Scroll to top

Understanding DPDPA 2023

March 10, 2026 DPDPA 2023

The Digital Personal Data Protection Act 2023 (DPDPA) is India's first comprehensive data protection legislation. It applies to any organization processing digital personal data of individuals in India β€” regardless of where the organization is located. Here's what DPDPA actually requires and what organizations must do to comply.

  1. Who Must Comply with DPDPA

    DPDPA applies to 'Data Fiduciaries' β€” any entity that determines the purpose and means of processing personal data of 'Data Principals' (individuals). This covers virtually every Indian business that collects personal data digitally: e-commerce platforms, BFSI institutions, healthcare organizations, employers maintaining employee data, and technology companies. It also applies to foreign organizations processing personal data of individuals in India.

  2. Consent is the Foundation

    DPDPA requires 'free, specific, informed, unconditional and unambiguous' consent for processing personal data. Consent must be given through a 'consent notice' that is clear and plain, and must be specific to the purpose. Pre-ticked boxes, bundled consents, and vague purpose descriptions do not satisfy DPDPA consent requirements. Organizations must build consent management systems that capture, store, and honor consent decisions.

  3. Data Principal Rights

    DPDPA grants individuals (Data Principals) the right to: access information about their data being processed; correct or update inaccurate data; erase their data when it is no longer needed; withdraw consent at any time; and nominate another person to exercise rights on their behalf. Organizations must build mechanisms to receive and respond to these requests within the prescribed timelines.

  4. Data Protection Officer Requirements

    Significant Data Fiduciaries (a category to be defined by the government based on volume and sensitivity of data processed) must appoint a Data Protection Officer (DPO) who is a key managerial person, is responsible for compliance with DPDPA, and reports to the Board of Directors. The DPO must be based in India and be an accessible point of contact for Data Principals and the Data Protection Board.

  5. Breach Notification

    DPDPA requires Data Fiduciaries to notify the Data Protection Board and affected Data Principals of personal data breaches 'in such form and manner as may be prescribed.' The notification requirement applies to any breach that is likely to cause harm to Data Principals. Organizations must build breach detection and notification workflows that can operate within the regulatory timeline.

  6. VinfraSec's DPDPA Approach

    VinfraSec implements DPDPA compliance using data flow mapping, consent management platform implementation, DPO advisory, and IaC-based security controls. Our approach is architecture-led β€” DPDPA requirements are implemented as continuously enforced technical controls, not manual compliance checklists.

Need India Compliance Help?

Book a free gap assessment with VinfraSec.

Book Free Assessment

Free India Compliance Assessment

VinfraSec offers a free DPDPA, CERT-In, or RBI gap assessment. Book a 30-minute call.

Book Now