{"id":32398,"date":"2026-07-12T13:34:38","date_gmt":"2026-07-12T08:04:38","guid":{"rendered":"https:\/\/carajput.com\/blog\/?p=32398"},"modified":"2026-07-12T13:45:35","modified_gmt":"2026-07-12T08:15:35","slug":"dpdp-act-2023-compliance-guide-requirements-penalties","status":"publish","type":"post","link":"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/","title":{"rendered":"DPDP Act, 2023: Compliance Guide, Requirements &#038; Penalties"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_58 counter-hierarchy ez-toc-counter ez-toc-light-blue ez-toc-container-direction\">\n<p class=\"ez-toc-title\">Page Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6a536a107f5f2\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #000000;color:#000000\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #000000;color:#000000\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6a536a107f5f2\"  aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Digital_Personal_Data_Protection_DPDP_Act_2023_Complete_Compliance_Guide_Requirements_Penalties_Implementation_Framework\" title=\"Digital Personal Data Protection (DPDP) Act, 2023: Complete Compliance Guide, Requirements, Penalties &amp; Implementation Framework\">Digital Personal Data Protection (DPDP) Act, 2023: Complete Compliance Guide, Requirements, Penalties &amp; Implementation Framework<\/a><ul class='ez-toc-list-level-3'><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Applicability_of_the_Digital_Personal_Data_Protection_DPDP_Act\" title=\" Applicability of the Digital Personal Data Protection (DPDP) Act, \"> Applicability of the Digital Personal Data Protection (DPDP) Act, <\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Exclusions_in_Digital_Personal_Data_Protection_DPDP_Act\" title=\"Exclusions in Digital Personal Data Protection (DPDP) Act,\u00a0\">Exclusions in Digital Personal Data Protection (DPDP) Act,\u00a0<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Why_the_DPDP_Act_Matters\" title=\"Why the DPDP Act Matters\">Why the DPDP Act Matters<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#What_the_DPDP_Act_Requires\" title=\"What the DPDP Act Requires\">What the DPDP Act Requires<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Notice_Requirement\" title=\" Notice Requirement\"> Notice Requirement<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Consent_Requirements\" title=\" Consent Requirements\"> Consent Requirements<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Legitimate_Uses_No_Consent_Required\" title=\" Legitimate Uses (No Consent Required) \"> Legitimate Uses (No Consent Required) <\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Data_Minimization_Principle\" title=\" Data Minimization Principle \"> Data Minimization Principle <\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Purpose_Limitation\" title=\" Purpose Limitation\"> Purpose Limitation<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Security_Safeguards\" title=\" Security Safeguards\"> Security Safeguards<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Personal_Data_Breach_Reporting\" title=\" Personal Data Breach Reporting \"> Personal Data Breach Reporting <\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Data_Principal_Rights\" title=\" Data Principal Rights\"> Data Principal Rights<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Grievance_Redressal_Mechanism\" title=\" Grievance Redressal Mechanism\"> Grievance Redressal Mechanism<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Childrens_Data_Requirements\" title=\" Children&#8217;s Data Requirements\"> Children&#8217;s Data Requirements<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Persons_with_Disabilities\" title=\" Persons with Disabilities\"> Persons with Disabilities<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Data_Retention_Deletion\" title=\" Data Retention &amp; Deletion\"> Data Retention &amp; Deletion<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-18\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Cross-Border_Data_Transfer\" title=\" Cross-Border Data Transfer\"> Cross-Border Data Transfer<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-19\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Significant_Data_Fiduciaries\" title=\" Significant Data Fiduciaries \"> Significant Data Fiduciaries <\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-20\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Major_Penalties%E2%80%94Penalties_Highlighted\" title=\"Major Penalties\u2014Penalties Highlighted\">Major Penalties\u2014Penalties Highlighted<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-21\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Digital_Personal_Data_Protection_Act_2023_Practical_Compliance_Checklist_for_Businesses\" title=\"Digital Personal Data Protection Act \u00a02023: Practical Compliance Checklist for Businesses\">Digital Personal Data Protection Act \u00a02023: