Data Privacy Laws in India
The Complete 2026 Guide
India's principal data privacy law is the Digital Personal Data Protection Act, 2023 (the DPDP Act), operationalised by the DPDP Rules, 2025. This guide explains the whole landscape in plain English — what applies, the key concepts, how it compares to the GDPR, the penalties, and what businesses must do.
The DPDP Act replaces the older regime under the IT Act, 2000 (Section 43A and the 2011 SPDI Rules), and its obligations phase in on staggered timelines running into 2027 — with sectoral rules from the RBI, SEBI, and IRDAI layered on top.
DPDP Act 2023 · DPDP Rules 2025 · IT Act legacy · RBI / SEBI / IRDAI overlays · Last reviewed July 2026
Direct Answer
India's principal data privacy law is the Digital Personal Data Protection Act, 2023 (the DPDP Act). It is operationalised by the DPDP Rules, 2025, and it replaces the earlier framework under the Information Technology Act, 2000 — specifically Section 43A and the 2011 “Sensitive Personal Data or Information” (SPDI) Rules — which previously governed how organisations handled sensitive personal data. On top of the DPDP Act, several sectors carry their own data and security obligations: the RBI for banking and payments, SEBI for securities markets, and IRDAI for insurance. The DPDP Act's obligations phase in on staggered timelines running into 2027, so “data privacy laws in India” today means the DPDP Act and its 2025 Rules as the primary framework, the IT Act as the legacy layer being replaced, and sector-specific rules layered on top. The Act is enforced by the Data Protection Board of India, with penalties of up to ₹250 crore per instance.
The Landscape
What Counts as a Data Privacy Law in India
India does not have a single omnibus privacy code. It has a primary statute, the rules that operationalise it, a legacy regime being replaced, and sector-specific overlays. Here is how the pieces fit together.
DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 — the primary law
India's dedicated data privacy statute. It governs the processing of digital personal data, defines Data Fiduciaries and Data Principals, sets consent and notice rules, grants rights, and establishes the Data Protection Board of India as the enforcement authority.
Role: The principal framework going forward.
DPDP Rules, 2025
The Digital Personal Data Protection Rules, 2025
The subordinate rules that operationalise the Act — filling in the operational detail on consent notices, Consent Managers, breach intimation, safeguards, children’s-data verification, and Board procedure. Obligations are phased in on staggered timelines running into 2027.
Role: The operational rulebook under the Act.
IT Act, 2000 (legacy)
Section 43A + the SPDI Rules, 2011
The earlier regime under the Information Technology Act, 2000: Section 43A and the 2011 “Sensitive Personal Data or Information” (SPDI) Rules, which required body corporates to follow reasonable security practices when handling sensitive personal data and made them liable to compensate for negligence. The DPDP Act supersedes this framework as its provisions come into effect.
Role: The legacy framework being replaced.
Sectoral overlays
RBI · SEBI · IRDAI and other regulators
Regulated sectors carry their own data and security obligations that sit alongside the DPDP Act — for example RBI directions for banking and payments, SEBI rules for securities markets, and IRDAI norms for insurers. Regulated businesses must comply with both.
Role: Sector-specific obligations, in addition to the DPDP Act.
Key Concepts
The DPDP Act's Core Concepts
Four terms carry most of the weight in India's data protection law. Understand these and the rest of the Act reads far more easily. The DPDP hub covers each in depth.
Data Principal
The individual whose personal data is being processed — the person the data is about. For a child, the Data Principal includes their parent or lawful guardian.
Data Fiduciary
Any person or organisation that, alone or with others, determines the purpose and means of processing personal data. Fiduciaries carry the core obligations under the Act.
Consent & Legitimate Uses
Processing rests either on consent that is free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action, or on the short, closed list of “legitimate uses” set out in the Act (such as voluntarily provided data, state functions, medical emergencies, and employment purposes).
Significant Data Fiduciary
A class of fiduciary the Central Government may notify based on volume and sensitivity of data and risk factors. SDFs carry extra duties — a Data Protection Officer, DPIAs, and independent audits.
India vs the World
Does India Have a GDPR Equivalent?
The DPDP Act is India's closest counterpart to the EU's General Data Protection Regulation, and it draws on similar principles — consent, purpose limitation, data-principal rights, and breach notification. But the two laws differ in important ways. The DPDP Act is consent-centric with no general legitimate-interest basis, covers only digital personal data, treats anyone under 18 as a child, and grants a narrower set of rights (no explicit portability or right to object). A mature GDPR programme is a strong head start on DPDP, but it does not make you compliant automatically.
For a clause-by-clause breakdown — scope, lawful basis, consent, rights, children's data, cross-border transfer, and penalties — see the full DPDP Act vs GDPR comparison.
Enforcement
What Are the Penalties for Breaking the Law?
