DPDP Act Summary

The whole law in 5 minutes: key highlights, obligations, penalties, and deadlines
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

DPDP Act Summary: What Every Business Owner Should Know

Short on time? This DPDP Act summary gives you the key highlights of the Digital Personal Data Protection Act, 2023 in about five minutes: what the law says, who it covers, what you must do, what it costs to ignore, and how much time you have left.

The essentials: the DPDP Act is India's first comprehensive data privacy law, passed in August 2023 and made fully operational when the DPDP Rules 2025 were notified on 14 November 2025. It has 9 chapters and 44 sections, applies to all digital personal data processed in India (and to foreign entities serving people in India), and it has no small-business exemption. Collecting even one customer's email digitally makes you a Data Fiduciary.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Key Highlights: Principles and Lawful Bases

The 7 Core Principles

  • Lawful and transparent processing
  • Purpose limitation: use data only for stated purposes
  • Data minimization: collect only what you need
  • Accuracy of the data you hold
  • Storage limitation: delete when no longer needed
  • Security safeguards: encryption, access controls, backups
  • Accountability: you answer for your data and your vendors

Only 2 Lawful Grounds to Process Data

  • Consent: free, specific, informed, unconditional, unambiguous, and given by a clear affirmative action
  • Legitimate uses: a short list including voluntary provision, employment, government functions, medical emergencies, disasters, and legal obligations

There is no GDPR-style "legitimate interest" or "contract necessity" shortcut. If it is not consent or a listed legitimate use, you cannot process the data.

Your Core Obligations in One List

  • Take clear consent: no pre-ticked boxes, withdrawal as easy as giving consent
  • Publish a plain-language privacy notice in English plus any of the 22 scheduled Indian languages
  • Delete data when the purpose is served or consent is withdrawn
  • Honour user rights: access, correction, erasure, and grievances resolved within 90 days
  • Report every breach: users without delay, detailed report to the Board within 72 hours
  • Implement security safeguards: encryption, access controls, MFA, logs kept at least 1 year, backups
  • Sign vendor contracts: you stay legally responsible for your processors
  • Protect children's data: verifiable parental consent for under-18s, no targeted ads at minors

Want the clause-by-clause detail behind this summary? See our section-wise breakdown of the DPDP Act and check whether and how the Act applies to you.

Penalties at a Glance

Penalties apply per violation, with no discount for business size. A single incident can stack multiple violations.

ViolationMaximum Penalty
No reasonable security safeguardsRs 250 Crore
Failure to report a data breachRs 200 Crore
Misusing children's dataRs 200 Crore
Significant Data Fiduciary duty failuresRs 150 Crore
Other violationsRs 50 Crore

Deadlines: The Part of This Summary You Cannot Skip

  • 13 November 2026: consent rules become mandatory and soft enforcement ends
  • 13 May 2027: full enforcement of all obligations and penalties, no grace period after
  • Setup takes 2-6 months, so the safe window to start is now

Want the Complete DPDP Picture?

This was the 5-minute version. The full guide covers roles, rights, myths vs facts, the compliance checklist, and our services.

Learn Everything About DPDP Compliance

DPDP Act Summary: Frequently Asked Questions

What is the DPDP Act in simple words?

It is India's first comprehensive data privacy law. If you collect anyone's personal data digitally, you must take clear consent, keep the data secure, delete it when no longer needed, report every breach, and honour user rights, with penalties up to Rs 250 crore per violation.

You Read the Summary. Now See Where You Stand.

One free audit turns this summary into a personalized gap report for your business.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.