The DPDP Act 2023, explained properly.
India's Digital Personal Data Protection Act is now being enforced in phases — the Rules were notified on 13 November 2025 and full compliance is due by 13 May 2027. These guides cover what the law says, what it costs to ignore, and exactly what to do about it — written for the lawyers, CAs and businesses who handle personal data every day.
In force now
Data Protection Board
Operational since 13 Nov 2025 — complaints can already be filed.
November 2026
Consent Managers go live
Interoperable consent dashboards for granting and withdrawing consent.
13 May 2027
Full enforcement
All obligations enforceable — penalties up to ₹250 crore per instance.
Understand the law
What is the DPDP Act?
India's first comprehensive data protection law, explained in plain English — definitions, scope, rights and duties.
9 min read
DPDP Rules 2025
The rules that switched the Act on — notification, phased commencement, and the 13 May 2027 hard deadline.
8 min read
Penalties under DPDP
The full fine schedule — from ₹10,000 for individuals to ₹250 crore for security-safeguard failures.
7 min read
Enforcement timeline
From the 2023 Act to the May 2027 hard deadline — every date, and what to do in each quarter.
6 min read
DPDP vs GDPR
A side-by-side comparison for teams that operate under both regimes — where India's law is stricter, and where it is lighter.
8 min read
Consent requirements
The anatomy of valid consent — notice contents, withdrawal, Section 7 legitimate uses, and consent managers.
7 min read
Comply in practice
Compliance checklist
Twelve concrete steps — from data mapping to breach drills — sized for firms without a compliance department.
10 min read
For lawyers & law firms
Client PII in filings, redaction duties, cloud-tool risk and privilege — what changes for legal practice.
9 min read
For CAs & tax professionals
PAN, 26AS, bank statements, Form 16 — obligations for the practice that holds a city's financial data.
9 min read
For small businesses
Right-sized compliance: what a 10-person company must do, what it can skip, and a one-week starter plan.
8 min read
Is your PDF tool compliant?
The five questions to ask any document tool before sending client files to it — and the architecture that makes them moot.
8 min read
Penalties at a glance
| Violation | Maximum penalty |
|---|---|
| Failure of reasonable security safeguards | ₹250 crore |
| Failure to notify a personal data breach | ₹200 crore |
| Violating children's data obligations | ₹200 crore |
| Significant Data Fiduciary failures | ₹150 crore |
| Any other violation of the Act or Rules | ₹50 crore |
Imposed per instance by the Data Protection Board of India. Read the full penalties guide →
Quick answers
What is the DPDP Act 2023 in simple terms?+
The Digital Personal Data Protection Act, 2023 is India's law governing how organisations collect, use, store and share digital personal data. It requires consent or a defined legitimate use for processing, mandates security safeguards and breach notification, gives individuals rights over their data, and is enforced by the Data Protection Board of India with penalties up to ₹250 crore.
Is the DPDP Act in force right now?+
Partially. The DPDP Rules 2025 were notified on 13 November 2025. The Data Protection Board is already operational; consent-manager provisions commence in November 2026; and all remaining obligations become enforceable on 13 May 2027 — the hard compliance deadline.
Who has to comply with the DPDP Act?+
Every person or entity that processes digital personal data of individuals in India and decides the purpose of that processing — companies of any size, law firms, CA practices, hospitals, schools and sole proprietors alike. Processing abroad is also covered when connected to offering goods or services to people in India.
What are the penalties for violating the DPDP Act?+
The Data Protection Board can impose up to ₹250 crore per instance for failing to maintain reasonable security safeguards, up to ₹200 crore for not notifying breaches or for violating children's-data rules, up to ₹150 crore for Significant Data Fiduciary failures, and up to ₹50 crore for other violations.
How is the DPDP Act different from GDPR?+
The DPDP Act is consent-centric (no open-ended "legitimate interest" ground), covers only digital personal data, has no separate sensitive-data category, requires notification of every breach, uses absolute penalty caps instead of turnover percentages, and introduces unique concepts like consent managers and the right to nominate.
What does the DPDP Act mean for handling documents like PDFs?+
Documents containing personal data — KYC copies, tax filings, bank statements, court papers — fall squarely within the Act. Uploading them to cloud tools transfers the data to a third-party processor, which requires contracts and verified safeguards. Processing them client-side in the browser avoids the transfer entirely, which is how every EverydayPDF tool works.
The simplest DPDP safeguard: stop uploading documents.
Every EverydayPDF tool — compress, merge, redact, OCR, convert, sign — runs entirely in your browser. Files never touch a server, so there is no processor to audit and no transfer to explain.
This hub is general information about the DPDP Act, 2023 and DPDP Rules, 2025 — not legal advice. Consult a qualified professional for advice on your specific obligations.
