Enforcement is live · India DPDP Act 2023
Your data practices are now a legal liability.
India's Digital Personal Data Protection Act 2023 and its Rules — notified 13 November 2025 — impose penalties up to ₹250 crore per breach on every organisation that processes personal data of Indian residents. The compliance clock is running.
13 May 2027
per DPDP Rules 2025 · Gazette G.S.R. 846(E)
Typical enterprise compliance programmes take 9–12 months. The time to start is now.
India's landmark data protection law — and it applies to you.
The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted in August 2023 following a 2017 Supreme Court ruling that privacy is a fundamental right under Article 21 of the Constitution. The DPDP Rules 2025 were notified on 13 November 2025, starting the compliance clock.
Any organisation — domestic or foreign — that processes personal data of individuals in India is covered. There are no carve-outs for company size or sector. If you have a website, an app, an HR system, or a CRM with Indian user data, you are a Data Fiduciary under this law.
The compliance window is closing.
Source: DPDP Rules 2025 · Gazette G.S.R. 846(E) notified 13 November 2025
The Schedule.
What non-compliance costs.
Source: The Schedule to the Digital Personal Data Protection Act, 2023 [Section 33(1)] — enacted by Parliament of India
Six obligations every Data Fiduciary must meet.
Derived from the DPDP Act 2023 and DPDP Rules 2025 — these are the areas the Data Protection Board will scrutinise first.
Valid Consent
Consent must be free, specific, informed, unconditional and unambiguous — obtained before processing. Pre-ticked boxes and bundled consents are invalid.
Catch-all · up to ₹50 Cr
Clear Privacy Notice
A standalone notice — not buried in T&Cs — stating what data is collected, why, and how. Must be available in languages listed in the Eighth Schedule of the Constitution.
Catch-all · up to ₹50 Cr
Security Safeguards
Reasonable technical and organisational measures to prevent personal data breaches. This carries the highest penalty in the entire Act.
Section 8(5) · up to ₹250 Cr
Breach Notification
Mandatory notification to the Data Protection Board and every affected individual within 72 hours of becoming aware of a personal data breach.
Section 8(6) · up to ₹200 Cr
Data Principal Rights
Individuals have rights to access, correct, and erase their data. You must build and maintain functional channels to honour these requests promptly.
Catch-all · up to ₹50 Cr
Children's Data
Verifiable parental consent before processing data of anyone under 18. No behavioural tracking or targeted advertising directed at children.
Section 9 · up to ₹200 Cr
Led by the Optivista Consultants team.
End-to-end DPDP readiness — from gap assessment to a compliance programme your Data Protection Officer and auditors will stand behind.
Most compliance programmes take 9–12 months to complete.
The DPDP Rules are live. The Data Protection Board is operational. If you are not already in a compliance programme, you are behind. A gap assessment is the right first step — it tells you exactly where you stand and what needs to happen before May 2027.
Or write directly: info@Optivista Consultants.com