What Is the Digital Personal Data Protection Act (DPDP Act)?

India’s Framework for Responsible Personal Data Protection.

The Digital Personal Data Protection Act, 2023 is India’s primary law governing the lawful and responsible processing of personal data, and Dataclyr helps organizations understand and implement its requirements.

Why Was It Introduced?

India’s digital ecosystem has grown rapidly—from digital payments to health systems. With this growth came risks like data misuse and breaches. The Act was introduced to build trust and define clear accountability.

What Is “Personal Data”?

Personal data means any data about an individual who is identifiable by or in relation to such data.

CategoryIs It Personal Data?Examples
Direct Identifiers✅ YESName, Phone Number, Email, Aadhaar, PAN.
Indirect Identifiers✅ YESUser IDs, IP Addresses, Device IDs, Location Data.
Aggregated Data❌ NO“50% of users are from Mumbai” (No individual is identified).
Business Data❌ NOCompany revenue, generic info@company.com emails.

Who Does It Apply To?

Applicability depends on processing, not company size.

It Applies If:
1. You collect personal data digitally.
2. You collect data offline but digitize it later.

Who is Covered

✔ Private companies, startups, and even government bodies.

Not sure if the law applies to you?

Check Applicability in 2 Mins

Key Roles You Must Know

Data Principal

The individual (user/customer) to whom the data relates.

Data Fiduciary

The organization that decides why and how to process data (You).

Data Processor

Vendors (like AWS or Salesforce) who process data on your behalf.

The Core Principles

  • Lawful & Transparent: No hidden processing.
  • Purpose Limitation: Use data only for what you said you would.
  • Data Minimisation: Don’t collect extra data “just in case.”
  • Security: Implement reasonable safeguards.
  • Accountability: You are responsible for compliance.

Consent

  • Must be Free, Informed, Specific, Unconditional, and Withdrawable.

Rights

  • Right to Access (Know what you hold).
  • Right to Correction (Update errors).
  • Right to Grievance Redressal (Complain to you).

Official Government Notifications

Digital Personal Data Protection Rules, 2025.

The core operational framework for the DPDP Act. This document details the exact procedures for obtaining consent, handling data breaches, and managing grievances.

Enforcement Timeline for the DPDP Act

The official government schedule notifying which sections of the Act are active now and which are deferred. Essential for planning your compliance roadmap phases.

Establishment of the Data Protection Board of India

The gazette notification formally constituting the Data Protection Board (DPB). It marks the commencement of the regulatory body responsible for enforcement and penalties.

Corrigendum to Digital Personal Data Protection Rules 2025

An official update issuing minor corrections to the original 2025 Rules. Download this to ensure you are referencing the legally accurate text without typos.

How to Start

Understanding the Act is the first step. Compliance is a trust and governance responsibility.

Start Free DPDP Assessment