
Digital Personal Data Protection Act 2023: What Every Indian Enterprise Must Know

12 min read · DPO · CISO · Legal · Compliance · March 2026

Why the DPDP Act 2023 is Different From Everything Before It

India's Digital Personal Data Protection Act 2023 is not a privacy policy refresh. It is a statutory framework that creates legally enforceable obligations for every organisation that collects, processes, or stores personal data of Indian citizens — with penalties that reach ₹250 crore for serious violations.

Unlike sector-specific rules that existed before it (RBI guidelines, SEBI circulars, UIDAI directions), the DPDP Act applies horizontally across all sectors. A bank, a hospital, a fintech, an e-commerce company — all are Data Fiduciaries under the same Act, subject to the same core obligations.

This article is a practitioner's guide to what the Act actually requires, how it creates obligations in practice, and where most enterprises are currently falling short.

The Architecture of the Act

The DPDP Act 2023 is structured in six chapters covering 44 sections. The operative provisions fall into three categories:

Obligations on Data Fiduciaries (Chapters II and IV)

A Data Fiduciary is any person who determines the purpose and means of processing personal data. In BFSI terms: every bank, NBFC, insurer, broker, and payment aggregator is a Data Fiduciary.

Core obligations under §8:

  • Accuracy: Personal data must be accurate and updated where necessary for the specified purpose
  • Security safeguards: Reasonable and appropriate technical and organisational measures to prevent breach
  • Data minimisation: Only collect data necessary for the stated purpose
  • Storage limitation: Personal data must be erased when the purpose is fulfilled unless retention is required by law
  • Breach notification: Report breaches to the Data Protection Board and affected data principals within the prescribed timeline (72 hours under DPDP Rules 2025)

Rights of Data Principals (Chapter III)

A Data Principal is the individual whose data is being processed. Under Chapter III, every data principal has:

Right                        | Section | What it means
-----------------------------|---------|------------------------------------------------------------------
Right to access              | §12     | Request a summary of personal data held and processing activities
Right to correction          | §13     | Request correction of inaccurate or outdated data
Right to erasure             | §13     | Request deletion of data when purpose is fulfilled
Right to grievance redressal | §13     | Access to a grievance officer and Board complaint mechanism
Right to nomination          | §14     | Nominate a person to exercise rights in case of death/incapacity

Consent Framework (§6)

Processing personal data in India requires either:

  1. Consent — specific, informed, unconditional, freely given, and revocable at any time; or
  2. Legitimate use — one of seven defined categories including employment obligations, medical emergencies, court orders, and state functions

Consent under the DPDP Act is not an “I accept terms and conditions” checkbox. It must:

  • Be preceded by a notice that specifies the data to be collected, the purpose, and how to exercise rights
  • Be separate from other terms and conditions
  • Be as easy to withdraw as it is to give
  • Use clear plain language — with optional use of preferred languages

What the DPDP Rules 2025 Add

The DPDP Rules were notified by MeitY on 13 November 2025. They operationalise the Act with specific provisions in four areas:

Breach notification format: The Rules prescribe the format and minimum content of breach notices to the Data Protection Board. This includes: nature of the breach, categories and approximate number of affected data principals, likely consequences, and measures taken.

Consent Manager framework: Registered Consent Managers maintain consent records on behalf of data principals. They are interoperable entities registered with the Data Protection Board — enterprises must either integrate with them or maintain equivalent consent record systems.

SDF designation criteria: The criteria for classifying an entity as a Significant Data Fiduciary include: volume and sensitivity of personal data processed, potential risk to national security, rights of data principals, and impact on sovereignty.

Children’s data provisions: Processing children’s data (below 18 years) requires verifiable parental consent. Enterprises cannot process children’s data for tracking or behavioural monitoring.

Significant Data Fiduciaries — Additional Obligations

Organisations designated as SDFs under §10 carry additional obligations that go beyond the baseline:

  • Annual Data Protection Impact Assessment (DPIA) for all high-risk processing activities
  • Annual audit by an independent data auditor
  • Appointment of a Data Protection Officer — a senior employee accountable to the board
  • Data localisation compliance as may be prescribed for specific categories
  • Periodic assessment of algorithms and AI systems that process personal data

Most major banks, NBFCs, insurance companies, payment aggregators, and large fintechs will qualify as SDFs. MeitY’s designation list has not been fully published, but the criteria make classification near-certain for large BFSI entities.

The Penalty Framework

The Act establishes a tiered penalty framework under §33:

Violation                                                       | Maximum Penalty
----------------------------------------------------------------|----------------
Failure to implement security safeguards (resulting in breach)  | ₹250 Crore
Failure to notify data breach to Board or data principals       | ₹200 Crore
Non-compliance with SDF obligations                             | ₹150 Crore
Violation of children’s data obligations                        | ₹200 Crore
Obstruction of Board proceedings                                | ₹10,000

Penalties are per incident. Multiple violations in a single breach event are assessed separately.

Where Most Enterprises Are Falling Short

Based on compliance assessments run through the CreativeCyber DPDP Assurance Platform, the most common gaps are:

1. No documented ROPA — Enterprises know what systems they use, but have no structured record mapping processing activities to legal basis, data categories, retention periods, and security controls. This is a §19(4) violation.

2. Consent that doesn’t meet the standard — Bundled consent in terms and conditions, pre-ticked boxes, or language that doesn’t specify purpose. These don’t satisfy §6.

3. No DPIA programme — High-risk processing activities (credit scoring, KYC biometrics, automated underwriting) have never been assessed for privacy risk, let alone had a formal DPIA with approval workflow.

4. No breach response procedure — When asked “what would you do in the first 72 hours after discovering a data breach?” most teams cannot describe a procedure. The DPDP Rules require notification to the Board in that window.

5. No data principal rights mechanism — No documented process for receiving, validating, and responding to access, correction, or erasure requests within the statutory timeframe.

How the CreativeCyber DPDP Assurance Platform Maps to the Act

Every module in the platform corresponds to a specific Act obligation:

Platform Module      | DPDP Act Section
---------------------|---------------------------------------------------
ROPA Register        | §19(4) — Record of processing activities
PIA / DPIA Wizards   | §10 SDF DPIA obligation + §8 risk management
Gap Assessment       | §8 — Reasonable security safeguards
Policy Generator     | §11 — Notice and consent policy generation
Assurance Readiness  | §8(5) — Technical and organisational safeguards
CSITe Filing         | §8(6) — Breach notification to Board
Evidence Vault       | Audit trail for all obligations