India's Digital Personal Data Protection Act 2023 became operational on 13 November 2025 with the notification of the DPDP Rules. The compliance clock now runs on a phased schedule — most substantive obligations land on 13 May 2027. That is not as far away as it sounds. This page is the working brief for organisations operating in or into India, with the practitioner work the new regime actually triggers.
The Rules take effect in three waves over 18 months. Phase I — the institutional foundation — is already live. Consent Manager provisions land in November 2026. The substantive compliance load — DSR machinery, security safeguards, breach reporting, children's data, SDF obligations — falls due on 13 May 2027.
The Act applies to digital personal data — collected digitally or digitised after collection — and reaches both Indian-resident processing and foreign processing tied to offering goods or services to Data Principals in India. The regime distinguishes Data Fiduciaries (controllers), Data Processors (processors) and Significant Data Fiduciaries (SDFs — additional obligations).
Data Fiduciary (Section 2(i) · Section 8 obligations): Any person who, alone or with others, determines the purpose and means of processing of digital personal data. Under DPDP, Data Fiduciaries carry the substantive compliance load: consent, notice, security, breach notification, DSR response, cross-border governance.
Data Processor (Section 2(k) · Section 8(2)): Any person who processes personal data on behalf of a Data Fiduciary. Bound by the contractual instructions of the Fiduciary and by the security obligations under the Act and Rules. Liability flows primarily to the Fiduciary, but processor obligations are real.
Significant Data Fiduciary (Section 10 · Rule 12): Notified Data Fiduciaries, designated by the Central Government based on volume, sensitivity, sovereignty and democratic risk factors. Carry additional obligations: DPO appointment, periodic DPIA, annual audit, technical due-diligence, cross-border restrictions per government-notified committee.
Extra-territorial reach (Section 3(b)): Foreign entities offering goods or services to Data Principals located in India fall within the Act's reach. The extra-territorial provision mirrors GDPR's Article 3(2) but is narrower in formulation, limited to "offering goods or services" rather than also covering monitoring of behaviour.
The substantive compliance load rests on six core obligation areas. Each has interlocking provisions in the Act and operational detail in the Rules. The list below maps each obligation to the section and rule references your DPO will live with for the next decade of Indian privacy practice.
Consent: Processing must rest on consent or one of the prescribed legitimate uses. Consent must be free, specific, informed, unconditional, unambiguous, with clear affirmative action, and capable of withdrawal as easily as it was given.
Notice: Notice must accompany the request for consent, in clear, plain language, specifying the personal data and purpose. The Rules prescribe content, format, language accessibility and the obligation to make the notice independently understandable.
Data Principal rights: Right to information, correction, completion, erasure and grievance redressal. Right to nominate. Each must be operationally exercisable through the Data Fiduciary, with documented response timelines and an escalation path to the DPB.
Cross-border transfer: Section 16 takes a restricted-list approach; transfer is permitted unless the destination is restricted by Central Government notification. The Rules layer additional restrictions for SDFs based on data categories identified by a notified committee.
Children's data: Verifiable parental consent is required for processing children's personal data. Tracking, behavioural monitoring and targeted advertising directed at children are prohibited. Persons with disabilities under guardianship are covered under analogous protections.
Breach notification: Notification to the Board and to affected Data Principals, without undue delay. Rule 7 prescribes the operational protocol, content, format and timeline. The DPB notification regime overlaps but does not replace existing CERT-In 6-hour reporting.
SDF status is not self-determined. The Central Government notifies an entity as an SDF based on volume of personal data processed, sensitivity of data categories, risk to electoral democracy, security of the State and public order. SDFs face five additional obligations on top of the Data Fiduciary baseline.
Once notified as an SDF, the entity has a defined window to operationalise the additional regime. The Rules clarified the technical due-diligence and cross-border committee provisions in November 2025 — with effective date in Phase III, May 2027.
Data Protection Officer: India-resident, reporting to the board. Single point of contact for Data Principals and the Board.
Independent data audit: Annual audit by an Independent Data Auditor on compliance with the Act and Rules.
Data Protection Impact Assessment: DPIA on processing operations posing significant risk; periodic review against rights, risks and Rules.
Technical due-diligence: Verification that algorithmic and technical measures do not pose risk to Data Principal rights, as clarified by the Rules.
Cross-border restrictions: Restriction on transferring categories of personal data outside India as identified by a Central Government committee.
Further prescribed measures: Any further obligations the Government may prescribe by Rules. This is an open-ended provision; the regime can expand.
