The Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent on 11 August 2023 and is India's landmark data protection legislation. It establishes a comprehensive framework governing the processing of digital personal data of Indian residents — both within India and extraterritorially when processing relates to offering goods/services to individuals in India. The Act creates a Data Protection Board of India (DPBI) as the adjudicatory authority with penalty powers up to ₹250 crore per violation.

The DPDP Act introduces key concepts: Data Fiduciary (entity that determines purpose and means of processing — equivalent to GDPR Controller), Data Principal (individual whose data is processed — equivalent to GDPR Data Subject), and Consent Manager (DPBI-registered intermediary for managing consent). Significant Data Fiduciaries (SDFs) — large-scale processors notified by the government — face additional obligations including data localisation requirements, audits, and DPO appointment. Rules defining specific thresholds and SDF criteria are expected in 2025–26.

🌍 Opportunity: Organisations already compliant with GDPR or ISO 27001 are significantly ahead — the DPDP Act shares principles of lawful processing, consent, purpose limitation, and data minimisation. Joint compliance with GDPR and DPDP Act is achievable with a single privacy programme.