Short answer

If your business processes personal data of people in India, the DPDP Act 2023 applies to you. Compliance boils down to: lawful consent with clear notices, purpose limitation, security safeguards, breach notification, honouring data principal requests (access / correction / erasure) on time, a named grievance officer, and records that prove all of it. Penalties for getting it wrong run up to ₹250 crore per breach.

Most DPDP content online is written for lawyers. This is the operator's version — what to actually set up, roughly in the order the Data Protection Board will care about it. (If you're an individual trying to get your data deleted, you want the data-deletion guide instead.)

First: does it apply to you, and when?

The Act covers digital personal data processed in India (and processing outside India connected to offering goods or services to people in India). If you have Indian users, customers, employees or leads in a database — you're a data fiduciary. The Act was passed in August 2023; the DPDP Rules were notified in 2025 with phased timelines, so obligations are landing in stages. The practical read: build compliance now — retrofitting consent and records later is far more expensive.

The checklist

1. Map your personal data

You can't protect or delete what you can't find. Inventory every store of personal data: CRMs, marketing lists, analytics, spreadsheets, vendor tools, backups. For each — what data, whose, why you have it, where it came from, who it's shared with, how long you keep it.

2. Consent and notice

Consent must be free, specific, informed, unconditional and unambiguous — given for a stated purpose, with a notice in plain language (and available in Indian languages listed in the Constitution's Eighth Schedule). No pre-ticked boxes, no bundling ("agree to everything or leave"). Users must be able to withdraw consent as easily as they gave it. Legacy data collected before the Act needs a fresh notice.

3. Purpose limitation and data minimisation

Use the data only for the purpose you stated, and collect only what that purpose needs. When the purpose is served (or consent is withdrawn), delete the data unless a law requires you to retain it — and make your processors delete it too.

4. Security safeguards

"Reasonable security safeguards to prevent personal data breach" is the single most expensive line in the Act — its breach carries the top ₹250 crore penalty tier. At minimum: encryption at rest and in transit, access control with least privilege, vendor/processor contracts with security obligations, and tested backups. Here's how Saaph approaches security →

5. Breach notification

On a personal data breach you must notify both the Data Protection Board and every affected user — the Rules set the format and timelines. Failing to notify has its own penalty tier (up to ₹200 crore). Have an incident-response runbook before you need it: who declares, who drafts the notice, who informs users. (If your own data was in someone else's breach, see what to do after a data breach →)

6. Honour data principal requests — especially erasure

Users have the right to access, correction, erasure, grievance redressal and nomination. You need a working intake (email or form), identity verification, and a tracked workflow that responds within the prescribed timelines. This isn't theoretical: services like Saaph send DPDP erasure requests on users' behalf every day, with statutory deadlines tracked and escalation to the Board when companies stay silent. A request you ignore becomes a complaint you answer.

7. Grievance officer and contact

Publish a named grievance officer / contact and respond within the prescribed period. Users must be told this channel exists in your privacy notice.

8. Children's data

Processing a child's data (under 18) requires verifiable parental consent, and tracking or targeted advertising directed at children is prohibited. Violations here carry a penalty tier up to ₹200 crore.

9. Records & logging — prove it happened

Searches like "logging solution as per DPDP Act 2023" get at the real operational core: you must be able to demonstrate compliance. Keep auditable records of consent, processing, data principal requests and deletions.

You don't need exotic software to start — a disciplined ticketing queue plus immutable logs beats an unused "compliance platform". What matters is that the record exists before the Board asks.
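One way to keep the consent, request and deletion records that sections 6 and 9 call for, as an added example in Python (not Saaph's code and not anything prescribed by the Act or Rules): every event is appended to a hash-chained log, so a later edit or deletion of an entry is detectable, and the same log answers the two questions an operator gets asked, whether consent for a purpose is currently live and which open requests are past their response window. The event names, principal and request identifiers, and the 30-day response window are assumptions for illustration; the Rules prescribe the real timelines, which this page does not quote.

```python
"""Hash-chained audit log for DPDP consent, request and deletion records.

Added example, not Saaph's code. Each entry carries the SHA-256 of the
previous entry's hash plus its own canonical JSON body, so altering or
removing any earlier entry breaks verification of everything after it.
"""
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
# Assumed response window for illustration only. The DPDP Rules set the
# actual timelines; substitute the prescribed period for your request types.
ASSUMED_RESPONSE_DAYS = 30


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so the hash does not depend on key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, event: str, principal: str, ts: datetime, **details) -> dict:
        """Append one event, chained to the hash of the previous entry."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "event": event, "principal": principal,
                "ts": ts.isoformat(), "details": details, "prev": prev}
        entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash; any edit, reorder or gap returns False."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or body["prev"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def consent_state(self, principal: str, purpose: str) -> bool:
        """Latest consent event for (principal, purpose) wins."""
        live = False
        for e in self.entries:
            if e["principal"] == principal and e["details"].get("purpose") == purpose:
                if e["event"] == "consent_given":
                    live = True
                elif e["event"] == "consent_withdrawn":
                    live = False
        return live

    def open_requests(self) -> list:
        """Requests received that have no matching request_closed event."""
        closed = {e["details"].get("request_id") for e in self.entries
                  if e["event"] == "request_closed"}
        return [e for e in self.entries if e["event"] == "request_received"
                and e["details"]["request_id"] not in closed]

    def overdue(self, now: datetime, days: int = ASSUMED_RESPONSE_DAYS) -> list:
        """Request ids still open after the response window has elapsed."""
        return [e["details"]["request_id"] for e in self.open_requests()
                if datetime.fromisoformat(e["ts"]) + timedelta(days=days) < now]


def build_sample_log() -> AuditLog:
    """Constructed sample timeline for two hypothetical data principals."""
    utc = timezone.utc
    log = AuditLog()
    log.append("consent_given", "dp-001", datetime(2026, 1, 5, tzinfo=utc),
               purpose="newsletter", notice_version="v3")
    log.append("request_received", "dp-001", datetime(2026, 2, 1, tzinfo=utc),
               request_id="REQ-1", kind="erasure", channel="email")
    log.append("consent_withdrawn", "dp-001", datetime(2026, 2, 3, tzinfo=utc),
               purpose="newsletter")
    log.append("deletion_done", "dp-001", datetime(2026, 2, 10, tzinfo=utc),
               request_id="REQ-1", stores=["crm", "mailer"])
    log.append("request_closed", "dp-001", datetime(2026, 2, 10, tzinfo=utc),
               request_id="REQ-1", outcome="erased")
    log.append("request_received", "dp-002", datetime(2026, 2, 15, tzinfo=utc),
               request_id="REQ-2", kind="access", channel="form")
    return log


def tamper_is_detected(log: AuditLog) -> bool:
    """Silently rewrite one historical entry on a copy and check verify() fails."""
    forged = copy.deepcopy(log)
    forged.entries[1]["details"]["kind"] = "access"  # pretend REQ-1 was never an erasure
    return not forged.verify()


if __name__ == "__main__":
    log = build_sample_log()
    now = datetime(2026, 4, 1, tzinfo=timezone.utc)
    print("chain intact:", log.verify())
    print("newsletter consent live for dp-001:", log.consent_state("dp-001", "newsletter"))
    print("overdue requests:", log.overdue(now))
    print("tamper detected:", tamper_is_detected(log))
```

The ticketing queue the text recommends maps onto the request_received / request_closed pair; the deletion_done entry is what lets you show the Board that the erasure reached every store, not just the CRM.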

10. Significant Data Fiduciary extras

If the government notifies your class of business as a Significant Data Fiduciary (based on data volume, sensitivity, risk), add: an India-based Data Protection Officer, an independent data auditor, and periodic Data Protection Impact Assessments.

The penalty schedule, briefly

| Failure | Penalty (up to, per breach) |
| --- | --- |
| Reasonable security safeguards not taken | ₹250 crore |
| Not notifying the Board / affected users of a breach | ₹200 crore |
| Obligations relating to children's data | ₹200 crore |
| Significant Data Fiduciary obligations | ₹150 crore |
| Other obligations under the Act | ₹50 crore |

The Board weighs gravity, repetitiveness and mitigation — but these ceilings are why "we'll deal with it when the notice comes" is a bad plan.

The other side of the desk

Remember that every obligation above is someone's right. Indians are already exercising them — Saaph's users send DPDP erasure requests to Indian companies and escalate to the Data Protection Board when they're ignored. Companies with a clean intake-and-respond workflow close these in minutes; companies without one collect complaints.

See what data of yours is out there

Compliance officer by day, data principal always. Saaph scans 50+ Indian platforms for your personal data and helps you remove it under the DPDP Act — free to scan.

Run a free scan →

FAQ

Is the DPDP Act 2023 in force?

The Act passed in August 2023 and the DPDP Rules were notified in 2025 with phased timelines — obligations are landing in stages, so implementation should be underway now, not at the last deadline.

What's the maximum penalty?

Up to ₹250 crore per breach for failing to take reasonable security safeguards; other failures have tiers of ₹200 crore, ₹150 crore and ₹50 crore.

Do we need a logging solution for DPDP compliance?

You need auditable records of consent, processing, requests and deletions. Start with disciplined ticketing + immutable logs; buy tooling when volume demands it.

Do foreign companies have to comply?

Yes, if they process personal data in connection with offering goods or services to people in India.

General information as of July 2026, based on the DPDP Act 2023 and notified Rules; timelines and requirements evolve. This is not legal advice — consult counsel for your specific obligations.