
What is DPDPA? A Complete Guide for Every Indian Business (2026)

India's first comprehensive data protection law is now in force. Here's everything your business needs to know about the Digital Personal Data Protection Act — in plain language, no legal jargon.

DataDefend Editorial Team

Privacy & Compliance Experts

May 30, 2026 ◦ 8 min read


India Finally Has a Data Protection Law

On August 11, 2023, India passed the Digital Personal Data Protection Act — commonly known as the DPDPA or DPDP Act. This is India's first comprehensive law specifically designed to protect the personal data of its citizens in the digital world.

For years, India had no dedicated data protection law. Businesses collected, stored, and shared personal data with minimal oversight. The DPDPA changes that completely. It gives citizens clear rights over their data and puts real responsibilities on the organisations that collect it.

If your business collects any personal data — names, phone numbers, email addresses, payment details, health records — from people in India, this law applies to you. There is no minimum size threshold. Startups, SMEs, and large enterprises are all covered.

Who Does the DPDPA Apply To?

The DPDPA applies to any organisation that processes digital personal data in India, or processes data of Indian citizens from outside India. This includes Indian companies, foreign companies with Indian users, apps and websites, hospitals, banks, e-commerce platforms, SaaS companies, and HR departments.

The law only covers digital personal data — data that is collected online or data that was collected offline but later digitised. Physical paper files that are never digitised fall outside the scope of the Act.

  • You run a website or app that collects user information
  • You store customer data in a database or CRM
  • You process employee personal data digitally
  • You share user data with third-party vendors or partners
  • You run digital marketing campaigns using personal data

If any of the above describes your organisation, the DPDPA applies to you — and you need to act now.

3 Key Terms You Must Know

The DPDPA introduces specific terms. Understanding them is the first step to compliance.

  • Data Fiduciary: Any organisation that decides WHY and HOW personal data is processed. If you run a business that collects customer data, you are a Data Fiduciary. You hold the primary accountability under the law.
  • Data Principal: The individual whose personal data is being processed. Your customers, users, employees — anyone whose data you hold. They are now called Data Principals and they have legal rights.
  • Data Processor: A third party that processes data on behalf of a Data Fiduciary. Your cloud provider, your marketing agency, your payroll software — these are Data Processors. You are responsible for ensuring they also comply.

"The shift from Data Controller to Data Fiduciary is intentional — it signals a relationship of trust, not just legal control. You are expected to act in the interest of the people whose data you hold."

The Golden Rule: Consent Must Be Clear and Free

At the heart of the DPDPA is consent. Before you process anyone's personal data, you need their clear, informed, and voluntary consent. The law is very specific about what valid consent looks like.

Consent must be: free (not forced or bundled with a service), specific (one consent for one purpose — you cannot get blanket consent for everything), informed (the person must know exactly what they are agreeing to), unconditional (no 'take it or leave it' terms), and unambiguous (a clear, positive action — not a pre-ticked box).

  • Pre-ticked checkboxes are NOT valid consent
  • Bundling consent with terms and conditions is NOT valid
  • Silence or inaction is NOT valid consent
  • Generic 'I agree to everything' consent is NOT valid
  • People must be able to withdraw consent as easily as they gave it

Rights Your Users Now Have

The DPDPA grants Data Principals — your users and customers — six legal rights that your organisation must respect and support.

  • Right to Access: Users can ask what personal data you hold about them
  • Right to Correction: Users can ask you to fix inaccurate data
  • Right to Erasure: Users can ask you to delete their data when it is no longer needed
  • Right to Grievance Redressal: Users can raise complaints directly with you
  • Right to Nominate: Users can nominate someone to exercise rights on their behalf
  • Right to Withdraw Consent: Users can withdraw consent at any time

You must have systems in place to respond to these requests. Ignoring them or making them unnecessarily difficult is a violation of the Act.

Key Deadlines You Cannot Miss

The DPDP Rules 2025 were officially notified on November 13, 2025, starting the compliance clock for all businesses.

  • November 13, 2025: DPDP Rules 2025 notified — Data Protection Board of India formally established
  • November 13, 2026: Consent Manager registration framework becomes operational
  • May 13, 2027: Full compliance deadline — all businesses must meet every requirement

May 2027 may seem far away, but building a compliant consent infrastructure, training teams, auditing vendors, and updating privacy policies takes 6 to 12 months minimum. The time to start is now.

What Should You Do Right Now?

Getting DPDPA-compliant does not have to be overwhelming. Start with these three steps this week.

  • Audit your data: List every type of personal data you collect, where you store it, and who you share it with
  • Review your consent: Check if your current consent mechanisms are specific, informed, and easy to withdraw
  • Talk to your vendors: Ensure every third party that handles your user data has a proper data processing agreement in place

DataDefend automates all of this — from consent collection and storage to vendor risk management and data discovery. Thousands of Indian enterprises are already using our platform to get DPDPA-ready in weeks, not months.
