DPDP Glossary

People & Roles

The person whose personal data it is (the individual the data is about). For children, parents/guardians are included for consent-related actions.

The organisation/person that decides why and how personal data will be used (e.g., an app/company deciding purposes of processing).

A vendor/service provider that processes personal data on behalf of a Data Fiduciary (e.g., email/SMS gateway, cloud CRM).

An entity registered with the Board that acts as a single window for a person to give/manage/withdraw consent via an interoperable platform.

A senior responsible person mandated for Significant Data Fiduciaries (acts as a key contact and accountability point).

The authority established to exercise powers and perform functions under the Act.

Data & Processing Basics

Any data about an identifiable person (directly or indirectly).

Personal data in digital form (including data collected offline but later digitised).

Any operation on data—collecting, storing, using, sharing, erasing, etc. (fully or partly automated).

The purpose you told the person in the notice for which their data is being processed.

The online account/presence a person uses to access a DF’s services (profile/handle/email/mobile etc.).

A token mapped to identity/age or personal data, used across the Rules in verification and security contexts (e.g., secure verification or masking).

Consent & Notice

A clear explanation given to the person that enables specific and informed consent—what data, what purpose, how to withdraw, rights, and how to complain.

The person can withdraw consent, and it should be as easy to withdraw as it was to give.

A “verified” form of consent required in special cases (notably for children/persons with disability via guardian), as defined in Rules.

DF must apply due diligence to ensure the “parent” is an identifiable adult before processing a child’s data (Rule-driven method).

Consent Managers must keep records of consents/notices/sharing and provide access to the Data Principal; they must also ensure they cannot read the content they help transfer.

Rights & Grievance

Ability to exercise rights via DF/Consent Manager, with clear published means for making requests.

DFs/Consent Managers must prominently publish the period for grievance response, not exceeding 90 days, and implement measures to meet it.

A person nominated to exercise DP rights in case of death/incapacity (right exists in Act).

Security, Breach & Retention

Minimum security controls like encryption/masking, access controls, logs/monitoring, backups, and contractual controls with processors, etc.

Unauthorised processing or accidental disclosure/loss that compromises confidentiality/integrity/availability.

Inform affected people without delay, in clear language, including what happened, consequences, mitigation, and safety steps.

Inform the Board without delay, and provide detailed updates within 72 hours (or longer if allowed by the Board).

Certain classes must erase data if the person hasn’t interacted for the specified period; also must inform at least 48 hours before erasure in the Rule flow.

Higher-Risk Governance

A DF notified by government based on factors like volume/sensitivity, risk to rights, public order, etc., and must take extra steps (DPO, audits, DPIA).

A structured risk assessment process required for SDFs periodically.

Periodic compliance evaluation for SDFs, with reporting to the Board.

Cross-border & Exemptions

Permitted subject to restrictions/requirements the Central Government may specify (esp. when making data available to foreign states/entities).

Processing for these purposes can be exempt if it meets prescribed standards (Rules refer to a schedule/standards).

Enforcement & Proceedings

The Board can function digitally and adopt techno-legal measures so proceedings don’t require physical presence.

Defined in Rules as measures used for digital proceedings (Board/Tribunal context).

The forum for appeals against Board orders (as referenced in Act definitions).

You know the terms. Now check your score.

Understanding the vocabulary is just the first step. Find out if your business is actually compliant with a free, instant readiness check.