DPDP 2023

DPDP Act 2023, explained in plain English

India's Digital Personal Data Protection Act, 2023 (DPDP) is the country's first comprehensive data-protection law. If your organisation handles the personal data of people in India - customers, employees or leads - it almost certainly applies to you. Here is the whole thing, without the legalese.

Who the law speaks to

DPDP defines two roles:

The individual whose data is processed is the Data Principal. Some large organisations may additionally be notified as Significant Data Fiduciaries (SDFs), with extra duties like appointing a Data Protection Officer and running periodic audits.

The four things you must operationalise

1. Notice

Before or at the point of collection, tell people - in clear, plain language - what data you collect, the purpose, and how they can exercise their rights and complain to the Data Protection Board.

2. Consent

Where consent is your basis for processing, it must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action. People must be able to withdraw consent as easily as they gave it, and you must be able to prove consent was obtained.

3. Data-principal rights

Individuals can access a summary of their data, request correction or erasure, nominate someone to act on their behalf, and seek grievance redressal. You must acknowledge and fulfil these requests within a reasonable time and keep evidence.

4. Security & breach reporting

You must apply reasonable security safeguards. If a breach occurs, you must notify the Data Protection Board and each affected Data Principal. Build the playbook before you need it - the window is short.

Rule of thumb: if you can answer "yes" to even one of "do we collect contact details, use analytics, collect IDs, market to people, or employ staff in India?" then DPDP applies. Take the 2-minute check →

Penalties

DPDP carries India's steepest data-protection penalties - up to ₹250 crore per instance for failure to take reasonable security safeguards to prevent a breach, and substantial penalties for other breaches of obligation. The Data Protection Board is operational, so this is a live, board-level exposure.

What good looks like

That's exactly the checklist Niyam operationalises - discovery, consent, rights, breach tracking and evidence - with expert DPO support when you want it.

This guide is a plain-English summary for orientation, not legal advice. For obligations specific to your organisation, talk to our compliance team.

See where your DPDP compliance stands.

Start a free gap analysis and get a prioritised plan to become DPDP-ready.