Practical Compliance Checklist for Businesses<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-22\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Digital_Personal_Data_Protection_DPDP_Act_2023_Services\" title=\"Digital Personal Data Protection (DPDP) Act, 2023 Services\">Digital Personal Data Protection (DPDP) Act, 2023 Services<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-23\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#Value_Proposition\" title=\" Value Proposition: \"> Value Proposition: <\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-24\" href=\"https:\/\/carajput.com\/blog\/dpdp-act-2023-compliance-guide-requirements-penalties\/#What_Rajput_Jain_and_Associates_offer\" title=\"What Rajput Jain and Associates offer\u00a0\">What Rajput Jain and Associates offer\u00a0<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-32399\" src=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0001.jpg\" alt=\"Digital Personal Data Protection (DPDP) Act 1\" width=\"1300\" height=\"1813\" srcset=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0001.jpg 1300w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0001-215x300.jpg 215w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0001-734x1024.jpg 734w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0001-768x1071.jpg 768w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0001-1101x1536.jpg 1101w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0001-800x1116.jpg 800w\" sizes=\"(max-width: 1300px) 100vw, 1300px\" \/><\/h2>\n<h2><span class=\"ez-toc-section\" id=\"Digital_Personal_Data_Protection_DPDP_Act_2023_Complete_Compliance_Guide_Requirements_Penalties_Implementation_Framework\"><\/span><span style=\"color: #000080;\">Digital Personal Data Protection (DPDP) Act, 2023: Complete Compliance Guide, Requirements, Penalties &amp; Implementation Framework<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Digital Personal Data Protection (DPDP) Act, 2023, regulates how organizations collect, use, share, store, and delete digital personal data of individuals (Data Principals). It applies to almost every business, startup, NGO, professional firm, e-commerce platform, employer, and service provider processing personal data in digital form.<\/p>\n<p>The Digital Personal Data Protection (DPDP) Act, 2023 requires organizations to collect only necessary personal data, obtain valid consent, secure the data, respect user rights, promptly report breaches, and delete data when no longer needed, while maintaining strong governance and accountability across the organization<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Applicability_of_the_Digital_Personal_Data_Protection_DPDP_Act\"><\/span><span style=\"color: #000080;\"><strong> Applicability of the Digital Personal Data Protection (DPDP) Act, <\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The Act applies to personal data collected in digital form, personal data collected offline and later digitized, and processing of personal data within India. And processing outside India if goods or services are offered to individuals in India. The Act applies to<\/p>\n<ul>\n<li>Data Fiduciaries: Organizations deciding the purpose and means of processing personal data.<\/li>\n<li>The Data Processors: Third parties processing data on behalf of fiduciaries, such as Cloud providers, Outsourced service providers and Technology vendors<\/li>\n<li>Significant Data Fiduciaries: Entities notified by the government due to scale or sensitivity of data handled. These may need Data Protection Officer (DPO), periodic audits, and Data Protection Impact Assessments (DPIA).<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Exclusions_in_Digital_Personal_Data_Protection_DPDP_Act\"><\/span><span style=\"color: #000080;\"><strong>Exclusions in Digital Personal Data Protection (DPDP) Act,\u00a0<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Digital Personal Data Protection (DPDP) Act, 2023 does not apply to personal or domestic activities, publicly available personal data, certain government functions, and approved research, archiving, and statistical purposes.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Why_the_DPDP_Act_Matters\"><\/span><span style=\"color: #000080;\"><strong>Why the DPDP Act Matters<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Digital Personal Data Protection (DPDP) Act, 2023 aims to help businesses become compliant with the Digital Personal Data Protection (DPDP) Act, 2023 before enforcement actions begin. Key points mentioned in the proposal:<\/p>\n<table style=\"height: 340px;\" width=\"829\">\n<tbody>\n<tr>\n<td><strong>Item<\/strong><\/td>\n<td><strong>Details<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Compliance Window<\/td>\n<td>18 months<\/td>\n<\/tr>\n<tr>\n<td>Enforcement Date<\/td>\n<td>13 May 2027<\/td>\n<\/tr>\n<tr>\n<td>Maximum Penalty<\/td>\n<td>INR 250 Crore<\/td>\n<\/tr>\n<tr>\n<td>Coverage<\/td>\n<td>Almost all organizations processing digital personal data of Indian individuals<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The proposal emphasizes that the Data Protection Board of India has been constituted, and enforcement is expected to begin from 13 May 2027.