones, etc. - To collect, store, or process any information about individuals, e.g. their names, contact details, etc. Use of software applications, such as databases, spreadsheets, word processors, etc. - To manage or analyze any information about individuals, such as their transactions, behavior, patterns, etc. Use of cloud services, such as Google Drive, Dropbox, OneDrive, etc. - To store or access any information about individuals on the internet or on remote servers. Use of digital tools, such as scanners, cameras, printers, etc. - To convert any information about individuals from non-digital form to digital form. Use of any online platforms, such as websites, apps, social media, email, etc. - To communicate with or provide services to individuals, such as sending newsletters, taking orders, making payments, etc. These are examples only. There could be other tools, act or activities depending on what data you process and how you process it. Digital Personal Data Protection Act - An overview 1. What is Digital Personal Data according to DPDP Act Data collected offline but later digitised (e.g., paper forms scanned into a database). Data collected online (websites, apps, digital forms). Data processed in electronic form, regardless of how it was originally collected. 2. What is Personal Data according to DPDP Act Personal data means any information that can directly or indirectly identify an individual. Basic Identity Information - Name, date of birth, gender, address, email, phone number Government Identifiers - Passport number, Aadhaar number, PAN/tax ID, driving license, etc Financial Identifiers - Bank account details, credit/debit card numbers, salary information, transaction records, etc Online & Technical Identifiers - IP address, device ID, IMEI number, cookies, login credentials, etc Employment & Education Identifiers - Employee ID, academic transcripts, professional qualifications, performance reviews, etc Biometric & Health Identifiers - Fingerprints, facial recognition data, iris scans, DNA profiles, medical records, etc 3. Digital Personal Data Protection Act - Key Concepts Data - Representation of information, facts, concepts, opinions or instructions suitable for communication, interpretation or processing by humans or by automated means. Processing - Wholly or partly automated operation or set of operations performed on digital personal data. Automated - Any digital process capable of operating automatically in reponse to the instructions given or otherwise for the purpose of processing data Personal Data breach - Any unauthorised processing of personal data or its accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access that compromises its confidentiality, integrity or availability. Personal Data / Digital Personal Data - Any data about an individual who is identifiable by or in relation to such data; Digital personal data means data in digital form Data Principal - The individual to whom the personal data relates; includes the parents or lawful guardian of a child who has not completed 18 years of age and a lawful guardian of a person with disability. Data Fiduciary - Any person who alone or in conjunction With other persons determines the Purpose and means of processingof personal data. Data Processor - A person who processes personal data onbehalf of a Data Fiduciary. 4. Applicability of the Act 5. Key Stakeholders Data Principal - The individuals whose personal data is collected or processed by data fiduciaries ог data processors. Data Fiduciary - The persons or entities who decide the purpose and means of processing of personal data. Data Processor - The persons or entities who process personal data on behalf of data fiduciaries. Data Proteciton Board of India - The regulatory authority to oversee the implementation and compliance of the Act Government - The central government that is responsible for and enacting implementing the DPDP Act 2023. 6. Obligations of Data Fiduciary - DPDP Act Processing for Lawful purpose - Processing of personal data for lawful purpose only for which Data Principal has given consent Accuracy and completeness of data When used in decision making effecting Data Principal When the data is Likely to be disclosed to another Data Fiduciary Notice, Consent and legitimate uses Notice before consent Consent to certain characteristics Consent not required for processing in case of defined legitimate uses Technical and Organisational Meashures - Appropriate measure to effective ensure adherence with the provisions of the Act Procedure for grievance redressal and contact information of DPO Grievance redressal Procedure to be in place. Publishing of business contact information of DPO, if applicable Security safegurad to prevent data brrach and Breach Notification Reasonable measures to prevent data breach; Notification of breach to the Board and every affected Data Principal Engage, apppint or use Data Processor - Involvement of data processor to process personal data under a valid contract only Erasure of data On withdrawal of consent by Data Principal When Purpose of retention is no longer served 7. Consent of a Data Principal - Digital Personal Data Protection Act The Act requires that personal data of a Data Principal can only be processed for a lawful purpose with the Data Principal's consent. The Act also specifies the features that the consent should have, such as being lawful, informed, clear, and specific. Consent of a Data Principal Must be free, specific, informed, unambiguous, unconditional and affirmative To signify an agreement of Data Principal to the processing of data for specified purposes Cannot seek for infringing this Act or any other law Request for consent notice in preferred language - Data Principal can request for the consent notices to be made available to them in any scheduled Indian language. Right to withdraw Consent Option of consent through Consent Manager The Act provides for certain "legitimate uses" for which a data fiduciary may process personal data of Data Principals, without obtaining the specific consent of the Data Principal. Data Processing is permitted for legitimate uses such as Employment reason including prevention of espionage, securing trade secret, IP etc Voluntarily giving of data by Data Principal State functions e.g. issuing subsidy, license, permits etc. Medical Treatment during epidemic etc. Responding to Medical Emergency Complying with law requiring disclosure of info. to the state Complying with Judgement or Order State functions under any law or for integrity and sovereignty of India 8. Right of Data Principal Right to correction, completion, erasure etc. of personal data - In accordance with the applicable laws and in such manner as may be prescribed Right to information from Data Fiduciary A summary of the personal data being processed and the processing activities undertaken. Identities of other Data Fiduciary /Data Processors with whom the personal data has been shared along with the description of personal data so shared. Any other information as may be prescribed. Right to nominate - To nominate any other individual to exercise the rights in case of death of incapacity Right of grievance redressal To readily available means of registering a grievance with a Data Fiduciary. To approach the Board in case of dissatisfaction with Data Fiduciary. 9. Penalties under Digital Personal Data Protection Act Up to INR 250 Cr. - Failure of Data Fiduciary to take reasonable security safeguards to prevent personal data breach. Up to INR 150 Cr. - Non-fulfilment of additional obligations of Significant Data Fiduciary. Up to INR 200 Cr. - Failure to notify the Board and affected Data Principals in the event of a personal data breach. Up to INR 200 Cr. - Non-fulfilment of additional obligations in relation to Children. Up to INR 50 Cr. - Other non compliances with the act, or rules made thereunder. While determining the penalty, the Data Protection Board will consider following factors the nature, gravity and duration of the breach, the type and nature of personal data affected by the breach, repetitive nature of the breach, whether a person has realized a gain or avoided a loss as a result of the breach, whether a person has taken any action to mitigate the effects of the breach, and the timeliness and effectiveness of such steps, and the likely impact of the penalty on the person. DPDP Act - Broad Framework of Implementation for Data Fiduciary Data Fiduciaries are required to undertake these activities for implementing DPDP Act. Conduct Data Audit. Review and update policies. Implement strong data governance. Enhance IT & data security measures. Conduct employee training. Send notice & obtain valid consent. Establish Data Protection Agreements. Develop Data Principal's rights management. Establish Vendor Management. Establish Digital Asset Management. Identify Processing Activities of Personal Data. Develop breach response plan. Maintain Records of Processing Activities. Stay updated and seek legal advice. Sources Digital Personal Data Protection Act 2023 Digital Personal Data Protection Rules 2025