Introduction
If you run a business in India and collect even a single piece of personal information — a customer’s name, a visitor’s phone number, an employee’s attendance log, or a face photo at reception — you are subject to India’s most significant data privacy law to date.
The Digital Personal Data Protection Act, 2023 (DPDP Act) came into operational effect on November 13, 2025, when the Government of India notified the DPDP Rules. The deadline for full compliance across organisations is May 13, 2027.
This guide explains, in plain English, what the DPDP Act is, why it matters, who it applies to, and what business leaders must do now.
Why India Needed a Data Protection Law
For years, personal data in India was governed by the Information Technology Act, 2000 and the IT (Reasonable Security Practices) Rules, 2011. These frameworks were designed for an earlier digital era — before smartphones, cloud infrastructure, biometric systems, and SaaS platforms became embedded in daily business operations.
In 2017, the Supreme Court of India in Justice K.S. Puttaswamy v. Union of India declared privacy a fundamental right under Article 21 of the Constitution. That ruling triggered the legislative journey toward comprehensive data protection reform.
After multiple drafts, consultations (including 6,915 stakeholder submissions before finalisation of the Rules), and parliamentary debate, the DPDP Act was enacted on August 11, 2023. The accompanying Rules were notified on November 14, 2025.
India now has a modern, enforceable data protection framework with significant penalties and a dedicated regulator.
What the DPDP Act Covers
The DPDP Act governs the processing of digital personal data.
This includes:
- Personal data collected digitally (web forms, apps, email, kiosks)
- Personal data collected offline but later digitised (paper forms entered into a system)
It does not apply to purely non-digital data that is never digitised.
The Act applies to:
- Any organisation processing personal data in India
- Any foreign organisation offering goods or services to individuals in India
Personal or domestic processing (e.g., maintaining a private address book) is excluded.
If your organisation processes personal data connected to individuals in India, the Act applies — regardless of where your servers are located.
Key Roles Under the DPDP Act
Understanding the three core roles in the Act is essential.
Data Principal
The individual whose personal data is processed.
In business contexts, this includes:
- Visitors entering your premises
- Employees using attendance or HR systems
- Customers interacting with your platform
- Contractors or vendors onsite
The law exists to protect the Data Principal. They have enforceable rights.
Data Fiduciary
The entity that determines the purpose and means of processing personal data.
If your organisation decides:
- Why data is collected
- What data is collected
- How it is used
You are the Data Fiduciary.
Most businesses fall into this category.
The Data Fiduciary carries primary compliance responsibility.
Data Processor
An entity that processes personal data on behalf of a Data Fiduciary, under instruction.
Typically:
- SaaS vendors
- IT service providers
- Cloud platforms
However, the Data Fiduciary remains accountable. Compliance liability cannot be outsourced.
You must ensure processors are compliant and execute a proper Data Processing Agreement (DPA).
The Seven Core Principles of the DPDP Act
The Act is principle-driven. These principles guide interpretation and enforcement.
Lawful Purpose
Personal data must be processed only for lawful purposes.
Processing must be based on:
- Valid consent, or
- A specified legitimate use under the Act
Consent-Led by Default
Consent must be:
- Free
- Specific
- Informed
- Unconditional
- Unambiguous
No pre-ticked boxes. No bundled consent. No implied agreement.
Data Minimisation
Collect only what is necessary.
If a visitor’s name and phone number suffice, do not request Aadhaar, date of birth, or home address.
Purpose Limitation
Use data only for the purpose declared at collection.
Secondary uses require fresh consent.
Storage Limitation
Retain personal data only as long as necessary.
“Keep it indefinitely” is no longer acceptable without lawful justification.
Security Safeguards
Implement proportionate technical and organisational safeguards, such as:
- Encryption
- Access controls
- Audit logs
- Multi-factor authentication
Security must match the sensitivity of data processed.
Accountability
The Data Fiduciary is accountable for compliance — including actions of its processors.
Legitimate Uses: When Consent Is Not Required
Section 7 provides limited exemptions where consent is not required, provided notice is given.
Common legitimate uses include:
- Employment-related processing (payroll, statutory filings)
- Contractual necessity
- Legal compliance
- Emergencies involving life or safety
- Government benefit administration
These exemptions are narrow.
For example, employment-related processing covers payroll and statutory compliance — not analytics-based employee profiling or marketing communications.
When in doubt, obtain consent.
Rights of Individuals Under the DPDP Act
Data Principals have enforceable rights:
Right to Access
Individuals can request details of personal data held and purposes of processing.
Right to Correction
Inaccurate or outdated data must be corrected upon request.
Right to Erasure
Data must be deleted once purpose is served or consent is withdrawn, unless retention is legally required.
Right to Grievance Redressal
Data Fiduciaries must provide a grievance contact mechanism.
Right to Nominate
Individuals may nominate someone to exercise rights in case of death or incapacity.
Right to Withdraw Consent
Withdrawal must be as easy as giving consent.
The Penalty Framework
The Act is enforced by the Data Protection Board of India (DPBI), operational since November 13, 2025.
Maximum penalties include:
- ₹250 crore for failure to implement adequate security safeguards
- ₹200 crore for failure to report breaches
- ₹200 crore for non-compliance with children’s data protections
- ₹50 crore for failure to fulfil Data Principal rights
- ₹50 crore for other violations
There is no minimum breach reporting threshold. All breaches must be reported.
Penalties apply per violation.
Compliance Timeline
November 13, 2025
DPBI operational; enforcement framework active.
November 13, 2026
Consent Manager registration opens.
May 13, 2027
Full compliance deadline. All obligations must be operational.
This includes:
- Privacy notices
- Consent management systems
- Security safeguards
- Breach notification processes
- Data retention controls
- Children’s data protections
- Data Principal rights workflows
What Business Leaders Should Do Now
Immediate actions:
- Map all personal data processed across your organisation
- Identify whether you act as Data Fiduciary, Processor, or both
- Review consent mechanisms
- Draft compliant privacy notices
- Audit third-party processors
- Define retention schedules
- Build deletion workflows
- Appoint a published grievance contact
Compliance requires operational planning. It cannot be achieved through policy documents alone.
The Bottom Line
The DPDP Act is fully operational law in India, backed by substantial financial penalties and an active regulator.
For most organisations, compliance affects daily operations — from reception desks to HR systems to SaaS platforms.
However, compliance is not merely defensive.
Organisations that embed privacy into operations strengthen trust, reduce regulatory risk, and build long-term credibility.
The organisations that begin structured compliance now will avoid crisis-driven implementation in 2027.
This article is for informational purposes only and does not constitute legal advice. For specific compliance requirements, consult a qualified data protection professional.
Onfra is a DPDP-aware workplace management platform helping Indian enterprises manage visitor, employee, contractor, and facility data in a privacy-compliant manner.