EverydayPDF Logo
DPDP Act 2023 · India

What is the DPDP Act 2023? A Plain-English Guide

Updated July 5, 2026·9 min read·EverydayPDF Research

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive law governing how personal data is collected, used, stored and shared. It received Presidential assent on 11 August 2023, and the detailed rules that make it operational — the DPDP Rules, 2025 — were notified on 13 November 2025. Full compliance obligations take effect on 13 May 2027.

If your organisation — a company, a law firm, a CA practice, a school, a hospital, or even a sole proprietor with a website — processes the personal data of people in India in digital form, the DPDP Act applies to you.

The key players: who is who under the DPDP Act

TermWho it meansEveryday example
Data PrincipalThe individual the personal data is aboutYour client, customer, employee or website visitor
Data FiduciaryThe person or entity that decides why and how personal data is processedA company collecting customer KYC documents
Data ProcessorAn entity that processes personal data on behalf of a Data FiduciaryA cloud tool your firm uploads client PDFs to
Significant Data Fiduciary (SDF)A Data Fiduciary notified by the government based on volume/sensitivity of data and riskLarge platforms, fintechs, health-data companies
Consent ManagerA registered platform through which individuals give, manage and withdraw consentInteroperable consent dashboards (operational from November 2026)
Data Protection Board of IndiaThe adjudicating body that hears complaints and imposes penaltiesThe regulator you answer to after a breach

What data does the DPDP Act cover?

The Act covers digital personal data — any data about an identifiable individual that is collected digitally, or collected offline and later digitised. Unlike the GDPR, the DPDP Act does not create a separate category of "sensitive" personal data: an Aadhaar number, a medical record and an email address are all simply "personal data", protected by the same obligations.

  • Applies to processing within India, and to processing outside India if it relates to offering goods or services to people in India.
  • Does not apply to personal data processed by an individual for purely personal or domestic purposes.
  • Does not apply to personal data that the individual has themselves made publicly available, or that is required to be made public under law.

The seven core obligations of a Data Fiduciary

  1. Process personal data only with consent, or for a defined "legitimate use" (Section 7) — there is no GDPR-style open-ended "legitimate interest" ground.
  2. Give a clear, itemised notice before or when seeking consent — what data, what purpose, how to complain, how to withdraw.
  3. Implement reasonable security safeguards to prevent personal data breaches (Section 8(5)).
  4. Notify the Data Protection Board and each affected individual in the event of a personal data breach.
  5. Erase personal data once the purpose is served and retention is no longer necessary (unless law requires retention).
  6. Establish a grievance-redressal mechanism and answer Data Principals' requests for access, correction and erasure.
  7. Ensure any Data Processor you engage (including any online tool you send personal data to) operates under a valid contract.

What rights do individuals get?

  • Right to access a summary of their personal data and the processing activities performed on it.
  • Right to correction, completion and updating of their data.
  • Right to erasure once the purpose is served.
  • Right to grievance redressal from the Data Fiduciary, and escalation to the Data Protection Board.
  • Right to nominate another person to exercise these rights in case of death or incapacity — a provision unique to India.

What happens if you don't comply?

The Data Protection Board can impose monetary penalties of up to ₹250 crore per instance for failing to maintain reasonable security safeguards — the highest slab in the penalty schedule. Breach-notification failures and violations of children's-data provisions carry penalties up to ₹200 crore. See our detailed penalties guide for the full schedule.

The document angle most firms miss

Every PDF a professional handles — an ITR acknowledgement, a bank statement, a vakalatnama — is a container of personal data. Uploading it to a cloud-based converter or compressor transfers that data to a third-party processor, which triggers DPDP obligations. Tools that process files entirely in your browser avoid that transfer altogether, because the data never leaves your device.

Handle documents the zero-upload way

EverydayPDF compresses, merges, redacts and converts PDFs entirely in your browser. No file ever reaches a server — so there is no third-party data transfer to explain.

Explore the tools

Frequently asked questions

Is the DPDP Act 2023 currently in force?+

Partially. The DPDP Rules 2025 were notified on 13 November 2025 with phased commencement: provisions establishing the Data Protection Board took effect immediately, consent-manager provisions take effect by November 2026, and all remaining substantive obligations become enforceable on 13 May 2027. Organisations are expected to use this transition window to become compliant.

Does the DPDP Act apply to small businesses and individual professionals?+

Yes. Any person or entity that determines the purpose and means of processing digital personal data is a Data Fiduciary — including sole practitioners, small firms and startups. The government may notify relaxed obligations for certain classes such as startups, but the core duties of lawful processing, security safeguards and breach notification apply broadly.

What is the difference between a Data Fiduciary and a Data Processor?+

A Data Fiduciary decides why and how personal data is processed (for example, a CA firm handling client tax documents). A Data Processor processes data on the fiduciary's behalf (for example, a cloud PDF tool the firm uploads those documents to). The fiduciary remains responsible for what its processors do with the data.

Does the DPDP Act restrict sending data outside India?+

The Act permits cross-border transfers by default, except to countries specifically restricted by government notification (a "negative list" approach). However, sector regulators like the RBI may impose stricter localisation rules that continue to apply.

Is there a separate category for sensitive personal data?+

No. Unlike the GDPR or India's older SPDI Rules, the DPDP Act treats all digital personal data uniformly. Financial data, health records and identifiers like Aadhaar or PAN receive the same statutory protection as any other personal data — though their leak is far more damaging in practice, which matters when penalties are assessed.

Continue reading

This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.