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_the_DPDP_Act_Requires\"><\/span><span style=\"color: #000080;\"><strong>What the DPDP Act Requires<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-32400\" src=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0002.jpg\" alt=\"Digital Personal Data Protection (DPDP) Act 2\" width=\"1300\" height=\"1813\" srcset=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0002.jpg 1300w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0002-215x300.jpg 215w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0002-734x1024.jpg 734w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0002-768x1071.jpg 768w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0002-1101x1536.jpg 1101w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0002-800x1116.jpg 800w\" sizes=\"(max-width: 1300px) 100vw, 1300px\" \/><\/p>\n<p>Businesses must implement Clear and informed consent mechanisms, Privacy notices, Data minimization practices, Security safeguards, Breach notification systems, Grievance redressal processes, Protection for children&#8217;s data and User rights management procedures<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Notice_Requirement\"><\/span><span style=\"color: #000080;\"><strong> Notice Requirement<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Before collecting personal data, every data fiduciary must provide a clear privacy notice.<\/p>\n<p>The notice must contain:<\/p>\n<ul>\n<li>What data is being collected: Name, Email, Mobile number, Aadhaar details, employment information, financial information, etc.<\/li>\n<li>Why it is being collected: Specific purpose must be stated. Examples: Account creation, Employee onboarding, Service delivery, marketing communication, and Payroll processing<\/li>\n<li>Rights of Data Principal Information regarding Access rights, Correction rights, Erasure rights, Nomination rights and Complaint mechanism<\/li>\n<li>Complaint Process: How users can approach Organization, grievance officer, and Data Protection Board<\/li>\n<\/ul>\n<p>The notice must be clear, simple language, Itemized and available in English and\/or an Eighth Schedule language.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Consent_Requirements\"><\/span><span style=\"color: #000080;\"><strong> Consent Requirements<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Processing is principally based on consent. Consent must be free, specific, informed, unconditional, unambiguous, and Given through clear affirmative action. Following Examples:<\/p>\n<p>\u2714 Tick-box<\/p>\n<p>\u2714 App consent button<\/p>\n<p>\u2714 Digital signature<\/p>\n<p>\u2718 Pre-ticked boxes<\/p>\n<p>\u2718 Implied consent<\/p>\n<p>\u2718 Hidden clauses<\/p>\n<p>Users must be allowed to withdraw consent as easily as they gave it.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Legitimate_Uses_No_Consent_Required\"><\/span><span style=\"color: #000080;\"><strong> Legitimate Uses (No Consent Required) <\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Personal data may be processed without consent in certain situations:<\/p>\n<ul>\n<li>Government Benefits: Subsidies, Licenses, Permits and Approvals<\/li>\n<li>Legal Compliance: Court orders, judgments, and Statutory obligations<\/li>\n<li>Emergencies: Medical emergencies, Disaster response, Public health emergencies and Epidemics<\/li>\n<li>Employment Purposes: Employee attendance, Payroll, Benefits administration, and Prevention of loss or liability to employer<\/li>\n<li>Voluntarily Provided Data: Where the individual voluntarily shares the data for a specific purpose.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Data_Minimization_Principle\"><\/span><span style=\"color: #000080;\"><strong> Data Minimization Principle <\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Collect only data that is necessary. Example: For a newsletter, email is necessary. \u2705<\/p>\n<ul>\n<li>Aadhaar number is unnecessary. \u274c<\/li>\n<\/ul>\n<p>For recruitment: Resume \u2705 and PAN\/Aadhaar only when justified \u2705<\/p>\n<p>Organizations should avoid excessive collection of personal information.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Purpose_Limitation\"><\/span><span style=\"color: #000080;\"><strong> Purpose Limitation<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Data must only be used for the purpose communicated at the time of collection. Example:<\/p>\n<p>If email is collected for Service updates \u2705<\/p>\n<p>Then using it later for: Marketing campaigns \u274c (unless consent exists)<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Security_Safeguards\"><\/span><span style=\"color: #000080;\"><strong> Security Safeguards<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Organizations must implement &#8220;reasonable security safeguards.