What is the DPDP Act (India)?
The Digital Personal Data Protection Act 2023 (DPDP Act) is India's comprehensive privacy law governing the processing of digital personal data of Indian residents. It applies to any organization, Indian or foreign, that processes personal data in connection with goods or services offered to individuals in India.
In more detail
The DPDP Act was passed by the Indian Parliament in August 2023 and is the country's first comprehensive data protection statute. It establishes rights for data principals (individuals), sets duties for data fiduciaries (organizations that decide the purpose and means of processing), and creates the Data Protection Board of India for enforcement. Penalties can reach INR 250 crore (roughly $30M) per contravention.
Key obligations include notice before collection, consent management, purpose limitation, data minimization, breach notification, and reasonable security safeguards. The Act allows cross-border data transfer to countries not restricted by the Central Government, making it workable for international remote staffing arrangements.
How it works
- Give clear notice before collecting personal data.
- Obtain free, specific, informed, unambiguous consent.
- Process only for the stated purpose.
- Implement reasonable technical and organizational safeguards.
- Notify the Board and affected individuals of breaches.
- Honor data principal rights (access, correction, erasure, grievance).
Mini FAQ
If you offer goods or services to individuals in India, or process data in connection with such offerings, yes.
DPDP is narrower. It applies only to digital personal data of Indian residents and has fewer data subject rights.
Up to INR 250 crore per contravention for serious breaches such as failing to implement reasonable safeguards.