India's Digital Personal Data Protection Act

A practical, plain-English guide to the DPDPA — what it is, who it covers, the obligations it creates, and how to build a programme that holds up. Not legal advice.

What is the DPDPA?

The Digital Personal Data Protection Act is India's data-protection law. It governs how organisations collect, use, store and share the personal data of individuals in India, and establishes the rights those individuals hold.

Who it applies to

The Act applies to any Data Fiduciary processing personal data within India, and to processing outside India connected with offering goods or services to individuals in India. In practice: if you serve Indian users, you're in scope.

Key roles & terms

Browse all terms in the glossary.

Obligations

  • Lawful, purpose-bound processing with a valid legal basis.
  • Clear notice and valid, withdrawable consent.
  • Reasonable security safeguards.
  • Breach notification to the Data Protection Board of India (the Board) and affected individuals.
  • Accountability — records, and (for Significant Data Fiduciaries) a Data Protection Officer (DPO) and impact assessments.

Data-principal rights

Individuals can access their data, request correction and erasure, raise grievances, and nominate others. Fulfilling a data subject access request (DSAR) depends on knowing where a person's data lives — which is why discovery matters.

How to comply

  1. Discover & classify personal data across systems and endpoints.
  2. Stand up compliant notice, consent and a way to receive rights requests.
  3. Maintain records of processing, retention schedules and breach procedures.
  4. Keep evidence and a readiness view you can show leadership and regulators.

See it in one platform

Fortifyze covers discovery, consent, rights, DPIA, records and evidence — built natively for the DPDPA.

Frequently asked questions

Who does the DPDPA apply to?

Any organisation that determines how and why personal data is processed (a Data Fiduciary), for processing within India and for offering goods or services to individuals in India.

What is the legal basis for processing under the DPDPA?

Most processing relies on consent — which must be free, specific, informed, unambiguous and withdrawable — though certain 'legitimate uses' are also recognised.

What rights do individuals have?

Data Principals can access their personal data, request correction and erasure, raise grievances, and nominate another person to exercise rights on their behalf.

Where should an organisation start?

With data discovery — building a live map of what personal data you hold and where — because every other obligation depends on knowing your data.

This guide is general information and not legal advice. Consult qualified counsel for your obligations.