Decoding the Digital Personal Data Protection Act, 2023

The DPDP Act is India's first data protection act, and it establishes a framework for the processing of personal data in India.



In brief

  • At a time when technology has become the defining paradigm of the 21st century, India’s ongoing data protection regulation underscores the nation’s focus on building a strong data privacy regime, and the release of the DPDP Rules on 13 November 2025 marks a pivotal moment in this journey.
  • Building strong privacy governance programs is not only a reputational and business risk requirement but is also an integral part of building a transparent and long-term sustainable organization of the future.

The Digital Personal Data Protection (DPDP) Act, 2023 and the associated DPDP Rules, 2025 apply to the processing of digital personal data within the territory of India, whether collected online or collected offline and later digitized. They also apply to the processing of digital personal data outside the territory of India if it involves providing goods or services to Data Principals within India. The DPDP Rules, 2025 focus on how such personal data must be collected, processed, and secured. Rolled out in three phases, the Rules emphasize user consent, data security, Data Principal rights, and breach reporting, with full compliance expected by 13 May 2027.

Notice

The Act requires Data Fiduciaries to provide a privacy notice in clear and plain language whenever personal data is collected on the basis of consent, explaining what personal data is being collected, the purpose of processing, the methods available to exercise Data Principal rights, and the process for submitting complaints to the Data Protection Board, with the notice made available in English or any of the 22 languages listed in the Eighth Schedule of the Constitution. The Rules build on these obligations by mandating that the privacy notice be presented on its own and be understandable independently. They also detail the required composition of the notice, including:

  • An itemized list of the data being collected
  • Specific purpose and specific description of goods or services for which the data is processed
  • The contact details of the DPO or authorized representative, and direct communication links to the website or app through which the Data Principal can withdraw consent, exercise their rights, and file a complaint with the Board

Additionally, the Rules require Data Fiduciaries to issue retrospective notices for any personal data processed before the DPDP Act and Rules came into effect.

Verifiable consent

The Act requires Data Fiduciaries to obtain verifiable consent from a parent or lawful guardian before processing the personal data of a child or a person with a disability, prohibits any processing that may cause harm to the Data Principal, and bans behavioral monitoring or targeted advertising directed at children. The Rules expand on these requirements by mandating how the verification is undertaken. Further, the Rules exempt certain specific purposes from the requirement to obtain parental consent, such as:

  • Child protection duties → Processing as necessary for legal functions
  • Subsidy/benefit/service issuance → Only as necessary for provision
  • Email account creation → Limited to account creation and email use
  • Real-time location tracking → Only for child safety/security
  • Blocking harmful content → Only to prevent access to detrimental info/services/ads
  • Child verification / due diligence → Only as necessary for confirmation

The Rules thus define specific cases, such as child protection duties, issuance of subsidies or services, and email account creation, where parental consent is not mandatory prior to processing a child’s information.

Significant Data Fiduciary (SDF)

The DPDP Act introduces the role of the Significant Data Fiduciary (SDF), which the government will designate based on the volume and sensitivity of the personal data processed and the associated risk. The specific obligations of an SDF include appointing a Data Protection Officer (DPO) based in India, appointing an independent data auditor, and conducting a Data Protection Impact Assessment (DPIA). The Rules further strengthen this by mandating that an SDF periodically share significant observations and gaps with the Data Protection Board of India.

Citizens’ rights

The Act empowers the citizens of the country through a specific set of Data Principal rights.


The Rules further strengthen these protections by requiring that Data Principals be able to submit requests through a publicly available mechanism such as a website or app using an identifier provided by the Data Fiduciary, while also obligating the Data Fiduciary to clearly publish the details of how such requests can be made and to address all grievances within 90 days.

Breach Notification

The Act defines a personal data breach as any unauthorized or accidental compromise of personal data’s confidentiality, integrity, or availability, and requires Data Fiduciaries to promptly notify the Board and affected individuals with details for timely protective action.

The Rules build on this by mandating that Data Fiduciaries notify the Board and the affected Data Principals without delay on becoming aware of a personal data breach. Further, they have to submit a detailed report to the Board within 72 hours (or an approved extended period).

Consent Manager

As per the DPDP Act, a Consent Manager is a person registered with the Board who acts as a single point of contact, enabling a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform.

The Rules further provide detailed information on the obligations of Consent Managers as well as the key requirements for companies to register as one. They also mandate that a Consent Manager have a minimum net worth of INR2 crore, provide a secure, neutral, and user-friendly platform for managing consent, and retain audit trails of all consents for at least seven years.

Reasonable Safeguards

The DPDP Act requires organizations to safeguard personal data at all stages of processing, to ensure that security measures are appropriate to the type of data and the associated risks, and to remain responsible for data protection even when third parties process the data on their behalf.

Penalties

Another salient feature of the DPDP Act is its penalty provisions: non-compliance by Data Fiduciaries can attract penalties of up to INR250 crore. Some of these are:

  • Breach of the duties of a Data Principal: up to INR10,000
  • Failure to notify the Data Protection Board and affected Data Principals in the event of a personal data breach: up to INR200 crore
  • Breach of the additional obligations in relation to children: up to INR200 crore

Sectors impacted

The Act is expected to affect the majority of organizational functions, including legal, IT, human resources, sales and marketing, procurement, finance, and information security, because of the type and volume of personal data that is collected, stored, processed, retained, and disposed of in India. Hence, organizations in these and related sectors must develop a strong data privacy and protection implementation program in view of the DPDP Act, 2023 and the DPDP Rules, 2025.

Summary

The DPDP Act is a significant step forward for data protection in India. This act is a step towards showcasing India's dedication to fostering a secure and trustworthy environment for both its citizens and businesses.
