India's Privacy Frontier

Digital Personal Data Protection Act, 2023

A comprehensive roadmap for CIOs, CISOs, and IT Leaders to navigate the new landscape of data governance, privacy rights, and operational compliance.

The Repository

Access the core documentation and industry-standard research curated for leadership teams.

Official Gazette

View the complete Digital Personal Data Protection Act, 2023 as enacted by the Parliament of India.

Insights for IT Leaders

Actionable guidance on DPDP, data protection, and cybersecurity for modern IT leadership teams.

DPDP at a Glance

A three-page summary highlighting essential definitions and a step-by-step DPDP compliance roadmap.

Journey to Compliance

Major milestones from the bill’s inception to today’s enforcement.

Present Stage: Rule Drafting

2017

Legal Origins

Privacy declared a fundamental right.

11 Aug 2023

DPDP Act Enacted

DPDP Act, 2023 receives Presidential assent.

3 Jan 2025

Draft Rules & Consultation

Draft DPDP Rules released for comments.

13 Nov 2025

Rules Notification & Phase-Wise Enforcement

DPDP Rules notified; Data Protection Board established.

Nov 2025

Phased Compliance Timeline (Phase I)

Legal provisions & DPBI active.

Nov 2026

Phase II

Consent manager framework operational.

May 2027

Phase III

Full compliance enforcement (fiduciary obligations, data principal rights, breach reporting).

Strategic Compliance Framework

01

Governance & Oversight

Compliance team, roles, policies

02

Data Mapping & Classification

Identify, document, classify data

03

Consent & Notice Management

Transparent consent, notices, opt-in/out

04

Security & Risk Controls

Safeguards, encryption, access control

05

Breach Management & Reporting

Incident response, 72-hour reporting

06

Rights Management

Access, correction, erasure, grievance redressal

07

Monitoring & Audit

Regular audits, updates, compliance tracking

Technical Readiness Checklist

Community Insights

Governance Q&A Forum

Real-world scenarios asked by professionals and answered by compliance experts.

Anita Mehra

CIO

"How does the Act treat legacy data collected before 2023?"

Expert Answer

Under Section 5(2), organizations must issue a fresh notice to users describing the data held and its purpose. You may continue processing the data unless the user explicitly withdraws consent.

Vikram Joshi

IT Head

"Can we store personal data in global clouds like AWS or Azure while remaining DPDP compliant?"

Expert Answer

Yes. The DPDP Act does not mandate strict data localization, but some countries may be restricted via government notifications. Best practices include:

  • Use cloud providers with encryption, access controls, and logging.
  • Conduct regular audits for data transfers.
  • Maintain DPDP-compliant contractual clauses with vendors.

Vikram Joshi

IT Head

"Can a Consent Manager be an external third party?"

Expert Answer

Yes. Consent Managers can be registered entities that manage consent workflows for data fiduciaries while ensuring DPDP compliance.

Anita Mehra

CIO

"Do we need to encrypt all personal data?"

Expert Answer

The Act requires “reasonable security safeguards,” which include encryption at rest and in transit for sensitive personal data. Organizations should implement end-to-end encryption, key management, and regular vulnerability assessments.

Need guidance on data protection and compliance?

Ask our panel of privacy and cybersecurity experts.