India’s Digital Personal Data Protection Act, 2023 (DPDP Act), creates India’s first comprehensive framework for protecting digital personal data. It sets out the obligations of organizations handling personal data, known as Data Fiduciaries, and the rights and duties of individuals, known as Data Principals.
The DPDP Act received presidential assent on August 11, 2023. The final Digital Personal Data Protection Rules, 2025 were notified in November 2025, marking the operationalization of the Act. The Rules provide a practical implementation framework for organizations with obligations under the Act.
In this article, we explain what businesses need to know to comply and how Ground Labs Enterprise Recon delivers the data intelligence needed for privacy, security and data posture management.
What is the Digital Personal Data Protection Act (DPDP Act)?
The DPDP Act is India’s digital personal data protection law. It regulates how organizations collect, use, store, share and protect digital personal data. It gives individuals rights over their data and places obligations on organizations that determine how and why personal data is processed.
Who needs to comply with the DPDP Act?
The main regulated organizations under the DPDP Act are called Data Fiduciaries. These are equivalent to Data Controllers in the GDPR. Data Fiduciaries determine the purpose and means of processing personal data. Meanwhile, Data Processors process personal data on behalf of Data Fiduciaries.
Several types of organizations fall into scope of the DPDP Act, including:
- businesses collecting customer or employee data in the region
- foreign companies offering goods or services to individuals in India
- digital platforms, SaaS providers, e-commerce companies and financial services organizations
- healthcare, education, telecom, travel and retail organizations
- organizations using vendors or processors to handle personal data
The Central Government of India may notify some Data Fiduciary organizations as significant based on the volume and sensitivity of data they process, or the perceived risks they pose to individuals, sovereignty, democracy and national security. These organizations have additional obligations under the DPDP Act.
What are the key obligations under the DPDPA?
Organizations need to understand what data they process, why they process it, what legal basis applies, how individuals can exercise their rights and how personal data is protected.
The main obligations of the DPDPA include:
- Process personal data only for lawful purposes – Organizations must have a clear and lawful reason for processing personal data. This may be based on consent or on another legitimate use allowed under the Act.
- Provide clear notice of data processing – Individuals must be told what personal data is being collected, why it is being processed, how they can exercise their rights and how they can raise complaints.
- Obtain and manage consent – Consent must be given by individuals through a clear affirmative action and must be free, informed and unambiguous. Organizations must also make it as easy to withdraw consent as it was to give it. For children, and for people who have a lawful guardian, the Act requires businesses to obtain verifiable consent from the parent or lawful guardian.
- Protect personal data – Organizations must implement reasonable safeguards to protect personal data from unauthorized access and data breaches. These safeguards are defined in the Rules and include encryption, masking, access controls, logging and monitoring, and remediation controls.
- Mandatory breach notification – Organizations are required to notify the Data Protection Board of India and all affected individuals when a personal data breach occurs.
- Delete personal data when no longer required – Organizations are expected to erase personal data when consent is withdrawn or when the purpose for processing has been fulfilled, unless retaining the data is legally required.
- Uphold individuals’ data rights – Individuals have the right to access information about their personal data and to request its correction and erasure. Organizations are required to uphold these rights.
- Manage third parties and processors – While Data Fiduciaries may use third parties and Data Processors, they remain accountable for personal data processed on their behalf. This means they need to ensure vendor contracts clearly define data security requirements, breach notification obligations and compliance responsibilities.
Additionally, Significant Data Fiduciaries must appoint a Data Protection Officer based in India, appoint an independent auditor and undertake Data Protection Impact Assessments.

What are the Digital Personal Data Protection Rules, 2025?
The DPDP Act sets the legal framework. The DPDP Rules, which were finalized in November 2025, explain the specific requirements organizations need to meet in practice.
They provide detailed implementation expectations covering notice of processing, consent management, security safeguards, breach notification, retention, processing children’s data, rights request processes, complaints handling, Significant Data Fiduciary obligations, Data Protection Board procedures and penalties.
The Rules also lay out a staggered implementation timeline running from November 2025 to May 2027.
What is the timeline to comply?
