Opsio - Cloud and AI Solutions

What is the DPDP Act 2023 applied to?

Johan Carlsson

Country Manager, Sweden

Reviewed by Opsio Engineering Team

Quick Answer

The Digital Personal Data Protection Act, 2023 (DPDP Act) applies to the processing of digital personal data within India, and to processing carried out outside India where it relates to offering goods or services to Data Principals located in India. It is administered by the Ministry of Electronics and Information Technology (MeitY) and enforced through the Data Protection Board of India (DPB).

Scope and definitions under the DPDP Act

The Act regulates personal data that is either collected in digital form, or collected in non-digital form and later digitised. It does not apply to non-automated processing, processing for purely personal or domestic use, or to publicly available personal data where the Data Principal has voluntarily made it public. Limited exemptions exist for certain government processing activities related to sovereignty, security of the State, public order, and research, archival, or statistical purposes notified by the Central Government.

Three principal roles are defined in the Act:

  • Data Principal — the individual to whom the personal data relates. For children under 18, this includes the parent or lawful guardian.
  • Data Fiduciary — any person who, alone or with others, determines the purpose and means of processing personal data. This is the primary accountable entity.
  • Data Processor — any person who processes personal data on behalf of a Data Fiduciary under a valid contract.

Territorial and material application

Trigger                                                                        | Applies?    | Notes
-------------------------------------------------------------------------------|-------------|-----------------------------------------------------------
Digital personal data processed inside India                                   | Yes         | Includes both Indian and foreign Data Principals
Processing outside India tied to goods or services offered to Indian Data Principals | Yes   | Extraterritorial reach similar to GDPR Article 3(2)
Non-digital and non-digitised paper records                                    | No          | Outside the Act's scope
Personal or domestic processing by an individual                               | No          | Household exemption
Publicly available data voluntarily disclosed                                  | No          | For example, professional details on a public registry
State processing under notified exemptions                                     | Conditional | Sovereignty, security, public order, prevention of offences

Significant Data Fiduciary designation

The Central Government may classify any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary (SDF) based on volume and sensitivity of data processed, risk to electoral democracy, risk to sovereignty, public order, and other factors. SDFs carry additional obligations including appointing an India-based Data Protection Officer, an independent data auditor, and conducting periodic Data Protection Impact Assessments. Large BFSI platforms, health-tech aggregators, e-commerce marketplaces, and social media intermediaries are likely candidates for SDF status once thresholds are notified.

Who must comply and how to get started

Every entity that touches digital personal data of Indian residents is in scope, from small fintechs and SaaS vendors to multinational cloud providers, hospitals, schools, and government contractors. Practical first steps:

  1. Map data flows. Identify what personal data you collect, where it is stored, who has access, and how long it is retained.
  2. Draft notices and consent artefacts in clear language, available in English and in the languages listed in the Eighth Schedule of the Indian Constitution.
  3. Establish a grievance redressal mechanism and publish contact details for your Data Protection Officer or grievance officer.
  4. Review processor contracts to ensure security, breach notification, and sub-processor controls are documented.
  5. Build a breach response runbook aligned to the DPB notification timeline.

How Opsio helps

Opsio's India team helps Data Fiduciaries operationalise DPDP requirements on AWS, Azure, and GCP environments. We design consent capture, data classification, retention automation, and breach detection patterns as part of our cybersecurity services, and we map technical controls to DPDP Section 8 security safeguard obligations. Talk to us via our India contact page if you need a readiness assessment.

Frequently Asked Questions

When does the DPDP Act come into force?

The Act was notified in August 2023, but its operative provisions take effect on dates notified by the Central Government. Implementation is being phased through the Draft DPDP Rules and successive MeitY notifications. Organisations should treat the law as effectively live for planning purposes and align controls now.

Does the DPDP Act apply to employee data?

Yes. Employee personal data processed by an employer in India falls within the Act, although employment-related processing has some carve-outs from consent requirements under legitimate uses listed in Section 7.

How is the DPDP Act different from the older SPDI Rules?

The 2011 SPDI Rules under IT Act Section 43A focus narrowly on sensitive personal data and reasonable security practices. The DPDP Act covers all digital personal data, introduces consent and rights frameworks, and establishes a regulator. See our note on whether the SPDI Rules are still in force.

What penalties apply under the DPDP Act?

The DPDP Act provides for financial penalties up to specified maximums per contravention, imposed by the Data Protection Board after inquiry. Failure to take reasonable security safeguards to prevent a personal data breach carries the highest tier of penalty. Refer to the Schedule of the Act for current ceilings.

Does the Act allow cross-border data transfers?

Yes, with restrictions. The Central Government may notify countries or territories to which transfer is restricted. Sector-specific localization rules from RBI, IRDAI, and SEBI continue to apply on top of the DPDP regime. See data localization in India under RBI for the payments-sector view.

Written By

Johan Carlsson

Country Manager, Sweden

Johan leads Opsio's Sweden operations, driving AI adoption, DevOps transformation, security strategy, and cloud solutioning for Nordic enterprises. With 12+ years in enterprise cloud infrastructure, he has delivered 200+ projects across AWS, Azure, and GCP — specialising in Well-Architected reviews, landing zone design, and multi-cloud strategy.

Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. Content is reviewed quarterly for technical accuracy and relevance to Indian compliance requirements including DPDPA, CERT-In directives, and RBI guidelines. Opsio maintains editorial independence.