Reference · India Data Protection

What is the DPDP Act?

A plain-English reference for India's Digital Personal Data Protection Act 2023 and the Rules 2025. Written to be cited, not to sell.

Section 01

The basics

What is the DPDP Act?

The Digital Personal Data Protection Act 2023 (DPDP Act) is India's primary legislation governing how organisations collect, store, process, and share the personal data of Indian residents. It was passed by Parliament in August 2023 and received Presidential assent on 11 August 2023.

Who does it apply to?

Any organisation that processes digital personal data within India, and any organisation outside India that processes such data in connection with offering goods or services to individuals in India. In practice this covers websites, mobile apps, SaaS platforms, e-commerce stores, fintech products, health platforms, and any other digital service used by people in India, wherever the operator is based.

Why does it exist?

India had no comprehensive data protection law until 2023. The Act establishes rights for individuals over their own data (data principals) and obligations for organisations that collect and use it (data fiduciaries). It creates the Data Protection Board of India as the enforcement authority and sets financial penalties for non-compliance.

When does enforcement begin?

MeitY published the draft DPDP Rules for public consultation in January 2025 and notified the final DPDP Rules 2025 in November 2025. The Rules come into force in phases: the Consent Manager registration provisions on 13 November 2026, and the remaining obligations, together with the Data Protection Board's penalty powers, on 13 May 2027.

What are the DPDP Rules 2025?

The DPDP Rules 2025 are the secondary legislation made under the Act. They specify the technical and procedural requirements: what a valid notice must contain, how consent must be obtained and stored, how data principal rights requests must be fulfilled, and the timelines for breach notification.

Section 02

The DPDP ecosystem

Layer 01

The Law

DPDP Act 2023 · DPDP Rules 2025

Sets the obligations, rights, timelines, and penalty framework.

Ministry of Electronics & IT (MeitY)

Layer 02

The Regulator

Data Protection Board of India

Receives complaints, conducts inquiries, and imposes penalties on non-compliant data fiduciaries.

Statutory body under the Act

Layer 03

The Infrastructure

Consent Managers

Registered intermediaries through which a data principal can give, manage, review, and withdraw consent to data fiduciaries, and which hold the consent artefacts on the principal's behalf. The Act gives the choice of using one to the data principal, so your product must be able to accept consent and withdrawal signals arriving from a registered Consent Manager, not only from its own UI.

Registered platforms e.g. ConsenPro

Layer 04

The Implementation

Engineering partners

Build the consent system, rights portal, and breach runbook inside your product — the code that talks to the Consent Manager and satisfies the Board.

Smoketrees · getdpdpcompliant.com

Important distinction: Consent Managers hold the consent record on behalf of the data principal. We build the consent system inside your product (the flows, the withdrawal mechanism, the rights portal) that integrates with the Consent Manager and satisfies the Board's requirements.

Section 03

What you must do as a Data Fiduciary

Each obligation explained as a product engineering problem.

Lawful consent

You must obtain free, specific, informed, unconditional, and unambiguous consent, given by a clear affirmative action, before processing personal data, unless one of the Act's legitimate uses applies. Consent must be requested for a specific purpose and limited to the data necessary for it. Bundled or pre-ticked consent is not valid.

Engineering implication: Consent must be wired into your product UI, stored with a timestamp and purpose record, and retrievable on demand. It cannot be a checkbox in a terms document.

Notice

Before or at the time of collecting data, you must provide a notice in clear and plain language that states what data is being collected, for what purpose, how long it will be retained, and how the data principal can withdraw consent.

Engineering implication: Notice must be delivered at the point of data collection — not buried in a privacy policy linked from the footer.

Consent withdrawal

Data principals must be able to withdraw consent at any time, as easily as they gave it. Withdrawal must be honoured without affecting services to which the data was not relevant.

Engineering implication: Your product must have a withdrawal mechanism, and your backend must stop processing that data — and propagate the withdrawal to third-party processors.

Data principal rights

Individuals have the right to access a summary of their personal data, correct inaccuracies, and request erasure. These rights must be fulfilled within the timelines specified in the Rules.

Engineering implication: You need a rights portal — a mechanism for individuals to make requests and a backend system to fulfil them from live data.

Grievance redressal

Every data fiduciary must designate a contact for data principal grievances and provide a mechanism to raise them. Grievances must be acknowledged and resolved within defined timelines.

Engineering implication: A named officer, a documented intake process, and a logged resolution workflow.

Breach notification

You must notify the Data Protection Board and each affected data principal of a personal data breach. The Rules require notification without delay once you become aware of the breach, with the detailed information to the Board due within 72 hours, and they specify the minimum content of each notification.

Engineering implication: Detection hooks in your infrastructure and a breach notification runbook that your team can execute in hours, not days.

Data retention

Personal data must not be retained beyond the period necessary for the purpose for which it was collected. Once that purpose is served, data must be erased.

Engineering implication: Retention schedules per data category and automated deletion pipelines. Most products have no deletion logic today.

Children's data

Processing personal data of children (under 18) requires verifiable parental consent. Tracking, behavioural monitoring, and targeted advertising directed at children is prohibited.

Engineering implication: Age verification flows, parental consent mechanisms, and suppression logic for under-18 profiles.

Processor agreements

Data fiduciaries are responsible for the acts of their data processors (third-party vendors, APIs, analytics tools). You must have data processing agreements with each processor.

Engineering implication: An audit of your third-party app stack and DPA templates reviewed against your actual integrations.
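The consent, withdrawal, and retention obligations above share one data model, and it is worth seeing it as code. The following is an added illustration, not text from the Act or the Rules and not a Smoketrees deliverable: an append-only consent ledger keyed by data principal and purpose (with the hash of the notice shown at collection time), a gate that refuses to process a record unless there is live consent for its declared purpose, and a retention sweep that erases records on withdrawal or when their retention period lapses. The purposes, retention periods, principal ids, and notice text are constructed for the example; the Rules do not prescribe these values.

```python
"""Consent ledger, purpose-bound processing gate and retention sweep.

Added illustration for this page; purposes, retention periods and sample
principals below are assumptions, not values taken from the DPDP Rules.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # one specific purpose per event, never a bundle
    action: str           # "granted" or "withdrawn"
    at: datetime          # timezone-aware timestamp of the principal's action
    notice_sha256: str    # hash of the notice text shown when consent was taken
    channel: str          # "app", "web", "consent_manager", ...


class ConsentLedger:
    """Append-only store of consent events; current state is derived, never overwritten."""

    def __init__(self) -> None:
        self._events = []

    def _record(self, principal_id, purpose, action, notice_sha256, at, channel):
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        ev = ConsentEvent(principal_id, purpose, action, at, notice_sha256, channel)
        self._events.append(ev)
        return ev

    def grant(self, principal_id, purpose, notice_text, at, channel="app"):
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        return self._record(principal_id, purpose, "granted", digest, at, channel)

    def withdraw(self, principal_id, purpose, at, channel="app"):
        # A withdrawal carries no notice; the empty hash field records that.
        return self._record(principal_id, purpose, "withdrawn", "", at, channel)

    def is_permitted(self, principal_id, purpose, at):
        """True only if the latest event for (principal, purpose) at time `at` is a grant."""
        latest = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.action == "granted"

    def history(self, principal_id):
        """Every consent event held about one principal, for an access request."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


# Retention per purpose: assumed values for the example only.
RETENTION = {
    "order_fulfilment": timedelta(days=3 * 365),
    "marketing": timedelta(days=180),
}


@dataclass
class DataRecord:
    record_id: str
    principal_id: str
    purpose: str          # the purpose the record was collected for
    created_at: datetime
    erased_at: Optional[datetime] = None


def process(ledger, rec, now):
    """Gate every use of a record on live consent for its declared purpose."""
    if rec.erased_at is not None:
        raise PermissionError(f"{rec.record_id}: record has been erased")
    if not ledger.is_permitted(rec.principal_id, rec.purpose, now):
        raise PermissionError(f"{rec.record_id}: no active consent for '{rec.purpose}'")
    return rec


def retention_sweep(ledger, records, now):
    """Erase records whose consent was withdrawn or whose retention period lapsed.

    Returns the ids erased in this run; already-erased records are skipped.
    """
    erased = []
    for rec in records:
        if rec.erased_at is not None:
            continue
        expired = now >= rec.created_at + RETENTION[rec.purpose]
        withdrawn = not ledger.is_permitted(rec.principal_id, rec.purpose, now)
        if expired or withdrawn:
            rec.erased_at = now
            erased.append(rec.record_id)
    return erased


def demo():
    """Constructed walk-through: grant, withdraw via a Consent Manager, sweep."""
    t0 = datetime(2027, 5, 13, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.grant("p-1", "order_fulfilment",
                 "We use your address to deliver orders; kept 3 years; withdraw in Settings.", t0)
    ledger.grant("p-1", "marketing",
                 "We email offers; kept 180 days; unsubscribe at any time.", t0)
    records = [DataRecord("r-address", "p-1", "order_fulfilment", t0),
               DataRecord("r-email-pref", "p-1", "marketing", t0)]
    day30 = t0 + timedelta(days=30)
    ok_before = ledger.is_permitted("p-1", "marketing", day30)
    ledger.withdraw("p-1", "marketing", day30, channel="consent_manager")
    ok_after = ledger.is_permitted("p-1", "marketing", day30 + timedelta(seconds=1))
    erased_now = retention_sweep(ledger, records, day30 + timedelta(seconds=1))
    erased_later = retention_sweep(ledger, records, t0 + timedelta(days=3 * 365))
    return ok_before, ok_after, erased_now, erased_later


if __name__ == "__main__":
    print(demo())
```

The point of `is_permitted` taking a timestamp is that the ledger answers "was processing permitted at the time it happened", which is what an inquiry will ask; a mutable boolean on the user row cannot answer that. The sweep is also what propagation to processors should hang off: the same withdrawal event that erases the local record is the trigger for the delete call to each vendor holding a copy.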

Section 04

What Smoketrees builds for each obligation

Not implied. Stated explicitly. Every DPDP obligation mapped to a concrete engineering deliverable.

DPDP Obligation
What Smoketrees delivers
Valid consent collection
Consent flow designed and built into your product
Consent withdrawal mechanism
One-click withdrawal wired to your backend and propagated to processors
Data principal rights (access, correction, erasure)
Rights portal built and connected to live data
Grievance redressal
Named officer setup and documented intake workflow
Breach detection and notification
Detection hooks and 72-hour notification runbook
Data retention and erasure
Retention schedules and automated deletion pipelines
Processor agreements
DPA templates reviewed against your app stack
Children's data safeguards
Age verification and parental consent flows
Compliance evidence
Evidence pack and audit trail documentation

Section 05

Key definitions

Each term defined in one sentence. Written for citation.

Data Fiduciary
An organisation or individual that determines the purpose and means of processing personal data. If your product decides why and how data about individuals in India is collected and used, you are a data fiduciary; a vendor that processes that data only on your instructions is a data processor, and you remain answerable for it.
Data Principal
The individual to whom the personal data relates — in most cases, your user or customer.
Significant Data Fiduciary
A data fiduciary designated by the Central Government as processing data at a scale or sensitivity that warrants additional obligations, including appointment of a Data Protection Officer and independent audit.
Consent Manager
A platform, registered with the Data Protection Board, through which a data principal can give, manage, review, and withdraw consent to data fiduciaries, and which holds the consent artefacts on the principal's behalf. Examples include ConsenPro.
Data Protection Board of India
The statutory adjudicatory body established under the DPDP Act, empowered to investigate complaints, conduct inquiries, and impose financial penalties on data fiduciaries.
Personal Data
Any data about an identifiable individual — including name, contact details, financial records, health information, device identifiers, and behavioural data generated through use of a digital service.
Processing
Any operation performed on personal data — including collection, storage, use, sharing, transfer, and erasure. If your product does any of these things with data about individuals, you are processing personal data.

Section 06

Enforcement timeline

Aug 2023

Act passed

Digital Personal Data Protection Act 2023 receives Presidential assent.

Jan 2025

Draft Rules published

MeitY releases the draft DPDP Rules for public consultation.

Nov 2025

Rules notified

Final DPDP Rules 2025 notified by MeitY, setting technical and procedural requirements and the phased commencement dates.

Nov 2026

Consent Manager registration opens

Platforms like ConsenPro can register with the Data Protection Board. Products should be ready to accept consent, review, and withdrawal signals arriving from a registered Consent Manager.

Upcoming
13 May 2027

Full enforcement begins

Data Protection Board penalty powers activate. Non-compliant organisations become liable for penalties of up to ₹250 Cr per instance, the ceiling set for failing to take reasonable security safeguards.


Next step

Now you know what's required. Find out how much of it your product already does.

Answer 10 questions about your product. We analyse your gaps against every obligation above and send a personalised report to your inbox.