DPDP Act 2023 · Compliance Framework · Penalties · Data Fiduciary Obligations

DPDP Compliance India
Act, Rules, Penalties & Requirements

DPDP compliance India is now the single most urgent regulatory obligation facing every organisation that processes digital personal data of Indian residents. The Digital Personal Data Protection Act 2023, enacted on 11 August 2023, creates a comprehensive framework of obligations for data fiduciaries, rights for data principals, and penalties up to Rs 250 crore per contravention — enforced by the newly established Data Protection Board of India. This pillar guide provides a definitive section-by-section analysis of every compliance requirement under the Act, the complete penalty framework, a practical 8-step roadmap, and a focused assessment of why banks and NBFCs face the highest regulatory risk.

Unified Chambers and Associates advises banks, NBFCs, ARCs, fintech companies, and corporates on end-to-end DPDP compliance — from consent architecture and privacy notices to Data Protection Board representation and penalty defence. Senior Partner Advocate Subodh Bajpai, LLM, MBA (XLRI), leads every engagement personally.

The Framework

What is DPDP Compliance?

DPDP compliance is the process of aligning an organisation’s data processing activities with the requirements of the Digital Personal Data Protection Act 2023. Unlike the earlier Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, which were narrow in scope and loosely enforced, the DPDP Act creates a comprehensive, penalty-backed regime that applies to every digital processing of personal data in India.

The Act’s architecture rests on five foundational pillars. First, the concept of the Data Fiduciary — any person or entity that alone or jointly determines the purpose and means of processing personal data. Every company, bank, NBFC, hospital, school, or government body that collects digital personal data is a data fiduciary. Second, the Data Principal — the individual whose personal data is being processed. The Act grants data principals enforceable rights including access, correction, erasure, and grievance redressal.

Third, the Data Protection Board of India (DPBI) — the adjudicatory authority that receives complaints, investigates contraventions, and imposes penalties. Unlike a traditional regulator, the DPBI operates as a digital office with proceedings conducted entirely online. Fourth, the consent mechanism — the DPDP Act mandates free, specific, informed, and unconditional consent as the primary legal basis for processing personal data, departing from the vague “consent” provisions of the IT Act regime. Fifth, lawful processing without consent — Section 7 recognises certain legitimate uses (employment, government services, medical emergencies, legal proceedings) where data can be processed without consent.

Understanding these five pillars is the starting point of compliance. Every subsequent obligation — notices, security safeguards, breach notification, children’s data protections, cross-border transfer restrictions, and Significant Data Fiduciary duties — flows from this architecture. The pages linked below provide deep-dive analysis of each component: DPDP Lawyer India for our practice overview, Data Protection Board India for the adjudicatory authority, and DPDP for Banks for sector-specific analysis.

Section-by-Section Analysis

Key Obligations Under the DPDP Act 2023

The DPDP Act 2023 contains 44 sections across 8 chapters and a Schedule of penalties. The following section-by-section breakdown covers every obligation that a data fiduciary must satisfy for compliance. Each provision carries specific penalty exposure as set out in the Schedule.

Section 4 — Consent Requirements
Section 4 establishes consent as the primary legal basis for processing personal data. Consent must be free, specific, informed, unconditional, and unambiguous. It must relate to a specific purpose described in the notice under Section 5. Consent cannot be bundled — a data fiduciary cannot make access to a service conditional on consent to processing that is not necessary for that service. The data fiduciary bears the burden of proving that valid consent was obtained. For existing data processing that commenced before the Act, the data fiduciary must issue a notice under Section 5(2) and give the data principal an opportunity to withdraw consent.
Penalty for non-compliance: Up to Rs 50 Crore (Schedule, Sl.7)
Section 5 — Notice Before Consent
Before seeking consent, a data fiduciary must give the data principal a clear, plain-language notice containing: (a) a description of every item of personal data to be collected; (b) the specific purpose for which each item will be processed; (c) the manner in which the data principal can exercise rights under the Act (access, correction, erasure, grievance redressal); and (d) the procedure for making a complaint to the Data Protection Board. For data processing that began before the Act, a retrospective notice must be issued to all existing data principals. The notice must be available in English and all 22 languages listed in the Eighth Schedule to the Constitution of India.
Penalty for non-compliance: Up to Rs 50 Crore (Schedule, Sl.7)
Section 6 — Lawful Purpose & Consent Withdrawal
Section 6 limits data processing to lawful purposes. Personal data can only be processed for the purpose consented to, or for a “certain legitimate use” specified under Section 7. The data principal has the right to withdraw consent at any time through a clear and accessible mechanism, and withdrawal must be as easy as giving consent. Upon withdrawal, the data fiduciary must cease processing within a reasonable period and erase the data unless retention is required by law. The consequences of withdrawal must be borne by the data principal — the data fiduciary cannot penalise or disadvantage the data principal for exercising this right.
Penalty for non-compliance: Up to Rs 50 Crore (Schedule, Sl.7)
Section 8 — General Duties of Data Fiduciary
Section 8 is the operational backbone of DPDP compliance, imposing five core duties: (1) Accuracy — ensure personal data is complete, accurate, and consistent, especially when it is to be shared with another data fiduciary or used for decisions affecting the data principal; (2) Storage Limitation — retain personal data only for the period necessary to fulfil the purpose for which it was collected, then erase it (unless retention is mandated by law); (3) Security Safeguards — implement reasonable security safeguards to prevent personal data breach, including technical and organisational measures appropriate to the nature and volume of data processed; (4) Breach Notification — intimate the Data Protection Board and each affected data principal “without delay” upon becoming aware of a personal data breach; (5) Erasure — erase personal data when the data principal withdraws consent, when the specified purpose is fulfilled, or when the data principal is no longer identifiable.
Penalty: Rs 250 Crore (security safeguard breach, Sl.1) + Rs 200 Crore (breach notification failure, Sl.2)
Section 9 — Children’s Data Protection
Section 9 imposes heightened obligations for processing personal data of children (below 18 years). A data fiduciary must obtain verifiable consent of the parent or lawful guardian before processing a child’s data. The Act explicitly prohibits tracking, behavioural monitoring, and targeted advertising directed at children. Processing that is likely to cause detrimental effect on the well-being of a child is banned outright. The Central Government may, by notification, specify additional requirements for data fiduciaries processing children’s data. EdTech companies, online gaming platforms, social media services allowing minors, and schools processing student data face the highest exposure under this section. The penalty for children’s data violations is up to Rs 200 crore (Schedule Sl.3).
Penalty: Up to Rs 200 Crore (Schedule, Sl.3)
Section 10 — Significant Data Fiduciary (SDF) Obligations
Section 10 creates an enhanced compliance tier for Significant Data Fiduciaries — entities notified by the Central Government based on volume of data, sensitivity, risk to data principals, impact on sovereignty, and risk to electoral democracy. SDFs must: (a) appoint a Data Protection Officer (DPO) who is based in India and who will represent the SDF before the Data Protection Board, respond to data principal grievances, and serve as the single point of contact for compliance queries; (b) appoint an independent Data Auditor to periodically evaluate compliance with the Act; (c) conduct periodic Data Protection Impact Assessments (DPIA) to evaluate the risk posed by processing activities; and (d) comply with any additional obligations prescribed by the Government through rules. Banks like SBI, HDFC Bank, and ICICI Bank, along with major NBFCs, telecom operators, and social media platforms, are widely expected to be classified as SDFs.
Penalty: Up to Rs 150 Crore (Schedule, Sl.4)
Sections 11-14 — Rights of the Data Principal
The DPDP Act grants data principals five enforceable rights, each of which creates a corresponding compliance obligation for data fiduciaries. Section 11 — Right to Information: the data principal can request a summary of personal data being processed, the processing activities undertaken, and the identities of all data fiduciaries and data processors with whom data has been shared. Section 12 — Right to Correction and Erasure: demand correction of inaccurate data, completion of incomplete data, updating of outdated data, and erasure of data no longer necessary for the stated purpose. Section 13 — Right to Grievance Redressal: every data fiduciary must establish and publish a grievance redressal mechanism, respond within the prescribed time, and provide the data principal with the right to escalate to the Data Protection Board if unsatisfied. Section 14 — Right to Nominate: a data principal can nominate another individual to exercise their rights in case of death or incapacity. Data fiduciaries must build workflows to honour all four rights within prescribed timelines, or face proceedings before the Board.
Penalty for non-compliance: Up to Rs 50 Crore (Schedule, Sl.7)
Section 16 — Cross-Border Data Transfer
Section 16 governs the transfer of personal data outside India through a negative list mechanism. The Central Government may, by notification, restrict or prohibit the transfer of personal data to specific countries or territories. Until such notification is issued, data transfers to all countries are permitted — making the DPDP Act initially more permissive than the GDPR’s adequacy regime. However, the Government retains the power to impose blanket restrictions at any time, creating regulatory uncertainty. For multinational companies, banks with overseas operations, and IT/BPO companies processing data for foreign clients, this means building transfer impact assessment capabilities and maintaining contractual safeguards (standard contractual clauses, data processing agreements) that can be activated if the Government restricts transfers to specific jurisdictions. The interaction between Section 16 and RBI’s data localisation mandates for payment data adds a further layer of complexity for financial institutions.
Penalty for non-compliance: Up to Rs 50 Crore (Schedule, Sl.7)
Complete Penalty Table

DPDP Penalty Framework
7 Tiers, Up to Rs 250 Crore Per Contravention

The DPDP Act Schedule prescribes monetary penalties — not imprisonment — for contraventions. Each contravention attracts a separate penalty, and repeat offences attract cumulative penalties. The Data Protection Board determines the penalty amount within each tier based on the nature, gravity, and duration of the contravention, the type and nature of personal data affected, the repetitive nature of the contravention, and whether the data fiduciary made any gain or avoided any loss. For a detailed analysis of each penalty tier, see our complete penalty guide.

₹250 Cr: Security Safeguard Breach (Schedule, Sl.1; Section 8(5))
Breach of security safeguards to prevent personal data breach — the highest penalty under the Act.

₹200 Cr: Breach Notification Failure (Schedule, Sl.2; Section 8(6))
Failure to notify the Data Protection Board and each affected data principal of a personal data breach without delay.

₹200 Cr: Children's Data Violation (Schedule, Sl.3; Section 9)
Breach of any obligation relating to processing of children's personal data, including failure to obtain verifiable parental consent or conducting tracking and behavioural monitoring.

₹150 Cr: SDF Obligations Breach (Schedule, Sl.4; Section 10)
Failure by a Significant Data Fiduciary to comply with additional obligations — including DPO appointment, Data Auditor appointment, and periodic DPIA.

₹10,000: Data Principal Duties Breach (Schedule, Sl.5; Section 15)
Data principal failing to comply with duties — furnishing false information, filing frivolous complaints, or suppressing material information.

Variable: Voluntary Undertaking Breach (Schedule, Sl.6; Section 32)
Breach of voluntary undertaking accepted by the Board — penalty extends to the amount applicable for the underlying contravention.

₹50 Cr: Any Other Contravention (Schedule, Sl.7)
Breach of any other provision of the Act or rules made thereunder — the catch-all penalty tier.

The Schedule prescribes Rs 250 crore for security safeguard breach (Sl.1, Section 8(5)) and Rs 200 crore for breach notification failure (Sl.2, Section 8(6)). The cumulative effect means a single data breach incident at a large bank could trigger penalties under Sl.1, Sl.2, and Sl.7 simultaneously — a combined exposure of Rs 500 crore from one incident.

Practical Implementation

DPDP Compliance Roadmap
8 Steps to Full Compliance

Achieving DPDP compliance is not a one-time project — it is a continuous programme that requires legal, technical, and organisational alignment. The following 8-step roadmap, developed from our advisory engagements with banks, NBFCs, and corporates, provides a structured implementation path from gap assessment to ongoing audit.

1. Data Mapping & Processing Inventory

Identify every digital personal data processing activity across the organisation. Map data flows from collection points (websites, mobile apps, loan applications, KYC processes, HR systems) through processing activities (storage, analysis, sharing with credit bureaus, transfer to ARCs, cloud hosting) to deletion. Classify each data element by category (financial, identity, biometric, health, children’s data) and identify the legal basis for processing (consent, contract, legitimate use under Section 7). This inventory becomes the foundation for every subsequent compliance step. For banks and NBFCs, this typically involves mapping 50-200 distinct data processing activities across retail lending, corporate lending, treasury, HR, and vendor management functions.

2. Gap Assessment Against DPDP Requirements

Compare existing data protection practices against every obligation in the DPDP Act. Evaluate current consent mechanisms (do they meet the “free, specific, informed, unconditional” standard?), privacy notices (do they satisfy Section 5 requirements in all 22 scheduled languages?), security safeguards (are they “reasonable” as required by Section 8(5)?), breach notification procedures (can you notify the DPBI and affected data principals “without delay”?), data retention policies (do you erase data when the purpose is fulfilled?), and children’s data handling (do you have verifiable parental consent mechanisms?). The gap assessment report becomes the compliance project plan.

3. Consent Architecture & Notice Design

Design and implement a DPDP-compliant consent management system. This requires: granular consent collection tied to each specific processing purpose (not blanket terms acceptance); a Consent Manager registered with the Data Protection Board as an intermediary between data principals and data fiduciaries (Section 6(9)); a consent withdrawal mechanism that is as accessible as the consent collection mechanism; a Section 5 privacy notice in clear, plain language, available in English and all scheduled languages; and for pre-existing data processing, a retrospective notice to all existing data principals under Section 5(2) with an opportunity to withdraw consent. For a bank with 10 million customers, this retrospective notice requirement alone is a massive operational and legal project.

4. Data Principal Rights Infrastructure

Build workflows and technical systems to honour data principal rights within prescribed timelines. This includes: an authenticated portal or mechanism for data principals to submit access requests (Section 11), correction and erasure requests (Section 12), and grievances (Section 13); internal routing to the appropriate data custodians across departments; automated or semi-automated responses for high-volume requests; escalation pathways to the DPO for complex requests; documentation and audit trails for every request received and action taken; and a nomination registry for Section 14 nominations. The grievance redressal mechanism must be published prominently and the data fiduciary must respond within the timeframe prescribed in the rules — failure to do so gives the data principal the right to approach the Data Protection Board directly.

5. Security Safeguards & Breach Response SOP

Implement “reasonable security safeguards” as required by Section 8(5) — the Act deliberately avoids prescribing specific technical measures, allowing for standards appropriate to the size, nature, and volume of data processed. However, for regulated entities, this must be read alongside sector-specific requirements: RBI Master Direction on IT Governance and Cyber Security for banks, IRDAI cybersecurity guidelines for insurers, SEBI Circular on Cyber Security for market participants. In parallel, build a data breach incident response Standard Operating Procedure (SOP) covering: detection and containment, forensic evidence preservation, CERT-In notification within 6 hours, DPBI notification “without delay,” affected data principal notification, regulatory coordination, and post-incident review. Test the SOP through tabletop exercises at least annually. Failure to maintain adequate safeguards attracts up to Rs 250 crore per breach (Schedule Sl.1).

6. DPO Appointment & Governance Structure

For organisations likely to be classified as Significant Data Fiduciaries — and any organisation that voluntarily wishes to demonstrate compliance maturity — appoint a Data Protection Officer based in India. The DPO should report directly to the Board of Directors (not to the IT or legal department head) and have: direct access to senior management, sufficient budget and resources, independence from operational conflicts of interest, authority to halt processing activities that violate the Act, and the mandate to represent the organisation before the Data Protection Board. In parallel, establish a Data Protection Committee comprising the DPO, Chief Information Security Officer, Head of Legal, Head of Compliance, and business unit representatives to oversee ongoing compliance governance.

7. Contract Remediation & Third-Party Agreements

Review and update all contracts involving personal data processing: customer agreements, loan documentation, KYC consent forms, employee contracts, vendor and service provider agreements (especially cloud providers, IT outsourcing partners, and data analytics firms), data processing agreements with third parties, credit bureau data sharing arrangements, and NPA portfolio transfer agreements with ARCs. Each contract must clearly allocate DPDP Act obligations — specifying the role of each party as data fiduciary or data processor, the processing instructions, security requirements, breach notification obligations, sub-processing restrictions, audit rights, and data return or deletion upon termination. For banks, this exercise typically involves reviewing 200-500 active contracts.

8. Ongoing Audit, DPIA & Training

DPDP compliance is not a one-time project. Establish a recurring audit cycle: quarterly internal reviews of data processing activities, annual Data Protection Impact Assessments (DPIA) for high-risk processing, periodic penetration testing and vulnerability assessments of systems holding personal data, annual training programmes for all employees handling personal data (customer-facing staff, IT teams, HR, legal, compliance, collections teams, vendor management), and engagement of an independent Data Auditor (mandatory for SDFs under Section 10). Maintain comprehensive documentation of all compliance activities — the Data Protection Board will expect evidence of continuous compliance efforts, not just point-in-time attestation. Build a compliance calendar that tracks DPDP obligations alongside sector-specific requirements (RBI IT governance reviews, SEBI cybersecurity audits, IRDAI compliance certificates) to avoid duplication of effort.
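The consent architecture described in step 3 (per-purpose consent, no bundling, withdrawal as easy as granting, erasure on withdrawal unless retention is mandated by law, and an audit trail because the fiduciary bears the burden of proving consent) can be sketched as a small consent ledger. This is an added illustration, not code from Unified Chambers or from any DPDP tooling; the purpose codes, the `retention_required_by_law` flag and the sample lending purposes are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Purpose:
    code: str                     # short identifier, e.g. "loan_servicing" (constructed)
    description: str              # plain-language text the Section 5 notice must itemise
    necessary_for_service: bool   # only such purposes may be a precondition of the service
    retention_required_by_law: bool = False  # assumed flag: data kept after withdrawal


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose_code: str
    action: str           # "granted" or "withdrawn"
    notice_version: str   # which Section 5 notice the principal was shown
    at: datetime


class BundledConsentError(ValueError):
    """An optional purpose was made a condition of the service (Section 4 bundling)."""


class ConsentLedger:
    """Append-only, per-purpose consent record. The event history is the
    fiduciary's evidence that valid consent existed at each processing decision."""

    def __init__(self, purposes):
        self.purposes = {p.code: p for p in purposes}
        self.events = []

    def bundled_purposes(self, required_codes):
        """Purposes a form marks as mandatory although the service does not need them."""
        return [c for c in required_codes if not self.purposes[c].necessary_for_service]

    def validate_form(self, required_codes):
        """Reject a consent form that bundles optional purposes with the service."""
        bundled = self.bundled_purposes(required_codes)
        if bundled:
            raise BundledConsentError(f"optional purposes cannot be mandatory: {bundled}")
        return True

    def record_grant(self, principal_id, notice_version, choices):
        """choices maps purpose code -> True/False; every purpose is a separate decision."""
        for code, accepted in choices.items():
            if code not in self.purposes:
                raise KeyError(f"purpose {code!r} was not described in the notice")
            if accepted:
                self._append(principal_id, code, "granted", notice_version)

    def withdraw(self, principal_id, purpose_code, notice_version="n/a"):
        """Withdrawal is a single call, as easy as granting (Section 6). Returns the
        follow-up action for data held under this purpose."""
        self._append(principal_id, purpose_code, "withdrawn", notice_version)
        if self.purposes[purpose_code].retention_required_by_law:
            return "retain_under_legal_mandate"
        return "erase"

    def may_process(self, principal_id, purpose_code):
        """True only if the latest event for this principal and purpose is a grant."""
        latest = None
        for ev in self.events:
            if ev.principal_id == principal_id and ev.purpose_code == purpose_code:
                latest = ev
        return latest is not None and latest.action == "granted"

    def service_available(self, principal_id):
        """Service may be provided when every necessary purpose has consent;
        declining optional purposes (e.g. marketing) must not block the service."""
        return all(self.may_process(principal_id, p.code)
                   for p in self.purposes.values() if p.necessary_for_service)

    def evidence(self, principal_id, purpose_code):
        """The history the fiduciary would produce before the Board for one purpose."""
        return [(ev.action, ev.notice_version, ev.at.isoformat())
                for ev in self.events
                if ev.principal_id == principal_id and ev.purpose_code == purpose_code]

    def _append(self, principal_id, purpose_code, action, notice_version):
        self.events.append(ConsentEvent(principal_id, purpose_code, action,
                                        notice_version, datetime.now(timezone.utc)))


# Constructed sample purposes for a lending product (not taken from the Act or the page).
SAMPLE_PURPOSES = [
    Purpose("loan_servicing", "Operating and recovering your loan account", True, True),
    Purpose("credit_bureau", "Reporting repayment history to credit bureaus", True, True),
    Purpose("marketing", "Offers for other products by SMS and e-mail", False),
]


def demo():
    """Grant the necessary purposes only, then withdraw one that law requires be kept."""
    ledger = ConsentLedger(SAMPLE_PURPOSES)
    ledger.validate_form(["loan_servicing", "credit_bureau"])   # both necessary: allowed
    ledger.record_grant("P-001", "notice-v2", {"loan_servicing": True,
                                               "credit_bureau": True, "marketing": False})
    outcome = ledger.withdraw("P-001", "loan_servicing")
    return ledger, outcome


if __name__ == "__main__":
    ledger, outcome = demo()
    print("service available after withdrawal:", ledger.service_available("P-001"))
    print("withdrawal outcome:", outcome)
    print("evidence:", ledger.evidence("P-001", "loan_servicing"))
```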

Sector Focus

Why Banks and NBFCs Face the Highest DPDP Risk

India’s banking and financial services sector processes the most sensitive and voluminous personal data in the country — and consequently faces the highest exposure under the DPDP Act. Every loan application generates a data footprint that includes: Aadhaar number and biometric authentication, PAN card and income tax returns, CIBIL/credit bureau scores, bank statements, salary slips and employment records, property documents and valuation reports, family member details (for co-applicants and guarantors), and post-disbursement data including repayment patterns, default indicators, and collection records.

The DPDP Act intersects with debt recovery at multiple pressure points. When a bank initiates DRT proceedings against a defaulting borrower, or when an ARC acquires an NPA portfolio, the borrower’s personal data follows the recovery trail. Under the DPDP Act, the borrower is a data principal with enforceable rights — they can demand to know what data is held about them (Section 11), request correction of inaccurate records (Section 12), or file a complaint with the Data Protection Board alleging that the bank or ARC processed their data without valid consent or beyond the original purpose.

The dual regulatory burden is significant. Banks must comply simultaneously with: RBI Master Direction on IT Governance, Risk Management, and Cybersecurity Framework; RBI Circular on data localisation of payment system data; CERT-In Directions mandating 6-hour breach notification; SEBI cybersecurity framework (for bank-sponsored mutual funds and subsidiaries); and now the DPDP Act’s consent, notice, security safeguard, breach notification, and data principal rights obligations. Non-compliance with any single regime does not excuse non-compliance with another — a bank that meets RBI data localisation requirements but fails DPDP consent standards still faces the full penalty of up to Rs 250 crore.

This is precisely why financial institutions benefit from engaging a law firm that already understands their data systems from the inside — through years of handling their DRT, SARFAESI, and NPA recovery matters. Unified Chambers already represents banks and NBFCs at all 39 DRTs across India. We handle the same loan files, KYC records, and borrower data that DPDP now protects. A single firm managing both debt recovery litigation and data protection compliance eliminates coordination overhead and ensures consistency when the same borrower files both a DRT defence and a DPBI complaint. For sector-specific analysis, see our dedicated DPDP for Banks & NBFCs page.

Regulatory Challenge

Consent Re-Architecture for Legacy Data
The Blanket Consent Problem

Banks and financial institutions processing personal data under old “blanket” consent forms face a massive re-consenting exercise. Legacy KYC consent — typically a single signature on an account opening form authorising the bank to “use your data for any purpose related to banking services” — does not meet the DPDP Act’s standard of consent being free, specific, informed, and unambiguous under Section 4. Each processing purpose must now be separately disclosed in a clear-language notice, and the data principal must affirmatively consent to each.

Transitioning millions of existing customer records to DPDP-compliant consent before full enforcement by mid-2027 (18 months from the November 2025 Rules notification) is both a technical and legal undertaking. It requires a comprehensive purpose-mapping audit (identifying every purpose for which existing data is being processed), a gap analysis (comparing existing consent language against DPDP requirements), a re-consent campaign design (digital and physical channels for obtaining fresh consent), and a contingency plan for data principals who refuse to re-consent — including determining which data must be erased and which can be retained under alternative legal bases.

This is not merely a compliance checkbox exercise — it is a strategic data governance transformation that requires specialist counsel. Unified Chambers advises financial institutions on structuring consent re-architecture programmes that maintain business continuity while achieving full DPDP compliance.

DPDP Act 2023 — Section 4 (Consent) + Section 5 (Notice)
Consent must be free, specific, informed, and an unambiguous indication of the data principal’s wishes. Notice must itemise each purpose of processing in clear, plain language.
Non-compliance with consent requirements: Up to ₹50 Crore (Schedule Sl.7)
Frequently Asked Questions

DPDP Compliance — Key Questions Answered

What is DPDP compliance and who does it apply to?

DPDP compliance refers to the full set of obligations imposed by the Digital Personal Data Protection Act 2023 on any entity that processes digital personal data in India. The Act applies to every "data fiduciary" — any person or organisation that determines the purpose and means of processing personal data. This includes banks, NBFCs, fintech platforms, healthcare providers, e-commerce companies, EdTech platforms, insurance companies, telecom operators, and any corporate entity collecting employee or customer data digitally. Even foreign companies processing data of Indian residents are covered under the Act's extraterritorial application. The only exemptions are for personal data processed for personal or domestic purposes, and data made publicly available by the data principal or required by law.

What are the key obligations of a data fiduciary under the DPDP Act?

A data fiduciary must comply with six core obligations under the DPDP Act 2023: (1) Obtain free, specific, informed, and unconditional consent before processing personal data (Section 4); (2) Provide a clear notice in plain language at the time of seeking consent, describing data to be collected, purpose of processing, and data principal rights (Section 5); (3) Process personal data only for lawful purposes — either with consent or for certain legitimate uses specified under Section 7; (4) Maintain accuracy of personal data, implement reasonable security safeguards, notify breaches to the Data Protection Board and affected data principals, and erase data once the purpose is fulfilled (Section 8); (5) Obtain verifiable parental consent before processing children's data and refrain from tracking, behavioural monitoring, or targeted advertising directed at children (Section 9); (6) If classified as a Significant Data Fiduciary, appoint a DPO based in India, appoint an independent Data Auditor, and conduct periodic Data Protection Impact Assessments (Section 10).

What is the maximum penalty under the DPDP Act 2023?

The maximum penalty under the DPDP Act 2023 is Rs 250 crore per contravention, prescribed under Schedule Sl.1 for breach of security safeguards (Section 8(5)). The seven penalty tiers in the Schedule are: Sl.1 — security safeguard breach, up to Rs 250 crore; Sl.2 — breach notification failure (Section 8(6)), up to Rs 200 crore; Sl.3 — children's data breach (Section 9), up to Rs 200 crore; Sl.4 — SDF obligations breach (Section 10), up to Rs 150 crore; Sl.5 — Data Principal duties breach (Section 15), up to Rs 10,000; Sl.6 — voluntary undertaking breach (Section 32), penalty extends to the amount applicable for the underlying breach; Sl.7 — any other provision, up to Rs 50 crore. A single data breach incident at a bank could trigger Sl.1 (Rs 250 crore) plus Sl.2 (Rs 200 crore) plus Sl.7 (Rs 50 crore) simultaneously — a combined exposure of Rs 500 crore from one incident.

How is DPDP consent different from existing consent mechanisms?

DPDP consent is fundamentally different from the blanket terms-and-conditions consent that Indian companies have historically relied upon. Under Section 4, consent must be free (no bundling with unrelated services), specific (tied to a defined purpose), informed (preceded by a clear notice under Section 5), unconditional (cannot be contingent on accepting unrelated processing), and limited to the personal data necessary for the stated purpose. The data principal can withdraw consent at any time, and withdrawal must be as easy as giving consent. Most critically, existing consents obtained before the Act commenced are not automatically valid — data fiduciaries must issue a fresh notice describing the processing and give data principals the right to withdraw. For banks and NBFCs, this means retrospective consent remediation across millions of loan accounts, KYC records, and credit bureau authorisations.

What is a Significant Data Fiduciary and what additional obligations apply?

A Significant Data Fiduciary (SDF) is a data fiduciary notified by the Central Government under Section 10 of the DPDP Act based on factors including: volume and sensitivity of personal data processed, risk to the rights of data principals, potential impact on sovereignty and integrity of India, risk to electoral democracy, and security of the State. SDFs face three additional obligations beyond the standard data fiduciary duties: (1) Appointment of a Data Protection Officer (DPO) who must be based in India and serve as the point of contact for grievance redressal; (2) Appointment of an independent Data Auditor to evaluate compliance; and (3) Periodic Data Protection Impact Assessments (DPIA) to evaluate the risk of processing activities. Large banks (SBI, HDFC, ICICI), major NBFCs, telecom operators (Jio, Airtel, Vi), social media platforms, and e-commerce companies are widely expected to be classified as SDFs when the Government issues the notification.

What rights do data principals have under the DPDP Act?

The DPDP Act grants data principals (individuals whose data is processed) six specific rights: (1) Right to Information (Section 11) — obtain a summary of personal data being processed and the processing activities; (2) Right to Correction and Erasure (Section 12) — demand correction of inaccurate data, completion of incomplete data, updating of outdated data, and erasure of data no longer necessary; (3) Right to Grievance Redressal (Section 13) — every data fiduciary must have a grievance mechanism and respond within the prescribed period; (4) Right to Nominate (Section 14) — nominate another individual to exercise rights in case of death or incapacity; (5) Right to withdraw consent at any time under Section 6(4); and (6) Right to approach the Data Protection Board if the data fiduciary fails to address grievances. These rights are enforceable with penalties — failure to honour a data principal's request can lead to proceedings before the Board and penalties up to Rs 250 crore (for security safeguard breach under Section 8(5)).

How does the DPDP Act handle cross-border data transfer?

Section 16 of the DPDP Act governs cross-border data transfer through a negative list approach — the Central Government may notify specific countries or territories to which personal data transfer is restricted or prohibited. Until such notification, data transfer to any country is permitted, making the DPDP Act more permissive than the GDPR's adequacy-based framework. However, this could change rapidly once the Government begins issuing notifications. For banks and NBFCs, the DPDP cross-border regime interacts with RBI's existing data localisation mandates — the 2018 RBI Circular requiring payment system data to be stored only in India, and the 2023 Master Direction on IT Governance requiring core banking data localisation. Companies must therefore comply with both regimes simultaneously: DPDP Section 16 restrictions on personal data transfers plus sector-specific data localisation rules.

What is the Data Protection Board of India and how does it function?

The Data Protection Board of India (DPBI) is the adjudicatory authority established under Sections 18-26 of the DPDP Act 2023. It is not a regulator in the traditional sense — it does not issue licences or frame regulations. Its primary function is to receive complaints from data principals, investigate alleged contraventions by data fiduciaries, conduct inquiry proceedings, and impose monetary penalties prescribed in the Schedule. The Board functions as a digital office with proceedings conducted entirely online. Its orders carry the same enforceability as a civil court decree. Key procedural features include: right of the data fiduciary to be heard before any penalty is imposed, requirement for the Board to follow principles of natural justice, and the ability of the Board to issue interim orders. Appeals from DPBI orders lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and further appeals to the Supreme Court of India on questions of law.

How long does a company have to report a data breach under DPDP?

The DPDP Act requires data fiduciaries to notify the Data Protection Board of India and each affected data principal of a personal data breach "without delay" — no specific hour count is prescribed in the Act itself. However, two parallel obligations create effective timelines: (a) CERT-In Directions 2022 mandate reporting cyber security incidents, including data breaches, within 6 hours of becoming aware; (b) Industry best practice and regulatory expectation point toward 72 hours for detailed DPBI notification, aligned with global standards. Failure to notify the Board and affected individuals can attract penalties up to Rs 200 crore per contravention under Schedule Sl.2 (Section 8(6)). The practical compliance approach is to report to CERT-In within 6 hours, issue a preliminary notification to the DPBI within 24-48 hours, and send detailed notifications to affected data principals within 72 hours.

Can existing contracts and privacy policies serve as DPDP compliance?

No. Existing contracts, privacy policies, and terms of service almost certainly do not meet DPDP Act requirements. The Act demands specific, granular consent tied to each processing purpose — not blanket acceptance of terms and conditions. The notice under Section 5 must be a standalone, clear-language document describing each item of personal data collected, the specific purpose for each, the data principal's right to withdraw consent, and the procedure for grievance redressal. Most legacy Indian privacy policies were drafted under the Information Technology (Reasonable Security Practices and Procedures) Rules 2011, which had far less stringent consent and notice requirements. Companies must undertake a comprehensive contract remediation exercise — updating customer agreements, employee data processing notices, vendor data processing agreements, and consent mechanisms across all digital touchpoints.

Get Started

DPDP Compliance Starts With One Conversation

WhatsApp Advocate Subodh Bajpai directly. Describe your organisation, the personal data you process, and your compliance timeline. Senior Partner response within one business day. Minimum engagement: Rs 50 lakhs.
