- Data Privacy & Compliance
- January 17, 2026
DPDP Act 2023 Explained: A Complete Guide for Businesses in India
If you run a business that collects even basic customer information — a name, a phone number, an email address — the DPDP Act 2023 now applies to you. The Digital Personal Data Protection Act, passed in August 2023, is India’s first comprehensive law governing how personal data is collected, stored, processed, and shared. For years, Indian businesses operated in a gray area shaped loosely by IT Rules and sector-specific guidelines. That gray area is closing fast, and companies that haven’t started preparing are already behind.
At D2i Technology, we work with businesses across sectors to build digital products that are both accessible and compliant, so we’ve spent a good amount of time unpacking what this law actually requires. This guide walks through what the DPDP Act 2023 covers, who it applies to, what compliance looks like in practice, and where most businesses tend to trip up — with insights drawn from our own client work at D2i Technology.
What Is the DPDP Act 2023?
The Digital Personal Data Protection Act, 2023 is India’s dedicated data privacy legislation. It replaces the patchwork of rules that previously governed personal data under the Information Technology Act, 2000, and introduces a structured framework built around consent, purpose limitation, and accountability.
At its core, the law recognizes two parties: the Data Principal (the individual whose data is collected) and the Data Fiduciary (the entity that decides why and how that data is processed). If your business collects personal data — through a website form, a mobile app, a CRM, or even a WhatsApp inquiry — you are very likely a Data Fiduciary under this law.
Why This Law Matters Now
A few things make 2023-24 a genuine turning point rather than another compliance formality:
- India has over 800 million internet users, and digital transactions touch nearly every sector, from retail to healthcare to fintech.
- The law applies not just to companies physically located in India, but to any business — domestic or foreign — that processes the personal data of individuals in India in connection with offering goods or services.
- Penalties are steep. Non-compliance can attract fines running into hundreds of crores of rupees, depending on the nature and scale of the breach.
This isn’t a niche IT concern. It’s a business risk that sits alongside financial and legal risk, and it needs to be treated that way. That’s precisely why teams like ours at D2i Technology are increasingly brought in early, before a compliance gap turns into a legal one.
Who Needs to Comply?
The DPDP Act casts a wide net. It applies to:
- Businesses that collect personal data of Indian citizens, regardless of where the company is headquartered
- E-commerce platforms, SaaS companies, healthcare providers, ed-tech platforms, and fintech firms
- Any organization using cookies, analytics tools, or CRM systems that store identifiable customer data
- Third-party vendors and data processors working on behalf of a Data Fiduciary
There are limited exemptions — for instance, data processed for personal or domestic purposes, or data made publicly available by the individual themselves — but these are narrow and shouldn’t be relied on as a compliance shortcut.
Key Pillars of the DPDP Act 2023
1. Consent as the Legal Basis for Processing
Consent under this law has to be free, specific, informed, unconditional, and unambiguous. Pre-ticked checkboxes, buried consent clauses in a 40-page terms document, or bundled consent for unrelated purposes won’t hold up. Businesses need clear, itemized consent requests that explain exactly what data is being collected and why.
There’s also a provision for deemed consent in specific situations — such as when an individual voluntarily provides data for a stated purpose, or in cases involving state functions, medical emergencies, or employment-related processing. This is meant to be an exception, not a default.
2. Purpose Limitation and Data Minimization
Businesses can only use personal data for the purpose it was originally collected for. If a customer shares their phone number for order updates, using that same number for unrelated marketing campaigns without fresh consent is a violation. Data minimization — collecting only what’s genuinely needed — is baked into the law’s intent, even where it isn’t spelled out as a rigid checklist.
3. Rights of the Data Principal
Individuals now have clearly defined rights, including the right to:
- Access information about what personal data is being processed
- Request correction or erasure of their data
- Withdraw consent at any time, as easily as it was given
- Nominate another person to exercise these rights in case of death or incapacity
- File grievances directly with the business before escalating to the Data Protection Board
Businesses need a functioning process to handle these requests within a reasonable timeframe — not just a policy document that says they will.
