DPDP Act (Digital Personal Data Protection Act, India)
What is DPDP Act (Digital Personal Data Protection Act, India)?
DPDP Act (Digital Personal Data Protection Act, India)India's first comprehensive personal-data protection statute, enacted in August 2023 and being progressively operationalized, requiring lawful purpose for processing, consent notices, data-principal rights, breach notification, and a Data Protection Board of India.
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive privacy law, replacing the limited protections previously available under the Information Technology Act, Section 43A. It applies to processing of digital personal data within India, and to processing outside India that targets data principals in India. Core obligations on data fiduciaries (controllers) include processing only for a lawful purpose for which the data principal has given consent or for legitimate uses listed in the Act; serving itemized consent notices in plain language and 22 scheduled Indian languages; honouring rights of access, correction, erasure, grievance redressal, and nomination; notifying both the Data Protection Board of India and affected data principals of personal-data breaches; observing additional obligations for 'Significant Data Fiduciaries' (DPO, DPIAs, independent audits); and transferring data only to jurisdictions not blacklisted by the central government. Penalties scale to ₹250 crore (~US $30 million) per instance. The DPDP Rules, the operative regulations, began phased notification through 2024–2026.
● Examples
- 01
An Indian fintech ships consent notices in English plus the 22 scheduled languages and adds an in-app grievance redressal flow per DPDP Section 13.
- 02
A global SaaS provider serving Indian users designates an in-country grievance officer and updates its privacy notice to align with DPDP requirements.
● Frequently asked questions
What is DPDP Act (Digital Personal Data Protection Act, India)?
India's first comprehensive personal-data protection statute, enacted in August 2023 and being progressively operationalized, requiring lawful purpose for processing, consent notices, data-principal rights, breach notification, and a Data Protection Board of India. It belongs to the Compliance & Frameworks category of cybersecurity.
What does DPDP Act (Digital Personal Data Protection Act, India) mean?
India's first comprehensive personal-data protection statute, enacted in August 2023 and being progressively operationalized, requiring lawful purpose for processing, consent notices, data-principal rights, breach notification, and a Data Protection Board of India.
How does DPDP Act (Digital Personal Data Protection Act, India) work?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive privacy law, replacing the limited protections previously available under the Information Technology Act, Section 43A. It applies to processing of digital personal data within India, and to processing outside India that targets data principals in India. Core obligations on data fiduciaries (controllers) include processing only for a lawful purpose for which the data principal has given consent or for legitimate uses listed in the Act; serving itemized consent notices in plain language and 22 scheduled Indian languages; honouring rights of access, correction, erasure, grievance redressal, and nomination; notifying both the Data Protection Board of India and affected data principals of personal-data breaches; observing additional obligations for 'Significant Data Fiduciaries' (DPO, DPIAs, independent audits); and transferring data only to jurisdictions not blacklisted by the central government. Penalties scale to ₹250 crore (~US $30 million) per instance. The DPDP Rules, the operative regulations, began phased notification through 2024–2026.
How do you defend against DPDP Act (Digital Personal Data Protection Act, India)?
Defences for DPDP Act (Digital Personal Data Protection Act, India) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DPDP Act (Digital Personal Data Protection Act, India)?
Common alternative names include: Digital Personal Data Protection Act 2023, India DPDP.
● Related terms
- compliance№ 488
GDPR
The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- compliance№ 925
PIPL (Personal Information Protection Law, China)
China's comprehensive personal-information protection statute, effective November 2021, with GDPR-like data subject rights, strict cross-border transfer requirements, and substantial penalties enforced by the Cyberspace Administration of China.
- compliance№ 685
LGPD
Brazil's General Personal Data Protection Law (Law No. 13,709/2018), effective 18 September 2020, governing the processing of personal data by public and private entities.
- compliance№ 167
CCPA
The California Consumer Privacy Act, a U.S. state privacy law granting California residents rights over their personal information held by businesses.
- compliance№ 312
Data Protection Impact Assessment (DPIA)
A structured assessment, required by GDPR Article 35, that identifies and mitigates risks to individuals' rights and freedoms before high-risk personal data processing begins.
- privacy№ 317
Data Subject Access Request (DSAR)
A formal request from an individual to a controller asking which of their personal data is being processed and obtaining a copy of it, as guaranteed by GDPR Article 15 and similar laws.