DPDP Act 2023: What Every Indian Business Must Do Before the Deadline 2026

If your business operates in India — or processes data of Indian citizens anywhere in the world — the Digital Personal Data Protection (DPDP) Act 2023 is no longer optional reading. It is your most urgent legal obligation before 2026.

India’s DPDP Act 2023 marks a watershed moment in data governance, placing India alongside the European Union’s GDPR and California’s CCPA as a global data protection standard-setter. Whether you are a multinational corporation entering the Indian market, an NRI-owned business, a fast-growing domestic startup, or a global enterprise with Indian operations, non-compliance carries serious financial and reputational consequences.

At Khanna & Associates, the best law firm in Jaipur with decades of expertise in corporate and digital law, we have guided hundreds of Indian and international clients through complex regulatory transitions. Based in Mansarovar, Jaipur, Rajasthan, our team is already helping businesses prepare comprehensive DPDP compliance frameworks — well ahead of the 2026 enforcement deadline.

This authoritative guide covers everything you need to know: what the Act demands, who it applies to, what penalties await non-compliant entities, and exactly how to protect your business in time.


What Is the DPDP Act 2023? A Complete Definition & Overview

The Digital Personal Data Protection Act, 2023 (officially Act No. 22 of 2023) received Presidential assent on 11 August 2023. It is India’s first comprehensive, standalone data protection legislation, replacing the fragmented privacy provisions of the IT Act, 2000.

The Act governs the processing of digital personal data — any information relating to an identified or identifiable individual — within India. Crucially, it also applies to data processing outside India if it relates to offering goods or services to individuals located in India. This extraterritorial scope is why foreign companies, MNCs, global SaaS platforms, and overseas investors must act immediately.

The Act establishes:

  • Rights of Data Principals (individuals whose data is collected)
  • Obligations of Data Fiduciaries (businesses that collect and process data)
  • The establishment of a Data Protection Board of India
  • Penalty provisions reaching up to ₹250 crore per violation

For authoritative government updates, refer to the Ministry of Electronics and Information Technology (MeitY) — the nodal ministry overseeing DPDP implementation.


Legal Framework & Regulations Under the DPDP Act 2023

The DPDP Act 2023 rests on seven foundational principles: lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. Every data fiduciary operating in India must embed these into their daily business operations.

Key provisions every business must understand:

Consent Architecture: All data collection requires free, specific, informed, unconditional, and unambiguous consent. Pre-ticked boxes or bundled consents are now illegal. Businesses must redesign every digital consent mechanism — from website cookies to mobile app sign-ups.

Data Localisation & Cross-Border Transfers: While the Act permits cross-border data transfers to “trusted geographies” to be notified by the central government, businesses must track where Indian citizen data flows globally. MNCs transferring HR data, customer records, or financial information outside India are especially vulnerable.

Significant Data Fiduciaries (SDFs): Certain high-risk processors — large social media platforms, healthcare providers, financial institutions — will be designated as SDFs, triggering additional obligations including Data Protection Impact Assessments (DPIAs) and appointment of Data Protection Officers (DPOs).

Children’s Data: Processing data of minors under 18 requires verifiable parental consent. EdTech companies, gaming platforms, and e-commerce businesses must overhaul their onboarding processes immediately.

At Khanna & Associates, our Cybersecurity & Data Protection practice team has developed step-by-step compliance roadmaps. We also assist in Corporate Compliance, Contract Drafting, IT & Technology law, FinTech & Digital Payments, and Information Technology regulations. Foreign businesses entering India benefit from our Foreign Direct Investments and Setting Up Business in India advisory. We further support with NRI Legal Services, International Trade & Investment, Company Formation, and Banking & Finance compliance services. Our ESG & Sustainability Compliance team also integrates DPDP requirements into broader governance frameworks.


Key Compliance Requirements, Timelines & Penalties

What must be done before the 2026 deadline:

  • Data Audit & Mapping: Identify every category of personal data your organisation collects, stores, and processes. Document lawful bases for each processing activity.
  • Privacy Policy Overhaul: Existing privacy policies must be rewritten to meet DPDP standards — clear, layered, and accessible in multiple Indian languages.
  • Consent Management Platform (CMP): Deploy technical infrastructure to collect, record, and honour consents in real time.
  • Grievance Redressal Officer: Every data fiduciary must appoint an internal officer to handle data principal complaints within a prescribed timeline.
  • Data Breach Notification: The Act requires notification to the Data Protection Board and affected individuals within a strict timeframe following a data breach — likely 72 hours (rules awaited).
  • Vendor Contracts: All third-party data processors must be contractually bound to DPDP obligations. Legacy vendor contracts must be reviewed and renegotiated.

Penalty Structure (per the Act):

Violation                                      Maximum Penalty
Breach of child data provisions                ₹200 crore
Failure to implement security safeguards       ₹250 crore
Non-fulfilment of Data Fiduciary obligations   ₹150 crore
Non-compliance with Board orders               ₹50 crore

Real-world example: A Bengaluru-based B2B SaaS company serving European clients already complied with GDPR — yet needed significant restructuring for DPDP because India’s consent model differs materially in language, granularity, and withdrawal mechanics. A proactive legal audit saved them months of remediation.


Common Mistakes Indian and Foreign Businesses Make

Many organisations underestimate the DPDP Act’s reach. Here are the most costly errors:

Mistake 1 — Assuming GDPR Compliance Is Enough: GDPR and DPDP share principles but differ sharply in consent language requirements, children’s data thresholds, and localisation obligations. Do not assume your EU compliance covers India.

