DPDP Act, 2023: Compliance Guide, Requirements & Penalties
Page Contents
Digital Personal Data Protection (DPDP) Act, 2023: Complete Compliance Guide, Requirements, Penalties & Implementation Framework
The Digital Personal Data Protection (DPDP) Act, 2023, regulates how organizations collect, use, share, store, and delete digital personal data of individuals (Data Principals). It applies to almost every business, startup, NGO, professional firm, e-commerce platform, employer, and service provider processing personal data in digital form.
The Digital Personal Data Protection (DPDP) Act, 2023 requires organizations to collect only necessary personal data, obtain valid consent, secure the data, respect user rights, promptly report breaches, and delete data when no longer needed, while maintaining strong governance and accountability across the organization
Applicability of the Digital Personal Data Protection (DPDP) Act,
The Act applies to personal data collected in digital form, personal data collected offline and later digitized, and processing of personal data within India. And processing outside India if goods or services are offered to individuals in India. The Act applies to
- Data Fiduciaries: Organizations deciding the purpose and means of processing personal data.
- The Data Processors: Third parties processing data on behalf of fiduciaries, such as Cloud providers, Outsourced service providers and Technology vendors
- Significant Data Fiduciaries: Entities notified by the government due to scale or sensitivity of data handled. These may need Data Protection Officer (DPO), periodic audits, and Data Protection Impact Assessments (DPIA).
Exclusions in Digital Personal Data Protection (DPDP) Act,
Digital Personal Data Protection (DPDP) Act, 2023 does not apply to personal or domestic activities, publicly available personal data, certain government functions, and approved research, archiving, and statistical purposes.
Why the DPDP Act Matters
Digital Personal Data Protection (DPDP) Act, 2023 aims to help businesses become compliant with the Digital Personal Data Protection (DPDP) Act, 2023 before enforcement actions begin. Key points mentioned in the proposal:
| Item | Details |
| Compliance Window | 18 months |
| Enforcement Date | 13 May 2027 |
| Maximum Penalty | INR 250 Crore |
| Coverage | Almost all organizations processing digital personal data of Indian individuals |
The proposal emphasizes that the Data Protection Board of India has been constituted, and enforcement is expected to begin from 13 May 2027.
What the DPDP Act Requires

Businesses must implement Clear and informed consent mechanisms, Privacy notices, Data minimization practices, Security safeguards, Breach notification systems, Grievance redressal processes, Protection for children’s data and User rights management procedures
Notice Requirement
Before collecting personal data, every data fiduciary must provide a clear privacy notice.
The notice must contain:
- What data is being collected: Name, Email, Mobile number, Aadhaar details, employment information, financial information, etc.
- Why it is being collected: Specific purpose must be stated. Examples: Account creation, Employee onboarding, Service delivery, marketing communication, and Payroll processing
- Rights of Data Principal Information regarding Access rights, Correction rights, Erasure rights, Nomination rights and Complaint mechanism
- Complaint Process: How users can approach Organization, grievance officer, and Data Protection Board
The notice must be clear, simple language, Itemized and available in English and/or an Eighth Schedule language.
Consent Requirements
Processing is principally based on consent. Consent must be free, specific, informed, unconditional, unambiguous, and Given through clear affirmative action. Following Examples:
✔ Tick-box
✔ App consent button
✔ Digital signature
✘ Pre-ticked boxes
✘ Implied consent
✘ Hidden clauses
Users must be allowed to withdraw consent as easily as they gave it.
Legitimate Uses (No Consent Required)
Personal data may be processed without consent in certain situations:
- Government Benefits: Subsidies, Licenses, Permits and Approvals
- Legal Compliance: Court orders, judgments, and Statutory obligations
- Emergencies: Medical emergencies, Disaster response, Public health emergencies and Epidemics
- Employment Purposes: Employee attendance, Payroll, Benefits administration, and Prevention of loss or liability to employer
- Voluntarily Provided Data: Where the individual voluntarily shares the data for a specific purpose.
Data Minimization Principle
Collect only data that is necessary. Example: For a newsletter, email is necessary. ✅
- Aadhaar number is unnecessary. ❌
For recruitment: Resume ✅ and PAN/Aadhaar only when justified ✅
Organizations should avoid excessive collection of personal information.
Purpose Limitation
Data must only be used for the purpose communicated at the time of collection. Example:
If email is collected for Service updates ✅
Then using it later for: Marketing campaigns ❌ (unless consent exists)
Security Safeguards
Organizations must implement “reasonable security safeguards.” The rules specifically mention the following:
- Technical Controls: Encryption, Data masking, Obfuscation, Access controls, User authentication, activity monitoring, and Log management
- Operational Controls: Incident response process, Backup systems, disaster recovery, and Business continuity planning
- Monitoring: Security reviews, continuous monitoring, retention of logs for at least one year, and failure may attract a penalty of up to INR 250 crore.
Personal Data Breach Reporting
When a breach occurs:
- Immediately Notify: Affected individuals and Data Protection Board
- Within 72 Hours: Submit a detailed report to the Board covering the nature of breach, Cause of breach, Data affected, mitigation actions, and Corrective measures
Failure can attract a penalty of up to INR 200 crore.
Data Principal Rights
Individuals receive the following rights.
- Right to Access: Can ask, “What data is held?” , Why is it being processed?, With whom is it shared?
- The Right to Correction: Can request correction of Name, Address, contact details, and Other inaccurate information
- Right to Erasure: Can request deletion where retention is no longer required.
- The Right to Grievance Redressal: Can complain about misuse or denial of rights.
- Right to Nominate: Can nominate another person to exercise rights upon death or incapacity.
Grievance Redressal Mechanism
Every data fiduciary must publish grievance contact details, create a complaint-handling process, provide online channels, and resolve grievances within 90 days.
Children’s Data Requirements
A child means a person below 18 years old. Before processing a child’s data:
- Mandatory: Obtain verifiable parental consent, verify age of child, and verify identity of parent/guardian.
- Prohibited: Behavioural monitoring, Tracking, profiling, and Targeted advertising directed at children
Penalties may reach INR 200 crore.
Persons with Disabilities
- Where a lawful guardian exists: The organization must verify guardian identity, verify guardianship appointment, and obtain verifiable consent from the guardian.
Data Retention & Deletion
- Organizations should not keep personal data forever. The following are requirements like defining a retention period, erasing data once the purpose is fulfilled, and retaining transaction logs for at least one year. And inform individuals 48 hours before deletion where applicable.
- Certain large e-commerce entities, social media platforms, and online gaming platforms must delete data after specified retention periods.
Cross-Border Data Transfer
The Digital Personal Data Protection (DPDP) Act, 2023, permits the transfer of personal data outside India. However, one must comply with restrictions notified by the central government and destination countries, and conditions may be prescribed in the future.
Significant Data Fiduciaries
The government may classify certain organizations as SDFs based on volume of data, sensitivity of data, risk to individuals, and impact on sovereignty and public interest. Additional obligations include:
- Annual DPIA: Data Protection Impact Assessment
- Required Annual Audit: Independent compliance audit
- Risk Assessments: Review algorithmic and automated processing systems
- Reporting to the Board: Submit important observations and findings.


