Pune · serving all India Mon–Fri, 9:30–18:30 IST
DPDPA in 60 seconds

What the law actually says.

The Digital Personal Data Protection Act, 2023 is India's first comprehensive data protection law. It applies to any organisation that processes the personal data of individuals in India — regardless of where the organisation is based.

The core idea

Individuals — called Data Principals — own their personal data. Organisations — called Data Fiduciaries — can process that data only for clearly stated, lawful purposes, and only with the principal's consent or under specific legitimate uses defined in the Act.

The Data Protection Board of India enforces the Act and can impose penalties of up to ₹250 crore per instance for serious breaches.

Who is in scope

Almost every organisation operating digitally in India. The Act exempts certain government processing and very limited research activities, but the working assumption for any commercial enterprise should be: you are in scope.

The seven rights of a Data Principal

01. Right to information: about what's processed, why, and how.
02. Right to access: to their own personal data on request.
03. Correction & erasure: to fix or delete inaccurate data.
04. Nomination: for incapacity or in case of death.
05. Grievance redressal: via a clearly published channel.
06. Withdraw consent: as easily as it was given.
07. Data portability: where applicable, in standard formats.

Your obligations

What you must do.

The DPDPA places concrete duties on every Data Fiduciary. These are the obligations any meaningful compliance programme has to address.

DUTY 01. Lawful basis: process personal data only with consent, or under the specifically defined "legitimate uses" in the Act.
DUTY 02. Clear notice: give Data Principals a clear, itemised notice of what data is collected, why, and how — before collection.
DUTY 03. Purpose limitation: use personal data only for the purpose disclosed. Want to use it differently? You need fresh consent.
DUTY 04. Data minimisation: collect only what's necessary for the stated purpose. Delete when no longer needed or consent is withdrawn.
DUTY 05. Security safeguards: implement reasonable technical and organisational measures — encryption, access controls, audit logs.
DUTY 06. Breach notification: report breaches to the Data Protection Board and affected individuals within prescribed timelines.

Frequently asked

The questions everyone asks first.

Short, direct answers below. For longer, sector-specific responses, get in touch.

Do we need to comply if we already follow GDPR?
GDPR compliance is a strong foundation, but not a free pass. DPDPA has Indian-specific provisions — particularly around consent for minors, the role of Consent Managers, and notification to the Data Protection Board — with no direct GDPR equivalent. The right approach is usually a delta assessment.
What is a Significant Data Fiduciary?
The Central Government designates certain Data Fiduciaries as "Significant" based on volume and sensitivity of data processed, risk to electoral democracy and other factors. SDFs face additional obligations: a DPO based in India, periodic data protection impact assessments, and independent audits.
How long does a typical DPDPA implementation take?
For a mid-sized organisation, plan for 12 to 16 weeks from kickoff to operational readiness. Larger institutions with complex legacy systems can run 6 to 9 months, often in parallel waves.
Can we just buy a tool and call it done?
No — but we understand the temptation. Consent Mitra and similar platforms are useful infrastructure, but DPDPA compliance is fundamentally a governance question: policies, accountability, decision-making frameworks, training. Tools support compliance; they don't constitute it.
What happens if we ignore this?
The Data Protection Board can impose penalties of up to ₹250 crore per instance for serious failures. Beyond financial penalties, there are reputational consequences and — for regulated sectors — secondary action by sectoral regulators (RBI, IRDAI, etc.).
How do you charge for your services?
Gap assessments are fixed-fee, scoped at the outset. Implementation work is typically time-and-materials with capped estimates. DPO-as-a-Service and audits run on annual retainers. Consent Mitra is licensed on annual subscription. We share indicative pricing after a 30-minute scoping call.
Still have questions?

A 30-minute call is free and useful.
