DPDP Act

The DPDP Act backs its obligations with substantial financial penalties. These are not token fines — they are designed to ensure that compliance is economically rational for organisations of all sizes. The Act prescribes penalties up to INR 250 crore (approximately USD 30 million) for the most serious violations, such as failure to implement reasonable […]

India’s digital economy is growing at an unprecedented pace. With over 950 million internet users, rapid 5G adoption, and the world’s largest WhatsApp and social media user bases, the volume of personal data flowing through Indian businesses is staggering. The DPDP Act recognises this reality and establishes a framework to ensure that economic growth does

India’s DPDP Act and the European Union’s GDPR share a common objective: protecting individuals’ personal data rights. Both establish consent-based processing, purpose limitation, data minimisation, and individual rights as core principles. But the similarities end at the surface. In application, enforcement, and structure, the two laws diverge significantly. For multinational companies operating in both jurisdictions,

The Central Government has the authority to classify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on factors such as the volume and sensitivity of data processed, the risk to data principal rights, and the potential impact on India’s sovereignty, security, and integrity. While the specific criteria for designation

India’s DPDP Act introduces mandatory data breach notification for the first time in Indian law. Prior to this legislation, there was no clear legal obligation to report data breaches to regulators or affected individuals. The CERT-In reporting requirements existed but were primarily focused on cybersecurity incidents rather than personal data breaches. Under the new framework,

As businesses continue to go digital, the amount of personal data being collected is growing rapidly. From websites to mobile apps, organizations collect user information to improve services. But who is responsible for managing this data? This is where the concept of a data fiduciary comes in. Understanding Data Fiduciary A data fiduciary is an

The DPDP Act places consent at the centre of its regulatory architecture. Unlike some jurisdictions that offer multiple legal bases for processing (legitimate interest, contractual necessity, etc.), the DPDP Act primarily relies on consent and a narrow set of “legitimate uses” defined in Section 7. This means that for most commercial data processing, obtaining valid

The DPDP Act empowers Indian citizens with a set of enforceable rights over their personal data. These rights shift the balance of power from organisations that collect data to the individuals who own it. For the first time in Indian law, individuals have a clear, statutory mechanism to control how their data is used. These

India’s data protection journey has been long and complex. For years, the Information Technology Act, 2000, and its 2011 rules on reasonable security practices were the only guardrails. These provisions were widely regarded as inadequate — they lacked a dedicated regulatory body, did not define individual rights comprehensively, and imposed no meaningful penalties for data

Data protection in India has entered a decisive new chapter. After years of legislative deliberation and public consultation, the Ministry of Electronics and Information Technology (MeitY) notified the final Digital Personal Data Protection (DPDP) Rules on November 13, 2025. These rules operationalise the DPDP Act, 2023 and give every Data Fiduciary operating in India the