Compliance
DPDP Act Compliance Consulting for Indian Enterprises
The Digital Personal Data Protection Act, 2023 creates new obligations for every Indian organisation that processes personal data. We help you comply — practically, not just on paper.
The law explained
What the DPDP Act requires
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data protection law. It received presidential assent on 11 August 2023 and creates a framework governing how organisations collect, store, process, and share the personal data of Indian residents.
The Act applies to any entity — a company, school, hospital, startup, or government body — that processes digital personal data within India, or processes personal data outside India if it relates to activities of offering goods or services to individuals in India.
Consent requirements
Data Fiduciaries must obtain free, specific, informed, unconditional, and unambiguous consent before processing personal data. Consent must be as easy to withdraw as it is to give. Pre-ticked boxes and bundled consents are not permitted.
Data Principal rights
The Act gives individuals (called Data Principals) the right to access their personal data, correct inaccurate data, erase data that is no longer necessary, and nominate a representative to exercise their rights in the event of their death or incapacity. Organisations must respond to these requests within defined timelines.
Data Fiduciary obligations
Data Fiduciaries — those who determine the purpose and means of processing — must implement appropriate technical and organisational measures to protect personal data from breaches. They must also implement purpose limitation (not use data beyond the consented purpose) and data minimisation (collect only what is necessary).
Cross-border data transfers
The Act allows the central government to restrict transfers of personal data to certain countries. Organisations must track where personal data is transferred and to which jurisdictions, and must ensure that cross-border transfers comply with any restrictions notified by the government.
Breach notification
In the event of a personal data breach, Data Fiduciaries must notify the Data Protection Board and affected Data Principals in the manner and within the timeframe prescribed by the rules. Failure to notify is itself a violation.
Penalties
The Act prescribes penalties of up to ₹250 crore (approximately $30 million) for significant violations, including failure to implement adequate security safeguards. Smaller violations carry penalties of ₹50 crore to ₹200 crore. The Data Protection Board of India will adjudicate complaints and impose penalties.
Key obligations at a glance
- Obtain valid consent before processing
- Respond to data access requests
- Allow data erasure on request
- Implement data security safeguards
- Notify breaches to the Board
- Appoint a Data Protection Officer (DPO) if designated a Significant Data Fiduciary
- Maintain processing records
- Purpose limitation and data minimisation
Maximum penalty: ₹250 crore for significant data protection violations
Affected sectors
Who needs DPDP compliance?
Schools & EdTech
Student records, parent data, admission forms, learning analytics — all subject to the DPDP Act.
BFSI
KYC data, transaction records, insurance information — among the most sensitive data categories under the Act.
Healthcare
Patient records constitute sensitive personal data under the Act, with heightened obligations for Data Fiduciaries.
E-commerce & Retail
Customer purchase data, delivery addresses, payment details — all must be handled with explicit consent and purpose limitation.
Our service
Our 3-phase compliance service
Phase 1 — Data Audit
Duration: 2 weeks
We map all personal data your organisation collects, stores, and processes. We identify who has access, where data is stored, and what the legal basis for processing is.
Deliverable: Audit report with gap analysis
Phase 2 — Implementation
Duration: 4–8 weeks
We implement consent frameworks, update privacy notices, put technical controls in place, and train your staff on their obligations under the Act.
Deliverable: Compliance documentation + implemented controls
Phase 3 — Ongoing DPO Support
Duration: monthly retainer
We monitor for regulatory updates, assist with breach notification, respond to Data Principal requests, and conduct an annual compliance review.
Deliverable: Ongoing regulatory support
Compliance FAQ
DPDP Act questions answered
Get a free DPDP readiness assessment
A 45-minute call to assess where your organisation stands and what needs to change. No obligation.