
What is the DPDP Act, 2023?

The Digital Personal Data Protection Act, 2023 ("DPDP Act") is India's first standalone law dedicated to protecting the personal data of individuals. It establishes how organisations may collect, store, use, and share digital personal data, and gives individuals enforceable rights over that data.

The two key roles

The Act revolves around two parties. A Data Principal is the individual whose personal data is being processed. A Data Fiduciary is the organisation that decides why and how that data is processed. If you run a business that handles customer information, you are almost certainly a Data Fiduciary.

Core obligations

  • Consent & notice — collect data only with clear, informed consent, preceded by a plain-language notice.
  • Purpose limitation — use data only for the purpose the individual agreed to.
  • Security safeguards — protect data with reasonable security measures.
  • Breach reporting — notify the Data Protection Board and affected individuals of breaches.
  • Honouring rights — let individuals access, correct, and erase their data, and withdraw consent.

Why it matters now

Non-compliance carries financial penalties of up to ₹250 crore per instance. Beyond the fines, DPDP readiness is fast becoming a baseline expectation from enterprise customers and partners. Getting consent, record-keeping, and audit trails right is now a competitive necessity.


This guide is for general information only and is not legal advice.