India's Digital Personal Data Protection Act 2023 is the country's first comprehensive data privacy law. If your business collects any personal information from Indian citizens — names, emails, phone numbers, health data — this law applies to you. Here is everything you need to know, explained simply.
What is the DPDP Act in Simple Terms?
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's answer to GDPR. It is a law that gives Indian citizens control over their personal data and places legal obligations on businesses that collect and use that data.
In plain English: if you collect someone's name, phone number, email, health information, financial details, or any other personal data — you need their explicit permission, you need to protect that data, and you need to respect their rights to access, correct, or delete it.
The law was passed in August 2023 and enforcement is actively being implemented. The Data Protection Board of India has been established and is operational. Businesses that ignore this law face fines up to Rs 250 crore.
This Law Applies to You
The DPDP Act applies to any business — Indian or foreign — that processes personal data of people in India. This includes your website contact form, your customer database, your employee records, your patient files, your student database, and your app's user data. If you collect any personal information from Indian citizens, you are covered.
Key Terms You Need to Understand
Data Principal — This is the person whose data you are collecting. Your customer, your patient, your student, your employee. Under the DPDP Act, they have significant rights over their own data.
Data Fiduciary — This is your business. If you decide what personal data to collect and why, you are the Data Fiduciary. You carry the primary legal responsibility for DPDP compliance.
Data Processor — A third party that processes data on your behalf — like a cloud service, a marketing platform, or an analytics tool. You are responsible for ensuring your processors are also compliant.
Consent — Under the DPDP Act, consent must be freely given, specific, informed, and unambiguous. A pre-ticked checkbox does not count. Burying consent in your terms and conditions does not count. You need clear, active consent for each specific purpose.
What Does the DPDP Act Require Businesses to Do?
Get Explicit Consent — Before collecting personal data, clearly explain what you are collecting and why. Get active agreement — not assumed consent.
Use Data Only for Stated Purpose — If you collected an email for delivery notifications, you cannot use it for marketing without fresh consent.
Protect the Data — Implement reasonable security measures to protect personal data from breaches and unauthorized access.
Handle Data Deletion Requests — If someone asks you to delete their data, you must do so within 30 days and provide proof.
Notify Breaches — If personal data is compromised, notify the Data Protection Board and affected individuals promptly.
Maintain Records — Keep records of what data you process, why, and for how long. This is your ROPA document.
Appoint a Grievance Officer — Designate a point of contact for data-related complaints from data principals.
What Are the Penalties for Non-Compliance?
The DPDP Act has a tiered penalty structure:
Failure to implement security safeguards: Up to Rs 250 crore
Failure to notify data breach: Up to Rs 200 crore
Non-compliance with children's data provisions: Up to Rs 200 crore
Failure to respond to Data Subject Access Requests: Up to Rs 10,000 per day of delay
Other violations: Up to Rs 50 crore per instance
These are not theoretical numbers. The Data Protection Board of India is actively investigating complaints.
Who is Most at Risk?
Hospitals and Healthcare Providers — Health data is classified as sensitive personal data under DPDP — the highest risk category.
Fintech and Financial Services — Banks, NBFCs, payment apps, and lending platforms collect financial data, Aadhaar numbers, and PAN details.
Schools and Educational Institutions — Schools collect data of minors. The DPDP Act has special provisions for children's data requiring verifiable parental consent.
E-Commerce Platforms — Online retailers collect names, addresses, payment details, and purchase histories at scale.
How to Get Started with DPDP Compliance
Audit your data collection — List every place your business collects personal data.
Check your consent — Do you have clear, explicit consent for each data collection point?
Generate your ROPA — Create a Records of Processing Activities document.
Set up a consent management system — Record, store, and prove consent for every data collection.
Create a DSAR process — Know what to do when a customer asks for their data or requests deletion.
Designate a Grievance Officer — Appoint someone as the data protection point of contact.
Get DPDP Compliant in Days, Not Months
ClearDPDP automates the most complex parts of DPDP compliance — consent management, ROPA generation, DSAR tracking, and compliance reporting. Start your free trial today and see your compliance risk score in under 5 minutes.
Start Free 7-Day Trial at ClearDPDP — No credit card required.
Published by ClearDPDP — India's AI-first DPDP compliance platform. Visit ClearDPDP