The DPDP Act sets out specific penalty ceilings in its Schedule, by category of violation. The Data Protection Board levies these penalties after inquiry — with appeal rights to TDSAT. Unlike the percentage-of-turnover model in GDPR, the Indian penalties are absolute rupee figures, ceiling-capped per the Schedule.
| Penalty ceiling | Tier | Triggering violation | Practical scope | Schedule reference |
|---|---|---|---|---|
| ₹250 crore | Top tier | Failure to take reasonable security safeguards to prevent personal data breach. | The headline penalty. Tied to security-control failure leading to a breach. Aligned with Section 8(5) baseline obligations and Rule 6 minimum technical safeguards. | Schedule, Item 1 |
| ₹200 crore | High tier | Failure to notify the Board or affected Data Principals of a breach; violations relating to children's data. | Two distinct trigger paths at the same ceiling. Notification failure attaches to the Section 8(6) duty. Children's data violations attach to Section 9 and Rule 10. | Schedule, Items 2 and 3 |
| ₹150 crore | SDF tier | Significant Data Fiduciary breaches the additional obligations under Section 10. | Triggered by SDF non-compliance with DPO appointment, audit, DPIA, technical due-diligence or cross-border committee restrictions. Applies only post-notification as an SDF. | Schedule, Item 4 |
| ₹50 crore | Catch-all | Any other violation of the Act or Rules by a Data Fiduciary. | Residual catch-all band. Notice failures, consent-mechanism defects, DSR-response failures and other procedural breaches typically land here. | Schedule, Item 6 |
| ₹10,000 | Data Principal | Breach of duty by a Data Principal. | Frivolous or vexatious DSR; false impersonation; breach of Section 15 duties. Rare in practice but on the books. | Schedule, Item 5 |
The Board sets the actual penalty within the ceiling. Section 33 directs the Board to consider nature, gravity and duration of the violation, type of personal data affected, repetitive conduct, gain or benefit, mitigating action and public interest. Ceilings are maxima, not the default.
A practitioner-grade reference for the DPDP Act's structure. Useful for quickly orienting where a particular obligation, right or remedy lives within the Act — and which sections fall in which Chapter for cross-reference against the Rules.
What an organisation actually has to do — between today and 13 May 2027 — to be defensibly DPDP-compliant. Each workstream below maps to an obligation area. Some land harder than others depending on whether you are likely to be notified as an SDF, where your data sits, and who your Data Principals are.
Readiness assessment: Diagnostic against the full Act and Rules. Gap report against current state, prioritised remediation map, board-ready findings register. The starting point for every engagement.
SDF exposure assessment: Assessment of likely SDF notification probability based on data volume, sensitivity and sectoral overlay. Pre-positioning the SDF additional regime (DPO, audit, DPIA, technical due-diligence) for organisations with material exposure.
Consent architecture: Consent flow design that meets the affirmative-action, withdrawal-symmetry and Consent Manager interoperability requirements. Multi-language notice support per the Eighth Schedule. Consent record-keeping infrastructure.
Notice library: Plain-language notice library mapped to processing purposes, separated by audience, channel and language. Independent comprehensibility tested. Versioned and traceable to each consent collection event.
DSR machinery: Operational mechanism to receive, process and respond to Data Principal Requests within the timelines prescribed by Rule 13. Workflow ownership, response templates, escalation path to the DPB.
Children's data controls: Verifiable parental consent flows. Age-determination architecture. Tracking, behavioural-monitoring and targeted-advertising controls. Persons-with-disabilities pathway.
Cross-border governance: Inventory of cross-border flows. Restricted-list monitoring. SDF-specific committee scope tracking. Contractual mechanisms for permitted transfers.
DPO function: For SDFs, DPO recruitment or a fractional DPO function via DPOaaS. India-resident DPO mandate. Reporting line, board engagement, regulator-facing role.
DPIA programme: For SDFs, DPIA methodology, library of completed DPIAs by processing operation, periodic review cycle. Trigger criteria for DPIA refresh on material change.
Independent audit: For SDFs, Independent Data Auditor selection, annual audit programme, finding remediation, board readout. The audit is not optional and not internal.
Breach notification playbook: Section 8(6) and Rule 7 notification protocol. Severity rating, Board notification, individual notification scoping. CERT-In 6-hour overlay handled in parallel where the IT Act applies.
DPDP work is delivered through one of three engagement shapes — depending on whether you need the program built, the program operated, or specialist input on a defined question. The right shape depends on whether you are likely to be designated as an SDF, the maturity of your existing privacy function, and the timeline pressure you are under.
Build engagement: For organisations that need the DPDP program built end to end before May 2027. Readiness assessment, consent architecture, notice library, DSR machinery, breach playbook. Finite scope, fixed-fee, milestone-billed.
DPO-as-a-Service: For organisations notified as Significant Data Fiduciaries, or expecting to be, who need a named, India-resident DPO function without a full-time hire. DPO carried by us, regulator-facing, board-engaged.
Advisory retainer: For organisations with an in-house privacy function who need senior backup on harder DPDP questions: SDF determination, cross-border committee tracking, DPIA peer review, breach decisioning. Block-hour retainer.
The questions below come up consistently when organisations engage on DPDP for the first time — particularly post-Rules notification, when the May 2027 deadline becomes operationally real. If yours is not here, the contact form is the right place.
Most DPDP programs need 12 to 16 weeks of build work, plus operational runway before they can defensibly carry the load. That puts the realistic latest start date in the back half of 2026. A 30-minute scoping call costs nothing; we will tell you honestly where you sit, what the gap is, and what the right next step looks like for your organisation.