India's Digital Personal Data Protection Act, 2023 (DPDP) is the country's first comprehensive data-protection law. If your organisation handles the personal data of people in India - customers, employees or leads - it almost certainly applies to you. Here is the whole thing, without the legalese.
Who the law speaks to
DPDP defines two roles:
- Data Fiduciary - the organisation that decides why and how personal data is processed. That's most likely you. Fiduciaries carry the core obligations.
- Data Processor - a vendor that processes data on a fiduciary's behalf (your cloud, CRM or payroll provider). You remain accountable for them.
The individual whose data is processed is the Data Principal. Some large organisations may additionally be notified as Significant Data Fiduciaries (SDFs), with extra duties like appointing a Data Protection Officer and running periodic audits.
The four things you must operationalise
1. Notice
Before or at the point of collection, tell people - in clear, plain language - what data you collect, the purpose, and how they can exercise their rights and complain to the Data Protection Board.
2. Consent
Where consent is your basis for processing, it must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action. People must be able to withdraw consent as easily as they gave it, and you must be able to prove consent was obtained.
3. Data-principal rights
Individuals can access a summary of their data, request correction or erasure, nominate someone to act on their behalf, and seek grievance redressal. You must acknowledge and fulfil these requests within a reasonable time and keep evidence.
4. Security & breach reporting
You must apply reasonable security safeguards. If a breach occurs, you must notify the Data Protection Board and each affected Data Principal. Build the playbook before you need it - the window is short.
Rule of thumb: if you can answer "yes" to even one of "do we collect contact details, use analytics, collect IDs, market to people, or employ staff in India?" then DPDP applies. Take the 2-minute check →
Penalties
DPDP carries India's steepest data-protection penalties - up to ₹250 crore per instance for failure to take reasonable security safeguards to prevent a breach, and substantial penalties for other breaches of obligation. The Data Protection Board is operational, so this is a live, board-level exposure.
What good looks like
- A current map of the personal data you hold and where it lives.
- Consent and notice mechanisms you can evidence.
- A working data-principal request (DSAR) process.
- A breach-response plan with tracked timelines.
- Vendor governance over every processor that touches your data.
- An evidence trail that makes an audit boring.
That's exactly the checklist Niyam operationalises - discovery, consent, rights, breach tracking and evidence - with expert DPO support when you want it.
This guide is a plain-English summary for orientation, not legal advice. For obligations specific to your organisation, talk to our compliance team.