DPDPA: An Introduction
India’s Digital Personal Data Protection Act, 2023
From Principles to Practice — Introduction to DPDPA Across Industries
Data, Data Protection, and Why You Should Care
Let us begin with a truth so obvious that it hides in plain sight: you generate data every single day. When you order biryani through Swiggy at 11 PM (no judgment), when you book a cab to the airport, when you tag your college friend in a photo from 2009 that should probably have stayed buried — all of that is data. More specifically, it is personal data, because it can be linked back to you.
Data, in its simplest form, is information. Your name is data. Your phone number is data. Your Aadhaar number, your purchase history on Amazon, the route Google Maps recorded when you drove to your in-laws’ house last Diwali — all data. And when this information can identify you as a specific, living, breathing human being, it becomes personal data.
💡 Think of personal data as your digital fingerprint. It is not just one piece of information — it is the constellation of details that, put together, paint a portrait of who you are, what you do, and sometimes what you secretly wish you hadn’t done.
Why Does Data Protection Matter?
Here is where things get interesting — and a little alarming. Every time you hand over your personal data to an organization, you are placing trust in them. You trust that the e-commerce site will not sell your address to a random marketing firm. You trust that your fitness app will not share your health metrics with your insurance company. You trust that your child’s school will not let their records float around unsecured servers.
But trust, as the saying goes, is earned. And for decades, organizations in India operated in a regulatory environment where the consequences of betraying that trust were, to put it politely, underwhelming. The old IT Act provisions were like putting a padlock on a door that had no walls around it.
Data protection matters because the consequences of getting it wrong are real and painful. Identity theft, financial fraud, reputational damage, targeted manipulation, discrimination based on health records — these are not hypothetical scenarios. They happen every day, to real people, in real industries.
🔶 Real-World Wake-Up Call: In 2023, personal data of millions of Indian citizens — including Aadhaar details, phone numbers, and addresses — was found being sold on Telegram channels. The data reportedly came from multiple sources including telecom operators, delivery platforms, and government databases. This was not a Hollywood movie plot. This was Tuesday.
The Global Wave of Data Protection Laws
India did not wake up to data protection in a vacuum. The European Union led the charge with the General Data Protection Regulation (GDPR) in 2018, which became the gold standard for data privacy legislation worldwide. Countries from Brazil (LGPD) to Thailand (PDPA) to South Africa (POPIA) followed suit, each crafting their own frameworks to protect citizens’ digital lives.
The message was clear: in the 21st century, personal data is not just an asset — it is a right. And like all rights, it needs legal protection. India, home to over 850 million internet users and one of the world’s most rapidly digitizing economies, could not afford to sit on the sidelines.
Enter the DPDPA: India’s Data Protection Law
The Digital Personal Data Protection Act, 2023 — or DPDPA, because Indian legislation loves a good acronym — is India’s first comprehensive data protection law. It received Presidential assent on 11 August 2023 and represents the culmination of a journey that began in 2017, when the Supreme Court of India declared privacy a fundamental right in the landmark Justice K.S. Puttaswamy judgment.
The DPDPA did not appear overnight. It went through multiple avatars — the Srikrishna Committee draft in 2018, the Personal Data Protection Bill of 2019 (which was referred to a Joint Parliamentary Committee), its withdrawal in 2022, the revised draft released for public consultation in November 2022, and finally the 2023 Act. If data protection legislation were a Bollywood franchise, this would be its fifth sequel, and arguably the only one worth watching.
Why Did India Need a New Law?
The existing framework under the Information Technology Act, 2000 and its 2011 Rules was woefully inadequate for the digital age. Those rules were designed for an era when “going online” meant checking email on a desktop computer. They did not anticipate a world where a single ride-hailing app would know your home address, office location, favorite restaurant, and the fact that you visit your therapist every Thursday at 4 PM.
India needed a law that was purpose-built for the digital economy. One that recognized the rights of individuals over their personal data, imposed meaningful obligations on organizations that collect and process that data, and backed it all up with penalties severe enough to make a CFO lose sleep.
🔶 The Gap in the Old Regime: Under the old IT Act rules, a matrimonial website that leaked its users’ religious preferences, caste details, and salary information faced penalties that were, frankly, laughable. A dating app that shared intimate preferences with advertisers had little to fear. The DPDPA changed this calculus entirely, with penalties going up to ₹250 crore per violation.
Key Features That Set DPDPA Apart
The DPDPA is refreshingly readable as far as Indian legislation goes. At just 44 sections across 9 chapters, it is lean, principle-based, and avoids the trap of over-specification that plagued earlier drafts. It makes consent the default basis for processing personal data, creates the category of “Significant Data Fiduciaries” for large-scale or high-risk data processors, sets up a Data Protection Board as the enforcement authority, and, importantly, reaches beyond India’s borders: Section 3 applies it to processing outside India when that processing is connected with offering goods or services to Data Principals within India, wherever the organisation is headquartered.
Unlike the GDPR, the DPDPA does not distinguish between “regular” and “sensitive” personal data. All personal data receives the same level of protection. This simplification is deliberate: it avoids the classification headaches that organizations in Europe still struggle with, while ensuring that no category of data falls through the cracks. Two scope limits are worth noting alongside this. The Act covers only digital personal data, meaning data collected in digital form or collected on paper and digitised afterwards (Section 3); a paper register that is never scanned sits outside it. And although every category gets the same legal protection, what counts as a “reasonable” security safeguard scales with the data: health records and Aadhaar numbers warrant more than a newsletter list.
The Architecture of DPDPA: Chapters at a Glance
The DPDPA is structured into nine chapters, each addressing a distinct pillar of the data protection framework. Think of these chapters as the rooms of a well-designed house — each serves a specific purpose, and together they create a structure that is both functional and comprehensive.
| Chapter | Title | What It Covers |
|---|---|---|
| 1 | Preliminary | Definitions, scope, applicability, and extraterritorial reach |
| 2 | Obligations of Data Fiduciary | Consent, notice, legitimate uses, purpose limitation, data security, breach notification, erasure, children’s data, and Significant Data Fiduciaries |
| 3 | Rights & Duties of Data Principal | Right to access, correction, erasure, grievance redressal, nomination, and duties of individuals |
| 4 | Special Provisions | Cross-border transfers and exemptions |
| 5 | Data Protection Board | Establishment, composition, and independence of the Board |
| 6 | Powers & Procedures of the Board | Inquiry, investigation, direction-issuing powers |
| 7 | Appeal & Dispute Resolution | Appeals to the TDSAT and alternate dispute resolution |
| 8 | Penalties & Adjudication | Penalty framework, factors for determination, up to ₹250 crore |
| 9 | Miscellaneous | Government powers, rule-making, consistency with other laws |
For the purposes of this blog, we will group these into five thematic clusters and dive deep into each.
DPDPA Deep Dive: Every Rule, Unpacked
Consent and Notice (Sections 4–6)
Consent is the backbone of the DPDPA. Before any organization processes your personal data, they must obtain your free, specific, informed, unconditional, and unambiguous consent. That is not a wishlist — those are legal requirements. Gone are the days when a 47-page terms-and-conditions document in 6-point font could pass as “informed consent.”
The Act requires Data Fiduciaries to issue a clear notice when seeking consent, and, for consent collected before the Act came into force, as soon as reasonably practicable afterwards (Section 5). The notice must describe what personal data is being collected and why, how the individual can exercise their rights and withdraw consent, and how to complain to the Data Protection Board. It must be in clear and plain language, and the Data Principal must be given the option to read it (and the consent request itself) in English or any of the 22 languages in the Eighth Schedule of the Constitution. Yes, your privacy notice might need to work in Bodo and Dogri too.
Consent can also be managed through registered Consent Managers, an idea with few international parallels and visibly inspired by the Account Aggregator framework in financial services. These are intermediaries registered with the Data Protection Board that let individuals give, manage, review and withdraw consent across multiple Data Fiduciaries from a single platform. A Consent Manager acts on behalf of the Data Principal and is accountable to them, not to the fiduciaries it connects to.
🔶 Example: Online Grocery Delivery Imagine you sign up for a grocery delivery app like BigBasket or Blinkit. Under the DPDPA, the app must tell you clearly: “We are collecting your name, address, phone number, and payment details to deliver groceries to your door.” They cannot then quietly use your purchase history to build a health profile and sell it to a wellness brand. If they want to do that, they need separate, explicit consent. No more sneaky bundled consent clauses hidden in paragraph 83 of the terms of service.
🔶 Example: Fitness Wearable Companies A company manufacturing smart watches or fitness bands collects your heart rate, sleep patterns, step counts, and GPS data. Under DPDPA, they must obtain specific consent for each use case. Collecting heart rate data to show you your fitness dashboard? Fine, with consent. Sharing that same data with an insurance company to adjust your premium? That requires separate consent, clearly explained. And no, a pre-ticked checkbox does not count.
🔶 Example: Event Ticketing Platforms When you buy tickets on BookMyShow or Insider, the platform collects your name, email, phone number, and payment details. Under DPDPA, they can use this data to process your booking and send you your tickets. But using your event history to create a detailed psychographic profile and selling it to a political campaign — that is a separate processing purpose requiring fresh consent. The days of “by purchasing this ticket, you agree to everything we will ever do with your data” are over.
Legitimate Uses Without Consent
Not all data processing requires explicit consent. Section 7 of the DPDPA carves out “legitimate uses” where processing is permissible without consent. These include situations where the Data Principal voluntarily provides data for a specified purpose and has not indicated that she objects (like giving your phone number to a restaurant for a reservation); processing by the State for subsidies, benefits, services, certificates, licences and permits; compliance with a law or a court order; medical emergencies, epidemics and disasters; and employment-related purposes such as protecting the employer from loss or providing a service the employee has asked for. The key word is “legitimate”: this is not a loophole to drive a truck through; it is a narrow, enumerated set of exceptions.
🔶 Example: Agricultural Cooperatives When a farmer registers with a government portal to receive fertilizer subsidies under a PM Kisan-type scheme, the government can process their Aadhaar, bank account, and land records without explicit consent — because this falls under State processing for subsidies and benefits. However, the cooperative society that manages the portal cannot share the farmer’s data with a private pesticide company for targeted marketing without the farmer’s consent.
Purpose Limitation and Data Minimization (Section 8)
Section 6(1) limits consent to the personal data necessary for the specified purpose, and Section 8 places responsibility for complying with the Act squarely on the Data Fiduciary, whatever its contracts with processors say. Read together, they give the purpose limitation rule: Data Fiduciaries may process personal data only for the specific purpose for which consent was obtained. This is the “you said you needed my phone number for delivery updates, so do not use it to send me promotional texts at 7 AM on a Sunday” rule.
Data minimization is the natural companion to purpose limitation. It means collecting only the data you actually need. If you are running a library membership system, you need the member’s name, contact details, and perhaps their reading preferences. You do not need their blood type, their mother’s maiden name, or their opinion on pineapple on pizza (though that last one is admittedly tempting).
🔶 Example: Interior Design Firms An interior design firm collects client data to plan and execute home renovations — room dimensions, style preferences, budget range, and contact details. Under DPDPA, they cannot use this data to sell “premium lifestyle” leads to luxury car dealerships. The data was collected for designing your living room, not for helping someone sell you a Mercedes. Purpose limitation means the data stays in its lane.
🔶 Example: EdTech Platforms An online learning platform like Byju’s or Unacademy collects student data including age, learning progress, quiz scores, and parent contact information. Purpose limitation means this data must be used for educational delivery and progress tracking — not for building predictive models that assess a child’s “future earning potential” and selling that insight to recruitment companies. Sounds dystopian? It has happened elsewhere, and DPDPA ensures it does not happen here.
🔶 Example: Pet Care Services A veterinary clinic or pet-care app that collects your personal details along with your pet’s health records is bound by purpose limitation too. They can use your contact information to send vaccination reminders for your Labrador. They cannot share your data with a pet insurance aggregator or a pet food brand without separate consent. Even Buddy’s data has boundaries.
Data Accuracy and Quality (Section 8(3))
When a Data Fiduciary processes personal data to make a decision that affects the Data Principal, or when the data is likely to be disclosed to another Data Fiduciary, the Act requires that the data be accurate, complete, and consistent. This is not about perfectionism — it is about fairness. Decisions made on the basis of incorrect data can have life-altering consequences.
🔶 Example: Credit Rating Agencies If a credit bureau like CIBIL holds inaccurate records about your repayment history — say, marking a loan as defaulted when you paid it off three years ago — and that record is used by a housing finance company to reject your home loan application, the consequences are severe and deeply personal. Under DPDPA, the credit bureau is obligated to ensure accuracy before disclosing your data to other fiduciaries.
🔶 Example: HR and Background Verification Companies routinely use third-party background verification services to vet new hires. If the verification firm holds outdated or incorrect criminal records, educational qualifications, or employment history, an innocent candidate could lose a job offer. Under DPDPA, both the hiring company and the verification firm must ensure the data is accurate before making decisions. Getting blacklisted because a database confused you with someone who shares your name is not just inconvenient — it is a DPDPA violation.
🔶 Example: Real Estate Platforms Property listing platforms like MagicBricks or 99acres hold data about property owners, including contact details, property valuations, and transaction histories. If a platform displays inaccurate ownership records or wrong contact details, it could lead to fraud or disputed transactions. Accuracy obligations under DPDPA mean these platforms must implement verification mechanisms and correct errors promptly.
Reasonable Security Safeguards (Section 8(5))
This is the big one. Section 8(5) requires every Data Fiduciary to protect the personal data in its possession or under its control, including data handled on its behalf by a Data Processor, by taking “reasonable security safeguards” to prevent personal data breach. The Act deliberately does not prescribe specific technical standards; it uses a “reasonableness” standard that will be read against the nature, scope and sensitivity of the data being processed, and the DPDP Rules add a baseline list of expected measures.
What makes this section particularly significant is that the highest penalty under the DPDPA, up to ₹250 crore, is tied to it. The Schedule attaches the penalty to the failure to take reasonable safeguards rather than to the occurrence of a breach, so an organisation with demonstrably inadequate controls is exposed even before any data leaks. Think of it as getting a traffic fine not for crashing, but for driving without brakes.
🔶 Example: Hotel Chains and Hospitality A luxury hotel chain stores guest data including passport copies, credit card details, room preferences, dietary restrictions (which may reveal religious or health information), and travel itineraries. A data breach at such a hotel could expose high-net-worth individuals to targeted scams or physical security threats. The DPDP Rules spell out the kind of measures the reasonableness standard expects: encryption, obfuscation or masking of personal data, access control, logging and monitoring able to detect unauthorised access, backups to keep processing going, and contractual security obligations on processors. A hotel holding passport scans must implement those, proportionate to the data it holds, along with audits and employee training. The “our IT guy will handle it” approach is no longer an acceptable security strategy.
🔶 Example: Logistics and Supply Chain Companies Companies like Delhivery or Blue Dart collect personal data at every touchpoint: sender details, receiver details, addresses, phone numbers, and sometimes even ID proofs for high-value shipments. A breach in a logistics company’s system could expose millions of addresses and phone numbers. Under the DPDP Rules these companies must retain security logs for at least one year, so that a breach can actually be investigated, and implement safeguards proportionate to the volume and sensitivity of data they process.
🔶 Example: Coworking Spaces Modern coworking spaces like WeWork or Smartworks collect member data including ID proofs, company information, access logs, meeting room booking patterns, and even facial recognition data for entry. This data, if breached, reveals not just personal information but also business intelligence — who meets whom, how often, and where. Security safeguards here must address both physical and digital data protection.
Data Breach Notification (Section 8(6))
When a personal data breach occurs, the Data Fiduciary must intimate the Data Protection Board and every affected Data Principal (Section 8(6)). The Act leaves form and timing to the Rules. The DPDP Rules 2025 require the fiduciary to inform affected Data Principals and the Board without delay on becoming aware of the breach, and to file a detailed report with the Board within 72 hours (the Board can extend this on request). So India does end up with its own 72-hour window, although it attaches to the detailed report rather than to the first intimation. Speed matters either way: failing to notify can itself attract a penalty of up to ₹200 crore.
The notification must describe the nature, extent, timing and location of the breach, the type of personal data affected, the likely consequences for the individual, the measures taken or proposed to mitigate the risk, what the individual can do to protect themselves, and a contact point at the fiduciary. Transparency is the operative word: organizations cannot sweep breaches under the carpet and hope nobody notices.
🔶 Example: Online Gaming Platforms India’s online gaming industry — think Dream11, MPL, or Zupee — processes payment data, identity documents (for KYC in real-money gaming), and behavioral data. A breach at a gaming platform could expose both financial details and gaming behavior patterns, which in some social contexts carry stigma. Under DPDPA, the platform must notify both the Board and affected users promptly, detailing what was compromised and what remedial steps are being taken. “We are investigating the matter” is not a notification — it is a press release.
🔶 Example: Diagnostic Labs and Pathology Chains Diagnostic chains like Dr. Lal PathLabs, Metropolis, or SRL Diagnostics hold some of the most sensitive personal data imaginable — blood test results, genetic markers, HIV status, pregnancy tests. A breach here is not just a privacy violation; it can lead to social ostracism, discrimination, and emotional trauma. The breach notification obligations under DPDPA require these organizations to inform affected patients specifically about what health data was compromised, enabling them to take protective action.
🔶 Example: Recruitment Portals Job portals like Naukri.com or LinkedIn India hold resumes containing everything from educational history and work experience to salary details and personal references. A breach at a recruitment portal means that millions of professionals’ career data, including their current employer details (which they may not want public), is at risk. DPDPA’s notification requirements ensure that affected individuals are told what was exposed so they can take steps to mitigate damage, like alerting their current employer before a headhunter does.
Data Retention and Erasure (Section 8(7))
The DPDPA introduces a clear principle: do not keep what you do not need. Once the purpose for which personal data was collected has been served, and retention is no longer necessary for that purpose or for legal compliance, the Data Fiduciary must erase the data. If the Data Principal withdraws consent, the fiduciary must delete the data and ensure its data processors do the same.
This is a fundamental shift for many Indian organizations that have historically operated on a “collect everything, delete nothing” philosophy. Data was hoarded like it was a scarce resource, even when it had long outlived its usefulness. DPDPA flips this on its head.
🔶 Example: Wedding Planning Platforms Wedding planning platforms like WedMeGood or ShaadiSaga collect extraordinarily detailed personal data — names and contact details of the couple and their families, budgets, vendor preferences, guest lists, dietary requirements, and sometimes even family dynamics (“keep Aunt Sarla’s table far from Uncle Rajan’s”). Once the wedding is done and the services delivered, there is no legitimate reason to retain this data indefinitely. Under DPDPA, retention beyond the purpose is a violation, and the couple can request complete erasure of their data.
🔶 Example: Car Dealerships and Auto Service Centers When you buy a car or get it serviced, dealerships collect your Aadhaar, PAN, address, driving license, and financial details for loan processing. Once the transaction is complete and the legally mandated retention period expires, this data should be erased. A dealership that holds your financial details five years after you bought a car — just to send you promotional offers for the new model — is in violation of DPDPA’s retention principles.
🔶 Example: Travel Agencies A travel agency that organized your Bali trip in 2022 does not need your passport copy, visa details, and hotel preferences in 2026. Under DPDPA, once the service is complete and any legal retention obligations are met, the data must be deleted. The agency cannot keep it in the hope that you might book another trip someday. If they want to market to you, they need fresh consent — not a dusty database from three vacations ago.
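What the consent, purpose-limitation and erasure rules above (Sections 4 to 8 and Section 8(7)) look like once they are enforced in code, as an added example that is not part of the original post and not drawn from any official DPDPA guidance. The store keeps a separate consent entry per purpose instead of one bundled tick-box, gates every read on the purpose it is requested for and logs the outcome, ends processing for a purpose when consent is withdrawn or the purpose is served, erases the record once no purpose remains, lets a legal hold defer erasure without reopening other purposes, and mirrors each erasure to Data Processors. The class and purpose names, the “legal-compliance” legitimate use, the seven-year hold and the two sample records are all assumptions made for the illustration.

```python
"""Purpose-bound consent, withdrawal and retention enforcement for a Data Fiduciary.
Illustrative example added to this post, not code from the page or from any official DPDPA
guidance; class names, purpose strings, the legal-hold length and the sample records are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Purposes processable without consent as a "legitimate use" (Section 7), reduced here to one.
LEGITIMATE_USES = {"legal-compliance"}


@dataclass
class Record:
    principal_id: str
    data: dict
    consents: dict = field(default_factory=dict)   # purpose -> ended_at (None while consent is active)
    legal_hold_until: Optional[datetime] = None    # retention required by another law


class FiduciaryStore:
    """In-memory store that gates every read on purpose and consent and logs the outcome."""

    def __init__(self):
        self._records = {}
        self.audit_log = []            # (when, principal_id, purpose, outcome)
        self.processor_erasures = []   # principal_ids that Data Processors were told to erase

    def collect(self, principal_id, data, purposes, now):
        """Store data with a separate consent entry per specified purpose (no bundled consent)."""
        self._records[principal_id] = Record(principal_id, dict(data), {p: None for p in purposes})

    def process(self, principal_id, purpose, now):
        """Return the data for `purpose`, or raise PermissionError. Every attempt is logged."""
        rec = self._records.get(principal_id)
        consented = rec is not None and purpose in rec.consents and rec.consents[purpose] is None
        allowed = rec is not None and (purpose in LEGITIMATE_USES or consented)
        self.audit_log.append((now, principal_id, purpose, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"no active consent for {purpose!r} on {principal_id}")
        return rec.data

    def end_purpose(self, principal_id, purpose, now, reason, legal_hold=None):
        """Section 8(7)(a): withdrawal or a served purpose ends processing for that purpose;
        erase once no purpose remains, unless a legal hold requires retention."""
        rec = self._records[principal_id]
        rec.consents[purpose] = now
        if legal_hold is not None:
            rec.legal_hold_until = now + legal_hold
        return self._erase_if_due(rec, now, reason)

    def retention_sweep(self, now):
        """Periodic job: erase records whose purposes have all ended and whose legal hold has lapsed."""
        return [rec.principal_id for rec in list(self._records.values())
                if self._erase_if_due(rec, now, "retention-sweep")]

    def _erase_if_due(self, rec, now, reason):
        if any(ended is None for ended in rec.consents.values()):
            return False   # another consented purpose still needs the data
        if rec.legal_hold_until is not None and now < rec.legal_hold_until:
            return False   # kept only for the law requiring it; process() still blocks other purposes
        del self._records[rec.principal_id]
        self.processor_erasures.append(rec.principal_id)   # Section 8(7)(b): processors erase too
        self.audit_log.append((now, rec.principal_id, reason, "erased"))
        return True

    def holds(self, principal_id):
        return principal_id in self._records


def denied(store, principal_id, purpose, now):
    """True if the store refuses to process `purpose` for this principal."""
    try:
        store.process(principal_id, purpose, now)
        return False
    except PermissionError:
        return True


def demo():
    """Lifecycle walk-through on constructed sample data for a grocery-delivery style app."""
    t0, day = datetime(2025, 1, 1, tzinfo=timezone.utc), timedelta(days=1)
    store = FiduciaryStore()
    store.collect("p-1001", {"name": "Asha", "address": "12 MG Road", "phone": "98xxxxxx01"},
                  ["delivery", "marketing"], t0)
    store.collect("p-2002", {"name": "Bala", "phone": "98xxxxxx02"}, ["delivery"], t0)
    out = {"delivery_ok": store.process("p-1001", "delivery", t0)["name"] == "Asha",
           "profiling_blocked": denied(store, "p-1001", "health-profiling", t0)}
    store.end_purpose("p-1001", "marketing", t0 + day, "consent-withdrawn")
    out["kept_for_delivery"] = store.holds("p-1001")     # delivery consent is still active
    out["erased_on_withdrawal"] = store.end_purpose("p-2002", "delivery", t0 + day, "consent-withdrawn")
    # Delivery done; a hypothetical tax rule requires keeping the invoice data for 7 years.
    store.end_purpose("p-1001", "delivery", t0 + 2 * day, "purpose-served", legal_hold=7 * 365 * day)
    out["held_under_law"] = store.holds("p-1001")
    out["delivery_blocked_after_served"] = denied(store, "p-1001", "delivery", t0 + 3 * day)
    out["legal_use_allowed"] = "name" in store.process("p-1001", "legal-compliance", t0 + 3 * day)
    out["sweep_early"] = store.retention_sweep(t0 + 30 * day)
    out["sweep_late"] = store.retention_sweep(t0 + 8 * 365 * day)
    out["processor_erasures"] = list(store.processor_erasures)
    return out
```

The design choice that matters is fail-closed: `process()` raises unless an active consent for that exact purpose exists or the purpose is a listed legitimate use, so “we already have the phone number” is never enough to send a promotional SMS. In a real system the records would live in a database and the audit log would be shipped to a write-once store, which is also what the one-year log-retention expectation in the Rules points at.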
Rights of the Data Principal (Sections 11–14)
The DPDPA empowers individuals — called Data Principals — with a robust set of rights over their personal data. These rights are not aspirational suggestions; they are legally enforceable, and Data Fiduciaries must respond to requests within the timelines specified in the DPDP Rules 2025.
The core rights are the right to access a summary of the personal data being processed, the processing activities, and the identities of the other Data Fiduciaries it has been shared with (Section 11); the right to correction, completion, updating and erasure (Section 12); the right to grievance redressal (Section 13); and the right to nominate someone to exercise these rights in the event of death or incapacity (Section 14). Consent can be withdrawn at any time under Section 6(4), as easily as it was given. If the fiduciary’s internal grievance mechanism fails to resolve the issue, the Data Principal can escalate the complaint to the Data Protection Board; the Act in fact requires that internal route to be exhausted first (Section 13(3)).
🔶 Example: Social Media Platforms When an Instagram or Koo user wants to know what personal data the platform holds about them — including metadata, ad targeting profiles, and behavioral predictions — the platform must provide a clear summary. And when a user deletes their account, they have the right to demand complete erasure, not just deactivation. The “we’ll keep your data for 90 days in case you change your mind” grace period must be clearly disclosed and limited.
🔶 Example: Subscription Box Services Companies like Foxy, Sugar, or even niche subscription services for books, snacks, or pet supplies collect detailed preference data to curate personalized boxes. If a customer unsubscribes and withdraws consent, the company must delete their preference data, purchase history, and payment details. The customer should not continue receiving “we miss you” emails for the next three years after withdrawing consent.
Duties of Data Principals
The DPDPA is not entirely one-sided. Data Principals also have duties under Section 15. They must comply with applicable law, must not impersonate others, must not suppress material information when providing data for an identity document or identifier, must not file false or frivolous grievances, and must furnish only verifiably authentic information when seeking correction or erasure. Breaching these duties can attract a penalty of up to ₹10,000. This is the Act’s way of saying: rights come with responsibilities.
🔶 Example: Insurance Claims If an individual provides false health information to an insurance company to secure a lower premium, and later invokes their DPDPA rights to demand erasure of the “correct” data that the insurer obtained through verification, that’s a misuse of the Act. The DPDPA’s duties provision ensures that Data Principals cannot weaponize privacy rights to perpetuate fraud.
Processing Children’s Data (Section 9)
The DPDPA treats children’s data with the seriousness it deserves. Anyone under 18 is a child (Section 2(f)), and processing their data requires the verifiable consent of a parent or lawful guardian. The Act prohibits any processing likely to cause a detrimental effect on a child’s well-being, and bans tracking, behavioural monitoring and targeted advertising directed at children. Sections 9(4) and 9(5) let the Central Government carve out exemptions for prescribed classes of fiduciary or purposes, and lower the age threshold for fiduciaries that process children’s data in a verifiably safe manner, but the core bar on profiling children stands.
This is a provision with teeth — violations attract penalties of up to ₹200 crore. And it applies across every industry that interacts with minors, not just the obvious ones.
🔶 Example: EdTech and E-Learning Platforms like Vedantu, Toppr, or WhiteHat Jr. are built around children as their primary users. Under DPDPA, these platforms must obtain verifiable parental consent before collecting any data from students. They cannot use a child’s learning behavior to create targeted advertising profiles. And they certainly cannot use AI to predict a child’s academic potential and share that assessment with third parties. The Act draws a bright line around children’s digital safety.
🔶 Example: Children’s Clothing and Toy Brands An online toy store or children’s clothing brand running a loyalty program that collects children’s names, ages, size preferences, and wish lists must obtain parental consent. A birthday reminder feature that collects a child’s date of birth and sends promotional offers is processing children’s data and triggers Section 9 obligations. The cute cartoon mascot on the sign-up form does not substitute for legal compliance.
🔶 Example: Youth Sports Academies Cricket academies, swimming clubs, and football coaching centers increasingly use apps and platforms to track attendance, performance metrics, health data, and even video recordings of young athletes. All of this constitutes children’s personal data under DPDPA. The academy must obtain verifiable parental consent and cannot share a child’s performance data with talent scouts or sports agencies without explicit, separate parental authorization.
Significant Data Fiduciaries (Section 10)
The DPDPA creates a special category called Significant Data Fiduciaries (SDFs) — organizations that process personal data at such a massive scale or sensitivity that they warrant additional regulatory oversight. The Central Government designates SDFs based on factors like the volume and sensitivity of data processed, the risk to individuals, and potential impact on India’s sovereignty and public order.
SDFs face additional obligations including appointing a Data Protection Officer based in India, appointing an independent data auditor, conducting periodic Data Protection Impact Assessments (DPIAs), and ensuring that their algorithmic systems do not pose risks to Data Principals’ rights. Non-compliance carries penalties of up to ₹150 crore.
🔶 Example: Large E-Commerce Marketplaces A platform like Flipkart or Amazon India, processing hundreds of millions of users’ data including purchase history, payment details, addresses, search behavior, and voice data from Alexa, would almost certainly be designated as an SDF. They would need a resident DPO, regular audits by independent auditors, and periodic, documented impact assessments covering the features that process personal data. Launching a “buy now, pay later” feature? Expect it to be assessed in a DPIA before launch.
🔶 Example: Telecom Operators Companies like Jio, Airtel, and Vi process data for hundreds of millions of subscribers — call records, location data, browsing history, payment information, and KYC documents. As likely SDFs, they would need to maintain comprehensive audit trails, conduct impact assessments for new services (like launching an AI assistant that processes voice data), and ensure their data infrastructure meets the highest security standards.
🔶 Example: Digital Payment Platforms Platforms like Paytm, PhonePe, and Google Pay handle financial transactions for hundreds of millions of Indians. They know where you shop, how much you spend, what you buy, and how you split bills with friends. As probable SDFs, they must implement the most rigorous data protection measures and submit to regular audits. The convenience of UPI does not come at the cost of unaudited data processing.
Cross-Border Data Transfer (Section 16)
The DPDPA adopts a “blacklist” approach to cross-border data transfers, meaning personal data can be transferred to any country except those specifically restricted by the Central Government. This is a significant departure from the GDPR’s “whitelist” approach, which requires adequacy decisions or transfer mechanisms for each permitted destination. The Indian approach is pragmatic: it enables the free flow of data while retaining the government’s ability to restrict transfers to nations with inadequate data protection standards. One caveat: Section 16(2) preserves any other Indian law that imposes a stricter localisation or transfer restriction, so sectoral rules (the RBI’s requirement to store payment-system data in India, for instance) continue to apply on top of the DPDPA.
🔶 Example: IT Outsourcing and BPO India’s IT and BPO industry processes vast amounts of personal data for clients worldwide. An Indian BPO handling customer support for a European bank processes EU residents’ data in India. Section 17(1)(d) takes such processing (personal data of persons outside India, handled in India under a contract with a person outside India) out of most of the Act: Chapter II apart from Sections 8(1) and 8(5), Chapter III and Section 16 do not apply. The BPO therefore still owes reasonable security safeguards under Section 8(5), but purpose limitation, breach notification to the Board and Data Principal rights for that data flow from the client contract and the client’s own law (GDPR, in this case), not from the DPDPA. The carve-out exists precisely so that India’s position as a global data processing hub is not undermined.
🔶 Example: Cloud Storage and SaaS Providers An Indian startup using AWS, Azure, or Google Cloud may have data stored on servers located in Singapore, the US, or Europe. Under DPDPA, this is permissible unless the government specifically restricts transfers to those jurisdictions (or a stricter sectoral law applies). However, the cloud provider is a Data Processor and the startup remains the Data Fiduciary: under Section 8(1) and 8(5) it stays responsible for compliance and for ensuring that the provider maintains adequate security, regardless of what the service agreement says. You cannot outsource your DPDPA obligations along with your infrastructure.
Exemptions (Section 17)
No data protection law is absolute, and the DPDPA is no exception. Section 17 provides exemptions from certain provisions in specific contexts. These include processing needed to enforce a legal right or claim; processing by courts and tribunals in their judicial functions; the prevention, detection and investigation of offences; processing in India of foreign individuals’ data under a contract with a person outside India; and, by government notification, processing by State instrumentalities in the interests of sovereignty, security and public order, and processing for research, archiving or statistical purposes where no decision about a specific individual results. Two further carve-outs often lumped in here actually sit in Section 3, the scope clause, rather than Section 17: personal data an individual processes for personal or domestic purposes, and personal data the Data Principal has made publicly available (or that is public under a legal obligation). Section 17(3) additionally lets the government exempt notified classes of Data Fiduciaries, including startups, from some obligations.
These exemptions are not blanket permissions — they are context-specific and must be exercised within the boundaries defined by the Act. The government exemption, in particular, has attracted scrutiny from privacy advocates who worry about its breadth, but the Act includes procedural safeguards including formal notification requirements.
🔶 Example: Academic Research Institutions A university conducting a demographic study on digital literacy across Indian states can process anonymized or pseudonymized personal data without individual consent under the research exemption. However, the moment the research identifies specific individuals — say, publishing that “Rahul Sharma from Jaipur has the lowest digital literacy score in his cohort” — the exemption evaporates and full DPDPA obligations kick in.
🔶 Example: Journalism and Media
A journalist investigating a corporate fraud may process personal data of the individuals involved without their consent, as this serves the public interest. However, DPDPA’s exemptions here must be read alongside other press freedom protections. A gossip magazine using “journalistic purpose” as a shield to publish private health details of a celebrity is unlikely to find the Data Protection Board sympathetic.
The Data Protection Board of India (Chapters 5–7)
The DPDPA establishes the Data Protection Board of India (DPBI) as the primary enforcement body. Unlike a traditional regulator, the Board functions as a quasi-judicial body with powers of a civil court. It can receive and investigate complaints, issue directions, impose penalties, and even initiate inquiries suo motu. The Board’s members serve renewable two-year terms, and the Act includes conflict-of-interest provisions to ensure independence.
The Board’s process is designed to be accessible: proceedings are conducted primarily in digital mode, and affected parties must be given an opportunity to be heard before any penalty is imposed. Appeals against the Board’s decisions go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The Act also provides for alternate dispute resolution mechanisms, encouraging resolution without protracted litigation.
🔶 Example: How a Complaint Flows
Suppose a user of a food delivery app discovers that their dietary preference data (which reveals their religious practices) has been shared with a third-party advertiser without consent. The user must first raise a grievance with the app’s internal grievance mechanism. If unresolved, they escalate to the Data Protection Board. The Board investigates, gives the app an opportunity to respond, and if a violation is established, can impose penalties and direct remedial action. It is a structured, tiered process designed to balance efficiency with fairness.
The Penalty Framework: Where It Really Hurts
The DPDPA’s penalty regime is designed to be a genuine deterrent, not a symbolic slap on the wrist. The Schedule to the Act lays out a tiered penalty structure with maximum amounts for different categories of violations. All penalties are financial — the 2023 Act does not prescribe criminal liability, which is a departure from earlier drafts.
| Violation | Section | Max Penalty |
|---|---|---|
| Failure to implement reasonable security safeguards | Section 8(5) | Up to ₹250 Crore |
| Failure to notify Board & data principals of breach | Section 8(6) | Up to ₹200 Crore |
| Non-compliance with children’s data obligations | Section 9 | Up to ₹200 Crore |
| Breach of Significant Data Fiduciary obligations | Section 10 | Up to ₹150 Crore |
| Breach of any other DPDPA provision | Various | Up to ₹50 Crore |
| Data Principal furnishing false information | — | Up to ₹10,000 |
Several critical aspects of the penalty framework deserve attention. First, penalties are per violation, meaning that multiple breaches in the same incident can result in cumulative fines that exceed the cap for any single violation. Second, the Board considers mitigating and aggravating factors including the nature and gravity of the breach, the type of data affected, whether the breach was repetitive, whether the organization gained commercially from the breach, the timeliness of remedial action, and the proportionality of the penalty. Third, Data Processors cannot be directly penalized — the Data Fiduciary bears responsibility for its processor’s violations. This is a deliberate design choice that puts the accountability squarely on the entity that decided to process the data in the first place.
🔶 Example: The Cascading Penalty Scenario
Consider a large online retailer that suffers a breach exposing 5 million customers’ personal and payment data. Investigation reveals inadequate encryption (security safeguard failure: up to ₹250 crore), delayed notification to the Board and affected users (breach notification failure: up to ₹200 crore), and the discovery that children’s data was collected without parental consent (children’s data violation: up to ₹200 crore). Theoretically, the cumulative penalty exposure could exceed ₹650 crore. Even with mitigating factors, this is the kind of number that gets board-level attention.
Conclusion: The Cost of Ignoring DPDPA
Let us be unambiguous about this: the DPDPA is not optional. It is not a guideline, a best practice, or a suggestion. It is the law of the land, and every organization that processes digital personal data of individuals in India must comply. The compliance deadline of May 2027 may feel far away, but organizations that wait until the last minute will find themselves scrambling to overhaul years of data practices in a matter of months.
The cost of non-compliance is not just financial, though penalties of up to ₹250 crore per violation are certainly attention-grabbing. The real cost is reputational. In a market where consumers are increasingly aware of their data rights, a high-profile DPDPA violation can erode trust faster than any marketing campaign can rebuild it. Ask any global company that has faced a GDPR enforcement action — the fine was painful, but the headline was devastating.
🚨 DPDPA is not just a compliance checkbox. It is a fundamental shift in how India treats personal data. Organizations that embrace it as an opportunity — to build trust, differentiate themselves, and demonstrate respect for their users — will thrive. Those that treat it as a nuisance to be minimized will find themselves on the wrong side of history, and on the wrong side of a ₹250 crore penalty notice.
Here are the non-negotiable truths every organization must internalize:
Privacy is not a department — it is a culture. Data protection cannot be siloed in the legal or IT team. It must permeate every function, from marketing and sales to HR and product development. The DPDPA demands organizational accountability, and that starts at the board level.
Consent is not a formality — it is a contract. Every consent you collect is a promise you make to the Data Principal. Break that promise, and you are not just violating a law — you are betraying trust. In the age of social media, betrayed trust goes viral.
Security is not an expense — it is an investment. The ₹250 crore penalty for inadequate security safeguards should reframe every security budget discussion. The question is no longer “Can we afford to implement encryption and access controls?” It is “Can we afford not to?”
Children’s data is sacred ground. Any organization interacting with minors — whether it is an EdTech platform, a gaming app, a toy store, or a sports academy — must treat children’s data with the highest possible standard of care. The penalties for getting this wrong are among the steepest in the Act, and they should be.
Data protection is industry-agnostic. If this blog has demonstrated one thing, it is that DPDPA does not just apply to banks and hospitals. It applies to wedding planners, pet clinics, coworking spaces, logistics companies, gaming platforms, fitness apps, interior designers, travel agencies, and every other organization that touches personal data. If you collect it, you are accountable for it. Period.
The DPDPA represents India’s moment of digital maturity. It signals to the world that India takes data protection seriously, that its citizens have enforceable rights over their digital lives, and that organizations operating in this market will be held to a global standard of accountability. The smart move is not to fear the DPDPA — it is to embrace it, prepare for it, and let it make you a better, more trustworthy organization.
Because in the end, the organizations that respect people’s data are the ones that earn people’s loyalty. And loyalty, unlike a ₹250 crore penalty notice, is something no organization can afford to lose.