&#8221; The rules specifically mention the following:<\/p>\n<ul>\n<li>Technical Controls: Encryption, Data masking, Obfuscation, Access controls, User authentication, activity monitoring, and Log management<\/li>\n<li>Operational Controls: Incident response process, Backup systems, disaster recovery, and Business continuity planning<\/li>\n<li>Monitoring: Security reviews, continuous monitoring, retention of logs for at least one year, and failure may attract a penalty of up to INR 250 crore.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Personal_Data_Breach_Reporting\"><\/span><span style=\"color: #000080;\"><strong> Personal Data Breach Reporting <\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>When a breach occurs:<\/p>\n<ul>\n<li>Immediately Notify: Affected individuals and Data Protection Board<\/li>\n<li>Within 72 Hours: Submit a detailed report to the Board covering the nature of breach, Cause of breach, Data affected, mitigation actions, and Corrective measures<\/li>\n<\/ul>\n<p>Failure can attract a penalty of up to INR 200 crore.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Data_Principal_Rights\"><\/span><span style=\"color: #000080;\"><strong> Data Principal Rights<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Individuals receive the following rights.<\/p>\n<ul>\n<li>Right to Access: Can ask, &#8220;What data is held?&#8221; , Why is it being processed?, With whom is it shared?<\/li>\n<li>The Right to Correction: Can request correction of Name, Address, contact details, and Other inaccurate information<\/li>\n<li>Right to Erasure: Can request deletion where retention is no longer required.<\/li>\n<li>The Right to Grievance Redressal: Can complain about misuse or denial of rights.<\/li>\n<li>Right to Nominate: Can nominate another person to exercise rights upon death or incapacity.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Grievance_Redressal_Mechanism\"><\/span><span style=\"color: #000080;\"><strong> Grievance Redressal Mechanism<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Every data fiduciary must publish grievance contact details, create a complaint-handling process, provide online channels, and resolve grievances within 90 days.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Childrens_Data_Requirements\"><\/span><span style=\"color: #000080;\"><strong> Children&#8217;s Data Requirements<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A child means a person below 18 years old. Before processing a child&#8217;s data:<\/p>\n<ul>\n<li>Mandatory: Obtain verifiable parental consent, verify age of child, and verify identity of parent\/guardian.<\/li>\n<li>Prohibited: Behavioural monitoring, Tracking, profiling, and Targeted advertising directed at children<\/li>\n<\/ul>\n<p>Penalties may reach INR 200 crore.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Persons_with_Disabilities\"><\/span><span style=\"color: #000080;\"><strong> Persons with Disabilities<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>Where a lawful guardian exists: The organization must verify guardian identity, verify guardianship appointment, and obtain verifiable consent from the guardian.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Data_Retention_Deletion\"><\/span><span style=\"color: #000080;\"><strong> Data Retention &amp; Deletion<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>Organizations should not keep personal data forever. The following are requirements like defining a retention period, erasing data once the purpose is fulfilled, and retaining transaction logs for at least one year. And inform individuals 48 hours before deletion where applicable.<\/li>\n<li>Certain large e-commerce entities, social media platforms, and online gaming platforms must delete data after specified retention periods.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Cross-Border_Data_Transfer\"><\/span><span style=\"color: #000080;\"><strong> Cross-Border Data Transfer<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The Digital Personal Data Protection (DPDP) Act, 2023, permits the transfer of personal data outside India. However, one must comply with restrictions notified by the central government and destination countries, and conditions may be prescribed in the future.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Significant_Data_Fiduciaries\"><\/span><span style=\"color: #000080;\"><strong> Significant Data Fiduciaries <\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The government may classify certain organizations as SDFs based on volume of data, sensitivity of data, risk to individuals, and impact on sovereignty and public interest. Additional obligations include:<\/p>\n<ul>\n<li>Annual DPIA: Data Protection Impact Assessment<\/li>\n<li>Required Annual Audit: Independent compliance audit<\/li>\n<li>Risk Assessments: Review algorithmic and automated processing systems<\/li>\n<li>Reporting to the Board: Submit important observations and findings.