The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection law. It came into force in August 2023 and its substantive provisions are being notified progressively. For Indian founders, the question is no longer if it applies — it is what exactly do I need to do, and by when?
Who does the DPDP Act apply to?
The Act applies to any person or entity that processes digital personal data of individuals in India — whether you are an Indian company, a foreign company targeting Indian users, or even an individual operating a business that collects personal data. If your website, app, platform or operations collect names, emails, phone numbers, device IDs, IP addresses or any other data that identifies an individual — you are a Data Fiduciary under the Act.
What are the core obligations?
The Act creates several mandatory obligations. First, you must collect data only for specified, clear and lawful purposes — and only with the explicit consent of the individual. Second, you must provide a clear, accessible Privacy Notice explaining what data you collect, why, and how it is used. Third, you must establish a mechanism for Data Principals (individuals) to access, correct and erase their data. Fourth, you must designate a Grievance Officer and publish their contact details. Fifth, you must implement security safeguards proportionate to the sensitivity and volume of data you process.
What are the penalties?
The DPDP Act introduces significant financial penalties. A failure to take reasonable security safeguards resulting in a data breach attracts penalties of up to ₹250 crores. Failure to notify the Data Protection Board in the event of a breach: up to ₹200 crores. Non-fulfilment of obligations regarding children's data: up to ₹200 crores. Non-compliance with additional obligations for Significant Data Fiduciaries: up to ₹150 crores. Other general non-compliance: up to ₹50 crores per instance.
What should your startup do immediately?
Start with a data inventory — map every category of personal data your business collects, where it is stored, how it is used and with whom it is shared. Then audit your existing privacy policy against DPDP requirements. In most cases, your current policy will be non-compliant. Next, implement a consent management mechanism on all data collection touchpoints. Then designate a Grievance Officer and publish their contact details on your website. Finally, establish internal procedures for responding to data principal requests within the Act's prescribed timelines.
Is a privacy policy alone sufficient?
No — and this is the most common misconception. A privacy policy is one component of DPDP compliance. Full compliance also requires a functional consent architecture, operational Grievance Officer, documented data principal rights procedures, vendor data processing agreements, and internal security protocols. Vilot's DPDP Compliance Package delivers the complete framework — not just the policy document.