LawChanakyas

Data Protection Act Explained

May 9, 2026 · By Ritika Sharma (Law student)

India's Comprehensive Privacy Law — Finally Operative

The Digital Personal Data Protection Act, 2023 (DPDP Act) represents India's comprehensive response to the pressing need for digital privacy protection in an increasingly data-driven economy. Enacted on 11 August 2023 following Parliamentary approval, the DPDP Act establishes a citizen-centric legal framework that balances individual privacy rights with the legitimate need for lawful data processing. The subsequent notification of the Digital Personal Data Protection Rules, 2025 on 14 November 2025 marks the transition from legislative intent to operational reality. (Source: The Legal 500)

What the DPDP Act Covers

The DPDP Act and associated DPDP Rules 2025 apply to the processing of digital personal data within the territory of India, whether collected online or collected offline and later digitised. (Source: EY)

The Act applies to any organisation — Indian or foreign — that processes the personal data of individuals located in India, whether for a business purpose or otherwise. It covers collection, storage, use, sharing, and deletion of digital personal data.

Key Concepts

Data Fiduciary and Data Principal

A "Data Fiduciary" is any entity (person, company, government body) that determines the purpose and means of processing personal data. A "Data Principal" is the individual whose data is being processed. This is the fundamental relationship the Act governs.

Consent as the Primary Basis

The DPDP Act adopts a consent-centric, principle-based approach rather than prescriptive rules. Organisations have flexibility in implementation but must demonstrate accountability for personal data protection. (Source: Glocertinternational)

Consent must be free, specific, informed, unconditional, and unambiguous. It must be obtained through a notice in clear, plain language. Importantly, the individual must be able to withdraw consent as easily as they gave it.

Rights of Data Principals

Every individual whose data is processed has the right to access information about the data being processed, the right to correction and erasure of inaccurate or incomplete data, the right to grievance redressal against the Data Fiduciary, and the right to nominate another person to exercise rights on their behalf in case of death or incapacity.

Children's Data

The DPDP Act classifies anyone under 18 as a child for data protection purposes — broader than GDPR's threshold of 16. Processing children's personal data requires verifiable parental consent. Data Fiduciaries are prohibited from tracking, monitoring, or targeting children with behavioural advertising.

Significant Data Fiduciaries

The central government can designate certain Data Fiduciaries as "Significant Data Fiduciaries" based on volume of data processed, sensitivity of data, risk to rights, or implications for national security. Significant Data Fiduciaries face enhanced obligations including data audits, data protection impact assessments, and appointment of a Data Protection Officer.

The Data Protection Board of India

The Data Protection Board of India was formally established and became operational on 13 November 2025, with its head office in the NCR. A digital complaint portal and mobile application were simultaneously launched. (Source: The Legal 500)

The DPBI adjudicates complaints by Data Principals against Data Fiduciaries, investigates data breaches, and imposes penalties. It is a digital-first body — proceedings are intended to be conducted online.

Penalties

Penalties can reach INR 250 crore (approximately USD 30 million) for serious violations. Specific penalty heads include: breach of obligations regarding children's data (up to ₹200 crore), failure to implement security safeguards (up to ₹250 crore), and failure to meet data breach notification requirements (up to ₹200 crore). (Source: Glocertinternational)

Phased Implementation Timeline

Stage 1 (Immediate, 13 November 2025): The Data Protection Board of India was formally established and became operational.

Stage 2 (November 2026): Consent Manager registration commences under Rule 4.

Stage 3 (May 2027): All remaining substantive provisions of the DPDP Act and Rules come into force, including grounds for processing, notice requirements, and full consent obligations. (Source: The Legal 500)

DPDP vs GDPR: Key Differences

While both establish comprehensive data protection frameworks, key differences include: consent as the primary lawful basis in DPDP versus GDPR's six lawful bases; DPDP's broader definition of children (under 18) versus GDPR's (under 16); different penalty structures (DPDP up to ₹250 crore, GDPR up to 4% of global revenue); and DPDP's extraterritorial application based on targeting Indian residents. (Source: Atlassystems)

Key Statute: Digital Personal Data Protection Act, 2023 · DPDP Rules, 2025 · Data Protection Board of India (operational November 2025)