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-32401\" src=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0003.jpg\" alt=\"Digital Personal Data Protection (DPDP) Act 3\" width=\"1300\" height=\"1813\" srcset=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0003.jpg 1300w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0003-215x300.jpg 215w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0003-734x1024.jpg 734w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0003-768x1071.jpg 768w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0003-1101x1536.jpg 1101w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0003-800x1116.jpg 800w\" sizes=\"(max-width: 1300px) 100vw, 1300px\" \/><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-32402\" src=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0004.jpg\" alt=\"Digital Personal Data Protection (DPDP) Act 4\" width=\"1300\" height=\"1813\" srcset=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0004.jpg 1300w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0004-215x300.jpg 215w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0004-734x1024.jpg 734w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0004-768x1071.jpg 768w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0004-1101x1536.jpg 1101w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0004-800x1116.jpg 800w\" sizes=\"(max-width: 1300px) 100vw, 1300px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Major_Penalties%E2%80%94Penalties_Highlighted\"><\/span><span style=\"color: #000080;\"><strong>Major Penalties\u2014Penalties Highlighted<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<table style=\"height: 542px;\" width=\"835\">\n<tbody>\n<tr>\n<td><strong>Violation<\/strong><\/td>\n<td><strong>Maximum Penalty<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Security safeguards failure\u2014Failure to implement security safeguards<\/td>\n<td>INR 250 Crore<\/td>\n<\/tr>\n<tr>\n<td>Data breach notification failure- Failure to report breaches or violations involving children<\/td>\n<td>INR 200 Crore<\/td>\n<\/tr>\n<tr>\n<td>Children&#8217;s data violation<\/td>\n<td>INR 200 Crore<\/td>\n<\/tr>\n<tr>\n<td>SDF obligations violation<\/td>\n<td>INR 150 Crore<\/td>\n<\/tr>\n<tr>\n<td>Other Act violations<\/td>\n<td>Up to INR 50 Crore<\/td>\n<\/tr>\n<tr>\n<td>Data Principal duty violation<\/td>\n<td>INR 10,000<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>\u00a0<\/strong>The proposal also stresses reputational damage and business disruption risks beyond monetary penalties.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Digital_Personal_Data_Protection_Act_2023_Practical_Compliance_Checklist_for_Businesses\"><\/span><span style=\"color: #000080;\"><strong>Digital Personal Data Protection Act \u00a02023: Practical Compliance Checklist for Businesses<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>A business should immediately do the following:<\/p>\n<ul>\n<li>Conduct Data Mapping.<\/li>\n<li>Prepare Record of Processing Activities (RoPA).<\/li>\n<li>Update Privacy Policy.<\/li>\n<li>Implement Consent Management.<\/li>\n<li>Update Website\/App Notices.<\/li>\n<li>Appoint Grievance Officer.<\/li>\n<li>Create Breach Response Plan.<\/li>\n<li>Review Vendor Agreements.<\/li>\n<li>Implement Encryption &amp; Access Controls.<\/li>\n<li>Define Retention and Deletion Policy.<\/li>\n<li>Train Employees.<\/li>\n<li>Conduct DPDP Gap Assessment.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Digital_Personal_Data_Protection_DPDP_Act_2023_Services\"><\/span><span style=\"color: #000080;\"><strong>Digital Personal Data Protection (DPDP) Act, 2023 Services<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-32403\" src=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0005.jpg\" alt=\"Digital Personal Data Protection (DPDP) Act 5\" width=\"1300\" height=\"1813\" srcset=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0005.jpg 1300w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0005-215x300.jpg 215w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0005-734x1024.jpg 734w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0005-768x1071.jpg 768w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0005-1101x1536.jpg 1101w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0005-800x1116.jpg 800w\" sizes=\"(max-width: 1300px) 100vw, 1300px\" \/><\/p>\n<ul>\n<li>Phase 1 \u2013 Gap Assessment &amp; Data Mapping includes Review current data practices, identify compliance gaps and Prepare data inventories and flow maps<\/li>\n<li>Phase 2 \u2013 Policy &amp; Documentation includes Privacy Policies, consent notices, and Internal Compliance Frameworks<\/li>\n<li>Phase 3 \u2013 Implementation includes Consent management systems, Rights handling processes and Vendor agreement updates<\/li>\n<li>Phase 4 \u2013 Ongoing Compliance includes DPO-as-a-Service, Advisory support, employee training, and Breach-response readiness programs<\/li>\n<\/ul>\n<p>Digital Personal Data Protection (DPDP) Act, 2023 Compliance Methodology: The compliance methodology\/approach consists of four stages:<\/p>\n<ul>\n<li>Assess: Review current systems, policies, and data practices.