India's Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023) is a compact law of 9 chapters and 44 sections, but it reshapes how every business in India must handle customer data. This is the whole law in plain English: who it covers, what it requires, the rights it grants, the penalties it carries, and when it all kicks in.
Quick Answer: What Is the DPDP Act in One Paragraph?
The DPDP Act 2023 governs how any business or person processes the digital personal data of individuals in India. It requires a lawful basis — consent or a "legitimate use" — plus a clear notice, reasonable security, breach reporting, deletion when data is no longer needed, and respect for individuals' rights. It is enforced by the Data Protection Board of India, with penalties up to ₹250 Crore. In force from 13 November 2025; core obligations apply from 13 May 2027.
The Act at a Glance: 9 Chapters
| Chapter | What it covers |
|---|---|
| I — Preliminary | Short title, commencement, definitions (Section 2), and application (Section 3) |
| II — Obligations of Data Fiduciary | Grounds for processing, notice, consent, legitimate uses, general obligations, children's data, Significant Data Fiduciaries (Sections 4–10) |
| III — Rights & Duties of Data Principal | Access, correction/erasure, grievance, nomination, and duties (Sections 11–15) |
| IV — Special Provisions | Cross-border transfer, exemptions including the startup power (Sections 16–17) |
| V — Data Protection Board of India | Establishment and composition of the Board |
| VI — Powers & Procedure of the Board | How the Board investigates and functions |
| VII — Appeals & Alternative Dispute Resolution | Appeals to the Appellate Tribunal, mediation |
| VIII — Penalties & Adjudication | The Schedule of penalties and how they are imposed (Section 33) |
| IX — Miscellaneous | Rule-making power and residual provisions |
Who Does It Apply To? (Section 3)
The Act applies to the processing of digital personal data:
- Collected in digital form — or collected on paper and then digitised (Section 3(a))
- From outside India, where the processing is connected to offering goods or services to individuals in India (Section 3(b)) — so a foreign company with Indian customers is covered
It does not apply (Section 3(c)) to personal data processed by an individual for a purely personal or domestic purpose, or to personal data that has been made publicly available by the individual themselves or by someone under a legal obligation to publish it. There is no general small-business or turnover exemption; see our guide on whether DPDP applies to your business.
The Key Players
- Data Principal — the individual whose data is processed (your customer). See rights and duties.
- Data Fiduciary — the business that decides why and how data is processed (Section 2(i)). See business responsibilities.
- Data Processor — a vendor that processes data on the Fiduciary's behalf.
- Data Protection Board (DPB) — the regulator that investigates and imposes penalties.
The Core Obligations (Chapter II)
- Lawful basis (Section 4): process only with consent or a "legitimate use" (Section 7)
- Notice (Section 5): a clear, itemised notice before or at collection
- Consent (Section 6): free, specific, informed, unconditional, unambiguous — withdrawable as easily as given
- Security (Section 8(5)): reasonable safeguards; the DPDP Rules 2025 (Rule 6) list a minimum set
- Breach reporting (Section 8(6)): intimate the Board and affected people — see the 72-hour breach rule
- Erasure (Section 8(7)): delete data on withdrawal or when the purpose ends
- Children (Section 9): verifiable parental consent; no tracking or targeted ads at children
The Rights and Duties (Chapter III)
Individuals get four rights — access (Section 11), correction and erasure (Section 12), grievance redressal (Section 13), and nomination (Section 14) — plus five duties in Section 15. Full detail in our user rights guide.
Penalties and Deadlines
The Schedule sets maximum penalties per violation category: up to ₹250 Crore (security failure), ₹200 Crore (breach-notification failure), ₹200 Crore (children's data), ₹50 Crore (other), and ₹10,000 for a Data Principal who breaches their duties. See the complete penalties guide. The Act is in force from 13 November 2025; the core business obligations apply from 13 May 2027 (the timeline is in our DPDP Rules 2025 explainer).
What to Do Next
Start with our 14-step SMB checklist, confirm applicability with the free DPDP checker, and share the one-page summary with your team.
References & Sources
- Ministry of Electronics & IT, Government of India — The Digital Personal Data Protection Act, 2023 (Chapters I–IX; the Schedule).
- The Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E)) — operational rules and phased commencement.
- India Code — Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), official consolidated text.
This article is a general summary of the DPDP Act 2023 and DPDP Rules 2025, not legal advice. Section, chapter and rule references are cited from the official text; verify against the current notified version for your specific situation.