What practitioners and boards are asking
What is DPDPA 2023 and who does it apply to?
The Digital Personal Data Protection Act, 2023 (DPDPA) is India's comprehensive data privacy legislation. It applies to all entities processing digital personal data in India, and to foreign entities processing data of Indian residents under Section 3. There is no revenue or size threshold: every Data Fiduciary processing digital personal data is within scope.
What are the maximum penalties under DPDPA?
DPDPA prescribes penalties up to ₹250 Crore under Section 33 read with the Schedule. The penalty for failure to protect children's data is up to ₹200 Crore. The Data Protection Board of India determines penalties based on the nature, gravity, and duration of the breach.
What is the Vibe Data Privacy Framework by AMLEGALS?
Vibe Data Privacy™ is AMLEGALS' proprietary governance framework built from the DPDPA 2023 statutory text. It measures compliance across five operational layers: Signal (privacy frequency across consent records and data flows), Pulse (governance stance against all 44 Sections and 15 Rules), Drift (compliance entropy and deviations from baseline), Dividend (privacy ROI through trust metrics and audit readiness), and Culture (organisational privacy maturity), producing a single Board-ready Vibe Pulse Score (VPS) from 0 to 100.
When will DPDPA be fully enforceable?
DPDPA received Presidential Assent in August 2023. The DPDP Rules 2025 were notified in November 2025, triggering an 18-month compliance runway. Full enforcement with operative penalties is expected by May 2027. Organisations should achieve compliance before enforcement begins.
How does DPDPA compare to GDPR?
DPDPA and GDPR are structurally independent frameworks. Key differences: (1) DPDPA uses a negative-list approach for cross-border transfers under Section 16 versus GDPR's adequacy model; (2) no right to data portability under DPDPA; (3) a centralised Data Protection Board versus multiple supervisory authorities; (4) fixed penalty amounts versus revenue percentages; (5) DPDPA applies only to digital personal data, not paper records.
What is a Significant Data Fiduciary under DPDPA?
Under Section 10, the Central Government may notify a Data Fiduciary as Significant based on volume and sensitivity of data processed, risk to Data Principals, and other prescribed factors. SDFs have enhanced obligations including mandatory DPO appointment (based in India), periodic audits by independent auditors, and Data Protection Impact Assessments.
Does DPDPA apply to foreign companies?
Yes. Section 3 of DPDPA extends its applicability to processing of digital personal data outside India if such processing is in connection with offering goods or services to Data Principals within India. This extraterritorial scope means foreign companies processing Indian residents' data must comply regardless of their physical location.