
What is the DPDPA? A practical guide for Indian businesses

A plain-English guide to India's Digital Personal Data Protection Act — who it applies to, the core obligations, and how to get compliant without boiling the ocean.


Fortifyze Team

Trufe · 20 June 2026

India's Digital Personal Data Protection Act (DPDPA) sets the rules for how organisations collect, use and protect the personal data of individuals in India. If your business handles customer, employee or user data — and almost every business does — the DPDPA applies to you. This guide explains what it means in practice.

Who the DPDPA applies to

The Act governs any organisation (a "Data Fiduciary") that determines how and why personal data is processed. It applies to processing inside India, and to processing outside India where goods or services are offered to people in India. In short: if you serve Indian users, you are in scope.

The core obligations

While the full text is detailed, the day-to-day obligations cluster into a handful of themes:

  • Lawful, purpose-bound processing. Collect personal data only for a clear, stated purpose, with a valid legal basis — most commonly consent.
  • Notice and consent. Tell people what you collect and why, in clear language, and obtain free, specific, informed consent. People can withdraw consent as easily as they gave it.
  • Data principal rights. Individuals can request access to, correction of, and erasure of their data, and can raise grievances. You must respond within reasonable timelines.
  • Security safeguards. Protect personal data with reasonable security — encryption, access control and breach response.
  • Breach notification. Report personal data breaches to the Data Protection Board and affected individuals.
  • Accountability. Keep records, and (for Significant Data Fiduciaries) appoint a Data Protection Officer and conduct impact assessments.

The problem most teams hit first

Before you can honour any of these obligations, you have to answer a deceptively hard question: what personal data do we hold, and where? Personal data sprawls across databases, cloud storage, mailboxes, SaaS apps, spreadsheets and employee laptops. Most organisations simply don't have a current map.

This is why data discovery is the natural starting point for DPDPA readiness. You can't protect, minimise, or fulfil rights requests against data you can't see.

A pragmatic path to readiness

You don't need to do everything at once. A sensible sequence:

  1. Discover & classify. Map where personal data lives and how sensitive it is.
  2. Fix the basics. Stand up compliant notice and consent, and a way to receive rights requests and grievances.
  3. Operationalise. Maintain records of processing, retention schedules and breach procedures.
  4. Prove it. Keep evidence and a readiness view you can show leadership and regulators.

How Fortifyze helps

Fortifyze is built natively for the DPDPA. It discovers and classifies personal data across your systems and endpoints, automates consent and data-subject rights, supports DPIAs and records of processing, and keeps you continuously audit-ready — all in one platform.

Ready to see where your personal data lives? Talk to our team or get started.

This guide is for general information and is not legal advice. Consult qualified counsel for your specific obligations.

DPDPA, Compliance, Data Protection
