
DPDP Act 2023 — Compliance Guide for Indian IT Companies

India's Digital Personal Data Protection Act 2023 is fully enforced from 2026. Penalties reach Rs. 250 crore. Every business collecting Indian users' data must comply. Complete guide here.

MICS Team · 15 May 2026 · 7 min read

DPDP Act 2023 — India's Data Privacy Law Explained

The Digital Personal Data Protection (DPDP) Act 2023 is India's landmark data privacy legislation, comparable to Europe's GDPR. From 2026, its provisions are fully enforced, and the Data Protection Board is actively processing complaints.

Who Must Comply

Every business or organisation that:

  • Collects personal data from Indian residents
  • Operates a website or app with Indian users
  • Processes Indian customer data anywhere in the world

This includes NBFCs, hospitals, schools, e-commerce platforms, SaaS companies, and IT service firms.

Core Provisions

1. Consent Before Collection

Explicit, specific, informed consent must be obtained before collecting any personal data. Generic "I agree to Terms and Conditions" checkboxes do not qualify. Consent must state the exact purpose.

2. Data Fiduciary Obligations

The organisation collecting data is the "Data Fiduciary" and must:

  • Use data only for the stated purpose
  • Keep data accurate and up to date
  • Notify the Data Protection Board within 72 hours of any breach
  • Appoint a Grievance Officer (mandatory)

3. Rights of Data Principals (Indian Citizens)

  • Right to access their personal data
  • Right to correction of inaccurate data
  • Right to erasure ("Right to be Forgotten")
  • Right to grievance redressal within 30 days

4. Children's Data

Processing data of children under 18 requires verifiable parental consent. Significant restrictions apply to profiling minors.

5. Cross-Border Transfer

Transferring Indian personal data abroad requires government-approved transfer mechanisms or data localisation.

Penalty Structure

| Violation | Maximum Penalty |
|---|---|
| Failure to notify data breach | Rs. 200 crore |
| Non-compliance with obligations | Rs. 250 crore |
| Processing children's data unlawfully | Rs. 200 crore |

Compliance Checklist

Website and App

  • [ ] DPDP-compliant cookie consent banner
  • [ ] Updated privacy policy stating data purposes
  • [ ] Granular consent for each data category
  • [ ] Easy opt-out mechanism

Business Process

  • [ ] Data inventory (what, where, how long retained)
  • [ ] Consent management system
  • [ ] Data breach response plan (72-hour clock)
  • [ ] Grievance Officer appointed and published

Technical Controls

  • [ ] Encryption at rest and in transit
  • [ ] Role-based access control
  • [ ] Audit logs for data access
  • [ ] Data deletion mechanism for erasure requests
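The consent, purpose-limitation, audit-log and erasure items above can be tied together in one small component. The following is an added example, not MICS code or any reference implementation of the Act; class and function names, purposes and sample values are constructed for illustration.

```python
"""Purpose-bound consent registry with audit trail and erasure handling.

Added example, not MICS code: models the obligations listed on this page
(consent for a stated purpose, use only for that purpose, audit logs for data
access, deletion on erasure, 72-hour breach clock). Sample values are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BREACH_NOTIFY_WINDOW = timedelta(hours=72)   # notify the Board within 72 hours
GENERIC_PURPOSES = {"terms and conditions", "general", "all purposes"}


@dataclass
class ConsentRegistry:
    consents: dict = field(default_factory=dict)   # principal_id -> {purpose, ...}
    records: dict = field(default_factory=dict)    # principal_id -> {field: value}
    audit_log: list = field(default_factory=list)  # append-only access trail

    def _audit(self, event, principal_id, detail):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, event, principal_id, detail))

    def record_consent(self, principal_id, purpose, data):
        """Store data only together with consent for one specific purpose."""
        if not purpose or purpose.strip().lower() in GENERIC_PURPOSES:
            raise ValueError("consent must name the exact purpose")
        self.consents.setdefault(principal_id, set()).add(purpose)
        self.records.setdefault(principal_id, {}).update(data)
        self._audit("consent", principal_id, purpose)

    def access(self, principal_id, purpose, actor):
        """Release data only for a consented purpose; log every attempt."""
        allowed = purpose in self.consents.get(principal_id, set())
        self._audit("access" if allowed else "denied", principal_id, f"{actor}:{purpose}")
        if not allowed:
            raise PermissionError(f"no consent from {principal_id} for '{purpose}'")
        return dict(self.records[principal_id])

    def erase(self, principal_id):
        """Right to erasure: drop data and consents, keep only the audit trail."""
        self.records.pop(principal_id, None)
        self.consents.pop(principal_id, None)
        self._audit("erase", principal_id, "")
        return principal_id not in self.records and principal_id not in self.consents

def breach_notification_deadline(detected_at):
    """Latest time the Data Protection Board must be notified of a breach."""
    return detected_at + BREACH_NOTIFY_WINDOW
```

A denied access is written to the audit log before the exception is raised, so attempts to use data outside its consented purpose remain visible to reviewers.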

MICS DPDP Compliance Services

1. Data Audit — Map all personal data flows in your organisation

2. Privacy Policy Rewrite — Legally compliant DPDP policy

3. Consent Management — Technical implementation on your platform

4. Staff Training — 4-hour compliance workshop

5. Quarterly Monitoring — Ongoing compliance reviews

Package pricing from Rs. 25,000

Book a free DPDP assessment: +91 9355273535 | admin@mics.asia
