DPDP Compliance Checker | Is Your Business Ready for India’s Data Protection Law?


Answer 24 questions across 6 key areas. Get an instant compliance score, identify your data-law gaps, and receive a personalised action plan — free.


This assessment is for informational purposes only and does not constitute legal advice. Please connect with a data protection attorney.

India’s Digital Personal Data Protection (DPDP) Act, 2023 is now law. Whether you run a startup, an e-commerce platform, or an enterprise, your organisation processes personal data, and that means compliance is no longer optional. Use our free DPDP Compliance Checker to instantly assess where you stand and what steps you need to take next.

What Is the DPDP Act, 2023?

The Digital Personal Data Protection Act, 2023 is India’s landmark data privacy legislation, signed into law on 11 August 2023. It governs how organisations, called Data Fiduciaries, collect, store, process, and transfer the personal data of Indian citizens.

The Act is modelled on global frameworks like the GDPR but tailored for the Indian context. It introduces enforceable rights for individuals (called Data Principals) and sets out strict obligations for businesses, with penalties reaching up to ₹250 crore per violation.

What Upcoming Compliances Must Businesses Prepare For?

The Indian government is expected to roll out the DPDP Rules and enforcement timelines in a phased manner. Here is what organisations need to anticipate:

Appointment of a Consent Manager. Businesses that rely on consent as their legal basis for processing data must work with registered Consent Managers through whom individuals can grant, manage, and withdraw consent digitally.

Data Fiduciary Registration. Significant Data Fiduciaries, organisations processing large volumes of sensitive personal data or data of children, will be required to register with the Data Protection Board of India once it is constituted.

Data Localisation Requirements. While the Act does not impose blanket data localisation, the government retains the power to restrict cross-border data transfers to certain countries. Businesses must build systems to comply with transfer restrictions as and when notified.

Children’s Data Protections. Any organisation processing data of individuals below 18 years must obtain verifiable parental consent. Targeted advertising directed at children is explicitly prohibited.

Grievance Redressal Mechanism. Every Data Fiduciary must establish a clear grievance redressal system and appoint a contact point for Data Principals to raise requests — including the right to access, correct, and erase their data.

Data Breach Notification. In the event of a personal data breach, organisations must notify the Data Protection Board of India within a prescribed timeframe. The exact timelines are expected to be specified in the Rules.

Significant Data Fiduciary Obligations. Entities designated as Significant Data Fiduciaries will face additional requirements including periodic Data Protection Impact Assessments, audits by independent Data Auditors, and appointment of a Data Protection Officer based in India.

Who Does the DPDP Act Apply To?

The Act applies to any entity that processes the personal data of individuals who are in India, regardless of where the organisation itself is located. This means:

Indian startups and enterprises handling customer, employee, or partner data fall squarely within its scope.

Foreign companies offering goods or services to users in India are also covered.

Organisations that process data on behalf of others (Data Processors) share certain compliance responsibilities as well.

If you collect a name, phone number, email address, location, or any identifier that can be linked back to a person, the DPDP Act applies to you.

Why Act Now?

The Rules under the DPDP Act are expected to be finalised soon, and the Data Protection Board of India will be set up shortly after. Once enforcement begins, penalties for non-compliance can be severe: up to ₹250 crore for failure to implement adequate security safeguards and up to ₹200 crore for violating children’s data protection norms.

Early compliance is not just about avoiding penalties. It builds trust with customers, reduces the risk of data breaches, and positions your organisation as a responsible data custodian in an increasingly privacy-conscious market.


How My Legal Pal Can Help You Achieve DPDP Compliance

At My Legal Pal, we specialise in making complex legal compliance accessible to businesses of every size. Our team of privacy lawyers and compliance experts can help you:

Draft and implement a compliant Privacy Policy and Cookie Policy tailored to the DPDP Act.

Map your data flows and identify processing activities that require a legal basis.

Design and deploy a Consent Management mechanism.

Create Data Principal Rights fulfilment workflows covering access, correction, erasure, and grievance requests.

Prepare your organisation for a Data Protection Impact Assessment.

Draft Data Processing Agreements with vendors and partners.

Train your teams on DPDP obligations and best practices.

Whether you are just beginning your compliance journey or looking to close specific gaps, MyLegalPal offers practical, cost-effective legal support — without the jargon.

Get expert DPDP compliance help today. Visit mylegalpal.com or book a free consultation with our privacy law team.


Frequently Asked Questions About DPDP Compliance

What is the DPDP Act and when does it apply?
The Digital Personal Data Protection Act, 2023 is India’s primary data privacy law. It applies to any organisation that processes the personal data of individuals located in India, whether the organisation is based in India or abroad. The enforcement date will be confirmed once the Rules are notified by the government.

What is a Data Fiduciary under the DPDP Act?
A Data Fiduciary is any person or organisation that determines the purpose and means of processing personal data. If your business decides why and how personal data is collected and used, you are a Data Fiduciary and must comply with the obligations under the Act.

What rights do individuals have under the DPDP Act?
Individuals, referred to as Data Principals, have the right to access information about their data, correct inaccurate data, erase data that is no longer necessary, nominate a representative in the event of incapacity or death, and seek grievance redressal.

What are the penalties for non-compliance?
Penalties under the DPDP Act can reach up to ₹250 crore per instance of non-compliance. The severity depends on the nature of the violation, the type of data involved, and whether the organisation took reasonable steps to prevent the breach.

Is a Privacy Policy enough to be DPDP compliant?
No. A Privacy Policy is a necessary starting point, but DPDP compliance requires much more, including a valid legal basis for processing, a consent mechanism, Data Principal rights workflows, vendor agreements, breach notification procedures, and staff training, among other things.

What is a Significant Data Fiduciary?
A Significant Data Fiduciary is an entity that the government designates based on factors like the volume and sensitivity of data processed, potential risk to national security or public order, or impact on children’s rights. Significant Data Fiduciaries face stricter obligations including audits, Data Protection Impact Assessments, and a resident Data Protection Officer.

How do I know if the DPDP Act applies to my startup?
If your startup collects any personal information from users in India, such as a name, phone number, email, or device identifier, the Act applies to you. Use our DPDP Compliance Checker above to get a quick assessment, or speak to a My Legal Pal expert for a detailed review.

Can My Legal Pal help me become DPDP compliant?
Yes. My Legal Pal offers end-to-end DPDP compliance services for startups, SMEs, and enterprises. From policy drafting to consent management and employee training, our legal team will guide you through every step of the compliance process. Visit mylegalpal.com to get started.


Last updated: March 2026. This page is for informational purposes only and does not constitute legal advice. For advice specific to your organisation, please consult a qualified legal professional or contact the MyLegalPal team.
