Knowledge Center

The DPDP Knowledge Hub

Simplifying India’s Digital Personal Data Protection Act (2023) & Rules (2025).

The “Act Simplified” (Glossary)

Speak the Language of Compliance

Data Fiduciary: The “Boss” of the data. If you decide why and how data is collected (e.g., a bank, an e-commerce site), this is you. You are liable for compliance.

Data Principal: The “Owner” of the data. This is your customer, employee, or website visitor whose personal data you hold.

Consent Manager: A new tech intermediary, registered with the Data Protection Board (DPB), that lets users manage their consent across multiple platforms in one place.

Significant Data Fiduciary (SDF): Big players (high volume/risk) notified by the government. They need a resident Data Protection Officer (DPO) and independent audits.


“Rule Watch” – The 2025 Updates

What Changed with the Nov 2025 Rules?

Consent Architecture: Notice must now be in English + one of the 22 scheduled languages. “Bundled consent” (hiding privacy terms inside T&Cs) is officially invalid.

72-Hour Breach Window: Confirmed. You must report a personal data breach to the Data Protection Board (DPB) and the affected users immediately.

Children’s Data: A “Verifiable Parental Consent” mechanism is now mandatory for any user under 18.

The “Transition Period”: Most SMEs have until [Insert Month] 2026 to fully align their legacy data with new consent norms. Are you ready?


FAQ

Frequently Asked Questions

“Does this apply to my small startup?”

  • Yes. If you collect digital data (names, phone numbers) of Indian residents, the Act applies. There is no minimum turnover threshold for basic compliance.

“Can I just copy my GDPR privacy policy?”

  • No. The DPDP Act has specific requirements for the “Notice” (Section 5) that are different from GDPR. For example, you must offer the option to access the notice in local Indian languages.

“What happens to the data I collected before 2023?”

  • You must send a fresh notice to all legacy users informing them of the data you hold and their rights. If they withdraw consent, you must delete their data.

“Who needs to appoint a Data Protection Officer (DPO)?”

  • Legally, only “Significant Data Fiduciaries.” However, every company must appoint a “Grievance Officer” who answers user queries. We recommend a Virtual DPO for mid-sized firms to handle both roles.

Downloadable Resources

Presentation on Introduction to DPDP Act

Presentation on Building a privacy first mindset

Presentation on Consent Management System

Presentation on raw reading of DPDP Act 2023 (Part 1)

Presentation on raw reading of DPDP Rules 2025 (Part 1)