DPDP Act — Frequently Asked Questions

Plain-English answers to common DPDP compliance questions, with links to full section guides.

• What is the DPDP Act? — The Digital Personal Data Protection Act, 2023 is India's primary law governing how organizations co…
• Who must comply with the DPDP Act? — Any organization that processes digital personal data about individuals in India—startups, SaaS vend…
• What is the DPDP compliance deadline in India? — The DPDP Act is in force; sectoral rules and Board operationalization are rolling out through 2025–2…
• What are DPDP consent requirements? — Consent must be free, specific, informed, unconditional, and unambiguous, obtained through a clear n…
• How can users withdraw consent under DPDP? — Data principals may withdraw consent at any time; the Data Fiduciary must cease processing for that …
• What is the DPDP breach notification timeline? — The Act requires notifying the Data Protection Board and affected data principals of a personal data…
• How does DPDP protect children's data? — Section 9 requires verifiable parental consent before processing a child's personal data and prohibi…
• What rights do data principals have under DPDP? — Data principals may access information about processing, seek correction and erasure, nominate anoth…
• Can personal data be transferred outside India under DPDP? — Transfers are permitted except to countries or territories restricted by the Central Government noti…
• What is the maximum DPDP penalty? — Schedule penalties can reach up to ₹250 crore depending on the violation category, including failure…
• What is a Significant Data Fiduciary (SDF)? — The government may designate certain Data Fiduciaries as SDFs based on volume, sensitivity, risk, or…
• What is a Consent Manager under DPDP Rules? — Consent Managers are registered intermediaries that help data principals give, manage, review, and w…
• Are startups exempt from DPDP? — The Act allows certain government-notified exemptions for specified startups and purposes under Sect…
• How is DPDP different from GDPR? — DPDP emphasizes consent and legitimate uses over GDPR's six legal bases, sets a child age threshold …
• What are the DPDP Rules 2025? — The 2025 Rules operationalize the Act with 23 provisions covering notices, consent managers, SDF obl…
• What is a Data Fiduciary? — A Data Fiduciary is an entity that determines the purpose and means of processing personal data—typi…
• What is a Data Principal? — A Data Principal is the individual to whom the personal data relates—the customer, employee, or user…
• When can data be processed without consent under DPDP? — Section 7 lists legitimate uses such as specified state functions, compliance with law, medical emer…
• What must a DPDP privacy notice include? — Notices must describe personal data collected, purposes, rights, grievance contact, and how to conta…
• What security safeguards does DPDP require? — Data Fiduciaries must implement reasonable security safeguards to prevent personal data breaches, pr…
• What is grievance redressal under DPDP? — Data principals may file grievances with the Data Fiduciary; unresolved complaints may escalate to t…
• Can users request data deletion under DPDP? — Yes—data principals may request erasure when consent is withdrawn or when data is no longer necessar…
• Can users correct inaccurate data under DPDP? — Data principals may request correction of inaccurate or misleading personal data; fiduciaries must t…
• What counts as a personal data breach under DPDP? — A breach is unauthorized or accidental disclosure, acquisition, use, alteration, destruction, or los…
• What is the Data Protection Board? — The Board is India's regulatory authority for DPDP, with powers to inquire into breaches, impose pen…
• Does DPDP apply to SaaS companies? — Yes—SaaS vendors processing customer, employee, or end-user personal data for Indian clients or user…
• Does DPDP apply to startups? — Yes—startup size does not exempt you from DPDP if you process digital personal data, though limited …
• What is the difference between notice and consent under DPDP? — Notice informs the data principal what will be processed; consent is the affirmative agreement to th…
• Is a DPIA required under the DPDP Act? — The Act does not use the GDPR term DPIA, but Significant Data Fiduciaries and rule-based assessments…
• Does DPDP cover employee HR data? — Yes—employee personal data is in scope; certain employment-related processing may fall under legitim…
• What are DPDP services? — DPDP services are end-to-end compliance activities—gap assessment, data mapping, consent management,…
• How much does a DPDP consultant cost in India? — DPDP consulting fees typically range from ₹2–8 lakhs for assessments, ₹10–30 lakhs for mid-market pr…
• How long does DPDP implementation take? — Most mid-market organisations need about 90 days to reach an audit-ready DPDP baseline—assessment, c…
• Should we use DIY, a consultant, or a DPDP platform? — Startups with low-risk processing often begin DIY with free tools; growth companies usually choose p…
• What should a DPDP platform RFP include? — Require proof of granular consent with audit trails, DSR and grievance automation, breach workflows,…

Complete DPDP Guide (44 sections)