

The DPDP Act, short for the Digital Personal Data Protection Act, 2023, is India's first comprehensive data privacy law. In one line: if your business collects, stores, or uses anyone's personal information in digital form, this law tells you how you must handle it, and what happens if you don't.
"Digital personal data" simply means any information about an identifiable person that exists in digital form: a customer's name, email, phone number, address, an employee's payroll record, a patient's report, a student's admission form. Even data collected offline on paper counts once you digitize it, say, by typing it into a spreadsheet.
The law is no longer a "coming soon" story. With the DPDP Rules 2025 notified on 14 November 2025, the Act is fully operational, and penalties of up to ₹250 crore per violation are already legally active.
That's a short list on purpose. If you run an e-commerce store, clinic, school, agency, or SaaS product, assume the law applies to you. Not sure? Book a free DPDP audit and we'll tell you exactly where you stand.
| Year | Milestone |
|---|---|
| 2017 | Supreme Court's Puttaswamy judgment declares privacy a fundamental right of every Indian, setting the legal foundation for a data protection law |
| August 2023 | Parliament passes the DPDP Act on 9 August 2023; Presidential assent follows on 11 August 2023 |
| 14 November 2025 | DPDP Rules 2025 notified (23 rules and 7 schedules), the law becomes fully operational and the Data Protection Board of India goes live |
From here, the rollout continues in phases: consent rules become mandatory on 13 November 2026, and full enforcement of every obligation begins on 13 May 2027. See the full DPDP timeline for the complete journey.
Three roles you'll hear again and again. Here's what they actually mean.
The individual whose data it is: your customer, employee, patient, or student. The Act gives them legal rights to access, correct, and delete their data, and to withdraw consent anytime.
The business that decides why and how personal data is processed. That's you. Full legal responsibility sits here, including for anything your vendors do with the data.
A vendor that processes data on the fiduciary's behalf: your cloud host, payroll provider, or marketing agency. They work under contract, but you keep the liability.
Consent rules become mandatory on 13 November 2026, and full enforcement begins on 13 May 2027. Compliance setup typically takes 2-6 months, so the safe window to start is now.
Book Your Free DPDP AuditThis page covers the basics. Our main guide covers deadlines, penalties, the full compliance checklist, and how our services get you compliant.
Learn Everything About DPDP ComplianceIt's India's first comprehensive data privacy law. If your business handles anyone's personal data digitally, you must take clear consent, protect the data, and respect the individual's rights over it, or face penalties of up to ₹250 crore per violation.
Every business processing digital personal data in India, plus foreign companies serving people in India. There is no size exemption, and digitized offline data is covered too. Only personal/domestic use and most publicly available data are excluded.
Parliament passed the Act in August 2023, and it became fully operational when the DPDP Rules 2025 were notified on 14 November 2025. Consent rules become mandatory on 13 November 2026, with full enforcement from 13 May 2027.
The Data Principal is the individual whose data it is. The Data Fiduciary is the business deciding why and how the data is processed, and it carries full legal responsibility. A Data Processor is a vendor working on the fiduciary's behalf under contract.
A free audit shows you exactly which requirements you already meet and which ones need work.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.