Enforcement is live · India DPDP Act 2023

Your data practices are now a legal liability.

India's Digital Personal Data Protection Act 2023 and its Rules — notified 13 November 2025 — impose penalties up to ₹250 crore per breach on every organisation that processes personal data of Indian residents. The compliance clock is running.

Full enforcement deadline

13 May 2027

per DPDP Rules 2025 · Gazette G.S.R. 846(E)


Typical enterprise compliance programmes take 9–12 months. The time to start is now.

Background

India's landmark data protection law — and it applies to you.

The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted in August 2023 following a 2017 Supreme Court ruling that privacy is a fundamental right under Article 21 of the Constitution. The DPDP Rules 2025 were notified on 13 November 2025, starting the compliance clock.

Any organisation — domestic or foreign — that processes personal data of individuals in India is covered. There are no carve-outs for company size or sector. If you have a website, an app, an HR system, or a CRM with Indian user data, you are a Data Fiduciary under this law.

Enacted August 2023: Passed by Parliament. Rules notified 13 November 2025 via Gazette G.S.R. 846(E). Full enforcement: 13 May 2027.

Extraterritorial reach: Applies to any organisation — Indian or global — that processes personal data of individuals located in India, regardless of where that organisation is based.

Data Protection Board of India: An independent quasi-judicial body (Section 18) empowered to investigate breaches, adjudicate complaints, and impose the full penalty schedule.

72-hour breach notification: Mandatory notification to the Board and affected individuals within 72 hours of a personal data breach — regardless of its severity.

Enforcement timeline

The compliance window is closing.

Source: DPDP Rules 2025 · Gazette G.S.R. 846(E) notified 13 November 2025

The Schedule.
What non-compliance costs.

Source: The Schedule to the Digital Personal Data Protection Act, 2023 [Section 33(1)] — enacted by Parliament of India
₹250 Cr: Failure to implement reasonable security safeguards (Section 8(5) — the highest single penalty in the Act).
₹200 Cr: Failure to notify the Board or Data Principals of a personal data breach (Section 8(6) — includes the 72-hour notification obligation).
₹200 Cr: Breach of obligations in relation to children's data (Section 9 — includes obtaining verifiable parental consent).
₹150 Cr: Breach of additional obligations of Significant Data Fiduciaries (Section 10 — applies to large-scale data processors designated by the Central Government).
₹50 Cr: Any other breach of the Act or Rules (the catch-all clause — covers consent, notice, data erasure and rights fulfilment).

Penalties are per violation and compound. Each breach of the Act is adjudicated separately by the Data Protection Board. An organisation with a data leak that triggers both a security safeguard failure (₹250 Cr) and a breach notification failure (₹200 Cr) faces a combined maximum exposure of ₹450 crore — before reputational consequences. All sums are credited to the Consolidated Fund of India (Section 34).
To put ₹250 crore in perspective: the maximum DPDP security penalty of ₹250 Cr is roughly 25 years of top-executive salaries, or about $30M USD at current exchange rates, and it applies per violation; multiple breaches compound separately.

What the law requires

Six obligations every Data Fiduciary must meet.

Derived from the DPDP Act 2023 and DPDP Rules 2025 — these are the areas the Data Protection Board will scrutinise first.

Valid Consent

Consent must be free, specific, informed, unconditional and unambiguous — obtained before processing. Pre-ticked boxes and bundled consents are invalid.

Catch-all · up to ₹50 Cr

Clear Privacy Notice

A standalone notice — not buried in T&Cs — stating what data is collected, why, and how. Must be available in languages listed in the Eighth Schedule of the Constitution.

Catch-all · up to ₹50 Cr

Security Safeguards

Reasonable technical and organisational measures to prevent personal data breaches. This carries the highest penalty in the entire Act.

Section 8(5) · up to ₹250 Cr

Breach Notification

Mandatory notification to the Data Protection Board and every affected individual within 72 hours of becoming aware of a personal data breach.

Section 8(6) · up to ₹200 Cr

Data Principal Rights

Individuals have rights to access, correct, and erase their data. You must build and maintain functional channels to honour these requests promptly.

Catch-all · up to ₹50 Cr

Children's Data

Verifiable parental consent before processing data of anyone under 18. No behavioural tracking or targeted advertising directed at children.

Section 9 · up to ₹200 Cr

Our DPDP Practice

Led by the Optivista Consultants team.

End-to-end DPDP readiness — from gap assessment to a compliance programme your Data Protection Officer and auditors will stand behind.

STEP 01

Gap Assessment

Audit your data flows, consent mechanisms, and security posture against the full DPDP Act and Rules checklist. Deliverable: a prioritised gap report.

STEP 02

Compliance Roadmap

A phased remediation plan tied to the DPDP Rules deadlines — consent architecture, privacy notices, breach protocols, and data erasure workflows.

STEP 03

Programme Build

Policies, registers, grievance redressal mechanisms, data breach response plans, and staff training — built for your organisation, not a generic template.

RETAINED

DPO-as-a-Service

For organisations that need a Data Protection Officer function without the full-time headcount. We serve as your retained DPO partner.

The deadline won't wait

Most compliance programmes take 9–12 months to complete.

The DPDP Rules are live. The Data Protection Board is operational. If you are not already in a compliance programme, you are behind. A gap assessment is the right first step — it tells you exactly where you stand and what needs to happen before May 2027.

Or write directly: info@Optivista Consultants.com