Quick Answer
The seven core principles that underpin India's Digital Personal Data Protection Act, 2023 are lawful purpose, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. They are derived from the obligations set out in Sections 4 to 8 of the DPDP Act and form the baseline that every Data Fiduciary must operationalise. Where the principles sit in the DPDP Act The DPDP Act does not list these principles in a single numbered article the way the EU GDPR does in Article 5. Instead, they are distributed across the operative sections covering grounds of processing, notice and consent, the duties of the Data Fiduciary, and the security safeguards required to prevent personal data breaches. Reading these sections together yields the seven-principle structure that Indian privacy practitioners now use to design compliance programmes. The seven principles, broken down # Principle DPDP anchor What it means in practice 1 Lawful purpose
The seven core principles that underpin India's Digital Personal Data Protection Act, 2023 are lawful purpose, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. They are derived from the obligations set out in Sections 4 to 8 of the DPDP Act and form the baseline that every Data Fiduciary must operationalise.
Where the principles sit in the DPDP Act
The DPDP Act does not list these principles in a single numbered article the way the EU GDPR does in Article 5. Instead, they are distributed across the operative sections covering grounds of processing, notice and consent, the duties of the Data Fiduciary, and the security safeguards required to prevent personal data breaches. Reading these sections together yields the seven-principle structure that Indian privacy practitioners now use to design compliance programmes.
The seven principles, broken down
| # | Principle | DPDP anchor | What it means in practice |
|---|---|---|---|
| 1 | Lawful purpose | Sections 4, 6, 7 | Process only with valid consent or under a defined legitimate use such as employment, public interest, or compliance with law |
| 2 | Purpose limitation | Sections 5, 6 | Use data only for the specific purpose disclosed in the notice. New purposes require fresh consent |
| 3 | Data minimisation | Section 4 | Collect only what is necessary for the stated purpose. Avoid speculative collection for future use cases |
| 4 | Accuracy | Section 8(3) | Ensure personal data is complete, accurate, and consistent, especially when used to make decisions about the Data Principal |
| 5 | Storage limitation | Section 8(7) | Erase personal data once the purpose is served and retention is no longer required by law or for legitimate business needs |
| 6 | Security safeguards | Section 8(5) | Implement reasonable technical and organisational measures to prevent breach. Failure here carries the highest penalty tier |
| 7 | Accountability | Sections 8(1), 10 | The Data Fiduciary is responsible for compliance and must demonstrate it. Significant Data Fiduciaries face stricter duties including DPO and audit obligations |
Need help with cloud?
Book a free 30-minute meeting with one of our cloud specialists. We'll analyse your needs and provide actionable recommendations — no obligation, no cost.
How the DPDP principles compare to GDPR
GDPR Article 5 lists six principles plus accountability, including a standalone first principle of "lawfulness, fairness and transparency." The DPDP Act does not name fairness and transparency as a discrete principle. Instead, transparency is embedded in the Section 5 notice requirement, and fairness is implicit in the consent and grievance redressal architecture. Indian organisations that already align to GDPR will find the gap small, but should still revisit notice templates, retention schedules, and breach playbooks against the DPDP-specific wording.
Practical implications for Indian Data Fiduciaries
Translating the principles into controls usually means:
- Lawful purpose — maintain a register of processing activities mapped to consent or a Section 7 legitimate use.
- Purpose limitation — tag every data field with the purpose it serves and block secondary use through access controls.
- Data minimisation — review web forms, app onboarding flows, and integration payloads for unnecessary fields.
- Accuracy — give Data Principals a self-service correction path via the rights workflow under Section 12.
- Storage limitation — implement automated deletion in databases, object stores, and backup systems.
- Security safeguards — adopt encryption, access control, logging, and incident response aligned to recognised frameworks. See our overview of cloud security, SOC, MDR, and penetration testing.
- Accountability — appoint a grievance officer, document policies, and run periodic internal audits.
Common pitfalls
Indian Data Fiduciaries most often slip on storage limitation and processor oversight. Backup retention policies frequently outlive the lawful purpose, and third-party processors hold copies long after the primary system has purged. Contractually binding processors to mirror your retention and breach-notification timelines is non-negotiable.
How Opsio helps
Opsio implements the DPDP principles as concrete cloud controls. Through our managed cloud services we deploy automated data retention, encryption-at-rest, access reviews, and breach detection across AWS, Azure, and GCP estates. Our India delivery team also runs gap assessments against Sections 4 to 8 so you can prove principle-by-principle compliance to internal audit and the Data Protection Board.
Frequently Asked Questions
Are the seven principles legally binding?
Yes, in substance. The DPDP Act enforces them through specific duties on Data Fiduciaries in Sections 4 to 8, and the Data Protection Board can impose financial penalties for breach of those duties.
Does the DPDP Act recognise fairness and transparency as separate principles?No. Unlike GDPR, the DPDP Act folds transparency into the Section 5 notice obligation and does not separately name fairness. The substantive expectation is similar though.Which principle carries the highest penalty?
Security safeguards. Failure to take reasonable security measures to prevent a personal data breach attracts the top penalty tier in the Schedule to the Act. This is why SOC 2 alignment for Indian IT vendors is becoming a common baseline expectation.
How do I prove accountability to a regulator?
Maintain documented policies, processing inventories, DPIA records for high-risk activities, consent logs, incident registers, and evidence of training. Significant Data Fiduciaries must additionally appoint a Data Protection Officer and undergo independent audits.
Do the principles apply to my processors and sub-processors?
Indirectly, yes. The Data Fiduciary remains accountable for processing carried out by its processors, and must impose the same standards contractually. Sub-processor changes typically require prior written notice and the right to object.
Written By
Country Manager, Sweden
Johan leads Opsio's Sweden operations, driving AI adoption, DevOps transformation, security strategy, and cloud solutioning for Nordic enterprises. With 12+ years in enterprise cloud infrastructure, he has delivered 200+ projects across AWS, Azure, and GCP — specialising in Well-Architected reviews, landing zone design, and multi-cloud strategy.
Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. Content is reviewed quarterly for technical accuracy and relevance to Indian compliance requirements including DPDPA, CERT-In directives, and RBI guidelines. Opsio maintains editorial independence.