Cyber Horizon
Back to Blog
India DPDPPrivacyAPAC

India’s DPDP Act: A Practical Compliance Guide

5 June 2026·8 min read·Cyber Horizon Team

India’s Digital Personal Data Protection (DPDP) Act establishes a modern privacy regime for the world’s most populous country. If you process the digital personal data of people in India, it gives them enforceable rights — and gives you concrete obligations, backed by significant penalties.

The key terms

The Act uses its own vocabulary: a data principal is the individual; a data fiduciary decides the purpose and means of processing (akin to a controller); and a data processor processes on a fiduciary’s behalf. Large-scale processors may be designated Significant Data Fiduciaries with extra duties.

Core obligations for fiduciaries

Consent & notice

Process on clear, informed consent (or a lawful legitimate use), with an itemised notice and easy withdrawal.

Purpose limitation

Use data only for the purpose it was collected for, and erase it when that purpose ends.

Security safeguards

Implement reasonable technical and organisational measures to protect personal data.

Breach notification

Notify the Data Protection Board and affected principals of a personal-data breach.

Principal rights

Honour rights to access, correction, erasure and grievance redressal.

How it compares to GDPR

If you already comply with GDPR, you’re a long way there — consent, purpose limitation, security and breach notification all rhyme. But DPDP has its own consent-manager concept, notice requirements, and rules on children’s data, so don’t assume a straight copy-paste. Significant Data Fiduciaries also face additional obligations such as Data Protection Impact Assessments and an independent data auditor.

How to prepare

  • Map where you process Indian personal data, and on what basis.
  • Refresh notices and consent flows to meet DPDP’s itemised requirements.
  • Stand up data-principal rights handling (access, correction, erasure, grievance).
  • Tighten security safeguards and breach-notification readiness.
  • Assess whether you are a Significant Data Fiduciary and plan for the extra duties.

The bottom line

The DPDP Act brings India into line with global privacy norms while keeping its own distinct rules. Build on a GDPR-style foundation, adapt for DPDP’s specifics, and operationalise the rights and safeguards rather than treating the Act as a policy document.

Run DPDP alongside GDPR and your other frameworks

Cyber Horizon maps DPDP to your existing privacy controls, so one programme covers India, the EU and beyond — with evidence kept continuously current.

Book a Demo