An Overview of India's Digital Personal Data Protection Act (DPDPA) of 2023

Read this blog post for a high-level overview of the Digital Personal Data Protection Act (DPDPA) of 2023, the new privacy law in India.

The Digital Personal Data Protection Act (DPDPA) 2023 was enacted after more than a decade of effort to establish a comprehensive data protection framework in India. It officially became law on August 11, 2023, following approval by Parliament and assent from the President of India. The Act is designed to regulate the processing of digital personal data in a way that protects individuals’ rights while ensuring data is used for lawful purposes.

The rapid growth of digital platforms and services, combined with previously limited regulatory oversight, made such legislation necessary. Before the DPDPA, India did not have a standalone data protection law, and personal data processing was primarily governed under the Information Technology Act, 2000.

Background and Evolution

The DPDPA builds on years of legal and policy development:

  • In 2017, the Supreme Court’s Puttaswamy judgment recognized privacy as a fundamental right and called for a robust data protection law.
  • The Justice Srikrishna Committee developed an initial framework and draft bill.
  • This evolved into the Personal Data Protection Bill, 2019, followed by a revised version in 2021 after review by a Joint Parliamentary Committee.
  • A further revision in 2022 introduced significant changes, leading to the final version of the DPDPA after public consultation.

The Act reflects India’s need to balance privacy, economic growth, national security, and global data protection trends.

Scope and Applicability

The DPDPA applies to:

  • Personal data collected in digital form
  • Personal data originally non-digital but later digitized

It does not apply to:

  • Purely non-digital records (e.g., paper files not digitized)
  • Data used for personal or domestic purposes
  • Data made publicly available by the individual or under legal obligation

Territorial Scope

  • Applies within India
  • Also applies outside India if data processing relates to offering goods or services to individuals in India

Enforcement Timeline

The law is not yet fully enforceable. The Ministry of Electronics and Information Technology (MeitY) will announce phased implementation timelines.

  • Compliance windows may be relatively short
  • Some provisions could allow as little as six months for organizations to comply
  • This is significantly shorter than GDPR’s 24-month transition period

Key Purpose

The DPDPA aims to:

  • Safeguard individuals’ personal data
  • Ensure lawful and transparent data processing
  • Establish accountability for organizations handling personal data

Key Takeaway

The DPDPA marks a major milestone in India’s digital regulatory landscape. It introduces a modern framework for data protection while aligning with global privacy trends—making it essential for organizations handling Indian personal data to prepare for compliance as enforcement begins.