Major Penalties—Penalties Highlighted
| Violation | Maximum Penalty |
| Security safeguards failure—Failure to implement security safeguards | INR 250 Crore |
| Data breach notification failure- Failure to report breaches or violations involving children | INR 200 Crore |
| Children’s data violation | INR 200 Crore |
| SDF obligations violation | INR 150 Crore |
| Other Act violations | Up to INR 50 Crore |
| Data Principal duty violation | INR 10,000 |
The proposal also stresses reputational damage and business disruption risks beyond monetary penalties.
Digital Personal Data Protection Act 2023: Practical Compliance Checklist for Businesses
A business should immediately do the following:
- Conduct Data Mapping.
- Prepare Record of Processing Activities (RoPA).
- Update Privacy Policy.
- Implement Consent Management.
- Update Website/App Notices.
- Appoint Grievance Officer.
- Create Breach Response Plan.
- Review Vendor Agreements.
- Implement Encryption & Access Controls.
- Define Retention and Deletion Policy.
- Train Employees.
- Conduct DPDP Gap Assessment.
Digital Personal Data Protection (DPDP) Act, 2023 Services

- Phase 1 – Gap Assessment & Data Mapping includes Review current data practices, identify compliance gaps and Prepare data inventories and flow maps
- Phase 2 – Policy & Documentation includes Privacy Policies, consent notices, and Internal Compliance Frameworks
- Phase 3 – Implementation includes Consent management systems, Rights handling processes and Vendor agreement updates
- Phase 4 – Ongoing Compliance includes DPO-as-a-Service, Advisory support, employee training, and Breach-response readiness programs
Digital Personal Data Protection (DPDP) Act, 2023 Compliance Methodology: The compliance methodology/approach consists of four stages:
- Assess: Review current systems, policies, and data practices.
- Design: Create required policies, consent workflows, and procedures.
- Implement: Deploy controls across departments and vendors.
- Sustain: Provide ongoing compliance monitoring and training.
Value Proposition:
Digital Personal Data Protection (DPDP) Act, 2023 consultants claim to provide Practical implementation support rather than just legal advice, End-to-end compliance assistance, Customized solutions based on industry and organizational size, Ongoing advisory support after implementation.

What Rajput Jain and Associates offer
The Digital Personal Data Protection (DPDP) Act 2023 positions itself as an end-to-end consulting partner for data privacy compliance.
It provides financial, legal, and compliance consulting services; focuses on practical and actionable business solutions; works with professional experts across India; and helps organizations implement compliance without disrupting operations.
DPDP Act compliance and advisory services to help organizations prepare for India’s Digital Personal Data Protection (DPDP) Act, 2023. DPDP Act compliance and advisory services to help organizations prepare for India’s Digital Personal Data Protection (DPDP) Act, 2023.
As a proposal, it is well-structured and useful as a marketing/introduction document, but it currently lacks:
- Detailed scope of work
- Deliverables for each phase
- Project timelines
- Resource allocation
- Commercials/fees
- Service Level Agreements (SLAs)
- Responsibilities of client vs consultant
For conversion into a formal engagement proposal, It is recommended to add a detailed compliance roadmap, department-wise action plan (HR, IT, Marketing, Legal, Operations), deliverable matrix, implementation timeline, professional fee structure, risk assessment methodology, and sample DPDP compliance checklist.
Overall, it serves as a good business development and client acquisition proposal, but would need a more detailed technical and commercial section before execution

