The Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent on August 11, 2023. After nearly a decade of drafts, consultations, and withdrawals, India now has a comprehensive legal framework governing how organisations collect, store, process, and delete personal data of Indian citizens.
For IT leaders and CIOs at Indian enterprises, the DPDP Act is not an abstract compliance exercise. It has direct, practical implications for how your cloud infrastructure is configured, how your applications handle user data, and what your vendors are contractually obligated to do on your behalf.
What is the DPDP Act?
The Digital Personal Data Protection Act 2023 is India’s primary law governing the processing of personal data. It establishes the rights of individuals (called “Data Principals”) over their personal data, and the obligations of organisations (called “Data Fiduciaries”) that collect and process that data.
The law applies to:
- Any organisation processing digital personal data within India
- Any organisation processing personal data outside India if the processing is in connection with offering goods or services to individuals in India
Key Terms You Need to Know
Personal Data: Any data that can identify an individual — names, email addresses, phone numbers, financial data, health records, location data, device identifiers, and more.
Data Principal: The individual whose personal data is being processed. Under the DPDP Act, Data Principals have specific rights including the right to access their data, correct it, and request its deletion.
Data Fiduciary: An organisation that determines the purpose and means of processing personal data. If your company collects and uses customer data, you are a Data Fiduciary.
Data Processor: A third party that processes data on behalf of a Data Fiduciary — this includes cloud providers like AWS, Microsoft Azure, and Google Cloud, as well as SaaS vendors.
What Does the DPDP Act Require?
1. Lawful Basis for Processing
The DPDP Act requires that personal data only be processed for a lawful purpose. The primary lawful basis under the Act is consent — freely given, specific, informed, and unambiguous. For most Indian enterprises, this means you need a clear consent mechanism for every data collection point — website forms, mobile apps, CRM systems, and third-party integrations.
2. Notice Requirements
When collecting personal data, organisations must provide individuals with a clear notice that includes what data is being collected, the purpose for which it will be used, how to exercise their rights under the Act, and contact details for the Data Protection Officer (if applicable).
3. Data Principal Rights
Under the DPDP Act, every Indian citizen has the right to:
- Access a summary of their personal data held by your organisation
- Correct inaccurate or outdated personal data
- Erase their personal data when it is no longer needed for the original purpose
- Grievance redressal — the right to raise a complaint if these rights are denied
- Nominate another person to exercise their rights in the event of death or incapacity
4. Data Retention and Deletion
The DPDP Act introduces an explicit obligation to delete personal data once the purpose for which it was collected has been fulfilled, or once the Data Principal withdraws consent. Cloud storage is cheap, but storing personal data indefinitely is now a legal liability.
5. Data Breach Notification
In the event of a personal data breach, organisations must notify the Data Protection Board of India within a prescribed timeframe. Early indications suggest a 72-hour window — consistent with GDPR.
Penalties Under the DPDP Act
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore |
| Failure to notify a data breach | ₹200 crore |
| Breach of obligations related to children’s data | ₹200 crore |
| Breach of Data Fiduciary obligations | ₹50 crore |
| Breach of Data Principal rights obligations | ₹10,000 per complaint |
What the DPDP Act Means for Your Cloud Infrastructure
For Indian enterprises running workloads on AWS, Microsoft Azure, or Google Cloud, the DPDP Act creates specific cloud governance obligations:
- Your cloud provider is a Data Processor. You need a formal Data Processing Agreement (DPA) with your cloud provider.
- Data localisation requirements are coming. The Act empowers the Government to restrict the transfer of certain categories of personal data outside India.
- Your backup and DR configuration matters. If your data is replicated to cloud regions outside India, you may have a cross-border transfer obligation.
- Access controls and security are now a legal obligation. Encryption at rest, access logging, IAM policies, and security monitoring are required.
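The four points above can be turned into a repeatable check over your cloud inventory. The following is an added example, not CloudFirst's code and not any cloud provider's API: it assumes an inventory export with the field names shown, a constructed sample inventory, and a hand-maintained list of India regions (a real check should take that list from each provider's documentation). It flags resources holding personal data that sit outside India, replicate outside India, lack encryption at rest or access logging, or live with a provider for which no Data Processing Agreement is on record.

```python
"""Checks a cloud storage inventory against the cloud-governance points
above (processor DPA, data residency, backup/DR replication, encryption
and access logging). Added example, not CloudFirst's or any cloud
provider's code; the inventory schema, field names and region list are
assumptions, and the sample inventory is constructed."""
from collections import Counter
from dataclasses import dataclass, field

# Assumption: region identifiers treated as inside India for residency checks
# (Mumbai/Hyderabad/Delhi-NCR regions of AWS, Azure and Google Cloud).
# A real check should use the provider's authoritative region list.
INDIA_REGIONS = {
    "ap-south-1", "ap-south-2",                   # AWS
    "centralindia", "southindia", "westindia",    # Azure
    "asia-south1", "asia-south2",                 # Google Cloud
}


@dataclass
class StorageResource:
    """One bucket / database / backup vault as exported from inventory tooling."""
    name: str
    provider: str                 # "aws", "azure", "gcp" (assumed labels)
    region: str
    holds_personal_data: bool
    encrypted_at_rest: bool
    access_logging: bool
    replication_targets: list = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    resource: str
    obligation: str   # which of the four governance points it maps to
    detail: str


def assess(resources, dpa_signed_with):
    """Return findings for every resource that holds personal data.

    dpa_signed_with: set of provider labels with which a Data Processing
    Agreement is in place. Resources holding no personal data are skipped,
    since the Act's obligations attach to personal data only."""
    findings = []
    for r in resources:
        if not r.holds_personal_data:
            continue
        if r.provider not in dpa_signed_with:
            findings.append(Finding(r.name, "processor-dpa",
                            f"no DPA on record with provider {r.provider}"))
        if r.region not in INDIA_REGIONS:
            findings.append(Finding(r.name, "data-residency",
                            f"primary copy stored in {r.region}"))
        for target in r.replication_targets:
            if target not in INDIA_REGIONS:
                findings.append(Finding(r.name, "backup-dr-transfer",
                                f"replicated to {target} outside India"))
        if not r.encrypted_at_rest:
            findings.append(Finding(r.name, "security-safeguards",
                            "encryption at rest disabled"))
        if not r.access_logging:
            findings.append(Finding(r.name, "security-safeguards",
                            "access logging disabled"))
    return findings


def summarise(findings):
    """Count findings per obligation, e.g. for a compliance dashboard."""
    return dict(Counter(f.obligation for f in findings))


# Constructed sample inventory (not real infrastructure).
SAMPLE_INVENTORY = [
    StorageResource("crm-customer-db", "aws", "ap-south-1", True, True, True,
                    replication_targets=["ap-southeast-1"]),
    StorageResource("marketing-assets", "aws", "ap-south-1", False, False, False),
    StorageResource("hr-records-backup", "azure", "westeurope", True, True, False),
]
SAMPLE_DPAS = {"aws"}   # assumed: a DPA exists with AWS only


def run_sample():
    return assess(SAMPLE_INVENTORY, SAMPLE_DPAS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.resource:20} {f.obligation:22} {f.detail}")
    print(summarise(run_sample()))
```

Run as a script it prints one line per finding: the CRM database is flagged only for its Singapore replica, the marketing bucket is ignored because it holds no personal data, and the HR backup is flagged three times (no DPA with that provider, stored outside India, no access logging). Feeding a real export into `assess` gives you a starting inventory of cross-border transfers and missing safeguards to close before the Data Protection Board begins enforcement.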
DPDP Act Implementation Timeline
As of April 2026, the DPDP Act has received Presidential assent but the subordinate rules are still being finalised by MeitY. The Data Protection Board of India is in the process of being constituted. Organisations that begin compliance work now will be significantly better positioned than those who wait for enforcement to begin.
CloudFirst helps Indian enterprises assess their cloud infrastructure against DPDP Act requirements. Speak with a CloudFirst expert today → cloudfirst.in/contact-sales.php
Frequently Asked Questions
Q: Does the DPDP Act apply to B2B data?
The DPDP Act applies to personal data of individuals — i.e., natural persons. B2B data (company names, company emails) is generally not personal data. However, individual contact data — a named person’s work email or phone number — is personal data even in a B2B context.
Q: Is the DPDP Act the same as GDPR?
No, but it draws significant inspiration from GDPR. Key differences include the consent framework, the role of Consent Managers, and the Data Protection Board model. GDPR has a broader set of lawful bases for processing; the DPDP Act’s primary lawful basis is consent plus enumerated “legitimate uses.”
Q: When will enforcement begin?
The DPDP Act is in force, but enforcement through the Data Protection Board of India will begin once the Board is constituted and the subordinate rules are notified. MeitY has not announced a specific enforcement start date as of April 2026.
Q: Do we need a Data Protection Officer?
Only Significant Data Fiduciaries are required to appoint a DPO under the DPDP Act. However, even organisations that are not designated Significant Data Fiduciaries should consider appointing a privacy lead as a best practice.