Direct answer: The Digital Personal Data Protection Act 2023 (DPDP Act) is India's data privacy law. It requires organisations processing digital personal data of people in India to obtain valid consent (or rely on permitted grounds), honour data principal rights, implement security safeguards, notify breaches, and — for Significant Data Fiduciaries — appoint an India-based DPO and conduct periodic audits. Penalties reach ₹250 crore.
What is the DPDP Act 2023?
The DPDP Act establishes a rights-based framework for digital personal data in India. It replaces the patchwork of sectoral rules with a unified statute enforced by the Data Protection Board of India (DPBI).
Key Obligations for Data Fiduciaries
- Notice (Section 5): Inform data principals before collection — in English or an Eighth Schedule language
- Consent (Section 6): Free, specific, informed, unconditional and unambiguous; easy withdrawal
- Security (Section 8(5)): Reasonable safeguards against personal data breach
- Breach notification (Section 8(6)): Notify DPBI and affected individuals
- Rights (Sections 11–15): Access, correction, erasure, grievance redressal, nomination
- Children's data (Section 9): Verifiable parental consent; no behavioural tracking