Explainer 9 min read · 1 July 2026

DPDP Act Summary: The Whole Law in Plain English (2026)

A plain-English summary of India's DPDP Act 2023 — all 9 chapters and 44 sections, who it covers, the key obligations, rights, penalties and deadlines — on one page, with a free downloadable guide.

Sedhu

Founder, EasyDP · Published 1 July 2026

Download the free one-page guide

Branded PDF summary with a QR code back to this guide — print it for your desk or team.

India's Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) is a compact law — 9 chapters and 44 sections — but it reshapes how every business in India must handle customer data. This is the whole law in plain English: who it covers, what it requires, the rights it grants, the penalties it carries, and when it all kicks in. Grab the free one-page guide at the end for your desk.

Quick Answer: What Is the DPDP Act in One Paragraph?

The DPDP Act 2023 governs how any business or person processes the digital personal data of individuals in India. It requires a lawful basis — consent or a "legitimate use" — plus a clear notice, reasonable security, breach reporting, deletion when data is no longer needed, and respect for individuals' rights. It is enforced by the Data Protection Board of India, with penalties up to ₹250 Crore. In force from 13 November 2025; core obligations apply from 13 May 2027.

The Act at a Glance: 9 Chapters

Chapter | What it covers
I — Preliminary | Short title, commencement, definitions (Section 2), and application (Section 3)
II — Obligations of Data Fiduciary | Grounds for processing, notice, consent, legitimate uses, general obligations, children's data, Significant Data Fiduciaries (Sections 4–10)
III — Rights & Duties of Data Principal | Access, correction/erasure, grievance, nomination, and duties (Sections 11–15)
IV — Special Provisions | Cross-border transfer, exemptions including the startup power (Sections 16–17)
V — Data Protection Board of India | Establishment and composition of the Board
VI — Powers & Procedure of the Board | How the Board investigates and functions
VII — Appeals & Alternative Dispute Resolution | Appeals to the Appellate Tribunal, mediation
VIII — Penalties & Adjudication | The Schedule of penalties and how they are imposed (Section 33)
IX — Miscellaneous | Rule-making power and residual provisions

Who Does It Apply To? (Section 3)

The Act applies to the processing of digital personal data:

  • Collected in digital form — or collected on paper and then digitised (Section 3(a))
  • From outside India, where the processing is connected to offering goods or services to individuals in India (Section 3(b)) — so a foreign company with Indian customers is covered

It does not apply to (Section 3(c)): personal data processed by an individual for a purely personal or domestic purpose, and personal data that has been made publicly available by the individual themselves or by someone under a legal obligation to publish it. There is no general small-business or turnover exemption — see our guide on whether DPDP applies to your business.

The Key Players

  • Data Principal — the individual whose data is processed (your customer). See rights and duties.
  • Data Fiduciary — the business that decides why and how data is processed (Section 2(i)). See business responsibilities.
  • Data Processor — a vendor that processes data on the Fiduciary's behalf.
  • Data Protection Board (DPB) — the regulator that investigates and imposes penalties.

The Core Obligations (Chapter II)

  • Lawful basis (Section 4): process only with consent or a "legitimate use" (Section 7)
  • Notice (Section 5): a clear, itemised notice before or at collection
  • Consent (Section 6): free, specific, informed, unconditional, unambiguous — withdrawable as easily as given
  • Security (Section 8(5)): reasonable safeguards; the DPDP Rules 2025 (Rule 6) list a minimum set
  • Breach reporting (Section 8(6)): intimate the Board and affected people — see the 72-hour breach rule
  • Erasure (Section 8(7)): delete data on withdrawal or when the purpose ends
  • Children (Section 9): verifiable parental consent; no tracking or targeted ads at children

The Rights and Duties (Chapter III)

Individuals get four rights — access (Section 11), correction and erasure (Section 12), grievance redressal (Section 13), and nomination (Section 14) — plus five duties in Section 15. Full detail in our user rights guide.

Penalties and Deadlines

The Schedule sets maximum penalties per violation category: up to ₹250 Crore (security failure), ₹200 Crore (breach-notification failure), ₹200 Crore (children's data), ₹50 Crore (other), and ₹10,000 for a Data Principal who breaches their duties. See the complete penalties guide. The Act is in force from 13 November 2025; the core business obligations apply from 13 May 2027 (the timeline is in our DPDP Rules 2025 explainer).

What to Do Next

Start with our 14-step SMB checklist, confirm applicability with the free DPDP checker, and download the one-page summary above to share with your team.

References & Sources

  1. Ministry of Electronics & IT, Government of India — The Digital Personal Data Protection Act, 2023 (Chapters I–IX; the Schedule).
  2. The Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E)) — operational rules and phased commencement.
  3. India Code — Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), official consolidated text.

This article is a general summary of the DPDP Act 2023 and DPDP Rules 2025, not legal advice. Section, chapter and rule references are cited from the official text; verify against the current notified version for your specific situation.