EverydayPDF Logo
The DPDP Knowledge Hub

The DPDP Act 2023, explained properly.

India's Digital Personal Data Protection Act is now being enforced in phases — the Rules were notified on 13 November 2025 and full compliance is due by 13 May 2027. These guides cover what the law says, what it costs to ignore, and exactly what to do about it — written for the lawyers, CAs and businesses who handle personal data every day.

In force now

Data Protection Board

Operational since 13 Nov 2025 — complaints can already be filed.

November 2026

Consent Managers go live

Interoperable consent dashboards for granting and withdrawing consent.

13 May 2027

Full enforcement

All obligations enforceable — penalties up to ₹250 crore per instance.

Understand the law

Comply in practice

Penalties at a glance

ViolationMaximum penalty
Failure of reasonable security safeguards₹250 crore
Failure to notify a personal data breach₹200 crore
Violating children's data obligations₹200 crore
Significant Data Fiduciary failures₹150 crore
Any other violation of the Act or Rules₹50 crore

Imposed per instance by the Data Protection Board of India. Read the full penalties guide →

Quick answers

What is the DPDP Act 2023 in simple terms?+

The Digital Personal Data Protection Act, 2023 is India's law governing how organisations collect, use, store and share digital personal data. It requires consent or a defined legitimate use for processing, mandates security safeguards and breach notification, gives individuals rights over their data, and is enforced by the Data Protection Board of India with penalties up to ₹250 crore.

Is the DPDP Act in force right now?+

Partially. The DPDP Rules 2025 were notified on 13 November 2025. The Data Protection Board is already operational; consent-manager provisions commence in November 2026; and all remaining obligations become enforceable on 13 May 2027 — the hard compliance deadline.

Who has to comply with the DPDP Act?+

Every person or entity that processes digital personal data of individuals in India and decides the purpose of that processing — companies of any size, law firms, CA practices, hospitals, schools and sole proprietors alike. Processing abroad is also covered when connected to offering goods or services to people in India.

What are the penalties for violating the DPDP Act?+

The Data Protection Board can impose up to ₹250 crore per instance for failing to maintain reasonable security safeguards, up to ₹200 crore for not notifying breaches or for violating children's-data rules, up to ₹150 crore for Significant Data Fiduciary failures, and up to ₹50 crore for other violations.

How is the DPDP Act different from GDPR?+

The DPDP Act is consent-centric (no open-ended "legitimate interest" ground), covers only digital personal data, has no separate sensitive-data category, requires notification of every breach, uses absolute penalty caps instead of turnover percentages, and introduces unique concepts like consent managers and the right to nominate.

What does the DPDP Act mean for handling documents like PDFs?+

Documents containing personal data — KYC copies, tax filings, bank statements, court papers — fall squarely within the Act. Uploading them to cloud tools transfers the data to a third-party processor, which requires contracts and verified safeguards. Processing them client-side in the browser avoids the transfer entirely, which is how every EverydayPDF tool works.

The simplest DPDP safeguard: stop uploading documents.

Every EverydayPDF tool — compress, merge, redact, OCR, convert, sign — runs entirely in your browser. Files never touch a server, so there is no processor to audit and no transfer to explain.

This hub is general information about the DPDP Act, 2023 and DPDP Rules, 2025 — not legal advice. Consult a qualified professional for advice on your specific obligations.