The DPDP Act is enforced by the Data Protection Board of India, which can impose monetary penalties of up to ₹250 crore per instance for the most serious default: failing to take reasonable security safeguards to prevent a personal data breach. There is no percentage-of-turnover formula; the ceilings are fixed-rupee amounts set out in the Schedule to the Act, and they are applied per instance of non-compliance.
- Failure to take reasonable security safeguards to prevent a personal data breach: up to ₹250 crore.
- Failure to notify the Board and affected individuals of a breach: up to ₹200 crore.
- Non-compliance with children's-data obligations: up to ₹200 crore.
- Breach of Significant Data Fiduciary obligations: up to ₹150 crore.
For the full slab-by-slab schedule, the Board's powers, and the appeal route, see DPDP Act penalties & enforcement.
For Businesses
What Businesses Must Do
The DPDP Act applies to any organisation processing the digital personal data of individuals in India, whatever its size, and to processing outside India in connection with offering goods or services to people in India. There is no government-issued “DPDP certificate” to obtain; compliance is an ongoing programme you build and evidence. In practice, the work looks like this:
- Map your data: what personal data you hold, where it lives, why you process it, and who you share it with.
- Rebuild consent and notices to be clear, itemised, and easy to withdraw — in plain language.
- Stand up Data Principal rights: access, correction, completion, updating, erasure, grievance redressal, and nomination.
- Implement reasonable security safeguards and a breach-intimation process for the Board and affected individuals.
- Handle children’s data with verifiable parental consent and no tracking or targeted advertising to children.
- If you may be notified as a Significant Data Fiduciary, prepare for a DPO, DPIAs, and independent data-protection audits.
Many organisations run this alongside an ISO 27001 ISMS — a genuine certification whose security controls overlap directly with the DPDP Act's safeguard requirements. If you would rather bring in help, our guide to DPDP consultants in India sets out how to choose one.
Data Privacy Laws in India — Common Questions
The questions people ask most about India's data protection laws.
What is the main data privacy law in India?
India's main data privacy law is the Digital Personal Data Protection Act, 2023 (the DPDP Act), operationalised by the DPDP Rules, 2025. It governs the processing of digital personal data, defines Data Fiduciaries and Data Principals, sets consent and notice rules, grants data-principal rights, and establishes the Data Protection Board of India as the enforcement authority. It replaces the earlier framework under the IT Act, 2000 (Section 43A and the 2011 SPDI Rules).
Is the DPDP Act in force?
The DPDP Act received Presidential assent in August 2023, and the DPDP Rules, 2025, notified in November 2025, supply the operational detail. Rather than a single hard switch-on date, the Act's provisions are being brought into force in stages, with obligations phased in on staggered timelines running into 2027 to give organisations time to build compliance. Businesses should treat it as the law they must be preparing for now, not a future possibility.
Does India have a GDPR equivalent?
The DPDP Act is India's closest equivalent to the EU's GDPR and shares many of its principles — consent, purpose limitation, data-principal rights, and breach notification. However, it differs: the DPDP Act is consent-centric with no general legitimate-interest basis, covers only digital personal data, treats anyone under 18 as a child, and grants a narrower set of rights (no explicit data portability or right to object). GDPR compliance is a strong head start but does not make you DPDP-compliant automatically.
What replaced the IT Act framework for data protection?
Before the DPDP Act, data protection in India was governed mainly by Section 43A of the Information Technology Act, 2000 and the 2011 Sensitive Personal Data or Information (SPDI) Rules, which required reasonable security practices for sensitive personal data. The DPDP Act, 2023 supersedes this older regime as it comes into effect, providing a dedicated, comprehensive data privacy law.
Who must comply with the DPDP Act?
The DPDP Act applies to any organisation — a 'Data Fiduciary' — that processes the digital personal data of individuals in India, regardless of its size or where it is located, including foreign companies offering goods or services to people in India. Regulated sectors such as banking, securities, and insurance must also comply with additional data and security obligations imposed by the RBI, SEBI, and IRDAI.
What are the penalties under the DPDP Act?
The Data Protection Board of India can impose monetary penalties of up to ₹250 crore per instance for the most serious default: failing to take reasonable security safeguards to prevent a personal data breach. Failing to notify a breach and non-compliance with children's-data obligations each carry up to ₹200 crore, and breach of Significant Data Fiduciary obligations up to ₹150 crore. The penalties are fixed-rupee ceilings set out in the Schedule to the Act, applied per instance, not a percentage of turnover.
Continue your data privacy research
- DPDP Act compliance hub — the full guide to the Act and the Rules 2025.
- DPDP Act vs GDPR — a clause-by-clause comparison.
- DPDP penalties & enforcement — the ₹250 crore schedule and the Board's powers.
- DPDP consultants in India — how to choose an advisor.
- More on the Learn hub, including data governance frameworks and GRC.