4. Data Breach Notification
If a data breach occurs, the Data Fiduciary is required to notify both the Data Protection Board of India and the affected individuals. The law doesn’t currently specify an exact notification window in the Act itself, but rules under it are expected to define stricter timelines, so businesses should plan for prompt disclosure rather than waiting for clarity.
5. Data Protection Officer and Significant Data Fiduciaries
Certain businesses — classified as Significant Data Fiduciaries based on the volume and sensitivity of data they process — will face additional obligations, including appointing a Data Protection Officer based in India, conducting periodic Data Protection Impact Assessments, and undergoing independent data audits.
What Compliance Actually Looks Like
Reading the Act is one thing; operationalizing it is another. Based on what we’ve seen while working on client platforms at D2i Technology, here’s where compliance work typically starts:
Data Mapping and Audit
Before anything else, a business needs to know what personal data it collects, where it’s stored, who has access to it, and why it’s being processed. Most companies are surprised by how scattered this data actually is — spread across CRMs, spreadsheets, email threads, and third-party tools.
Updating Consent Mechanisms
Websites, apps, and forms need consent flows redesigned to be specific and revocable. This often means rebuilding cookie banners, sign-up forms, and privacy notices from scratch rather than patching old ones.
Vendor and Third-Party Review
If your business shares data with payment gateways, analytics providers, or marketing tools, those relationships need to be reviewed for compliance too. A Data Fiduciary remains accountable even when a third-party processor mishandles data.
Building Grievance Redressal Processes
A visible, functioning channel for users to raise data-related complaints isn’t optional. It has to be built into the product, not just mentioned in a policy PDF.
Accessibility and Usability of Privacy Notices
This is where D2i Technology’s own work often intersects with compliance efforts. A privacy policy or consent form that’s technically compliant but impossible to read on mobile, or unusable with a screen reader, doesn’t actually meet the spirit of “informed consent.” We’ve worked with several clients on our accessibility testing services to make sure consent flows and data forms are usable by everyone, including users with disabilities — strengthening both compliance and user trust.
Penalties for Non-Compliance
The DPDP Act 2023 backs its requirements with real financial consequences. Penalties can range up to ₹250 crore for serious violations, such as failing to implement reasonable security safeguards or not reporting a data breach. Smaller violations, like failing to fulfill a data principal’s request, still carry meaningful fines. The Data Protection Board of India has the authority to investigate complaints and impose penalties, and businesses will need documented processes to demonstrate good-faith compliance if questioned.
Common Mistakes Businesses Are Making
From what we’ve observed across client engagements at D2i Technology, a few patterns show up repeatedly:
- Treating this as a one-time legal exercise instead of an ongoing operational practice
- Copy-pasting privacy policy templates without mapping them to actual data flows
- Ignoring third-party and vendor data-sharing agreements
- Underestimating how much technical rework consent forms and data request workflows require
- Assuming smaller businesses are exempt — the law doesn’t set a minimum size threshold for most obligations
How to Start Preparing Today
- Run a data audit across every system, form, and tool that touches personal data.
- Rebuild consent flows so they’re specific, easy to understand, and easy to withdraw.
- Assign internal ownership — someone in your organization needs to own privacy compliance, even before a formal DPO is legally required.
- Review vendor contracts for data-sharing clauses and processor obligations.
- Test your systems for accessibility and usability, not just legal wording, so consent and rights requests genuinely work for every user.
Our team at D2i Technology has worked closely with businesses to combine web accessibility with usable, compliant digital experiences — because a privacy framework only works if real users can actually engage with it. Whether you need a full data audit or just a second opinion on your consent flows, D2i Technology can help you get there without over-engineering the process.
Final Thoughts
The DPDP Act 2023 signals a permanent shift in how Indian businesses are expected to handle personal data. It’s not a one-time filing or a document you draft and forget — it’s an ongoing responsibility that touches product design, vendor management, and customer trust. Businesses that start building compliant, accessible systems now, with the right technology partner, will be in a far stronger position than those scrambling once enforcement rules are fully notified. D2i Technology is here to help make that transition smoother.
Frequently Asked Questions
Need Help Preparing for DPDP Act Compliance?
From data audits to accessible consent flows, D2i Technology helps businesses build digital systems that are compliant, usable, and future-ready.