India's DPDP Act 2023
A plain-English guide to the Digital Personal Data Protection Act, 2023
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive data-protection law. It governs how organisations (Data Fiduciaries) process the digital personal data of individuals (Data Principals), requires valid consent, protects children's data, regulates cross-border transfers, and is enforced by the Data Protection Board of India with penalties up to ₹250 Crore per violation. The DPDP Rules were notified in November 2025, starting the compliance clock for 2026.
What is the DPDP Act 2023?
The Digital Personal Data Protection Act, 2023 is India's landmark legislation for protecting digital personal data. Enacted on 11 August 2023 and operationalised through Rules notified in November 2025, it sets out the rights of individuals and the obligations of organisations that process their data, balancing personal privacy with legitimate processing needs.
Who are Data Fiduciaries, Data Principals and Data Processors?
A Data Principal is the individual whose personal data is processed. A Data Fiduciary decides the purpose and means of processing and carries the bulk of the obligations. A Data Processor processes data on a Fiduciary's behalf. Larger, higher-risk organisations may be designated Significant Data Fiduciaries with extra duties such as appointing a Data Protection Officer and conducting impact assessments.
Consent and notice
Before processing personal data, a Data Fiduciary must obtain consent that is free, specific, informed and unambiguous, supported by a clear notice describing what data is collected and why. Data Principals can withdraw consent as easily as they gave it, which is why a consent management platform is effectively mandatory in practice.
Children's data
The Act gives special protection to the personal data of children, generally requiring verifiable parental consent and prohibiting tracking, behavioural monitoring and targeted advertising directed at children — obligations that weigh heavily on EdTech, schools and consumer apps.
Cross-border transfers and security
The Act permits cross-border transfers of personal data subject to government restrictions, and requires Data Fiduciaries to implement reasonable security safeguards to prevent breaches. Inadequate safeguards carry the highest penalty tier.
Penalties and the Data Protection Board
The Data Protection Board of India administers graduated civil penalties — up to ₹250 Crore for inadequate security safeguards, ₹200 Crore for children's-data and breach-notification failures, and ₹150 Crore for failing to meet Data Principal rights. Penalties are per-incident and can be cumulative.
Frequently asked questions
The Act was enacted on 11 August 2023, and the DPDP Rules were notified in November 2025, starting a compliance window that makes 2026 the critical year for organisations to comply.