The most important deadline for most organizations is May 2027, when the main substantive obligations of the DPDP Act become enforceable.
| Phase | Timeline | Main focus | Priority activities |
| --- | --- | --- | --- |
| Phase 1 | Months 0-6 (Nov 2025 to May 2026) | Understand your data, risks and gaps | Data mapping and gap analysis; personal data inventory; SDF risk assessment; vendor and processor contract review; initial review of consent, notice, security, breach, retention and rights processes |
| Phase 2 | Months 6-12 (May 2026 to Nov 2026) | Design the operating model and technical controls | Consent and notice mechanisms; rights request workflows; consent withdrawal processes; technical safeguards; breach notification workflows; retention and deletion processes; DPO function where required; updated policies and procedures |
| Phase 3 | Months 12-18 (Nov 2026 to May 2027) | Deploy, test, audit and finalize | Production deployment; user acceptance testing; breach response tabletop exercises; rights request testing; retention and deletion validation; internal audits; evidence packs; final vendor contract execution |
What are the penalties for non-compliance?
The DPDP Act gives the Data Protection Board of India the power to impose significant monetary penalties.
The highest penalty applies to failure to implement reasonable security safeguards to prevent a personal data breach, which can attract a penalty of up to ₹250 crore. Failure to notify the Board or affected individuals of a breach can attract a penalty of up to ₹200 crore.
Breaches of obligations relating to children’s data can also reach ₹200 crore, while breaches of additional obligations for Significant Data Fiduciaries can reach ₹150 crore. Other breaches of the Act or Rules can attract penalties of up to ₹50 crore.
Why DPDPA compliance relies on data intelligence
DPDP Act compliance depends on being able to answer practical questions about personal data and how it is used.
Organizations need to know what personal data they collect, where it is stored, which systems process it, what purpose it is used for, who can access it and whether it is properly protected.
Data intelligence means more than finding personal data. It is also about assessing its security posture, prioritizing risks and supporting actions to reduce unnecessary data exposure.
How Enterprise Recon supports DPDP Act readiness
Ground Labs Enterprise Recon supports DPDP Act readiness by helping organizations build the data intelligence needed for privacy, security and data posture management.
For DPDP readiness, this supports four key outcomes:
- Identifying personal data – Enterprise Recon helps organizations identify where personal data resides across their digital estate, supporting data mapping, gap analysis, retention planning and breach investigation.
- Data classification – Enterprise Recon PRO supports classification labelling of data based on its sensitivity. This can be used to identify high-risk information, such as children’s data, among other sensitive data types that may need stronger security controls.
- Data risk scoring – Ground Labs Enterprise Recon supports risk scoring of sensitive data profiles over time, enabling organizations to evaluate their overall data risk profile.
- Exposure management and risk mitigation – Enterprise Recon delivers on-demand remediation for personal information, including encryption, masking and deletion, as well as the intelligence to support data minimization, retention cleanup and access governance reviews.
Enterprise Recon acts as a data intelligence layer for privacy and security teams. It helps organizations move from uncertainty to visibility, from visibility to action and from action to sustainable compliance.
Build your DPDPA readiness foundation with data intelligence
See how Ground Labs Enterprise Recon helps organizations identify personal data, assess exposure and reduce risk across complex environments.
DPDP Act frequently asked questions
What is the DPDP Act?
The DPDP Act is India’s digital personal data protection law. It regulates the processing of digital personal data, gives individuals rights over their data and places obligations on organizations that determine how and why personal data is processed.
Who does the DPDP Act apply to?
The Act applies to digital personal data processed in India where data is collected digitally or later digitized. It also applies outside India where processing relates to offering goods or services to individuals in India.
What are the DPDP Rules 2025?
The DPDP Rules 2025 are the operational rules that explain how the DPDP Act works in practice, covering notice, consent, security safeguards, breach notification, retention, children’s data, Data Principal rights, Consent Managers and SDF obligations.
When do the DPDP Rules become enforceable?
Some provisions came into force on November 13, 2025. The Consent Manager provisions come into force one year later, and the main substantive obligations come into force eighteen months after publication, in May 2027.

What is a Data Fiduciary?
A Data Fiduciary is a person or organization that determines the purpose and means of processing personal data, alone or with others.
What is a Significant Data Fiduciary?
A Significant Data Fiduciary is a Data Fiduciary or class of Data Fiduciaries notified by the Central Government based on factors such as volume and sensitivity of personal data, risk to individuals and broader public interest factors.
What are the penalties under the DPDP Act?
Penalties can reach up to ₹250 crore for failure to take reasonable security safeguards, up to ₹200 crore for breach notification failures or children’s data violations, up to ₹150 crore for SDF obligation breaches and up to ₹50 crore for other breaches.