DPDP Act 2023 · Knowledge Hub
Your comprehensive resource for understanding India's Digital Personal Data Protection Act 2023 and the newly released DPDP Rules 2025. From foundational guides to advanced implementation strategies, templates, and expert-level analysis - everything you need for complete compliance.
Obligations phase in through 2027 under the DPDP Rules 2025, and penalties reach ₹250 crore per instance — this hub maps every obligation, right, and deadline.
DPDP Act 2023 + DPDP Rules 2025 · Last reviewed June 2026
Direct Answer
What is the DPDP Act 2023 — and who must comply?
India's Digital Personal Data Protection Act, 2023 (DPDP Act) is the country's first comprehensive data privacy law, and the DPDP Rules 2025 convert its principles into operational obligations. Together they regulate every data fiduciary — any organization that determines why and how the digital personal data of individuals in India is processed. That includes Indian startups and enterprises as well as foreign companies that process personal data in connection with offering goods or services to people in India, regardless of where their servers sit.
Compliance is arriving in phases that run into 2027. The Act received assent in August 2023, and the Rules notified in 2025 stagger the operative duties — consent notices, verifiable parental consent, security safeguards, and breach reporting land first, while Consent Manager registration and Significant Data Fiduciary (SDF) obligations follow. SDFs, designated for high-volume or high-risk processing, must additionally appoint an India-based Data Protection Officer, commission independent data audits, and run periodic Data Protection Impact Assessments.
The stakes are significant: the Data Protection Board can impose penalties of up to ₹250 crore per instance for failures such as inadequate security safeguards — you can model your exposure with our DPDP penalty calculator. A typical SME compliance program costs ₹1.5–4 lakhs (indicative) and is best started 6–9 months before your obligations crystallize.
This hub is the map. Start with our DPDP Rules 2025 deep dive, then work through the guides below covering obligations, rights, consent, breach response, and cross-border transfers. When you want hands-on help, our DPDP compliance consulting team has delivered 500+ audits to date — see the verified outcomes on our proof page — or compare providers in our review of the top DPDP consultants in India.
The Guides
Explore the DPDP Knowledge Hub
Fourteen in-depth guides covering every obligation, right, rule, and sector under the DPDP Act 2023 and the DPDP Rules 2025.
DPDP Rules 2025
Comprehensive guide to the newly released Digital Personal Data Protection Rules 2025 with 23 rules and 7 schedules.
Data Fiduciary Obligations
Understanding Sections 4-10 covering grounds for processing, notice requirements, consent, and general obligations.
Data Principal Rights
Complete guide to Sections 11-15 covering rights to access, correction, erasure, grievance redressal, and nomination.
Consent Management
Deep dive into Section 6 consent requirements and Rule 4 Consent Manager registration and obligations.
Data Breach Notification
Rule 7 requirements for intimation of personal data breach, timelines, and notification procedures.
Cross-Border Transfer
Section 16 and Rule 15 requirements for transferring personal data outside India.
Penalties & Enforcement
Sections 33-34 penalty framework with fines up to ₹250 Crores and enforcement mechanisms.
DPDP Penalty Calculator
Interactive tool to estimate your organization's potential DPDP fine exposure based on violation type, company size, and data volume.
Significant Data Fiduciary
Section 10 and Rule 13 additional obligations for SDFs including DPIA, audits, and DPO requirements.
DPDP Compliance Checklist
Practical step-by-step compliance checklist for organizations to achieve DPDP Act compliance.
Implementation Roadmap
12-month implementation timeline with phases, resource allocation, indicative budgets (₹1.5–4 Lakhs), and critical milestones.
DPDP vs GDPR Comparison
Side-by-side comparison of DPDP Act and GDPR covering 12 key aspects with practical guidance for dual compliance.
Templates & Resources
Comprehensive templates for Privacy Notice, DPA, Consent Forms, DPIA, Breach Notifications, and Data Inventory.
Sectoral Analysis
Industry-specific DPDP guidance for Fintech, Healthcare, SaaS, E-commerce, HR Tech, and EdTech sectors.
Advanced Topics
Expert-level guidance on consent management, cross-border transfers, children's data, legitimate uses, and conflict resolution.
DPDP Act — Frequently Asked Questions
Straight answers to the questions Indian and global teams ask before starting DPDP compliance.
Who must comply with the DPDP Act 2023?
Every data fiduciary — any organization that decides the purpose and means of processing digital personal data of individuals in India. The Act also applies extraterritorially to foreign companies that process personal data in connection with offering goods or services to data principals in India. Obligations scale with risk: high-volume or high-risk processors can be designated Significant Data Fiduciaries with additional duties.
What is the deadline for DPDP compliance?
Compliance is phased. The Act received assent in August 2023, and the DPDP Rules 2025 stagger the operative obligations over a runway extending into 2026–27 — consent notices, security safeguards, and breach reporting arrive first, with Consent Manager registration and Significant Data Fiduciary duties following. Because data mapping, consent re-engineering, and vendor contract updates take months, most organizations should start 6–9 months before their obligations bite.
What are the penalties under the DPDP Act?
The Data Protection Board can impose monetary penalties of up to ₹250 crore per instance for failing to maintain reasonable security safeguards, up to ₹200 crore for breach-notification and children’s-data violations, and lower slabs for other defaults. Penalties apply per instance, so a single incident that touches several obligations can compound quickly.
What is a Significant Data Fiduciary (SDF)?
An SDF is a class of data fiduciary designated by the central government based on factors such as the volume and sensitivity of personal data processed and the risk to data principals, electoral democracy, state security, or public order. SDFs must appoint an India-based Data Protection Officer, engage an independent data auditor, and conduct periodic Data Protection Impact Assessments and audits.
How much does DPDP compliance cost in India?
For most SMEs and mid-market companies, an end-to-end DPDP compliance program — gap assessment, data mapping, policies, consent flows, breach playbooks, and training — costs ₹1.5–4 lakhs (indicative). The final figure depends on your data footprint, the number of processing activities, and whether Significant Data Fiduciary obligations apply.
We already comply with GDPR — does that cover DPDP?
A GDPR program gives you a strong head start but does not equal DPDP compliance. The DPDP Act is consent-centric with no legitimate-interest ground, introduces India-specific concepts like Consent Managers and Significant Data Fiduciaries, and requires breach notification to both the Data Protection Board and affected data principals. The DPDP vs GDPR comparison in this hub details the deltas you still need to close.
Written By Expert Auditors
Keep Exploring
Related Reading
DPDP Act Overview
India's Digital Personal Data Protection Act, explained.
DPDP Rules 2025
The subordinate rules under the DPDP Act — timelines, obligations, SDF thresholds.
DPDP Compliance Checklist
A step-by-step checklist for DPDP Act readiness.
DPDP Penalties & Enforcement
Penalty tiers up to ₹250 Cr and the Data Protection Board process.
DPDP Consent Management
Lawful consent collection, withdrawal and record-keeping under the DPDP Act.
DPDP vs GDPR
Side-by-side comparison for companies subject to both regimes.