

Short on time? This DPDP Act summary gives you the key highlights of the Digital Personal Data Protection Act, 2023 in about five minutes: what the law says, who it covers, what you must do, what it costs to ignore, and how much time you have left.
The essentials: the DPDP Act is India's first comprehensive data privacy law, passed in August 2023 and made fully operational when the DPDP Rules 2025 were notified on 14 November 2025. It has 9 chapters and 44 sections, applies to all digital personal data processed in India (and to foreign entities serving people in India), and it has no small-business exemption. Collecting even one customer's email digitally makes you a Data Fiduciary.
No cost. No obligation. Get your compliance gap report.
There is no GDPR-style "legitimate interest" or "contract necessity" shortcut. If it is not consent or a listed legitimate use, you cannot process the data.
Want the clause-by-clause detail behind this summary? See our section-wise breakdown of the DPDP Act and check whether and how the Act applies to you.
Penalties apply per violation, with no discount for business size. A single incident can stack multiple violations.
| Violation | Maximum Penalty |
|---|---|
| No reasonable security safeguards | Rs 250 Crore |
| Failure to report a data breach | Rs 200 Crore |
| Misusing children's data | Rs 200 Crore |
| Significant Data Fiduciary duty failures | Rs 150 Crore |
| Other violations | Rs 50 Crore |
This was the 5-minute version. The full guide covers roles, rights, myths vs facts, the compliance checklist, and our services.
It is India's first comprehensive data privacy law. If you collect anyone's personal data digitally, you must take clear consent, keep the data secure, delete it when no longer needed, report every breach, and honour user rights, with penalties up to Rs 250 crore per violation.
No size exemption, only two lawful bases (consent and legitimate uses), strong user rights, all-breach reporting within 72 hours, the strictest rules for children's data, a dedicated Data Protection Board, and penalties up to Rs 250 crore per violation.
The Rules were notified on 14 November 2025, making the law operational. Consent rules become mandatory on 13 November 2026, and full enforcement begins on 13 May 2027. The government has even proposed shortening the timeline, so November 2026 may effectively become final.
With a gap assessment. Our free DPDP audit reviews the data you collect, your consent flows, policies, and security, and gives you a gap report with a risk score and a step-by-step fix roadmap.
One free audit turns this summary into a personalized gap report for your business.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.