<\/li>\n<li>Design: Create required policies, consent workflows, and procedures.<\/li>\n<li>Implement: Deploy controls across departments and vendors.<\/li>\n<li>Sustain: Provide ongoing compliance monitoring and training.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Value_Proposition\"><\/span><span style=\"color: #000080;\"><strong> Value Proposition: <\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Digital Personal Data Protection (DPDP) Act, 2023 consultants claim to provide Practical implementation support rather than just legal advice, End-to-end compliance assistance, Customized solutions based on industry and organizational size, Ongoing advisory support after implementation.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-32404\" src=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0006.jpg\" alt=\"Digital Personal Data Protection (DPDP) Act 6\" width=\"1300\" height=\"1813\" srcset=\"https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0006.jpg 1300w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0006-215x300.jpg 215w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0006-734x1024.jpg 734w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0006-768x1071.jpg 768w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0006-1101x1536.jpg 1101w, https:\/\/carajput.com\/blog\/wp-content\/uploads\/2026\/07\/ey-india-dpdp-act-2023-and-rules-2025-pov_page-0006-800x1116.jpg 800w\" sizes=\"(max-width: 1300px) 100vw, 1300px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"What_Rajput_Jain_and_Associates_offer\"><\/span><span style=\"color: #000080;\"><strong>What Rajput Jain and Associates offer\u00a0<\/strong><\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The Digital Personal Data Protection (DPDP) Act 2023 positions itself as an end-to-end consulting partner for data privacy compliance.<\/p>\n<p>It provides financial, legal, and compliance consulting services; focuses on practical and actionable business solutions; works with professional experts across India; and helps organizations implement compliance without disrupting operations.<\/p>\n<p>DPDP Act compliance and advisory services to help organizations prepare for India&#8217;s Digital Personal Data Protection (DPDP) Act, 2023. DPDP Act compliance and advisory services to help organizations prepare for India&#8217;s Digital Personal Data Protection (DPDP) Act, 2023.<\/p>\n<p>As a proposal, it is well-structured and useful as a marketing\/introduction document, but it currently lacks:<\/p>\n<ul>\n<li>Detailed scope of work<\/li>\n<li>Deliverables for each phase<\/li>\n<li>Project timelines<\/li>\n<li>Resource allocation<\/li>\n<li>Commercials\/fees<\/li>\n<li>Service Level Agreements (SLAs)<\/li>\n<li>Responsibilities of client vs consultant<\/li>\n<\/ul>\n<p>For conversion into a formal engagement proposal, It is recommended to add a detailed compliance roadmap, department-wise action plan (HR, IT, Marketing, Legal, Operations), deliverable matrix, implementation timeline, professional fee structure, risk assessment methodology, and sample DPDP compliance checklist.<\/p>\n<p>Overall, it serves as a good business development and client acquisition proposal, but would need a more detailed technical and commercial section before execution<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Digital Personal Data Protection (DPDP) Act, 2023: Complete Compliance Guide, Requirements, Penalties &amp; Implementation Framework The Digital Personal Data Protection (DPDP) Act, 2023, regulates how organizations collect, use, share, store, and delete digital personal data of individuals (Data Principals). It applies to almost every business, startup, NGO, professional firm, e-commerce platform, employer, and service provider &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[258],"tags":[10501],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/posts\/32398"}],"collection":[{"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/comments?post=32398"}],"version-history":[{"count":5,"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/posts\/32398\/revisions"}],"predecessor-version":[{"id":32411,"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/posts\/32398\/revisions\/32411"}],"wp:attachment":[{"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/media?parent=32398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/categories?post=32398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/carajput.com\/blog\/wp-json\/wp\/v2\/tags?post=32398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}