Mistake 2 — Ignoring HR Data: Employee data is personal data. Many multinational HR platforms processing Indian employee records overseas are inadvertently non-compliant.

Mistake 3 — No Written Consent Records: Oral or implied consent is not valid. Businesses that collected customer data informally via WhatsApp, email, or physical forms face serious retrospective risk.

Mistake 4 — Overlooking Startup Exemptions: The government may notify exemptions for startups, but relying on these without legal verification is dangerous.

Mistake 5 — Delayed Vendor Management: Supply chain data flows are among the most overlooked compliance gaps. Every vendor who touches your customer data is now part of your compliance obligation.

As the top law firm in Jaipur, Khanna & Associates proactively audits these gaps, prevents regulatory exposure, and resolves disputes through our Dispute Resolution and Arbitration & Reconciliation practices.


Expert Tips from Senior Legal Advisors at Khanna & Associates

Tip 1 — Start With a Data Flow Map, Not a Policy Document: Most companies begin with rewriting their privacy policy. That is the wrong starting point. Map every data flow first — collection, storage, processing, sharing — then build policies around reality, not aspiration.

Tip 2 — Build Consent Infrastructure That Scales: If you are a D2C brand or marketplace with millions of users, manual consent records are unworkable. Invest in automated Consent Management Platforms that integrate with your CRM and can produce compliance evidence on demand.

Tip 3 — Cross-Border Businesses Must Monitor Trusted Geographies Notifications: The government will release a whitelist of countries to which Indian data can legally flow. Monitor MeitY notifications closely. If your data centres are outside India, establish a legal contingency plan now.

Tip 4 — Appoint a DPO With Real Authority: Data Protection Officers must have genuine organisational authority. Tokenistic appointments attract regulatory scrutiny. Ensure your DPO reports directly to senior leadership.

Tip 5 — Integrate DPDP Into Your M&A Due Diligence: If you are acquiring an Indian company or entering a joint venture, DPDP compliance status is now a material due diligence item. Inherited data liabilities can be catastrophic.

Tip 6 — Document Everything: The Data Protection Board can demand evidence of compliance at any time. Maintain contemporaneous records of all consent transactions, DPIAs, breach assessments, and training programmes.


Conclusion: Act Now — Not When the Deadline Arrives

The DPDP Act 2023 is India’s most significant privacy legislation in the digital age. With enforcement expected to fully activate in 2026, the compliance window is narrowing rapidly. For Indian enterprises, global startups, MNCs, and NRI-owned businesses alike, the cost of inaction dramatically exceeds the cost of compliance.

Khanna & Associates — the best law firm in Jaipur and a trusted partner for top-tier Indian and international clients — offers end-to-end DPDP compliance services tailored to your industry, scale, and cross-border footprint. From initial data audits to regulatory filings, DPO appointment, consent infrastructure design, and Data Protection Board representation, our senior advocates stand ready.

Khanna & Associates
47 SMS Colony, Shipra Path, Mansarovar 302020, Jaipur, Rajasthan, India
Phone: +91-9461620007
Email: info@khannaandassociates.com
Web: www.khannaandassociates.com

Do not wait for the deadline. Schedule your DPDP compliance audit today.


Frequently Asked Questions (FAQs)

Q1. Does the DPDP Act 2023 apply to foreign companies that only collect data of Indian users online?
Yes, absolutely. The DPDP Act 2023 has extraterritorial application. Any entity — regardless of its country of incorporation — that processes personal data of individuals located in India for the purpose of offering goods or services is fully bound by the Act’s provisions. Foreign companies, global SaaS platforms, and e-commerce businesses serving Indian consumers must comply before the 2026 enforcement deadline.

Q2. What is the difference between a Data Fiduciary and a Data Processor under the DPDP Act 2023?
A Data Fiduciary is the entity that determines the purpose and means of processing personal data — essentially, the organisation that decides why and how data is used. A Data Processor processes data on behalf of a Fiduciary, following its instructions. Both carry compliance obligations, but Fiduciaries bear primary accountability, including consent management, security safeguards, and grievance redressal under India’s data protection law.

Q3. What penalty can a business face for violating children’s data protection rules under the DPDP Act?
Processing children’s personal data without verifiable parental consent, or conducting targeted advertising directed at children, can attract penalties of up to ₹200 crore per violation. For businesses in EdTech, gaming, food delivery, or e-commerce with significant under-18 users in India, this is among the highest-risk provisions and demands immediate compliance architecture review.

Q4. How is India’s DPDP Act different from Europe’s GDPR for multinational businesses?
While DPDP and GDPR share foundational principles — consent, purpose limitation, data minimisation — there are critical differences. DPDP requires consent notices in multiple Indian languages, uses a unique “consent manager” intermediary mechanism, has different data localisation rules pending government notification, and sets an 18-year threshold for children’s data (versus 16 in most EU states). GDPR compliance does not automatically satisfy DPDP obligations.

Q5. Can an NRI or overseas Indian company get legal help for DPDP compliance in India?
Yes. Khanna & Associates, a leading law firm in Jaipur, provides dedicated NRI legal services and international compliance advisory. Our team assists NRI-owned businesses, overseas Indian companies, and foreign investors with complete DPDP compliance frameworks, Indian data localisation strategy, cross-border data transfer structuring, and ongoing regulatory monitoring — fully remotely or through our Jaipur office.
