
Data Privacy Laws in India
The Complete 2026 Guide

India's principal data privacy law is the Digital Personal Data Protection Act, 2023 (the DPDP Act), operationalised by the DPDP Rules, 2025. This guide explains the whole landscape in plain English — what applies, the key concepts, how it compares to the GDPR, the penalties, and what businesses must do.

The DPDP Act replaces the older regime under the IT Act, 2000 (Section 43A and the 2011 SPDI Rules), and its obligations phase in on staggered timelines running into 2027 — with sectoral rules from the RBI, SEBI, and IRDAI layered on top.

DPDP: India's primary data privacy law (2023)
₹250 Cr: Maximum penalty per instance
2025: DPDP Rules operationalising the Act

DPDP Act 2023 · DPDP Rules 2025 · IT Act legacy · RBI / SEBI / IRDAI overlays · Last reviewed July 2026

Direct Answer

India's principal data privacy law is the Digital Personal Data Protection Act, 2023 (the DPDP Act). It is operationalised by the DPDP Rules, 2025, and it replaces the earlier framework under the Information Technology Act, 2000 — specifically Section 43A and the 2011 “Sensitive Personal Data or Information” (SPDI) Rules — which previously governed how organisations handled sensitive personal data. On top of the DPDP Act, several sectors carry their own data and security obligations: the RBI for banking and payments, SEBI for securities markets, and IRDAI for insurance. The DPDP Act's obligations phase in on staggered timelines running into 2027, so “data privacy laws in India” today means the DPDP Act and its 2025 Rules as the primary framework, the IT Act as the legacy layer being replaced, and sector-specific rules layered on top. The Act is enforced by the Data Protection Board of India, with penalties of up to ₹250 crore per instance.

The Landscape

What Counts as a Data Privacy Law in India

India does not have a single omnibus privacy code; it has a primary statute, the rules that operationalise it, a legacy regime being replaced, and sector-specific overlays. Here is how the pieces fit together.

DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 — the primary law

India's dedicated data privacy statute. It governs the processing of digital personal data, defines Data Fiduciaries and Data Principals, sets consent and notice rules, grants rights, and establishes the Data Protection Board of India as the enforcement authority.

Role: The principal framework going forward.

DPDP Rules, 2025

The Digital Personal Data Protection Rules, 2025

The subordinate rules that operationalise the Act — filling in the operational detail on consent notices, Consent Managers, breach intimation, safeguards, children’s-data verification, and Board procedure. Obligations are phased in on staggered timelines running into 2027.

Role: The operational rulebook under the Act.

IT Act, 2000 (legacy)

Section 43A + the SPDI Rules, 2011

The earlier regime under the Information Technology Act, 2000 — Section 43A and the 2011 “Sensitive Personal Data or Information” (SPDI) Rules — which governed reasonable security practices for sensitive personal data. The DPDP Act supersedes this framework as it comes into effect.

Role: The legacy framework being replaced.

Sectoral overlays

RBI · SEBI · IRDAI and other regulators

Regulated sectors carry their own data and security obligations that sit alongside the DPDP Act — for example RBI directions for banking and payments, SEBI rules for securities markets, and IRDAI norms for insurers. Regulated businesses must comply with both.

Role: Sector-specific obligations, in addition to the DPDP Act.

Key Concepts

The DPDP Act's Core Concepts

Four terms carry most of the weight in India's data protection law. Understand these and the rest of the Act reads far more easily. The DPDP hub covers each in depth.

Data Principal

The individual whose personal data is being processed — the person the data is about. For a child, the Data Principal includes their parent or lawful guardian.

Data Fiduciary

Any person or organisation that, alone or with others, determines the purpose and means of processing personal data. Fiduciaries carry the core obligations under the Act.

Consent & Legitimate Uses

Processing is generally built on free, specific, informed, unconditional, and unambiguous consent — or on a short, defined list of “legitimate uses” set out in the Act.

Significant Data Fiduciary

A class of fiduciary the Central Government may notify based on volume and sensitivity of data and risk factors. SDFs carry extra duties — a Data Protection Officer, DPIAs, and independent audits.

India vs the World

Does India Have a GDPR Equivalent?

The DPDP Act is India's closest counterpart to the EU's General Data Protection Regulation, and it draws on similar principles — consent, purpose limitation, data-principal rights, and breach notification. But the two laws differ in important ways. The DPDP Act is consent-centric with no general legitimate-interest basis, covers only digital personal data, treats anyone under 18 as a child, and grants a narrower set of rights (no explicit portability or right to object). A mature GDPR programme is a strong head start on DPDP, but it does not make you compliant automatically.

