Decoding the DPDP Act, 2023

An Interactive Guide to India's Data Protection Law

What is the DPDP Act?

The Digital Personal Data Protection (DPDP) Act, 2023, is India's first comprehensive legislation dedicated to data privacy. It establishes a legal framework that balances the right of individuals to protect their personal data with the need for organizations to process data for lawful purposes. The Act aims to build trust in the digital economy by making organizations accountable for how they handle personal information, impacting everyone from large corporations and startups to government agencies.

Scope & Applicability

Within India

Applies to all processing of digital personal data within India, whether the data is collected online or collected offline and later digitized.

Outside India (Extraterritorial)

Applies to data processing outside India if it's related to offering goods or services to individuals in India, or profiling them.

The Key Roles Explained

The Act defines several key roles to create a clear accountability structure for data processing. Understanding these roles is the first step to navigating the compliance landscape.

The Pillars of Data Protection

The DPDP Act is built on a foundation of core principles that govern how personal data must be handled. These principles are designed to empower individuals and ensure ethical data practices. At the same time, the Act grants individuals (Data Principals) a robust set of rights to control their personal information. This section explores both the foundational principles organizations must follow and the rights individuals can exercise.

Foundational Principles

Rights of the Data Principal

The Organizational Compliance Hub

Achieving compliance with the DPDP Act requires a proactive and strategic approach. It's not just a legal formality but a fundamental shift in data governance. This hub provides practical guidance for organizations, starting with the core obligations for all Data Fiduciaries and offering tailored insights for different industry sectors.

Core Obligations for Data Fiduciaries

Sector-Specific Implications


Enforcement & Penalties

The Act is enforced by the Data Protection Board of India (DPBI), an independent body with significant powers to investigate breaches and impose penalties. Non-compliance can result in substantial financial fines, designed to be a strong deterrent against negligent data handling. The chart below visualizes the maximum penalties for various breaches, highlighting the serious financial risks involved.

The Data Protection Board of India (DPBI)

The DPBI is the primary authority for adjudicating non-compliance. It functions as a digital-first body, allowing individuals to file complaints and participate in proceedings online. Its key powers include:

Penalties for Non-Compliance (up to ₹ in Crores)