
DPDPA 2023 — Complete Guide

India's Digital Personal Data Protection Act: Comprehensive Analysis

Indian Law · 20 min read · Last updated: 23 February 2026

Introduction & Legislative History

India's journey towards a comprehensive data protection framework spans over two decades, culminating in the Digital Personal Data Protection Act, 2023 (DPDPA), which received Presidential assent on 11 August 2023. Understanding this legislative history is essential to appreciate the policy choices embedded in the final enactment.

The Information Technology Act, 2000 was India's first legislative foray into digital governance. Section 43A, inserted by the 2008 amendment, imposed liability on body corporates for failure to implement "reasonable security practices" when handling sensitive personal data. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules") supplemented this provision, introducing concepts of consent, purpose limitation, and data retention. However, the SPDI Rules were limited in scope — they applied only to body corporates (not the State), covered only "sensitive personal data or information" (a narrow category), and lacked an independent enforcement authority.

The turning point came with the Supreme Court's landmark decision in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017) 10 SCC 1, which unanimously declared the right to privacy a fundamental right under Article 21 of the Constitution. The nine-judge bench mandated that any interference with informational privacy must satisfy a three-part test: legality (existence of a law), legitimate aim (a proper State objective), and proportionality (the measure must be proportionate to the aim).

Following the Puttaswamy judgment, the Government constituted the Justice B.N. Srikrishna Committee in August 2017. The Committee submitted its report, "A Free and Fair Digital Economy — Protecting Privacy, Empowering Indians," along with a draft Personal Data Protection Bill, 2018 in July 2018. This draft drew heavily from the GDPR framework but incorporated Indian nuances, including data localisation requirements.

The Government introduced the Personal Data Protection Bill, 2019 in Parliament in December 2019, with significant departures from the Srikrishna Committee draft — most notably, expanded State exemptions. The Bill was referred to a Joint Parliamentary Committee (JPC), which submitted its report in December 2021 with 93 recommendations, suggesting a broader scope covering non-personal data as well.

In August 2022, the Government withdrew the 2019 Bill entirely, citing the need for a "comprehensive legal framework" and the 81 amendments recommended by the JPC. A fresh Digital Personal Data Protection Bill, 2022 was released for public consultation in November 2022, adopting a markedly simpler and shorter approach. After further revisions, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament on 3 August 2023, passed by the Lok Sabha on 7 August and by the Rajya Sabha on 9 August, and received Presidential assent on 11 August 2023.

The DPDP Rules, 2025 were published in draft form on 3 January 2025 and notified in final form in November 2025, providing the subordinate legislation necessary for operationalising the Act. Commencement is phased: the provisions concerning the Board and consent managers come into force first, while the substantive obligations on Data Fiduciaries take effect 18 months after notification, so full enforcement is expected by mid-2027.

Scope & Applicability

The DPDPA has a carefully delineated scope that balances comprehensiveness with practical enforceability. Section 3 defines both the Act's material and its territorial reach (Section 4, by contrast, sets out the grounds on which personal data may be processed).

Material scope (Section 3): The Act applies to the processing of digital personal data within the territory of India where the personal data is:

  • Collected in digital form; or
  • Collected in non-digital form and subsequently digitised.

This means that purely offline, non-digitised records (such as a handwritten register that is never scanned or entered into a computer) fall outside the Act's scope. However, any data that is digitised at any point — including scanned documents, photographed records, or manually entered data — is brought within the Act's ambit.

Territorial scope (Section 3(a)-(b)): The Act applies to processing of digital personal data:

  • Within India: All processing activities conducted within Indian territory, regardless of the nationality of the data principal or the data fiduciary.
  • Outside India (extraterritorial): Processing of personal data outside India, if such processing is in connection with any activity related to offering goods or services to data principals within the territory of India.

The extraterritorial provision is significant for multinational companies. Any foreign entity that targets Indian consumers — through e-commerce platforms, SaaS products, mobile applications, or digital services — must comply with the DPDPA if it processes personal data of individuals in India. The test is whether the offering of goods or services is directed at persons in India, not merely whether an Indian user happens to access a global service.

Exclusions (Section 3(c)): The Act does not apply to personal data processed by an individual for any personal or domestic purpose, or personal data that is made publicly available by the data principal themselves or by any other person who is under a legal obligation to make such data publicly available.

Important

The DPDPA's extraterritorial reach means that foreign companies offering goods or services to Indian users must comply — even without a physical presence in India. Non-compliance can attract penalties up to INR 250 crore per violation.

Key Definitions

The DPDPA introduces a distinct definitional framework in Section 2 that departs from GDPR terminology while serving analogous functions. Precision in understanding these definitions is critical for compliance.

DPDPA Term Definition GDPR Equivalent
Personal Data (Section 2(t)) Any data about an individual who is identifiable by or in relation to such data Personal Data
Data Principal (Section 2(j)) The individual to whom the personal data relates; in the case of a child, the parent or lawful guardian Data Subject
Data Fiduciary (Section 2(i)) Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data Data Controller
Data Processor (Section 2(k)) Any person who processes personal data on behalf of a Data Fiduciary Data Processor
Significant Data Fiduciary (Section 2(z)) A Data Fiduciary or class of Data Fiduciaries notified by the Central Government based on volume/sensitivity of data, risk to rights, and national security impact No direct equivalent (closest: high-risk processing)
Processing (Section 2(x)) Wholly or partly automated operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction Processing
Consent Manager (Section 2(g)) A person registered with the Board who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw consent No direct equivalent

A noteworthy feature of the DPDPA is the adoption of the term "Data Fiduciary" rather than "controller." The fiduciary framing is deliberate: it imports the common-law concept of a fiduciary relationship, implying a duty of care, trust, and good faith that the entity determining the processing owes to the individual whose data it processes. This is more than a semantic choice; it signals the legislative intent that Data Fiduciaries hold personal data in a position of trust.

The Act does not create a category of "sensitive personal data," a significant departure from the 2019 Bill, the SPDI Rules, and the GDPR. All personal data is treated uniformly under the Act. However, the Significant Data Fiduciary classification (discussed under "Significant Data Fiduciaries" below) introduces a risk-based overlay that can impose heightened obligations based on the nature and volume of data processed.

Data Principal Rights

Sections 11 through 14 of the DPDPA confer a set of rights on data principals, while Section 15 — uniquely — also imposes duties on them. This rights-and-duties framework is a distinctive feature of the Indian law.

Right to access information (Section 11): A data principal has the right to obtain from the Data Fiduciary:

  • A summary of personal data being processed and the processing activities undertaken;
  • The identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared, along with a description of the personal data shared; and
  • Any other information related to the personal data and its processing as may be prescribed.

Right to correction, completion, and erasure (Section 12): A data principal may request the Data Fiduciary to correct inaccurate or misleading personal data, complete incomplete personal data, update personal data, or erase personal data that is no longer necessary for the purpose for which it was processed. However, this right is subject to compliance with any other law that requires the retention of personal data.

Right of grievance redressal (Section 13): Every Data Fiduciary must establish an accessible mechanism for data principals to register grievances. If the data principal is not satisfied with the response — or does not receive a response within the prescribed period — they may file a complaint with the Data Protection Board. This two-tier grievance mechanism (fiduciary first, then Board) is designed to reduce the Board's caseload.

Right of nomination (Section 14): A data principal may nominate any other individual who shall exercise the data principal's rights in the event of the principal's death or incapacity. This provision is unique to the DPDPA — it has no parallel in the GDPR or other major data protection laws. It addresses the practical concern of digital estate management and is particularly relevant for financial data, healthcare records, and digital assets.

Duties of data principals (Section 15): The DPDPA is one of the few data protection laws globally that imposes affirmative duties on data principals:

  • Comply with applicable laws when exercising rights under the Act;
  • Not register a false or frivolous complaint or grievance;
  • Not furnish false particulars or impersonate another person; and
  • In the case of a child, not suppress material information while providing personal data.

A data principal who breaches these duties may face a penalty of up to INR 10,000 under the Schedule to the Act. While the amount is nominal, the principle of reciprocal obligation is notable.

KSK Insight

The right of nomination under Section 14 creates new obligations for companies handling sensitive sectors — banking, insurance, healthcare, and digital services. KSK has advised clients on integrating nomination mechanisms into their data governance frameworks.

Data Fiduciary Obligations

Sections 8 through 10 establish the core obligations of Data Fiduciaries, forming the backbone of the DPDPA's regulatory framework. These obligations apply to all entities that determine the purpose and means of processing personal data.

Lawful purpose, consent and data minimisation (Sections 4 to 6): A Data Fiduciary may process personal data only for a lawful purpose for which the data principal has given consent, or for one of the "certain legitimate uses" listed in Section 7 (the 2022 draft called these "deemed consent"; the enacted text does not). Consent is limited to the purpose specified in the notice, and the data collected must be limited to what is necessary for that purpose (Section 6(1)), a principle of data minimisation that is familiar from the GDPR but now has statutory force in Indian law. Section 8(1) makes the Data Fiduciary responsible for compliance regardless of any agreement with, or failure by, a Data Processor.

Accuracy (Section 8(3)): The Data Fiduciary must make reasonable efforts to ensure the completeness, accuracy, and consistency of personal data, particularly where such data is likely to be used to make a decision affecting the data principal, or is likely to be disclosed to another Data Fiduciary.

Storage limitation (Section 8(7) and 8(10)): The Data Fiduciary must erase personal data, and cause its Data Processors to erase it, on the earlier of the data principal withdrawing consent or it being reasonable to assume that the specified purpose is no longer being served, unless retention is necessary for compliance with another law (in which case the data may be kept for that obligation alone). Under Section 8(10) the purpose is deemed no longer served once the data principal has neither approached the Data Fiduciary for the purpose nor exercised any right in relation to the processing for the period prescribed in the Rules, which may differ by class of fiduciary and by purpose.

Reasonable security safeguards (Section 8(5)): Data Fiduciaries must implement "reasonable security safeguards" to prevent personal data breaches. The Act does not prescribe specific technical measures, leaving flexibility for organisations to adopt safeguards appropriate to the nature and volume of data processed. The DPDP Rules, 2025 set a floor: measures such as encryption, obfuscation, masking or virtual tokens; access control; visibility over access through logging and monitoring; backups to keep processing going after a compromise; retention of logs and the related personal data for at least one year so that unauthorised access can be detected and investigated; and contractual provisions obliging Data Processors to do the same.

Breach notification (Section 8(6)): In the event of a personal data breach, the Data Fiduciary must intimate both the Data Protection Board of India and each affected data principal, in the form and manner prescribed by the Rules. The DPDP Rules, 2025 set the timing:

  • Each affected data principal: without delay, with a description of the breach, its likely consequences for the principal, the measures being taken, the safety measures the principal can take, and the fiduciary's contact details for queries; and
  • The Board: an initial intimation without delay, followed within 72 hours of becoming aware of the breach (or such longer period as the Board allows on a written request) by a detailed report covering the facts and circumstances, the findings on cause, the mitigation measures, the persons responsible if known, and the intimations already sent to data principals.

Two features distinguish this from the GDPR. There is no harm or risk threshold, so every affected data principal must be told of every breach, however minor. And the definition of "personal data breach" in Section 2(u) covers accidental as well as unauthorised events that compromise the confidentiality, integrity or availability of personal data, so a lost backup or a misdirected export is a breach even if nobody malicious was involved.

Contractual obligations with Data Processors (Section 8(2)): A Data Fiduciary may engage Data Processors only under a valid contract. The Act imposes no direct statutory obligations on Data Processors; every duty reaches them through that contract, and under Section 8(1) the Data Fiduciary remains responsible regardless of any agreement with, or failure by, the processor. This means that Data Fiduciaries cannot outsource compliance, and that processor contracts must carry the security, purpose-limitation, erasure and breach-reporting obligations the fiduciary itself must meet, together with the audit rights needed to verify them.

Retention review and erasure (Section 8(7)): Data Fiduciaries must establish a data retention schedule and conduct periodic reviews. The DPDP Rules, 2025 prescribe inactivity periods for notified classes of Data Fiduciaries (such as large e-commerce, online gaming and social media platforms) after which personal data must be erased, and require the fiduciary to warn the data principal at least 48 hours before such erasure so that the principal can keep the account alive by logging in or approaching the fiduciary.
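As an added illustration (not code from this guide, the Act or the Rules), the following Python sketches a retention sweep that applies the erasure triggers above: consent withdrawn, purpose served, or inactivity beyond the prescribed period (Section 8(10)), yielding only to a retention period required by another law, and then instructing each Data Processor holding a copy to erase it (Section 8(7)). The record layout, the three-year inactivity period and the sample records are assumptions made for the example; the real period is whatever the Rules prescribe for the fiduciary's class.

```python
"""Retention sweep applying the DPDPA erasure triggers (Sections 8(7) and 8(10)).
Added illustrative code; record layout, field names and the inactivity period are
assumptions for the example, not anything prescribed by the Act or the Rules."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Section 8(10): the purpose is deemed no longer served once the principal has neither
# approached the fiduciary nor exercised any right for the prescribed period. The period
# is whatever the DPDP Rules prescribe for the fiduciary's class; three years here is an
# assumed placeholder, not a figure taken from the Rules.
ASSUMED_INACTIVITY_PERIOD = timedelta(days=3 * 365)


@dataclass
class PersonalDataRecord:
    record_id: str
    principal_id: str
    purpose: str                       # the purpose specified in the notice (s.5)
    consent_withdrawn: bool            # withdrawal received under s.6(4)
    purpose_served: bool               # business signal that the specified purpose is complete
    last_principal_contact: datetime   # last time the principal approached the fiduciary
    legal_hold_until: Optional[datetime] = None   # retention required by another law
    processors: list = field(default_factory=list)  # processors holding copies


def decide_retention(rec, now, inactivity_period=ASSUMED_INACTIVITY_PERIOD):
    """Return (decision, reason); decision is 'erase', 'retain_legal_hold' or 'retain'."""
    if rec.consent_withdrawn:
        trigger = "consent withdrawn (s.8(7))"
    elif rec.purpose_served:
        trigger = "specified purpose no longer served (s.8(7))"
    elif now - rec.last_principal_contact >= inactivity_period:
        trigger = "principal inactive beyond prescribed period, purpose deemed served (s.8(10))"
    else:
        return "retain", "purpose still being served"
    # The erasure duty yields only to retention required by law, and then the data is
    # kept for that obligation alone, not reused for the original purpose.
    if rec.legal_hold_until is not None and rec.legal_hold_until > now:
        return "retain_legal_hold", f"{trigger}; kept solely under legal hold until {rec.legal_hold_until.date()}"
    return "erase", trigger


def run_retention_sweep(records, now, inactivity_period=ASSUMED_INACTIVITY_PERIOD):
    """Map record_id -> (decision, reason) for every record in the sweep."""
    return {r.record_id: decide_retention(r, now, inactivity_period) for r in records}


def processor_erasure_notices(records, decisions):
    """Group records marked 'erase' by processor, so each processor can be instructed to
    erase its copy (s.8(7): the fiduciary must cause its Data Processor to erase)."""
    notices = {}
    for r in records:
        if decisions[r.record_id][0] == "erase":
            for p in r.processors:
                notices.setdefault(p, []).append(r.record_id)
    return notices


# Constructed sample records for the example (not real data).
UTC = timezone.utc
SAMPLE_NOW = datetime(2026, 2, 23, tzinfo=UTC)
SAMPLE_RECORDS = [
    PersonalDataRecord("r1", "p1", "newsletter", True, False, datetime(2026, 2, 1, tzinfo=UTC),
                       processors=["mailer-vendor"]),
    PersonalDataRecord("r2", "p2", "account", False, False, datetime(2022, 1, 15, tzinfo=UTC),
                       processors=["cloud-host", "mailer-vendor"]),
    PersonalDataRecord("r3", "p3", "loan", False, True, datetime(2025, 6, 1, tzinfo=UTC),
                       legal_hold_until=datetime(2030, 3, 31, tzinfo=UTC)),   # e.g. a statutory record-keeping period
    PersonalDataRecord("r4", "p4", "account", False, False, datetime(2026, 1, 10, tzinfo=UTC)),
    PersonalDataRecord("r5", "p5", "account", False, False, datetime(2024, 3, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    decisions = run_retention_sweep(SAMPLE_RECORDS, SAMPLE_NOW)
    for rid, (decision, reason) in decisions.items():
        print(f"{rid}: {decision:18} {reason}")
    print("processor notices:", processor_erasure_notices(SAMPLE_RECORDS, decisions))
```

The sweep deliberately records a reason with every decision: the Board can ask why a record was kept, and "retained solely under legal hold" is a different answer from "purpose still being served". Note that the legal-hold branch only defers erasure; it does not license further use of the data for the original purpose.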

Important

The 72-hour window for the detailed report to the Board mirrors the GDPR's supervisory-authority deadline, but two features make the Indian regime tighter in practice: the initial intimation to the Board and to every affected data principal must be made "without delay", with no harm threshold to filter minor incidents, and the CERT-In Directions of 28 April 2022 separately require covered cyber incidents to be reported to CERT-In within six hours of noticing them. Companies must have incident response plans, pre-drafted notification templates for regulators and for data principals, and clear escalation protocols in place before the enforcement date.

Significant Data Fiduciaries

Section 10 of the DPDPA introduces the concept of Significant Data Fiduciaries (SDFs) — a risk-based classification that imposes additional obligations on entities whose processing activities pose elevated risks to data principals.

Criteria for designation: The Central Government may notify a Data Fiduciary or class of Data Fiduciaries as "Significant" based on:

  • The volume and sensitivity of personal data processed;
  • Risk to the rights of the data principal;
  • Potential impact on the sovereignty and integrity of India;
  • Risk to electoral democracy;
  • Security of the State; and
  • Public order.

While no formal list of SDFs has been published as of early 2026, it is widely expected that the following categories will be designated: large technology platforms, social media intermediaries with significant Indian user bases, major telecom operators, large banking and financial institutions, and e-commerce marketplaces.

Additional obligations of SDFs (Section 10(2)):

  • Data Protection Officer (DPO): Appoint a DPO based in India who represents the SDF, is responsible to its Board of Directors or similar governing body, and is the point of contact for data principals under the grievance redressal mechanism. The DPO's business contact information must be published.
  • Independent data auditor: Appoint an independent data auditor to evaluate compliance with the Act. The audit must be conducted at prescribed intervals and the report submitted to the Board.
  • Data Protection Impact Assessment (DPIA): Conduct periodic DPIAs before undertaking any processing that is likely to pose a significant risk to data principals. The DPIA must assess the purpose, necessity, and proportionality of processing and identify measures to mitigate risks.
  • Periodic compliance reporting: Provide compliance reports to the Board in the prescribed form and frequency.
  • Additional safeguards: Implement any other measures as may be prescribed by the Central Government.

The SDF framework represents a tiered compliance model — basic obligations apply to all Data Fiduciaries, while enhanced obligations apply to those whose processing activities create systemic risks. This approach is pragmatic, as it avoids imposing DPO and DPIA requirements on small businesses and startups that process limited personal data.

Practical Tip

Even if not formally designated as an SDF, companies processing large volumes of Indian personal data should proactively implement DPO, audit, and DPIA frameworks. Early adoption positions organisations favourably when formal designation occurs and demonstrates good faith compliance.

Children's Data Protection

Section 9 of the DPDPA establishes specific protections for the processing of children's personal data, reflecting a heightened duty of care towards minors in the digital environment.

Definition of a child: A "child" is defined in Section 2(f) as an individual who has not completed the age of 18 years, and the Act itself sets no lower threshold. Section 9(5) empowers the Central Government to notify that the consent requirement and the processing prohibitions do not apply to a class of Data Fiduciaries for children above a specified age, where it is satisfied that the processing is verifiably safe; the Rules published so far do not set such a lower age.

Verifiable parental consent (Section 9(1)): Before processing any personal data of a child, the Data Fiduciary must obtain verifiable consent from the parent or lawful guardian of the child. The term "verifiable" is significant: a mere age-gate (clicking "I am 18+") is insufficient. The DPDP Rules, 2025 require the Data Fiduciary to adopt technical and organisational measures to check that the person giving consent is an identifiable adult, using reliable identity and age details it already holds, details the parent provides voluntarily, or a virtual token mapped to those details and issued by a Digital Locker service provider. Fiduciaries should keep a record of which method was used for each consent, since that record is what makes the consent "verifiable" after the fact.

Prohibition on harmful processing (Section 9(2)-(3)): No Data Fiduciary shall undertake:

  • Tracking or behavioural monitoring of children's online activities;
  • Targeted advertising directed at children; or
  • Any processing that is likely to cause detrimental effect on the well-being of a child.

These prohibitions apply regardless of parental consent; a parent cannot opt a child into behavioural monitoring or targeted advertising, and only a Central Government exemption under Section 9(4) or 9(5) can lift them for a notified class or age band. They align with growing global concern about the impact of algorithmic targeting on children's mental health and development.

Exemptions for certain fiduciaries (Section 9(4)-(5)): The Central Government may exempt certain Data Fiduciaries or classes of Data Fiduciaries from the requirements of Section 9, where it is satisfied that the processing is verifiably safe. The Rules begin this with a schedule of exempted classes and purposes, covering, for example, clinical establishments and healthcare professionals providing health services, educational institutions and child-care providers for educational activities and the safety of children in their care, and subsequent notifications are expected to extend it to child-safety applications that need to process children's data for protective purposes.

Practical implications: The children's data provisions will have a profound impact on edtech platforms, gaming companies, social media services, and any digital service accessible to minors. The advertising prohibition alone will require restructuring of monetisation models that rely on targeted advertising to younger demographics. Companies should begin designing age-appropriate data practices and privacy-by-design architectures for products used by children.

Cross-Border Data Transfers

Section 16 of the DPDPA adopts a distinctive approach to cross-border data transfers — one that is markedly different from the GDPR's adequacy-plus-safeguards model.

The negative-list (blacklist) approach: Under Section 16(1), personal data may be transferred to any country or territory outside India, except those specifically restricted by the Central Government through notification. All transfers are permitted unless a destination is explicitly prohibited. The GDPR, by contrast, operates on a whitelist model where transfers are restricted unless the destination country has been granted an adequacy decision or specific safeguards are in place.

Factors for restriction: Section 16 does not list criteria; the decision is left to the Central Government by notification. Restrictions are expected to turn on:

  • Whether the country has a sufficient data protection framework;
  • The strategic and security interests of India;
  • The nature of data being transferred; and
  • Any other relevant factors.

As of early 2026, no countries have been placed on the restricted list. This means that, in practice, personal data can currently flow from India to any jurisdiction worldwide without DPDPA-specific transfer restrictions. Two caveats apply. First, the Rules make every transfer subject to any requirement the Central Government specifies for making personal data available to a foreign State or its agencies. Second, the Rules' provisions on Significant Data Fiduciaries allow the Central Government to specify personal data that an SDF must keep within India, together with the traffic data pertaining to its flow, which is a targeted localisation mandate sitting inside the otherwise permissive framework. The position is expected to evolve as the Act is operationalised.

Sector-specific localisation requirements: The DPDPA does not repeal or override sector-specific data localisation mandates. Key requirements that continue to operate independently include:

  • RBI: Payment system data must be stored exclusively in India (RBI Circular DPSS.CO.OD.No.2785, 2018);
  • SEBI: Stock brokers and depository participants must maintain certain records in India;
  • IRDAI: Insurance data localisation requirements under applicable regulations;
  • Telecom: TRAI and DoT requirements for subscriber data localisation.

The practical effect is a dual-track compliance framework: the DPDPA provides the general rule (transfers permitted unless restricted), while sectoral regulators impose specific localisation requirements for regulated data categories. Companies must comply with both tracks simultaneously.

KSK Insight

KSK advises multinational clients on the interplay between DPDPA's general transfer framework and sector-specific localisation mandates. The dual-track compliance requirement demands careful data mapping to identify which data flows are subject to which regime.

Data Protection Board of India

Sections 18 through 28 of the DPDPA establish the Data Protection Board of India (DPBI) as the primary enforcement body under the Act. The Board's design reflects several deliberate choices about the nature of India's data protection enforcement.

Establishment and composition (Section 18-19): The DPBI is established by the Central Government and consists of a Chairperson and such number of members as the Government may appoint. Members are selected based on their ability, integrity, standing, and knowledge in areas including data governance, information technology, data management, data science, cyber and internet laws, public administration, and related fields.

Adjudicatory, not regulatory (Section 27): A critical design choice in the DPDPA is that the Board is not a traditional regulator. Unlike the ICO (UK), CNIL (France), or the proposed DPA under the 2019 Bill, the DPBI does not have rule-making powers, does not issue binding guidance, and does not conduct proactive investigations. Its role is confined to adjudication — it receives complaints and breach notifications, conducts inquiries, and determines whether a violation has occurred. Regulatory guidance and rule-making powers are retained by the Central Government.

Digital-first proceedings (Section 28(1)): The Board is required, as far as practicable, to function as a "digital office": receipt of complaints, allocation, hearing and pronouncement of decisions may all be conducted through digital means, including virtual hearings. This is consistent with the Government's broader digital governance agenda.

Powers (Sections 27, 28, 33 and 37):

  • Direct the Data Fiduciary to take specific measures to comply with the Act;
  • Impose penalties in accordance with the Schedule;
  • Issue directions for urgent remedial measures during an inquiry;
  • Direct the Data Fiduciary to adopt specific remedial measures; and
  • Refer matters to the Central Government for blocking access to platforms or intermediaries in case of persistent non-compliance.

Appeals (Section 29): Any person aggrieved by an order of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). TDSAT will function as the appellate authority under the DPDPA. Further appeals from TDSAT lie to the Supreme Court of India on questions of law.

Practical considerations: The choice of an adjudicatory (rather than regulatory) model has significant implications. Without the power to issue binding guidance, industry will be dependent on the Central Government for interpretive clarity. This may lead to slower development of compliance standards compared to jurisdictions where the data protection authority actively issues guidelines, codes of conduct, and regulatory opinions.

Penalties & Enforcement

The Schedule to the DPDPA prescribes monetary penalties for non-compliance. The penalty framework is notable for its severity and its structure — penalties are imposed per contravention, with no provision for imprisonment.

Violation Maximum Penalty
Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)) INR 250 Crore (approx. USD 30 million)
Failure to notify the Board and affected data principals of a breach (Section 8(6)) INR 200 Crore (approx. USD 24 million)
Non-fulfilment of obligations in relation to children (Section 9) INR 200 Crore (approx. USD 24 million)
Non-fulfilment of additional obligations by Significant Data Fiduciaries (Section 10) INR 150 Crore (approx. USD 18 million)
Breach of duties by data principals (Section 15) INR 10,000 (approx. USD 120)
Breach of any term of a voluntary undertaking accepted by the Board (Section 32) Up to the penalty applicable to the breach in respect of which the proceedings were instituted
Non-compliance with any other provision of the Act or the Rules INR 50 Crore (approx. USD 6 million)

Penalty determination factors (Section 33(2)): While the Schedule prescribes maximum penalties, the Board has discretion in determining the actual amount. The Act directs it to have regard to:

  • The nature, gravity, and duration of the breach;
  • The type and nature of the personal data affected;
  • The repetitive nature of the breach;
  • Whether the person realised a gain or avoided a loss as a result of the breach;
  • Whether the person took action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of that action;
  • Whether the penalty is proportionate and effective, having regard to the need to secure observance of the Act and to deter further breaches; and
  • The likely impact of the penalty on the person.

No criminal liability: Unlike the earlier 2019 Bill, the DPDPA does not provide for criminal penalties or imprisonment. This reflects a policy decision to treat data protection violations as civil/administrative matters rather than criminal offences — an approach that is more business-friendly and consistent with the GDPR's administrative fine model.

Cumulative penalties: Penalties may be imposed for each contravention independently. An entity that commits multiple violations across different provisions may face cumulative penalties, with no express statutory cap on the aggregate amount. This means that a significant data breach accompanied by failure to notify and pre-existing deficiencies in children's data protection could theoretically attract penalties in excess of INR 600 crore.

Voluntary undertakings (Section 32): The Board may, at any stage of a proceeding, accept a voluntary undertaking from a Data Fiduciary regarding compliance. Acceptance bars further proceedings in respect of the matter covered by the undertaking, provided the fiduciary complies with its terms; a breach of the undertaking is itself treated as a breach of the Act and attracts the penalty that would have applied to the original matter.

Important

Penalties of up to INR 250 crore per contravention, with potential cumulative exposure, make DPDPA compliance a board-level priority. The absence of a statutory aggregate cap means that multiple violations can compound significantly.

Exemptions

Section 17 of the DPDPA provides a sweeping set of exemptions that significantly limit the Act's reach. These exemptions have been the subject of considerable debate among privacy advocates, industry stakeholders, and legal scholars.

State security and public order (Section 17(2)(a)): The Central Government may, by notification, exempt any instrumentality of the State from the application of any or all provisions of the Act in the interest of:

  • Sovereignty and integrity of India;
  • Security of the State;
  • Friendly relations with foreign States;
  • Maintenance of public order; or
  • Preventing incitement to any cognisable offence relating to the above.

This broad exemption has attracted the most criticism. Unlike the GDPR, which subjects government processing to the same rules as private-sector processing (with narrow exceptions), the DPDPA allows the Government to exempt itself entirely from obligations such as purpose limitation, consent, data minimisation, and breach notification. Critics argue this undermines the Puttaswamy judgment's requirement that State interference with informational privacy must satisfy legality, legitimate aim, and proportionality tests.

Legal claims, courts and law enforcement (Section 17(1)(a)-(c)): Processing necessary for enforcing any legal right or claim, by courts and tribunals in the discharge of their judicial functions, or for the prevention, detection, investigation or prosecution of offences, is exempt from the consent, notice and rights provisions and from Section 16. The security-safeguards duty in Section 8(5) and the responsibility in Section 8(1) still apply to all of the Section 17(1) exemptions.

Outsourced processing of foreign data (Section 17(1)(d)): Personal data of individuals outside India, processed in India under a contract with a person outside India, is exempt on the same terms. This is the provision that keeps the export business of the IT and BPO sector outside the consent and rights chapters while still requiring reasonable security safeguards.

Corporate mergers, insolvency and defaults (Section 17(1)(e)-(f)): Processing necessary for a scheme of merger, demerger, amalgamation, compromise or arrangement approved by a court or tribunal, and processing to ascertain the financial information and assets of a person who has defaulted on a loan, is exempt.

Research and statistics (Section 17(2)(b)): Processing for research, archiving, or statistical purposes is exempt, provided such processing does not involve a decision specifically relating to any data principal.

Startups and small entities (Section 17(3)): The Central Government may notify classes of Data Fiduciaries, including startups, to which specified provisions do not apply, having regard to the volume and nature of data processed. The DPDP Rules, 2025 are expected to give this exemption its contours, which are still being finalised.

Journalism and free speech: Notably, the DPDPA does not contain an explicit exemption for journalistic purposes. The 2019 Bill contained such an exemption, but it was removed in the final 2023 version. This has raised concerns among media organisations that journalistic data processing — investigative reporting, source protection, and editorial data analysis — may be subject to the full weight of the Act. The absence of a press exemption is a significant departure from the GDPR (which provides for derogations for journalistic purposes) and may face constitutional challenge under Article 19(1)(a) of the Constitution.

Compliance Roadmap & Practical Steps

With enforcement expected by mid-2027, organisations processing personal data of Indian individuals should begin compliance preparations now. The following roadmap provides a structured approach to DPDPA readiness.

Phase 1: Assessment (Months 1-3)

  • Data mapping and inventory: Catalogue all personal data collected, processed, stored, and shared. Identify data sources, processing purposes, legal bases, retention periods, and cross-border flows. Pay particular attention to legacy data collected before the Act's commencement.
  • Gap analysis: Compare current data practices against DPDPA requirements across all key areas — consent mechanisms, notice practices, breach response capabilities, data principal rights fulfilment, and vendor contracts.
  • SDF assessment: Evaluate whether your organisation is likely to be designated as a Significant Data Fiduciary based on the volume and nature of data processed.

Phase 2: Design (Months 4-6)

  • Consent architecture: Design consent flows that meet the "free, specific, informed, unconditional, unambiguous" standard. Implement granular consent mechanisms that separate essential and non-essential processing. Build withdrawal mechanisms with ease-of-use parity.
  • Notice framework: Draft compliant notices in English and relevant scheduled languages. Ensure notices are clear, plain-language, and accessible.
  • Children's data controls: If your service is accessible to minors, design age-verification mechanisms and parental consent flows, and record which verification method was used for each consent. Review advertising and analytics practices for compliance with the Section 9(3) prohibitions on tracking, behavioural monitoring and targeted advertising.
  • Breach response plan: Develop a comprehensive incident response plan with clear escalation procedures, pre-drafted notification templates, and a 72-hour response capability.
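One way to make the consent architecture above concrete, as an added example that is not code from this guide or from any consent-management product: a small consent ledger that records consent only against a purpose stated in the notice and only for a clear affirmative action (Section 6(1)), gates every processing call on both a live consent and the data items the purpose actually needs (purpose limitation and minimisation), refuses to condition the service on non-essential purposes (the "unconditional" requirement), and on withdrawal (Section 6(4)-(6)) works out which data items must now be erased under Section 8(7) because no other live purpose still needs them. The purposes, data items and scenario are assumptions for the example.

```python
"""Consent ledger enforcing purpose limitation, data minimisation and withdrawal
(DPDPA Sections 5, 6 and 8(7)). Added illustrative code; the purposes, data items
and ledger layout are assumptions for the example, not anything the Act or Rules prescribe."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Purpose registry: each purpose the notice (s.5) specifies, whether the service cannot run
# without it, and the minimum data it needs (s.6(1): consent is limited to data necessary for
# the specified purpose). Names and data sets are assumed for the example.
PURPOSES = {
    "order_fulfilment": {"essential": True,  "data": {"name", "address", "phone"}},
    "marketing_sms":    {"essential": False, "data": {"phone"}},
    "analytics":        {"essential": False, "data": {"device_id"}},
}

# Ways of "agreeing" that are not a clear affirmative action (s.6(1)).
NOT_AFFIRMATIVE = {"pre_ticked", "default", "silence", "continued_use"}


@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    affirmative_action: str          # how consent was expressed, kept as evidence
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self):
        self._records = {}           # principal_id -> {purpose: ConsentRecord}

    def record_consent(self, principal_id, purpose, affirmative_action, at):
        if purpose not in PURPOSES:
            raise ValueError(f"{purpose!r} was not specified in the notice (s.5)")
        if affirmative_action in NOT_AFFIRMATIVE:
            raise ValueError("consent needs a clear affirmative action (s.6(1))")
        self._records.setdefault(principal_id, {})[purpose] = ConsentRecord(purpose, at, affirmative_action)

    def may_process(self, principal_id, purpose, data_items, at):
        """Gate for every processing call: returns (allowed, reason)."""
        spec = PURPOSES.get(purpose)
        if spec is None:
            return False, "purpose not in notice"
        extra = set(data_items) - spec["data"]
        if extra:                                   # minimisation: no data the purpose does not need
            return False, f"data not necessary for purpose: {sorted(extra)}"
        rec = self._records.get(principal_id, {}).get(purpose)
        if rec is None or rec.given_at > at:
            return False, "no consent on record"
        if rec.withdrawn_at is not None and rec.withdrawn_at <= at:
            return False, "consent withdrawn"
        return True, "ok"

    def withdraw(self, principal_id, purpose, at):
        """Withdrawal does not affect processing already done (s.6(5)) but stops further
        processing (s.6(6)) and triggers erasure (s.8(7)) of every data item no other live
        purpose still needs. Returns the set of items to erase."""
        rec = self._records.get(principal_id, {}).get(purpose)
        if rec is None:
            raise KeyError("no consent to withdraw")
        rec.withdrawn_at = at
        still_needed = set()
        for other in self._records[principal_id].values():
            if other.withdrawn_at is None:
                still_needed |= PURPOSES[other.purpose]["data"]
        return PURPOSES[purpose]["data"] - still_needed

    @staticmethod
    def bundling_violations(purposes_required_for_access):
        """Non-essential purposes the service is conditioned on: making access depend on them
        means the consent is neither free nor unconditional (s.6(1) and its illustration)."""
        return sorted(p for p in purposes_required_for_access if not PURPOSES[p]["essential"])


def run_sample_scenario():
    """Constructed walk-through for the example; returns the outcomes of each step."""
    t = datetime(2026, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_consent("p1", "order_fulfilment", "checkbox_ticked", t)
    ledger.record_consent("p1", "marketing_sms", "checkbox_ticked", t)
    out = {}
    out["fulfil_ok"] = ledger.may_process("p1", "order_fulfilment", {"name", "address"}, t)[0]
    out["overcollect"] = ledger.may_process("p1", "order_fulfilment", {"name", "device_id"}, t)[0]
    out["analytics_no_consent"] = ledger.may_process("p1", "analytics", {"device_id"}, t)[0]
    # phone stays: order_fulfilment still needs it, so withdrawing SMS marketing erases nothing
    out["erase_after_sms_withdrawal"] = ledger.withdraw("p1", "marketing_sms", t)
    out["sms_after_withdrawal"] = ledger.may_process("p1", "marketing_sms", {"phone"}, t)[0]
    out["bundling"] = ConsentLedger.bundling_violations(["order_fulfilment", "analytics"])
    try:
        ledger.record_consent("p2", "analytics", "pre_ticked", t)
        out["pre_ticked_rejected"] = False
    except ValueError:
        out["pre_ticked_rejected"] = True
    return out


if __name__ == "__main__":
    for step, result in run_sample_scenario().items():
        print(f"{step}: {result}")
```

The ledger keeps the affirmative action alongside each consent because, in a dispute before the Board, the fiduciary carries the burden of showing that consent was given and how. The withdrawal routine illustrates a detail that is easy to get wrong: erasure is per data item, not per purpose, so an item still needed by a live consented purpose (or by a legal retention duty) survives the withdrawal of the purpose that first collected it.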

Phase 3: Implementation (Months 7-12)

  • Policy documentation: Update privacy policies, cookie policies, data retention schedules, and internal data handling procedures. Develop a data principal rights request process.
  • Vendor contracts: Review and amend all Data Processor agreements, since a fiduciary may engage a processor only under a valid contract (Section 8(2)), to include DPDPA-compliant terms: purpose limitation, security obligations, breach notification timelines short enough to meet the fiduciary's own reporting window, cessation of processing on consent withdrawal, and audit rights. The fiduciary remains responsible for compliance regardless of what the processor does.
  • Technical controls: Implement or upgrade encryption, access controls, pseudonymisation, and logging mechanisms. The Act itself requires only "reasonable security safeguards" (Section 8(5)); the DPDP Rules set out a baseline of expected measures, so map your controls to both. Deploy consent management platforms.
  • Training: Conduct organisation-wide awareness training and role-specific training for data handling teams, customer service, IT security, and legal/compliance functions.
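The consent requirements of Phase 2 (purpose-level granularity, separation of essential and optional processing, withdrawal as easy as grant, consent tied to the notice shown) and the consent-management tooling of Phase 3 can be sketched as a small purpose-granular consent ledger. The Python below is an added illustration written for this guide; it is not code from any consent platform, from the Act or from the Rules. The purpose catalogue, principal identifiers and notice versions are hypothetical, and the ledger keeps records in memory only.

```python
"""Purpose-granular consent ledger: an illustrative sketch, not a product.
All purposes, principal ids and notice versions below are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# English plus the 22 languages of the Eighth Schedule to the Constitution,
# the languages in which a data principal may opt to receive the notice.
EIGHTH_SCHEDULE = frozenset({
    "Assamese", "Bengali", "Bodo", "Dogri", "Gujarati", "Hindi", "Kannada",
    "Kashmiri", "Konkani", "Maithili", "Malayalam", "Manipuri", "Marathi",
    "Nepali", "Odia", "Punjabi", "Sanskrit", "Santali", "Sindhi", "Tamil",
    "Telugu", "Urdu",
})
NOTICE_LANGUAGES = EIGHTH_SCHEDULE | {"English"}

# Hypothetical purpose catalogue: True = essential to the requested service,
# False = optional, so it must be a separate choice, never a condition of service.
PURPOSES = {
    "account_service": True,
    "fraud_monitoring": True,
    "marketing_email": False,
    "product_analytics": False,
}


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    notice_version: str
    language: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        """Active from the grant instant up to, but excluding, the withdrawal instant."""
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


class ConsentLedger:
    def __init__(self):
        self._records = []

    def grant(self, principal_id, purposes, notice_version, language, affirmative_action, now=None):
        """Record one consent per purpose, tied to the notice version and language shown."""
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        if language not in NOTICE_LANGUAGES:
            raise ValueError(f"notice must be in English or an Eighth Schedule language: {language!r}")
        # A single grant may not bundle essential and optional purposes;
        # unknown purposes fail here with a KeyError.
        if len({PURPOSES[p] for p in purposes}) > 1:
            raise ValueError("essential and optional purposes must be consented to separately")
        now = now or datetime.now(timezone.utc)
        for purpose in purposes:
            self._records.append(ConsentRecord(principal_id, purpose, notice_version, language, now))

    def withdraw(self, principal_id, purposes, now=None):
        """Same call shape as grant; returns the purposes whose processing must now stop."""
        now = now or datetime.now(timezone.utc)
        stopped = []
        for rec in self._records:
            if rec.principal_id == principal_id and rec.purpose in purposes and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                stopped.append(rec.purpose)
        return stopped

    def is_permitted(self, principal_id, purpose, at=None):
        """True only while an active consent record exists for this purpose."""
        at = at or datetime.now(timezone.utc)
        return any(r.principal_id == principal_id and r.purpose == purpose and r.active(at)
                   for r in self._records)

    def evidence(self, principal_id):
        """The per-purpose records a fiduciary would produce to show notice and consent."""
        return [vars(r) for r in self._records if r.principal_id == principal_id]


def demo():
    """Grant, withdraw and check for a hypothetical principal at fixed instants."""
    t0 = datetime(2026, 3, 1, tzinfo=timezone.utc)
    t1 = datetime(2026, 4, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("dp-001", ["account_service", "fraud_monitoring"], "notice-v3", "Tamil", True, now=t0)
    ledger.grant("dp-001", ["marketing_email"], "notice-v3", "Tamil", True, now=t0)
    stopped = ledger.withdraw("dp-001", ["marketing_email"], now=t1)
    try:  # a bundled essential + optional grant must be refused
        ledger.grant("dp-002", ["account_service", "marketing_email"], "notice-v3", "English", True)
        bundled_rejected = False
    except ValueError:
        bundled_rejected = True
    return {
        "marketing_before_withdrawal": ledger.is_permitted("dp-001", "marketing_email", at=t0),
        "marketing_after_withdrawal": ledger.is_permitted("dp-001", "marketing_email", at=t1),
        "service_after_withdrawal": ledger.is_permitted("dp-001", "account_service", at=t1),
        "stopped": stopped,
        "bundled_grant_rejected": bundled_rejected,
        "records": len(ledger.evidence("dp-001")),
    }
```

Two design points carry over to a real system: every processing path should call the equivalent of is_permitted rather than reading a cached flag, so a withdrawal takes effect without a deployment; and the list returned by withdraw is the hook for telling downstream processors to stop, which is the fiduciary's obligation, not the principal's.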

Phase 4: Operationalisation (Ongoing)

  • DPO appointment (if SDF): Appoint a qualified Data Protection Officer based in India.
  • DPIA programme (if SDF): Establish a process for conducting Data Protection Impact Assessments for high-risk processing activities.
  • Audit readiness: Prepare for independent data audits as required for SDFs or as best practice for all fiduciaries.
  • Monitoring and adaptation: Track evolving DPDP Rules, Board decisions, Government notifications, and sector-specific guidance. Adapt compliance frameworks accordingly.

Practical Tip

Begin with the data mapping exercise — it is the foundation of every subsequent compliance step. Companies that have completed GDPR compliance will have a head start, but must address India-specific requirements such as multilingual notices, the nomination right, and sectoral localisation mandates.

DPDPA vs GDPR: Key Differences

The DPDPA and the GDPR share common ancestry in data protection principles, but differ in several critical respects. The following comparison highlights the key divergences that multinational companies must navigate.

Feature | DPDPA (India) | GDPR (EU)
Scope | Digital personal data only, including non-digital data that is later digitised (Section 3) | All personal data processed by automated means or forming part of a filing system (Art. 2)
Sensitive data category | No separate category | Special categories (Art. 9) with stricter rules
Legal bases for processing | Consent (Section 6) plus the enumerated "legitimate uses" of Section 7, such as data voluntarily provided for a specified purpose, State functions and benefits, legal obligations, medical emergencies and employment | Six legal bases (Art. 6) including legitimate interest
Legitimate interest | Not available as a standalone basis | Available with balancing test (Art. 6(1)(f))
Cross-border transfers | Blacklist model: permitted unless the Central Government restricts transfer to a notified country (Section 16) | Whitelist model: restricted unless adequacy decision or appropriate safeguards (Chapter V)
DPO requirement | Significant Data Fiduciaries only (Section 10) | Public authorities, and controllers or processors whose core activities involve large-scale regular and systematic monitoring or large-scale special-category processing (Art. 37)
Right to data portability | Not provided | Available (Art. 20)
Right to object / restrict | Not provided; data principal rights are limited to access, correction and erasure, grievance redressal, and nomination (Sections 11 to 14) | Available (Art. 18, 21)
Right of nomination | Available (Section 14), unique to DPDPA | Not available
Data principal duties | Yes (Section 15), with a penalty for breach, including filing a false or frivolous complaint | No duties on data subjects
Notice language | English or any of the 22 Eighth Schedule languages, at the data principal's option (Section 5(3)) | Clear and plain language (Art. 12); in practice the language of the member state
Maximum penalty | INR 250 crore (~USD 30 million) per contravention | EUR 20 million or 4% of worldwide annual turnover, whichever is higher (Art. 83)
Criminal liability | None | Member States may impose criminal sanctions (Art. 84)
Enforcement body | Data Protection Board of India, an adjudicatory body with no rule-making power | Independent supervisory authorities with investigative and regulatory powers
State exemptions | Broad exemption for State instrumentalities notified by the Central Government (Section 17(2)) | Limited exemptions; public bodies largely covered
Journalism exemption | No explicit exemption | Derogations permitted (Art. 85)
Consent Manager | Board-registered intermediary through which a data principal can give, manage, review and withdraw consent (Section 6(7) to 6(9)) | No equivalent concept
Child's age threshold | Under 18 (Section 2(f)); the Central Government may notify a lower age for a fiduciary that processes children's data in a verifiably safe manner (Section 9(5)) | 16 years; member states may lower to 13 (Art. 8)

The most consequential differences for multinational companies are: (i) the absence of legitimate interest as a standalone processing basis, which forces greater reliance on consent; (ii) the blacklist model for cross-border transfers, which is currently more permissive than the GDPR's adequacy framework but may tighten; and (iii) the broad State exemptions, which create a regulatory asymmetry between private and public sector data processing. Companies with dual GDPR-DPDPA exposure should adopt a "highest common denominator" approach, complying with the stricter standard on each point, while maintaining India-specific mechanisms (multilingual notices, nomination rights, Consent Manager integration) for their Indian operations.

KSK Insight

KSK regularly advises multinational companies on harmonising their GDPR and DPDPA compliance programmes. Our cross-border data governance team has structured privacy frameworks for companies operating across 30+ jurisdictions.

Key Takeaways

  • The DPDPA applies to all digital personal data processed in India and to processing outside India connected with offering goods or services to Indian individuals — giving it significant extraterritorial reach.
  • Consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action; the notice and consent request must be available, at the data principal's option, in English or any of the 22 Eighth Schedule languages (Section 5(3)), creating a multilingual compliance obligation unique to India.
  • The Act does not create a separate category of sensitive personal data — all personal data is treated uniformly, though Significant Data Fiduciaries face enhanced obligations including DPO appointment, audits, and DPIAs.
  • Cross-border data transfers follow a permissive blacklist model (all transfers allowed unless restricted), but sector-specific localisation mandates (RBI, SEBI, IRDAI) operate independently and must be complied with separately.
  • Penalties of up to INR 250 crore per contravention, with no statutory aggregate cap, make DPDPA compliance a board-level governance priority.
  • The Data Protection Board of India is an adjudicatory body, not a regulator: it does not issue binding guidance and acts on breach intimations, complaints and Government references rather than on its own initiative, which may slow the development of compliance norms.
  • Broad exemptions for State instrumentalities, the absence of a journalism exemption, and the imposition of duties on data principals are distinctive features that set the DPDPA apart from the GDPR and most global data protection laws.
  • Companies should begin compliance preparations now — starting with comprehensive data mapping and gap analysis — with full enforcement expected by mid-2027.

Need Expert Guidance?

Need help with DPDPA compliance? Our team has advised 50+ companies on India's new data protection framework.
