The DPDP Act, explained for operators.

The Digital Personal Data Protection Act 2023 and the DPDP Rules 2025 are written for lawyers. This is the same law written for the people who have to run it — who is who, which obligations bite first, what non-compliance costs, and when the clock actually starts.

Who is who

Four roles, and why they matter to you.

The Act assigns every party a role, and your obligations follow from the role you occupy — usually more than one.

  • Data Principal — the individual the personal data is about. Under the Act they hold rights, not duties. If you collect customer, employee, or user data, every one of those people is a Data Principal you owe obligations to.
  • Data Fiduciary — any person or entity that, alone or with others, decides the purpose and means of processing personal data. If your organisation decides why and how data is used, you are a Data Fiduciary. This is the role most enterprises occupy, and it carries the bulk of the Act's duties.
  • Data Processor — a party that processes data on behalf of a Fiduciary, under contract. Your cloud host, your email-sending vendor, your analytics provider. You stay accountable for what your Processors do; the contract is your control surface.
  • Significant Data Fiduciary (SDF) — a Fiduciary the Central Government designates as significant based on data volume, sensitivity, and risk to Data Principals. SDFs carry heightened duties: a mandatory Data Protection Impact Assessment, an appointed Data Protection Officer based in India, and independent annual audits.

You can be a Fiduciary for your customers and, at the same time, a Processor for a partner whose data you handle. Map every data flow to a role before you map it to a control.

What bites first

The obligations you feel on day one.

The Act is broad, but a handful of duties touch every collection event and every user interaction. These are where unprepared organisations fail an inquiry.

Notice — Section 5. Before or at the time you collect personal data, you must give the Data Principal a clear, standalone notice: what data, for what purposes, how to exercise their rights, and how to complain to the Data Protection Board of India. Bundling the notice into a wall of terms-and-conditions does not satisfy Section 5.

Consent — Section 6. Where consent is your lawful basis, it must be free, specific, informed, unconditional, and unambiguous — given by a clear affirmative action. Pre-ticked boxes are invalid. Withdrawal must be as easy as the original grant, and you must be able to demonstrate, for any record, what was consented to, by whom, and when.

Rights — Sections 11 to 14. Data Principals have the right to access a summary of their data and processing (§11), to correction and erasure (§12), to grievance redressal (§13), and to nominate another person to exercise their rights (§14). Each carries an operational expectation of timely fulfilment — rights handled in a spreadsheet leave no defensible evidence trail.

Breach notification — Section 8(6). On becoming aware of a personal data breach, a Fiduciary must notify both the Board and every affected Data Principal. The DPDP Rules attach a strict timeline to this — a countdown that is unforgiving without a rehearsed, tooled workflow. Ad hoc breach handling burns the window.

These four are the floor. Section 8 as a whole also requires you to maintain accuracy, apply reasonable security safeguards, and erase data once its purpose is served (subject to legal retention).

The cost of getting it wrong

The penalty schedule.

The Act sets penalties per the Schedule, assessed by the Board after inquiry. The headline number is large enough to reach the boardroom.

The maximum penalty under the Act is ₹250 Crore per instance of failure to take reasonable security safeguards to prevent a personal data breach. Other failures carry their own ceilings — failing to notify a breach, failing to meet children's-data obligations, and breaching the general duties of a Fiduciary each draw penalties running into tens of crores. The Board determines the actual amount with reference to the nature, gravity, and duration of the breach, the type of data involved, and whether the breach was repetitive.

The practical point for operators: penalties are assessed after an inquiry, and an inquiry turns on evidence. A Fiduciary that can produce tamper-evident, independently verifiable records of consent, notice, and breach response is in a materially different position from one offering database exports that any administrator could have altered.
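As an added illustration of what "tamper-evident" can mean for consent records (example code written for this page, not taken from the Act, the Rules or any product; the record fields, identifiers and timestamps are constructed), the ledger below chains each consent grant or withdrawal to the hash of the record before it, so a later edit to any record is detectable.

```python
"""Hash-chained consent ledger (added example, not from the original page or any vendor).

Every record fixes what was consented to, by whom and when, and commits to the hash of the
record before it, so editing or deleting any earlier record changes every hash after it.
Field names, identifiers and timestamps are constructed for this example.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so one record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append_record(ledger, principal_id, action, purposes, timestamp):
    """Append a consent grant or withdrawal, chained to the current head of the ledger."""
    body = {
        "seq": len(ledger),
        "principal_id": principal_id,    # by whom
        "action": action,                # "grant" or "withdraw"
        "purposes": sorted(purposes),    # what was consented to
        "timestamp": timestamp,          # when (ISO 8601, UTC)
        "prev_hash": ledger[-1]["hash"] if ledger else GENESIS,
    }
    record = dict(body, hash=_digest(body))
    ledger.append(record)
    return record


def verify_chain(ledger):
    """Return (True, None) if every record is intact and linked, else (False, seq of first bad record)."""
    expected_prev = GENESIS
    for i, record in enumerate(ledger):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record["seq"] != i or body["prev_hash"] != expected_prev or _digest(body) != record["hash"]:
            return False, i
        expected_prev = record["hash"]
    return True, None


def demo():
    """Build a three-record ledger, then show that a silent edit to the first record is caught."""
    ledger = []
    append_record(ledger, "dp-1001", "grant", ["order_fulfilment", "marketing"], "2026-01-10T09:15:00Z")
    append_record(ledger, "dp-1001", "withdraw", ["marketing"], "2026-03-02T17:40:00Z")
    append_record(ledger, "dp-2048", "grant", ["order_fulfilment"], "2026-03-03T08:05:00Z")
    before = verify_chain(ledger)
    ledger[0]["purposes"].append("profiling")  # an administrator widens the consent after the fact
    return before, verify_chain(ledger)
```

Chaining alone only proves the log is internally consistent; an administrator who can rewrite every hash can still rebuild it. Independent verifiability comes from regularly handing the head hash to a party outside that administrator's control, such as an auditor or a timestamping service, so that the stored chain can be checked against it.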

When the clock starts

The enforcement timeline.

The Act passed in 2023, but enforcement is phased. These are the dates that actually govern your runway — converted from the regulatory text to plain calendar dates.

  • 13 November 2025 — DPDP Rules go live. The operative Rules that put detail behind the Act's sections — notice content, consent records, breach timelines, the Consent Manager framework — took effect. The law became operable, not just enacted.
  • 13 November 2026 — Consent Manager registration opens. The window for entities to register as Consent Managers under Rule 4 begins. India-incorporated entities meeting the data-residency and interoperability obligations can apply from this date.
  • 13 May 2027 — full enforcement. The remaining provisions reach full force. By this date a Fiduciary is expected to be operating — not planning — compliant notice, consent, rights, and breach processes.

Treat 13 May 2027 as the line, and work backwards. Consent and notice readiness are not a one-week project; the organisations that fare well in the first wave of inquiries are the ones that started building evidence trails well before the deadline.

See where you stand — in 20 minutes.

Use our free Readiness Gap Analyser to find your highest-risk gaps across notice, consent, rights, breach, and evidence readiness. No login required.