Understanding the Digital Personal Data Protection Act, 2023: A Complete Overview


02 Jan 2026
Categories: Articles

The author, Himanshu Bodwal, is the Principal Founder of Medhavi Law Partners. He has over seven years of standing as an Advocate before the Hon’ble High Court of Delhi and the Trial Courts across Delhi and the NCR.

The Union Government notified the Digital Personal Data Protection Act, 2023 (DPDP Act) for enforcement on 13th November 2025, marking one of the most significant milestones in India’s digital regulatory landscape. The DPDP Rules, 2025 are also a significant step towards giving effect to the Supreme Court’s judgment in K.S. Puttaswamy v. Union of India (2017), which affirmed the Right to Privacy under Article 21 of the Constitution of India. With this, India enters a new phase of structured, rights-based and accountable data governance.

Background of the Digital Personal Data Protection Act, 2023 (DPDP Act)

In the modern era, defined by rapid technological expansion and the emergence of self-trainable Artificial Intelligence, the Digital Personal Data Protection Act, 2023 (DPDP Act) has been introduced to establish a comprehensive legal framework for safeguarding the digital personal data of the citizens of India.

It was an urgent need of the hour, as other countries had already developed regulations safeguarding their citizens’ personal information from the emerging threats of the AI revolution, such as Europe’s General Data Protection Regulation (GDPR), Singapore’s Personal Data Protection Act (PDPA), Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) (English: General Personal Data Protection Law) and others.

As India emerges as a global IT hub and digital headquarters for leading tech giants, a privacy-focused law that balances innovation and protection became an urgent requirement.
 

The Act aims to ensure that personal data is processed lawfully, transparently, securely, and for legitimate purposes, while giving individuals more control over their digital footprint.

Notification and Enforcement Details

The Government of India has formally operationalised the Digital Personal Data Protection Act, 2023 through a series of notifications published in the Official Gazette of India on 13th November 2025. These notifications lay down the rules, timelines and institutional framework necessary for the Act’s implementation.

  1. Release of the Digital Personal Data Protection Rules, 2025 — G.S.R. 846(E)

The long-anticipated DPDP Rules, 2025 have been officially notified, providing the detailed regulatory architecture required to give practical effect to the Act. These Rules serve as the cornerstone for compliance, governance mechanisms and procedural obligations.

  2. Phased Enforcement Timeline — G.S.R. 843(E)

The Government has also issued a structured, phased timeline for the enforcement of various provisions of the Act. The schedule is as follows:

  • Enforced Immediately: Section 1(2), Section 2, Sections 18–26, Sections 35, 38–43, and Section 44(1) & 44(3).
  • Within One Year: Section 6(9) and Section 27(1)(d).
  • Within Eighteen Months: Sections 3–5; Sections 6(1)–6(8) & 6(10); Sections 7–17; Sections 28–34; Sections 36–37; and Section 44(2).

This staggered approach allows organisations and public bodies adequate time to align their systems, processes and data management practices with statutory requirements.

  3. Constitution of the Data Protection Board of India — G.S.R. 844(E)

Through a separate notification, the Government has formally established the DATA PROTECTION BOARD OF INDIA, hereafter referred to as ‘the Board,’ which becomes functional with immediate effect.

  • The Board’s Head Office will be located in the National Capital Region (NCR), positioning it at the administrative centre of governance.

  4. Composition of the Data Protection Board — G.S.R. 845(E)

Further, the Government has specified the composition of the Board under Section 19 of the Act. As notified, the Data Protection Board of India will comprise four Members, who will collectively oversee adjudication, compliance scrutiny and enforcement under the DPDP framework. This marks the beginning of a unified and codified system governing data handling practices across digital platforms and organisations in India.

Key Terminologies of the Act:

  • Data: A representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means.
  • Personal Data: Any data about an individual who is identifiable by or in relation to such data. It covers any information that is digital, physical data that has been digitised, or inferred data that can be used to identify a person.
  • Data Principal: The individual to whom the personal data relates. It includes parents or lawful guardians acting for children, and guardians acting for persons with disabilities who cannot take legally binding decisions.
  • Data Fiduciary: Any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
  • Data Processor: Any person or entity that processes personal data on behalf of a Data Fiduciary.
  • Significant Data Fiduciary: Any Data Fiduciary or class of Data Fiduciaries notified as such by the Central Government under Section 10.
  • Consent Manager: A person registered with the Board who acts as a single point of contact enabling a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.
  • Personal Data Breach: Defined in Section 2(u) as any unauthorised processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
  • Data Protection Officer (DPO): A person designated by the Data Fiduciary whom the Data Principal can contact about their rights as a Data Principal or about any query relating to the processing of their personal data.
  • Data Protection Board of India (DPBI): An independent adjudicatory body established for enforcement, breach inquiries, penalties and overseeing compliance.

Key Features of the DPDP Act

RIGHTS OF THE DATA PRINCIPAL UNDER THE DPDP ACT, 2023

The Data Principal is entitled to exercise several fundamental rights concerning the processing and retention of their personal data. These rights empower the individual to control and manage the personal data held about them by a Data Fiduciary. The rights are as follows:

    1. Right to Access Information about Personal Data.
    2. Right to Correction and Erasure.
    3. Right to Grievance Redressal.
    4. Right to Nominate.

Right to Access Information, Correction and Erasure

The data protection law gives every individual important rights over their personal data. One of these is the Right to Access Information, which means you can ask a company or organisation (called a Data Fiduciary) what personal data it holds about you. Along with this, you also have the right to ask for your data to be corrected, completed or updated. This ensures that the Data Fiduciary takes reasonable steps to keep your information accurate, complete and consistent.

Another important right is the Right to Erasure. This right requires a Data Fiduciary to delete your personal data once the original purpose for collecting it has been fulfilled. It may keep the data only if the law requires it to do so. Before deleting your data, the Data Fiduciary must inform you at least 48 hours in advance that your data will be erased. This notification is not required if you contact the Data Fiduciary yourself to use its services or to exercise your rights. To help individuals use these rights easily, every Data Fiduciary must clearly publish on its website or app the details of how a Data Principal can make such a request, including the method, the information the Data Principal needs to provide and the steps involved.

 

Grievance Redressal and Nomination

The DPDP Rules mandate robust mechanisms for a Data Principal to seek recourse and ensure their rights are respected. The Right to Grievance Redressal is facilitated by the requirement that every Data Fiduciary and Consent Manager shall prominently publish, on its website or app, its grievance redressal system. This system must be capable of responding to the Data Principal's grievances within a reasonable period not exceeding 90 (Ninety) Days. To ensure the effectiveness of this system, the Data Fiduciary must implement appropriate technical and organisational measures. Additionally, the rules provide a mechanism for managing incapacity. A Data Principal may nominate one or more individuals to exercise their rights under the Act, in accordance with the Terms of Service of the Data Fiduciary and any applicable law.

 

OBLIGATIONS OF DATA FIDUCIARIES (ENTITIES PROCESSING DATA)

Data Fiduciaries that collect and use personal data will have about one year, i.e. until November 2026, to comply with certain provisions, such as publishing the details of their designated Data Protection Officer (DPO) as required by Section 6(9) of the Act. Section 27(1)(d) will also come into effect after one year; it allows the Board to penalise a Data Fiduciary for breach of any condition of registration of a Consent Manager.

 

Special Provisions for Significant Data Fiduciaries

The Digital Personal Data Protection Rules, 2025 impose additional, mandatory obligations on a Significant Data Fiduciary (SDF), recognizing the greater risk they pose due to the volume, sensitivity or potential impact of the personal data they process.

 

Data Protection Impact Assessments and Audits

A Significant Data Fiduciary (SDF) must undertake a Data Protection Impact Assessment (DPIA) and an audit at least once every twelve months from the date it is notified or included in the class of SDFs. The purpose of these exercises is to ensure the effective observance of the provisions of the Act and the Rules made thereunder. The SDF must ensure that the person carrying out the DPIA and audit furnishes a report to ‘the Board’ containing significant observations from the assessment and audit. Furthermore, the SDF must observe due diligence to verify that technical measures, including algorithmic software adopted by it for various processing activities (hosting, display, storage, etc.) are not likely to pose a risk to the Rights of Data Principals.

 

Data Protection Officer (DPO) and Enhanced Measures

The Rules set out the requirement for a Significant Data Fiduciary to undertake impact assessments and audits. The separate requirement for every Data Fiduciary to publish the contact details of its Data Protection Officer, or of a person able to answer questions about the processing of personal data, underlines the importance of that role, which naturally extends to an SDF. Given the rigorous compliance standards expected of an SDF, these entities are required to take measures to ensure that personal data, and the traffic data pertaining to its flow, of the kinds specified by the Central Government on the recommendations of a committee are not transferred outside the territory of India.

 

THE DATA PROTECTION BOARD OF INDIA

The DATA PROTECTION BOARD (the Board) is the specialised enforcement body established under the Digital Personal Data Protection Act, 2023, and detailed in the Rules, empowered to inquire into breaches, impose penalties, and oversee corrective measures.

 

Functions and Structure

The Board's primary function is to enforce the provisions of the Act and the Rules made thereunder. It is constituted by the Central Government, which is responsible for appointing the Chairperson and other Members after considering the suitability of individuals recommended by specific Search-cum-Selection Committees.

The Board is designed to function as a Digital Office. This means that without prejudice to its power to summon and enforce the attendance of any person and examine him/her under oath, it may adopt techno-legal measures to conduct proceedings in a manner that does not require the physical presence of any individual. This principle is also applied to the Appellate Tribunal for appeals against the Board's orders or directions.

 

Operational Procedures and Inquiry

Key procedural aspects of the Board include:

  • Quorum: One-third of the total membership of the Board constitutes the quorum for its meetings.
  • Decision Making: Questions are decided by a majority of the votes of Members present and voting.
  • Conflict of Interest: A Member who has an interest in any item of business cannot participate in or vote on that item.
  • Inquiry Period: The inquiry by the Board must be completed within six months from the date of receipt of the intimation, complaint, reference or direction under section 27 of the Act. This period can be extended by a further period not exceeding three months at a time, for reasons to be recorded in writing.

Any person aggrieved by an order or direction of the Board may prefer an appeal before the Appellate Tribunal. The appeal must be filed in Digital Form.

 

The Digital Personal Data Protection (DPDP) Act, 2023, is backed by a stringent penalty regime designed to ensure high levels of compliance from Data Fiduciaries and enforce accountability. The heaviest financial penalties are reserved for the most serious violations, such as data security failures and improper handling of children's data.

 

Heavy Financial Penalties

The penalties for non-compliance are substantial, with the maximum fine set at ₹250 crore for a single serious violation. These penalties are adjudicated and imposed by the Data Protection Board (the Board), which has powers akin to a civil court.

Key violations and their maximum penalty caps include:

  • Failure to take reasonable security safeguards to prevent a personal data breach: Up to ₹250 crore.
  • Failure to notify the Board and affected Data Principals of a data breach: Up to ₹200 crore.
  • Breach of additional obligations related to children's data (e.g., failure to obtain verifiable parental consent or engaging in targeted advertising u/s 9 of the Act): Up to ₹200 crore.
  • Breach of additional obligations of Significant Data Fiduciaries (e.g., failure to conduct audits or impact assessments): Up to ₹150 crore.
  • Non-fulfilment of Data Principal rights (e.g., access, correction, erasure): Up to ₹50 crore.

The Act focuses on financial penalties and does not impose criminal sanctions such as imprisonment for non-compliance. The goal is to deter non-compliance and incentivise businesses to implement robust data security and consent management practices.

 

Impact of the DPDP Framework on Businesses and Organisations

The implementation of the Digital Personal Data Protection (DPDP) framework necessitates significant operational adjustments for all businesses, domestic or foreign, operating in India that process personal data. These changes are crucial for aligning data management practices with the new legal requirements, ultimately enhancing digital trust and harmonising with global compliance standards such as the GDPR.

 

Key Operational Adjustments Required for Compliance

The DPDP Rules impose concrete responsibilities on Data Fiduciaries, requiring them to overhaul their data practices:

  • Implementing Robust Consent Systems: Businesses must adapt to the requirement for mandatory consent-based data processing by implementing systems that allow the Data Principal to give specific and informed consent and to easily withdraw his/her consent, with the ease of doing so being comparable to that with which consent was given. The notice preceding consent must be presented in clear and plain language and include an itemized description of the personal data and the specified purpose of its processing.
  • Reworking Privacy Policies: Data Fiduciaries must ensure their policies, often found on their websites or apps, are updated to facilitate the exercise of Data Principal rights. This includes publishing the means and particulars required for a Data Principal to make a request for exercising their rights.
  • Strengthening Cybersecurity Protocols: Businesses must adopt reasonable security safeguards to prevent a personal data breach. This involves implementing appropriate data security measures like encryption, obfuscation, masking, or the use of virtual tokens, controlling access to computer resources, and maintaining visibility on access through appropriate logs, monitoring, and review.
  • Conducting Compliance Audits: For Significant Data Fiduciaries (SDFs), the need for compliance is formalised through mandatory actions. An SDF must undertake a Data Protection Impact Assessment and an audit at least once every twelve months to ensure the effective observance of the Act and the Rules. Even non-SDFs must retain logs and personal data for a minimum of one year for specific purposes.
  • Re-evaluating Vendor and Third-party Arrangements: Accountability for processing is not offloaded to vendors. The Data Fiduciary must protect personal data processed by it or on its behalf by a Data Processor, requiring an appropriate provision in the contract between the Fiduciary and the Processor for taking reasonable security safeguards. A Data Fiduciary must also ensure its Data Processor retains data and associated logs for the requisite period before erasure.
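The controls listed above (purpose-specific consent that is as easy to withdraw as to give, masking of identifiers, access logging with a minimum retention period) and the erasure rule described earlier (deletion once the purpose is fulfilled, 48 hours' advance notice unless the Data Principal initiated the request, retention only where the law requires it) can be modelled together in a small piece of code. The following is an added example written for this article; it is not the article's own code, not any organisation's implementation and not legal advice. The 48-hour notice and one-year log retention figures are the ones the article gives; the class layout, field names, the `legal_hold` parameter standing in for "retention required by law", and all sample identifiers are assumptions made for illustration.

```python
# Constructed example: a minimal model of the consent, masking, logging and
# erasure controls described in the article. Not a real project's code.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
import hashlib
import hmac

NOTICE_BEFORE_ERASURE = timedelta(hours=48)  # article: 48 hours' advance notice
MIN_LOG_RETENTION = timedelta(days=365)      # article: logs kept for at least one year

EPOCH = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed reference time


def at(hours: float) -> datetime:
    """Helper for the demo: a timestamp 'hours' after the reference time."""
    return EPOCH + timedelta(hours=hours)


def mask_identifier(value: str, secret: bytes) -> str:
    """Keyed hash so audit logs carry a stable pseudonym instead of the raw
    identifier (one of the masking/tokenisation measures the article lists)."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class ConsentRecord:
    purposes: Set[str]            # itemised purposes the consent covers
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Fiduciary:
    log_secret: bytes             # assumed secret for pseudonymising log entries
    consents: Dict[str, ConsentRecord] = field(default_factory=dict)
    personal_data: Dict[str, dict] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)
    erasure_notices: Dict[str, datetime] = field(default_factory=dict)

    def give_consent(self, principal_id: str, purposes: Set[str],
                     data: dict, now: datetime) -> None:
        """Consent is recorded per itemised purpose, alongside the data it covers."""
        self.consents[principal_id] = ConsentRecord(set(purposes), now)
        self.personal_data[principal_id] = data

    def withdraw_consent(self, principal_id: str, now: datetime) -> None:
        """Withdrawal is a single call, as easy as giving consent."""
        self.consents[principal_id].withdrawn_at = now

    def process(self, principal_id: str, purpose: str, now: datetime) -> bool:
        """Purpose-bound access check; every attempt is logged under a pseudonym."""
        record = self.consents.get(principal_id)
        allowed = (record is not None and record.withdrawn_at is None
                   and purpose in record.purposes)
        self.audit_log.append({"at": now, "purpose": purpose, "allowed": allowed,
                               "principal": mask_identifier(principal_id, self.log_secret)})
        return allowed

    def schedule_erasure(self, principal_id: str, now: datetime,
                         principal_initiated: bool = False) -> None:
        """Start the erasure clock. Where the Data Principal asked for erasure
        themselves, no advance notice is needed, so the data goes immediately."""
        if principal_initiated:
            self._erase(principal_id)
        else:
            self.erasure_notices[principal_id] = now  # notice sent at 'now'

    def run_erasure(self, now: datetime,
                    legal_hold: Optional[Set[str]] = None) -> List[str]:
        """Erase data whose 48-hour notice has elapsed, except where retention is
        required by law (modelled here as a caller-supplied legal_hold set)."""
        hold = legal_hold or set()
        erased = []
        for pid, notified_at in list(self.erasure_notices.items()):
            if pid in hold or now - notified_at < NOTICE_BEFORE_ERASURE:
                continue
            self._erase(pid)
            erased.append(pid)
        return erased

    def _erase(self, principal_id: str) -> None:
        self.personal_data.pop(principal_id, None)
        self.consents.pop(principal_id, None)
        self.erasure_notices.pop(principal_id, None)

    def prune_logs(self, now: datetime) -> int:
        """Drop only log entries older than the one-year minimum; return the count kept."""
        self.audit_log = [e for e in self.audit_log if now - e["at"] < MIN_LOG_RETENTION]
        return len(self.audit_log)


if __name__ == "__main__":
    f = Fiduciary(log_secret=b"constructed-secret")
    f.give_consent("dp-001", {"billing"}, {"email": "user@example.com"}, at(0))
    print("billing allowed:", f.process("dp-001", "billing", at(1)))      # True
    print("marketing allowed:", f.process("dp-001", "marketing", at(1)))  # False
    f.withdraw_consent("dp-001", at(2))
    f.schedule_erasure("dp-001", at(3))
    print("erased after 47h:", f.run_erasure(at(50)))                      # []
    print("erased after 48h:", f.run_erasure(at(51)))                      # ['dp-001']
```

The audit log never stores the raw Data Principal identifier, so a leaked log does not by itself identify anyone, while the keyed hash still lets the operator correlate entries for the same person during a breach inquiry. Note that `run_erasure` skips, rather than deletes, the notice for a principal under legal hold, so the erasure resumes automatically once the hold is lifted.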

These operational adjustments ensure adherence to the principles of data minimization, security, and accountability across the entire data lifecycle.

 

Impact of the DPDP Framework on Citizens (Data Principals)

The Digital Personal Data Protection (DPDP) Act, 2023, and its Rules significantly strengthen the concept of Digital Autonomy for citizens (Data Principals). This foundational shift ensures that users are better informed, more empowered and have assured mechanisms to challenge the misuse of their personal data, thus laying the foundation for a more responsible digital ecosystem.

 

Conclusion: A Transformative Moment for India's Digital Future

The enforcement of the Digital Personal Data Protection (DPDP) Act is indeed a significant national shift toward Rights-based Digital Governance that will profoundly shape India's Digital future. This legislation is designed to ensure that the nation's rapid growth in high-tech domains like AI, fintech and e-commerce is sustainably balanced with core Principles of accountability, privacy and security.

By enforcing the DPDP Act, India takes a significant step toward a transparent, secure and technologically resilient future. The establishment of the Data Protection Board as a specialized, digitally functioning enforcement body ensures that these standards are not merely aspirational but are rigorously enforced, backed by heavy financial penalties for non-compliance. This comprehensive approach not only builds Digital Trust within India but also aligns its legal ecosystem with Global Data Protection regimes, enhancing its credibility in cross-border Digital Trade and International Cooperation.
