DPDPA
Digital Personal Data Protection Act, 2023
India's first comprehensive data-protection law — and our home turf.
Act: DPDP Act, 2023
Region: India
Regulator: Data Protection Board of India
Max penalty: ₹250 crore
Overview
What is DPDPA?
The Digital Personal Data Protection Act, 2023 is India's landmark privacy law, governing the processing of digital personal data. It introduces clear obligations for Data Fiduciaries (the organizations deciding how data is used) and rights for Data Principals (the individuals).
It is built around consent, purpose limitation, and accountability, with oversight by the Data Protection Board of India. Penalties can reach up to ₹250 crore per instance — making readiness a board-level priority for Indian businesses.
Who needs it: Any organization processing the digital personal data of individuals in India — domestic companies and global firms serving Indian users alike.
Inside the framework
Key obligations & concepts
Consent & notice
Collect data on the basis of clear, informed consent, with notice of purpose — and make withdrawal as easy as giving it.
Data Principal rights
Access, correction, erasure, and grievance redressal for individuals.
Data Fiduciary duties
Security safeguards, breach notification, and accountability for how data is processed.
Significant Data Fiduciaries
Higher-risk processors face extra duties: impact assessments, audits, and a Data Protection Officer.
Consent Managers & the Board
A new ecosystem of registered Consent Managers, overseen by the Data Protection Board of India.
With RegShield
Get DPDPA-ready in a fraction of the time
AI evidence mapping
Upload a policy, screenshot, or config and RegShield maps it to the right DPDPA controls in seconds — with confidence scores you can defend in front of an auditor.
Reuse across frameworks
Evidence you collect for DPDPA is automatically reused across every other framework you've activated — so the work compounds instead of repeating.
Gaps & audit-ready reports
See your DPDPA readiness score, the exact gaps that remain, and concrete remediation steps — then export an audit-ready report.
FAQ
Common questions
Who is a Data Fiduciary?
Any person or entity that determines the purpose and means of processing personal data — broadly analogous to a 'controller' under GDPR.
How does DPDPA compare to GDPR?
It shares core ideas — consent, rights, accountability — but is leaner and tailored to India. RegShield treats DPDPA as a first-class framework, not a GDPR afterthought.
Is data localization required?
The Act permits cross-border transfers except to countries the government may restrict. RegShield keeps your data resident in India by default.