DPDP Act 2023 — Compliance Guide for Indian IT Companies
India's Digital Personal Data Protection Act 2023 is fully enforced from 2026, with penalties of up to Rs. 250 crore. Every business collecting Indian users' data must comply; this page is the complete guide.
DPDP Act 2023 — India's Data Privacy Law Explained
The Digital Personal Data Protection (DPDP) Act 2023 is India's landmark data privacy legislation, comparable to Europe's GDPR. From 2026, its provisions are fully enforced, and the Data Protection Board is actively processing complaints.
Who Must Comply
Every business or organisation that:
- Collects personal data from Indian residents
- Operates a website or app with Indian users
- Processes Indian customer data anywhere in the world
This includes NBFCs, hospitals, schools, e-commerce platforms, SaaS companies, and IT service firms.
Core Provisions
1. Consent Before Collection
Explicit, specific, informed consent must be obtained before collecting any personal data. Generic "I agree to Terms and Conditions" checkboxes do not qualify. Consent must state the exact purpose.
2. Data Fiduciary Obligations
The organisation collecting data is the "Data Fiduciary" and must:
- Use data only for the stated purpose
- Keep data accurate and up to date
- Notify the Data Protection Board within 72 hours of any breach
- Appoint a Grievance Officer (mandatory)
3. Rights of Data Principals (Indian Citizens)
- Right to access their personal data
- Right to correction of inaccurate data
- Right to erasure ("Right to be Forgotten")
- Right to grievance redressal within 30 days
4. Children's Data
Processing data of children under 18 requires verifiable parental consent. Significant restrictions apply to profiling minors.
5. Cross-Border Transfer
Transferring Indian personal data abroad requires government-approved transfer mechanisms or data localisation.
Penalty Structure
| Violation | Maximum Penalty |
|---|---|
| Failure to notify data breach | Rs. 200 crore |
| Non-compliance with obligations | Rs. 250 crore |
| Processing children's data unlawfully | Rs. 200 crore |
Compliance Checklist
Website and App
- [ ] DPDP-compliant cookie consent banner
- [ ] Updated privacy policy stating data purposes
- [ ] Granular consent for each data category
- [ ] Easy opt-out mechanism
Business Process
- [ ] Data inventory (what, where, how long retained)
- [ ] Consent management system
- [ ] Data breach response plan (72-hour clock)
- [ ] Grievance Officer appointed and published
Technical Controls
- [ ] Encryption at rest and in transit
- [ ] Role-based access control
- [ ] Audit logs for data access
- [ ] Data deletion mechanism for erasure requests
MICS DPDP Compliance Services
1. Data Audit — Map all personal data flows in your organisation
2. Privacy Policy Rewrite — Legally compliant DPDP policy
3. Consent Management — Technical implementation on your platform
4. Staff Training — 4-hour compliance workshop
5. Quarterly Monitoring — Ongoing compliance reviews
Package pricing from Rs. 25,000
Book a free DPDP assessment: +91 9355273535 | admin@mics.asia
Need Help Implementing This?
Talk to MICS experts — free 30-min consultation, no commitment.