Comply Ark
    Updated for DPDP Rules 2025 · Last Reviewed: November 20, 2025

    The Digital Personal Data Protection Act

    A Practical DPDPA Guide for Businesses

    Executive Summary

    The Digital Personal Data Protection Act and the DPDP Rules together establish a complete regulatory framework for how personal data must be collected, used, secured, retained, shared, and erased in India.

    What the DPDPA, 2023 Establishes

    • A unified framework that regulates the full lifecycle of personal data.
    • Clear duties for organisations that collect, process, or store personal data.
    • Defined rights for individuals, including access, correction, erasure, and grievance redressal.
    • A central authority (the Data Protection Board) responsible for enforcement, inquiries, and penalties.
    • A scalable model that applies to every kind of organisation: startups to public authorities.

    What the DPDP Rules, 2025 Add

    The Rules convert the Act’s principles into operational obligations. They specify:

    • The mandatory structure of notices and how they must be presented.
    • Requirements for valid consent, including the conditions for withdrawal.
    • Processes for verifiable consent for children and persons with disabilities.
    • Minimum security safeguards and mandatory log retention.
    • Mandatory breach notifications to both users and the Board.
    • Detailed retention and erasure timelines (Rule 8 & Third Schedule), including sector-specific rules.
    • A classification of Significant Data Fiduciaries and their additional responsibilities.

    What This Means for Businesses

    • Provide clear, standalone privacy notices before collecting any personal data.
    • Ensure consent is free, specific, informed, and recorded with a clear audit trail.
    • Implement verifiable consent mechanisms for children and persons with disabilities.
    • Maintain reasonable security safeguards and retain system logs to prevent misuse.
    • Establish a rapid response plan to notify users and the Board of any data breach.
    • Delete personal data automatically when its original purpose is fulfilled.

    Why Compliance Must Start Early

    DPDPA compliance involves legal, operational, and technical alignment. Building foundational elements (data mapping, consent tracking, rights workflows, retention logic) requires coordination across teams and systems.

    Starting early reduces operational risk and ensures your organisation can demonstrate accountability from day one.

    Quick Wins

    • Publish notices clearly
    • Track consent metadata
    • Prepare breach templates
    • Define retention timelines

    Definitions

    Core Concepts

    Understanding the key terms of the DPDPA is essential. These definitions form the foundation for every obligation in the law.

    Data Principal

    Definition

    The individual whose personal data is being collected or processed. This includes customers, users, employees, contractors, or any identified or identifiable person.

    Implication

    Every obligation in the law is designed around protecting this person’s data and rights. Your systems, policies, and processes must be built with the Data Principal at the centre.

    Data Fiduciary

    Definition

    Any organisation that determines why and how personal data is processed.

    Implication

    Your organisation is a Data Fiduciary whenever it decides how data is collected, used, stored, shared, or erased. This makes you responsible for notices, consent, security, rights fulfilment, breach handling, and retention.

    Data Processor

    Definition

    A third party that processes personal data on behalf of your organisation, following your instructions.

    Implication

    You remain accountable for what your processors do. Contracts must include the required safeguards, and processors must follow your documented instructions.

    Personal Data

    Definition

    Any data about an individual who can be identified directly or indirectly.

    Implication

    If data can identify someone, even through linkage, inference, or combining fields, it is personal data and must be handled according to the DPDPA’s obligations.

    Processing

    Definition

    Any operation performed on personal data. This includes collection, storage, use, sharing, analysis, transfer, or erasure.

    Implication

    Every stage of processing is regulated. You must ensure that each operation complies with the law and aligns with stated purposes and notices.

    Consent

    Definition

    An individual’s agreement to process their personal data, based on clear information and a meaningful choice.

    Implication

    You must be able to show that the person understood the purpose, voluntarily agreed, and had the ability to refuse or withdraw consent.

    Verifiable Consent

    Definition

    A strengthened form of consent required for children and certain cases involving persons with disabilities.

    Implication

    If you serve children or users who require a guardian, you must implement identity checks, secure documentation flows, and store verification evidence.

    User Account

    Definition

    Any account by which a user can access your service or platform, including registered and authenticated accounts.

    Implication

    Your notice and consent obligations apply at account creation and through ongoing use. Identity checks, rights fulfilment, and verification processes often depend on the structure of the account.

    Significant Data Fiduciary

    Definition

    A special classification for organisations that meet certain criteria and must follow enhanced duties.

    Implication

    If you fall within this designation, your compliance program must include advanced governance and regular reporting.

    Notice

    Definition

    A clear, standalone explanation of what personal data you collect, why you collect it, how it will be used, and how individuals can exercise their rights.

    Implication

    Notices are the foundation for lawful processing. They must be presented before or at the point of collection.

    Data Breach

    Definition

    Any unauthorised access, disclosure, modification, loss, or other compromise of personal data.

    Implication

    You have obligations to notify both the affected individuals and the Data Protection Board quickly and clearly.

    Retention

    Definition

    The period for which personal data must or may be stored.

    Implication

    Retention must follow purpose limits, sector-specific rules, and additional timelines prescribed in the Schedules.

    Process

    The Compliance Lifecycle

    The DPDPA operates as an end-to-end framework. The most effective way to approach compliance is to understand the law as a sequence of obligations that arise before collection, during processing, and after the purpose is fulfilled.

    Collect

    Providing a clear notice, explaining purpose, and collecting valid/verifiable consent.

    Process

    Ensuring purpose limitation, minimisation, and processing according to instructions.

    Protect

    Applying security safeguards, monitoring logs, and governing processors.

    Respond

    Handling access, correction, erasure, and grievance requests within timelines.

    Notify

    Notifying individuals and the Board immediately in case of a data breach.

    Erase

    Deleting data when the purpose is met or retention period expires.

    Before Collection

    Notices

    What Must Be Disclosed Before Collecting Personal Data

    Notices are the starting point of lawful personal data processing. A notice must stand on its own, be easy to read, and be available before any collection or processing begins.

    What Every Notice Must Contain

    Purpose of Processing

    Concise explanation of why data is collected (e.g., Account creation, Delivery).

    Categories of Data

    Clear list of data types (e.g., Contact details, Location, Transaction data).

    Rights Available

    Summary of rights (Access, Correction, Erasure, Grievance).

    Contact Information

    DPO or Grievance Officer details for concerns.

    Withdrawal Instructions

    How to withdraw consent easily.

    Board Complaint

    Right to complain to the Data Protection Board.

    Privacy Notice

    DPDPA Compliant • Version 1.2

    How We Use Your Personal Data

    Effective Date: November 20, 2025

    We Collect
    • Phone Number
    • Email Address
    • Location

    To Enable
    • Account Access
    • Delivery
    • Fraud Check

    Your Rights

    You have the right to access, correct, erase your data, and nominate a representative.

    You can withdraw consent anytime via Account Settings.

    Questions? Contact our Grievance Officer at [email protected]

    Unresolved? You may complain to the Data Protection Board.

    Where Notices Must Appear

    TIMING: BEFORE OR AT COLLECTION

    Website Sign-up

    Before the 'Sign Up' button.

    Mobile Onboarding

    First screen of app launch.

    Transaction Flows

    Checkout or payment pages.

    Version Control is Mandatory

    Your organisation must maintain versioned notices to show what was presented, when, and to whom. This protects you during audits and ensures you can demonstrate what information was available to individuals.

    Individual Empowerment

    Rights of Data Principals

    Individuals have defined rights over their personal data. Your organisation must be able to receive, authenticate, process, and fulfil these rights consistently.

    Right to Access

    What it Means

    Individuals can request a summary of their personal data processed by your organisation and understand why and how it is being used.

    Organisation Requirements

    • Provide a clear request form or mechanism.
    • Verify the requester's identity or account.
    • Provide a structured summary of the personal data being processed.
    • Include information on processing purposes, categories, and disclosures.
    • Maintain an audit trail of all access requests and responses.

    Compliance Note: Access responses must be accurate, complete, and understandable.

    Request Processing Workflow

    1. Request Received
    2. Identity Verification
    3. Evaluation
    4. Action Taken
    5. Response Sent
    6. Audit Logged

    Safeguards

    Security & Reasonable Safeguards

    Security is not optional. Organisations must adopt technical and organisational measures appropriate to the nature, volume, and sensitivity of the data. Failures here trigger breach obligations.

    Minimum Safeguards Checklist

    • Role-based access control (RBAC)
    • Least privilege principles enforced
    • Multi-factor authentication (MFA)
    • Regular access rights reviews

    Security Maturity Scale

    Basic Level

    Ad-hoc policies, manual access control, basic firewalling.

    Required Evidence

    • Access Matrix
    • Log Entry
    • Policy Doc
    • Incident Report

    Chain of Responsibility

    Data Fiduciary: ultimate liability
      -> Contract ->
    Data Processor: operational security
      -> Oversight ->
    Sub-Processor: cascaded terms

    Mandatory Reporting

    Data Breach Response

    Data fiduciaries that suffer a personal data breach must report details to the Board "without delay" and provide a detailed report within 72 hours. This is in addition to existing reporting obligations under other Indian laws.

    Notify The Board

    Primary DPDPA Obligation

    Without Delay

    Initial Intimation

    72 Hours

    Detailed Report

    Notify Data Principals

    Transparency Obligation

    You must inform impacted individuals to the best of your ability. Notification must include:

    • Details of the personal data breach
    • Consequences likely to arise
    • Contact info of an organisation representative

    Parallel Reporting Obligations

    6 Hours

    CERT-In Reporting

    Mandatory for all service providers, intermediaries, and body corporates to report cybersecurity incidents.

    2 Hours

    Financial Sector

    Banks and financial institutions must report to relevant regulators (e.g., RBI) starting at 2 hours in certain cases.

    Variable

    Stock Exchanges

    Public listed companies have obligations to disclose material events/incidents to stock exchanges.

    Parallel

    IRDAI (Insurers)

    Insurers must send a copy of the CERT-In report to the Insurance Regulatory and Development Authority.

    Immediate

    UIDAI (Aadhaar)

    Specific obligation to inform Unique Identification Authority of India for Aadhaar-related breaches.

    Critical

    NCIIPC

    Report incidents impacting Critical Information Infrastructure to the NCIIPC.

    Unified Incident Response

    Organisations should integrate these varying timelines into a single Incident Response Plan (IRP) to ensure no deadline is missed.

    1. Detect
    2. Contain
    3. Report
    4. Mitigate
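
As an added example (not the guide's own material or Comply Ark's tooling), the Python below builds the single unified reporting schedule recommended above from one detection timestamp, using the timelines the guide lists. The organisation profile flags and the Obligation structure are assumptions; obligations the guide gives no fixed clock for ("without delay", "immediate", "variable", "parallel") are listed first with no due time rather than an invented one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Obligation:
    recipient: str
    deliverable: str
    window: Optional[timedelta]   # None = no fixed clock in the guide (report without delay)
    applies_if: str               # profile flag name (assumed); "always" applies to everyone


# Timelines as stated in the guide. Flag names are assumptions for this example.
OBLIGATIONS = [
    Obligation("Data Protection Board", "initial intimation", None, "always"),
    Obligation("Data Protection Board", "detailed report", timedelta(hours=72), "always"),
    Obligation("Affected data principals", "breach notice", None, "always"),
    Obligation("CERT-In", "incident report", timedelta(hours=6), "always"),
    Obligation("Financial regulator (e.g. RBI)", "incident report", timedelta(hours=2), "financial_sector"),
    Obligation("Stock exchange", "material event disclosure", None, "listed_company"),
    Obligation("IRDAI", "copy of CERT-In report (parallel with CERT-In filing)", None, "insurer"),
    Obligation("UIDAI", "Aadhaar breach intimation", None, "handles_aadhaar"),
    Obligation("NCIIPC", "CII incident report", None, "critical_infrastructure"),
]


@dataclass
class Deadline:
    recipient: str
    deliverable: str
    due_at: Optional[datetime]    # None means "as soon as possible", no later clock applies


def applicable(profile: dict) -> List[Obligation]:
    """Select the obligations that bind this organisation given its (assumed) profile flags."""
    return [o for o in OBLIGATIONS if o.applies_if == "always" or profile.get(o.applies_if, False)]


def schedule(detected_at: datetime, profile: dict) -> List[Deadline]:
    """Unified schedule: undated (immediate) items first, then dated items earliest first."""
    items = [Deadline(o.recipient, o.deliverable,
                      None if o.window is None else detected_at + o.window)
             for o in applicable(profile)]
    return sorted(items, key=lambda d: (d.due_at is not None, d.due_at or detected_at))


def overdue(items: List[Deadline], now: datetime,
            reported: Set[Tuple[str, str]]) -> List[Deadline]:
    """Dated deadlines that have passed without a matching (recipient, deliverable) report logged."""
    return [d for d in items
            if d.due_at is not None and now > d.due_at
            and (d.recipient, d.deliverable) not in reported]
```
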

    Lifecycle End

    Retention & Erasure

    Knowing When to Let Go

    Retention is limited strictly to the period necessary to fulfil the purpose. Organisations must define retention periods, send pre-erasure notices, and erase data securely.

    Purpose-Based Retention

    Data must be retained only for as long as it is needed for the original purpose communicated in the notice.

    No Indefinite Storage

    Personal data cannot be kept 'just in case'. If the purpose is completed, the data becomes eligible for erasure.

    Lawful Exceptions Apply

    If another law requires longer retention (e.g., Tax, PMLA), that period overrides general limits.

    Logs Retained Separately

    Operational logs for security & audit must be retained for the required minimum period, distinct from user data.

    1. Detect Completion: purpose fulfilled
    2. Check Exceptions: legal retention check
    3. Pre-Erasure Notice: notify user
    4. Secure Erasure: delete across systems
    5. Update Logs: record evidence

    Pre-Erasure Notice Requirement

    Before erasing data, you must give individuals a final chance to retain it.

    System Notice
    #DEL-9921

    Scheduled for Deletion

    The purpose for collecting your Transaction History has been fulfilled.

    Erasure in 48h
    Confirm retention below, or data will be permanently removed.

    Sector-Specific Rules

    Third Schedule

    Mandatory 3-Year Retention

    Specific classes of Data Fiduciaries must retain personal data for exactly 3 years after the last interaction.

    • E-Commerce: > 20M users
    • Social Media: > 20M users
    • Online Gaming: > 5M users

    Overrides general purpose-based retention.
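
As an added example (not from the guide or Comply Ark's own tooling), the following Python models the five-step erasure workflow above together with the purpose-based rule, the lawful-exception override and the Third Schedule 3-year floor. The sector keys, field names and the 48-hour notice window (taken from the sample system notice) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Third Schedule classes as listed in the guide: sector -> user threshold above
# which the 3-year retention floor (counted from the last interaction) applies.
THIRD_SCHEDULE_THRESHOLDS = {
    "e-commerce": 20_000_000,
    "social-media": 20_000_000,
    "online-gaming": 5_000_000,
}
THIRD_SCHEDULE_PERIOD = timedelta(days=3 * 365)
# Pre-erasure notice window; 48 hours mirrors the sample system notice (assumption).
PRE_ERASURE_WINDOW = timedelta(hours=48)


@dataclass
class Fiduciary:
    sector: str            # hypothetical field: a key from the table above, or anything else
    registered_users: int


@dataclass
class Record:
    principal_id: str
    purpose: str
    purpose_fulfilled_at: Optional[datetime]         # None while the purpose is still live
    last_interaction_at: datetime
    legal_holds: dict = field(default_factory=dict)  # e.g. {"PMLA": hold-expiry datetime}
    retention_confirmed: bool = False                # principal answered the notice "keep it"


@dataclass
class Decision:
    action: str                    # "retain", "notify" or "erase"
    next_check: Optional[datetime]
    reason: str


def third_schedule_applies(fid: Fiduciary) -> bool:
    threshold = THIRD_SCHEDULE_THRESHOLDS.get(fid.sector)
    return threshold is not None and fid.registered_users > threshold


def earliest_erasure_date(rec: Record, fid: Fiduciary) -> Optional[datetime]:
    """Steps 1-2: purpose completion, then every overriding floor (the latest one wins)."""
    if rec.purpose_fulfilled_at is None:
        return None
    floors = [rec.purpose_fulfilled_at]
    if third_schedule_applies(fid):
        floors.append(rec.last_interaction_at + THIRD_SCHEDULE_PERIOD)
    floors.extend(rec.legal_holds.values())  # another law's period overrides the purpose limit
    return max(floors)


def decide(rec: Record, fid: Fiduciary, now: datetime,
           notice_sent_at: Optional[datetime] = None) -> Decision:
    """Steps 3-4: send the pre-erasure notice, then erase once its window has lapsed."""
    if rec.retention_confirmed:
        return Decision("retain", None, "principal confirmed retention")
    eligible = earliest_erasure_date(rec, fid)
    if eligible is None:
        return Decision("retain", None, "purpose still active")
    if now < eligible:
        return Decision("retain", eligible, "retention floor not yet reached")
    if notice_sent_at is None:
        return Decision("notify", now + PRE_ERASURE_WINDOW, "send pre-erasure notice")
    if now < notice_sent_at + PRE_ERASURE_WINDOW:
        return Decision("retain", notice_sent_at + PRE_ERASURE_WINDOW, "notice window still open")
    return Decision("erase", None, "purpose fulfilled, no overriding hold, notice window lapsed")


def evidence_entry(rec: Record, decision: Decision, now: datetime) -> dict:
    """Step 5: audit-log record kept after erasure; references the principal by id only."""
    return {"principal_id": rec.principal_id, "purpose": rec.purpose,
            "action": decision.action, "reason": decision.reason, "at": now.isoformat()}
```
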

    Business Considerations for Compliance

    • Build a structured data inventory with retention tags
    • Implement automated erasure mechanisms where possible
    • Coordinate retention schedules with legal & engineering
    • Regularly audit retention workflows and backup purges

    Enhanced Governance

    Significant Data Fiduciaries (SDFs)

    Higher Stakes, Stricter Rules

    Organisations designated as SDFs based on scale, sensitivity, or risk must comply with enhanced governance, audits, and accountability measures.

    Obligation               Standard Data Fiduciary   Significant Data Fiduciary
    Data Protection Officer  Recommended               Mandatory (India-based)
    Independent Data Audit   Ad-hoc / Voluntary        Mandatory Annual Audit
    DPIA                     Not Explicitly Mandated   Mandatory Annual Assessment
    Algorithmic Impact       General Harm Provisions   Mandatory Risk Assessment

    SDF Compliance Dashboard

    Governance View (illustrative)
    • DPIA Status: On Track
    • Audit Cycle: Due in 30d
    • Algo Risks: 2 Flagged
    • Transfer Check: Verified

    Upcoming Deadlines
    • Submit Annual Audit Report: Nov 30
    • Algorithmic Impact Review: Dec 15
    • Cross-Border Safeguard Refresh: Dec 20

    Annual Cycle

    Compliance Rhythm

    Q1: Risk Assessment

    DPIA & Algorithmic Checks

    Q2: Policy Review

    Update safeguards & contracts

    Q3: Independent Audit

    External auditor review

    Q4: Board Reporting

    Submit findings to regulator

    Algorithmic Accountability Flow

    Input Data -> Processing Logic -> Output Decisions -> Impact Assessment

    If your organisation uses automated decision-making, you must assess risks of bias, discrimination, and harm to individuals.

    Conditional Exceptions

    Exemptions & Special Conditions

    Narrow, Conditional, Documented

    Not all organisations are treated equally. Some specific purposes or classes of fiduciaries may be exempt from certain obligations. These are not blanket permissions; they are strictly conditional.

    Exemptions are narrow and conditional

    Misuse of exemptions increases regulatory exposure. You must document the specific basis for every exemption claimed.

    Exemption Eligibility Check

    Two paths to exemption eligibility

    1. Research / Archiving Path
       What is the processing type? Is it for research or archiving? Are safeguards in place?
       ✓ Eligible under 2nd Schedule

    2. Child Services Path
       What is the fiduciary class? Are services child-safe? Does it meet 4th Schedule criteria?
       ✓ Eligible under 4th Schedule

    Exemption Scope Matrix

    Research
      Conditions: strictly for research purposes; no decisions affecting individuals.
      Still required: security safeguards, data minimisation.

    Archiving
      Conditions: public interest; historical value.
      Still required: protection against misuse.

    Child Services
      Conditions: exempt from age verification and tracking obligations (Section 9(1)/(3)).
      Still required: no harmful tracking or ads.

    Documentation

    Exemption Record

    Required for audit trail

    • Exemption Type Cited
    • Justification & Purpose
    • Safeguards Implemented
    • Review Log
    • Internal Approval

    Global Operations

    Cross-Border Data Transfers

    The "Blacklist" Approach

    The DPDPA simplifies international data transfers by shifting from a "Whitelist" (Adequacy) approach to a "Blacklist" approach. Transfers are permitted by default unless specifically prohibited.

    PERMITTED

    The Default Rule: Transfers are Permitted

    Open Borders by Default

    You can transfer personal data to any country unless the Government specifically prohibits it.

    • No "Adequacy" Required: You do not need to prove the destination country has specific data laws.
    • Restricted Territories: If a country is notified on the "Blacklist", transfers are banned.

    CAUTION

    The 'Highest Standard' Rule

    Sectoral Laws Override

    If another Indian law (like RBI regulations for payments) requires data to be stored in India, that law takes precedence over the DPDPA.

    Check sector rules (Banking, Insurance, Telecom) before transferring.

    RESTRICTION

    Significant Data Fiduciaries (SDFs)

    Stricter Controls

    If you are designated as a Significant Data Fiduciary, the Government may restrict you further.

    • Localisation Mandates: Government can mandate processing within India for specific data categories based on national security or public order.

    Your Liability Remains

    Accountability Follows Data

    Even if a transfer is legal, you remain fully responsible for the data's safety.

    • Contracts: You must have a valid contract with the foreign processor ensuring data protection.
    • Breach Liability: If the foreign processor causes a breach, you are liable for the penalty in India.

    Regulatory Authority

    The Data Protection Board

    Digital, Agile, Independent

    The Board is an independent body that enforces compliance, conducts inquiries, imposes penalties, and directs remedial actions. It operates through a "digital office" for efficiency.

    Chairperson & Members

    Experts in law, tech, and governance who oversee proceedings and sign off on decisions.

    Digital Office

    A fully digital ecosystem for filings, notices, hearings, and pronouncements.

    Adjudication Wing

    Conducts inquiries, reviews evidence, determines non-compliance, and imposes penalties.

    How Proceedings Work

    1. Complaint / Incident
    2. Preliminary Review
    3. Formal Inquiry
    4. Hearing
    5. Decision & Orders

    Organisation Readiness

    • Appoint a nodal contact for Board communications
    • Maintain 'always-ready' evidence packs (logs, policies)
    • Establish a rapid legal review workflow for notices
    • Ensure the ability to export data in standard formats
    • Train key personnel on inquiry procedures

    Alternative Resolution & Appeals

    Voluntary Undertaking

    Organisations can admit to a breach and propose specific actions to remediate it. If the Board accepts this undertaking, it acts as a bar to further proceedings for that specific matter.

    Mediation

    If the Board believes a complaint can be resolved amicably, it may direct the parties to attempt mediation through a mutually agreed mediator.

    Appellate Tribunal

    Decisions of the Board are not final. Any person aggrieved by an order may appeal to the TDSAT (Appellate Tribunal) within 60 days.

    Enforcement

    Enforcement & Penalties

    Accountability Has Consequences

    Penalties are tiered based on severity, harm, and nature of violation. The Board considers mitigation efforts, past conduct, and proportionality before imposing sanctions.

    Up to ₹250 Crores: Security Failures
    Failure to take reasonable security safeguards to prevent a personal data breach.
    High Risk · Max Penalty

    Up to ₹200 Crores: Breach Notification
    Failure to notify the Board or affected individuals of a data breach.
    Critical Risk · 80% of Max

    Up to ₹200 Crores: Children's Data
    Processing child data without verifiable consent or failing to ensure safety.
    Strict Liability · 80% of Max

    Up to ₹150 Crores: SDF Obligations
    Breach of additional obligations for Significant Data Fiduciaries (audits, DPO).
    Enhanced Duty · 60% of Max

    Up to ₹50 Crores: General Non-Compliance
    Breach of any other provision of the Act or Rules not listed above.
    General · 20% of Max

    Up to ₹10,000: Data Principal Duties
    Breach of duties by individuals (e.g., impersonation, false grievances).
    Individual · Fixed Cap

    Factors Determining Penalties

    • Nature & Severity
    • Duration of Violation
    • Harm Caused
    • Mitigation Steps
    • Safeguards Used
    • Cooperation
    • Prior History
    • Impact Scale

    Action Plan

    Implementation Roadmap

    From Assessment to Automation

    Compliance is not a single task; it is a coordinated set of activities. This roadmap provides a structured 3-phase plan to build a strong governance foundation.

    Data Inventory: The Foundation

    Without knowing what personal data you hold, where it lives, and why it exists, no compliance process (notices, consent, security, rights) can function. Start here.

    • Collection Points
    • Storage Locations
    • Transfers
    • Processors
    • Retention Rules

    Phase 1

    Foundation

    0–30 Days
    • Build Data Inventory & Map Flows
    • Draft Accurate Notices
    • Establish Consent Mechanisms
    • Set Up Grievance Channel
    • Assign Compliance Roles
    • Implement Basic Security Controls

    Phase 2

    Compliance Build-Out

    30–90 Days
    • Implement Rights Workflows
    • Define Retention & Erasure Rules
    • Build Breach Response Protocol
    • Update Processor Contracts
    • Create Internal Evidence Packs
    • Enhance Logging & Monitoring

    Phase 3

    Governance & Maturity

    90–180 Days
    • Establish Governance Committee
    • Conduct SDF Assessment (if applicable)
    • Automate Rights & Erasure
    • Prepare for Consent Managers
    • Continuous Team Training
    • Quarterly Risk Reviews

    Resource Center

    Downloads & Templates

    Implementation-Ready Tools

    Standardised templates to help you build a strong, evidence-driven compliance posture. From notices to breach logs, these resources accelerate your readiness.

    Coming Soon

    We are finalizing our comprehensive library of 25+ battle-tested notices, consent forms, and breach logs.

    Frequently Asked Questions