For a clause-by-clause breakdown — scope, lawful basis, consent, rights, children's data, cross-border transfer, and penalties — see the full DPDP Act vs GDPR comparison.

Enforcement

What Are the Penalties for Breaking the Law?

The DPDP Act is enforced by the Data Protection Board of India, which can impose monetary penalties of up to ₹250 crore per instance for the most serious defaults — failing to take reasonable security safeguards and personal data breaches. There is no percentage-of-turnover formula; the ceilings are fixed-rupee amounts set out in the Schedule to the Act, and they are applied per instance of non-compliance.

  • Failure to take reasonable security safeguards, and personal data breaches — up to ₹250 crore.
  • Failure to notify the Board and affected individuals of a breach — up to ₹200 crore.
  • Non-compliance with children's-data obligations — up to ₹200 crore.
  • Breach of Significant Data Fiduciary obligations — up to ₹150 crore.

For the full slab-by-slab schedule, the Board's powers, and the appeal route, see DPDP Act penalties & enforcement.

For Businesses

What Businesses Must Do

The DPDP Act applies to any organisation processing the digital personal data of individuals in India — regardless of the organisation's size or location. There is no government-issued “DPDP certificate” to obtain; compliance is an ongoing programme you build and evidence. In practice, the work looks like this:

  • Map your data: what personal data you hold, where it lives, why you process it, and who you share it with.
  • Rebuild consent and notices to be clear, itemised, and easy to withdraw — in plain language.
  • Stand up Data Principal rights: access, correction, completion, updating, erasure, grievance redressal, and nomination.
  • Implement reasonable security safeguards and a breach-intimation process for the Board and affected individuals.
  • Handle children’s data with verifiable parental consent and no tracking or targeted advertising to children.
  • If you may be notified as a Significant Data Fiduciary, prepare for a DPO, DPIAs, and independent data-protection audits.

Many organisations run this alongside an ISO 27001 ISMS — a genuine certification whose security controls overlap directly with the DPDP Act's safeguard requirements. If you would rather bring in help, our guide to DPDP consultants in India sets out how to choose one.

Data Privacy Laws in India — Common Questions

The questions people ask most about India's data protection laws.

What is the main data privacy law in India?

India's main data privacy law is the Digital Personal Data Protection Act, 2023 (the DPDP Act), operationalised by the DPDP Rules, 2025. It governs the processing of digital personal data, defines Data Fiduciaries and Data Principals, sets consent and notice rules, grants data-principal rights, and establishes the Data Protection Board of India as the enforcement authority. It replaces the earlier framework under the IT Act, 2000 (Section 43A and the 2011 SPDI Rules).

Is the DPDP Act in force?

The DPDP Act was enacted in 2023, and the DPDP Rules, 2025 provide the operational detail. Rather than a single hard switch-on date, its obligations are being brought into effect on staggered timelines running into 2027, giving organisations time to build compliance. Businesses should treat it as the law they must be preparing for now, not a future possibility.

Does India have a GDPR equivalent?

The DPDP Act is India's closest equivalent to the EU's GDPR and shares many of its principles — consent, purpose limitation, data-principal rights, and breach notification. However, it differs: the DPDP Act is consent-centric with no general legitimate-interest basis, covers only digital personal data, treats anyone under 18 as a child, and grants a narrower set of rights (no explicit data portability or right to object). GDPR compliance is a strong head start but does not make you DPDP-compliant automatically.

What replaced the IT Act framework for data protection?

Before the DPDP Act, data protection in India was governed mainly by Section 43A of the Information Technology Act, 2000 and the 2011 Sensitive Personal Data or Information (SPDI) Rules, which required reasonable security practices for sensitive personal data. The DPDP Act, 2023 supersedes this older regime as it comes into effect, providing a dedicated, comprehensive data privacy law.

Who must comply with the DPDP Act?

The DPDP Act applies to any organisation (a “Data Fiduciary”) that processes the digital personal data of individuals in India, regardless of its size or where it is located, including foreign companies offering goods or services to people in India. Regulated sectors such as banking, securities, and insurance must also comply with additional data and security obligations imposed by the RBI, SEBI, and IRDAI.

What are the penalties under the DPDP Act?

The Data Protection Board of India can impose monetary penalties of up to ₹250 crore per instance for the most serious defaults — failing to take reasonable security safeguards, and personal data breaches. Failing to notify a breach and non-compliance with children's-data obligations each carry up to ₹200 crore. The penalties are fixed-rupee ceilings set out in the Schedule to the Act, applied per instance — not a percentage of turnover.


Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Last reviewed: July 2026. Content verified by certified lead auditors.
