What Is the DPDP Act?

India's data protection law explained in plain language, no legal jargon
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

What Is the DPDP Act? A Plain-Language Answer

The DPDP Act, short for the Digital Personal Data Protection Act, 2023, is India's first comprehensive data privacy law. In one line: if your business collects, stores, or uses anyone's personal information in digital form, this law tells you how you must handle it, and what happens if you don't.

"Digital personal data" simply means any information about an identifiable person that exists in digital form: a customer's name, email, phone number, address, an employee's payroll record, a patient's report, a student's admission form. Even data collected offline on paper counts once you digitize it, say, by typing it into a spreadsheet.

The law is no longer a "coming soon" story. With the DPDP Rules 2025 notified on 14 November 2025, the Act is fully operational, and penalties of up to ₹250 crore per violation are already legally active.

Who Does the DPDP Act Apply To?

Covered by the Act

  • Every business processing digital personal data in India
  • Foreign companies offering goods or services to people in India
  • Offline data that is later digitized
  • Businesses of every size: there is no small-business exemption
  • Anyone collecting even one customer's email digitally, that alone makes you a Data Fiduciary

Not Covered

  • Data used for purely personal or domestic purposes
  • Most publicly available data

That's a short list on purpose. If you run an e-commerce store, clinic, school, agency, or SaaS product, assume the law applies to you. Not sure? Book a free DPDP audit and we'll tell you exactly where you stand.

How the DPDP Act Came to Be: A Short History

YearMilestone
2017Supreme Court's Puttaswamy judgment declares privacy a fundamental right of every Indian, setting the legal foundation for a data protection law
August 2023Parliament passes the DPDP Act on 9 August 2023; Presidential assent follows on 11 August 2023
14 November 2025DPDP Rules 2025 notified (23 rules and 7 schedules), the law becomes fully operational and the Data Protection Board of India goes live

From here, the rollout continues in phases: consent rules become mandatory on 13 November 2026, and full enforcement of every obligation begins on 13 May 2027. See the full DPDP timeline for the complete journey.

Key Terms Under the DPDP Act

Three roles you'll hear again and again. Here's what they actually mean.

Data Principal

The individual whose data it is: your customer, employee, patient, or student. The Act gives them legal rights to access, correct, and delete their data, and to withdraw consent anytime.

Data Fiduciary

The business that decides why and how personal data is processed. That's you. Full legal responsibility sits here, including for anything your vendors do with the data.

Data Processor

A vendor that processes data on the fiduciary's behalf: your cloud host, payroll provider, or marketing agency. They work under contract, but you keep the liability.

The Clock Is Already Running

Consent rules become mandatory on 13 November 2026, and full enforcement begins on 13 May 2027. Compliance setup typically takes 2-6 months, so the safe window to start is now.

Book Your Free DPDP Audit

Want the Complete DPDP Picture?

This page covers the basics. Our main guide covers deadlines, penalties, the full compliance checklist, and how our services get you compliant.

Learn Everything About DPDP Compliance

What Is the DPDP Act: Frequently Asked Questions

What is the DPDP Act in simple words?

It's India's first comprehensive data privacy law. If your business handles anyone's personal data digitally, you must take clear consent, protect the data, and respect the individual's rights over it, or face penalties of up to ₹250 crore per violation.

Now You Know What the DPDP Act Is. Do You Know Where You Stand?

A free audit shows you exactly which requirements you already meet and which ones need work.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.