Five questions. If you answer yes to any one of them, DPDPA applies to your organisation.
If you answered yes to even one question — and almost every Indian business does — your organisation is in scope for DPDPA. The guide below explains what that means and what you need to do.
DPDP Guide
India’s Digital Personal Data Protection Act, 2023 sets rules for how organisations handle digital personal data. This page is a short map of the ideas your product, ops, and legal teams use in the same conversation — not a substitute for professional advice.
If your organisation decides why and how personal data is processed — and that processing happens digitally — you are usually in scope. There are statutory exceptions and nuances; your counsel confirms fit for your case.
Almost every workflow boils down to the relationship between the person and the organisation that controls their data.
You owe that person clarity, lawful handling, and a way to exercise their rights.
Teams move faster when they group work into four buckets (same framing as elsewhere on this site):
Before or at collection, people should understand what you collect, why, how long you keep it, and how they can exercise rights. Notices should be easy to find — not buried in links nobody opens.
When consent is your lawful basis, it must be free, specific, informed, unconditional, and given with a clear affirmative action — pre-ticked boxes do not count. People must be able to withdraw as easily as they gave consent, where the law expects it.
Some processing rests on other grounds (for example certain legitimate uses defined in law). Your counsel maps which basis applies to which activity.
The Act recognises several rights in principle — such as access, correction, erasure, grievance redressal, and nomination — with details and limits in the statute and rules. Operationally: define who handles requests, how fast you respond, and how you prove what you did.
A minimal discipline loop for any rights channel.
You are expected to take reasonable security safeguards. If a breach hurts individuals, the law contemplates notification to the Data Protection Board of India and, in some situations, to affected people — timelines and content follow regulatory rules. Have a playbook before you need it.
The Act allows for significant penalties for serious failures (including up to ₹250 crore per incident in the statute’s upper range for certain violations). Boards and regulators care whether you can show process and records, not only policy PDFs.
Industry talk often cites May 2027 as a milestone for fuller compliance readiness — verify what applies to your sector; this page does not set your legal deadline.
Disclaimer: Privigo is not a law firm. This guide summarises common talking points only. For obligations, contracts, and regulator engagement, work with qualified Indian legal counsel.
DPDPA compliance has two layers. The public-facing layer — what your website and app collect — can be fixed in 7 days. The full-organisation layer — employees, third-party processors, internal systems — follows on your timeline.
Your Gap Analysis report maps your gaps. A consultant call scopes the right tier and price for your organisation.
