DPDP Act 2023 Explained: Deadlines, Penalties and How to Comply

Who must comply

The DPDP Act applies to every Data Fiduciary processing digital personal data of individuals in India, including certain offshore processing that targets India.

Organisations designated as Significant Data Fiduciaries face additional duties, including Data Protection Impact Assessments, annual audits, and appointing a Data Protection Officer and an independent data auditor.

The phased timeline

The DPDP Rules 2025 commence in stages, so the obligations land over an 18-month window.

• 13 November 2025: Rules notified; foundational provisions in force
• Around 13 November 2026: Consent Manager registration opens
• Around 13 May 2027: substantive obligations (notice, consent, security, breach, rights, retention) apply

Penalties

Penalties are imposed per violation by the Data Protection Board and are significant.

• Up to INR 250 crore for failing to take reasonable security safeguards
• Up to INR 200 crore for breach-notification or children's-data failures
• Up to INR 150 crore for breaches of Significant Data Fiduciary obligations

How to prepare, and how DPDP differs from GDPR

DPDP is leaner and consent-centric. Unlike the GDPR it has no legitimate-interest basis, no default data-localisation mandate, flat rupee penalty caps rather than turnover percentages, and DPO requirements only for Significant Data Fiduciaries. GDPR compliance helps but does not equal DPDP compliance.

Building consent and breach machinery takes 12 to 18 months, so the time to start is now. IntelligenceX provides DPDP readiness assessments, DPIAs, consent-architecture review and the independent data audit for SDFs.