DPDP Act 2023

The Digital Personal Data Protection Act 2023 in detail: structure, principles, scope, and exemptions
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

The DPDP Act 2023: India's Data Protection Law in Detail

The Digital Personal Data Protection Act, 2023 (often written as DPDP Act or DPDPA) is India's first comprehensive data privacy law. Passed by Parliament on 9 August 2023 with Presidential assent on 11 August 2023, it grew out of the 2017 Supreme Court Puttaswamy ruling that made privacy a fundamental right.

The Act is compact by global standards: 9 chapters and 44 sections, plus a penalty schedule. Those 44 sections cover everything from definitions and consent rules to the duties of Data Fiduciaries, the rights of Data Principals, the Data Protection Board of India, and penalties of up to ₹250 crore per violation.

With the DPDP Rules 2025 notified on 14 November 2025, the DPDP Act 2023 is now fully operational. This page walks through the law's structure, principles, lawful bases, scope, and exemptions.

The 7 Core Principles of the DPDP Act 2023

Every obligation in the Act flows from these seven principles. If your data practices follow them, you are most of the way to compliance.

Lawful & Transparent Processing

Process personal data only on a valid legal basis and be open with people about what you're doing with their data.

Purpose Limitation

Use data only for the specific purpose it was collected for, no quiet repurposing of customer lists later.

Data Minimization

Collect only what you actually need. If a delivery needs a phone number, don't also ask for a date of birth.

Accuracy

Keep the personal data you hold correct and up to date, and fix it when the individual asks for a correction.

Storage Limitation

Delete data once its purpose is served or consent is withdrawn. "Keep everything forever" is no longer legal.

Security Safeguards & Accountability

Protect data with encryption, access controls, and logging, and be able to prove it. Security failures carry the top ₹250 Cr penalty tier.

Only 2 Lawful Bases for Processing Data

Unlike GDPR's six legal bases, the DPDP Act 2023 gives businesses exactly two grounds to process personal data.

1. Consent

Consent must be free, specific, informed, unconditional, and unambiguous, given through a clear affirmative action. No pre-ticked boxes, no consent buried in terms and conditions, and withdrawing consent must be as easy as giving it.

2. Legitimate Uses (Section 7)

  • Data voluntarily provided by the individual for a stated purpose
  • Employment-related purposes
  • Government functions and legal obligations
  • Medical emergencies and disaster response

Notably absent: GDPR-style "legitimate interest" and "contract necessity". If your processing doesn't fit a Section 7 legitimate use, you need valid consent, which is why consent systems sit at the heart of DPDP compliance.

Scope, Applicability & Exemptions

Covered by the DPDP Act 2023Excluded
Digital personal data processed in IndiaPurely personal or domestic use of data
Foreign entities offering goods or services to people in IndiaMost publicly available data
Offline data that is later digitizedThere is NO small-business, startup, or turnover-based exemption
Businesses of every size and sector, from a solo shop to an enterprise

Practically, if you collect even one customer's email digitally, the Act treats you as a Data Fiduciary. Also worth knowing: the Act applies only to digital personal data (paper records stay outside until digitized), and it treats all personal data uniformly, with no separate "sensitive data" category like GDPR.

The DPDP Act 2023 Is Live. Enforcement Is Phasing In.

Consent rules become mandatory on 13 November 2026, and full enforcement begins on 13 May 2027. Setup takes 2-6 months, so start now.

Book Your Free DPDP Audit

Want the Complete DPDP Picture?

See deadlines, penalties, the compliance checklist, and our services in one place.

Learn Everything About DPDP Compliance

DPDP Act 2023: Frequently Asked Questions

What is the structure of the DPDP Act 2023?

The Act has 9 chapters and 44 sections plus a penalty schedule, covering definitions, consent and notice, fiduciary duties, Data Principal rights, the Data Protection Board of India, and penalties of up to ₹250 crore per violation.

The Law Is Detailed. Your Next Step Doesn't Have to Be.

One free audit tells you which of the Act's 44 sections actually create work for your business, and how to close the gaps.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.