1.4 KiB
India's first comprehensive federal privacy law (enacted August 2023, rules drafting in progress, enforcement expected 2026-2027). Key features: consent for personal data processing, data processor obligations, data principal rights (right to access, correction, erasure, grievance redressal), Data Protection Board of India (DPBI) enforcement, significant penalties, exempted government processing for sovereignty/national security.
Penalties: Up to 250 Cr INR (~$30M) per breach. Data fiduciary bears primary responsibility regardless of processor fault.
Who must comply: Any organization processing personal data of Indian residents, where the data is collected in India or used to profile Indian residents. Offshore data processors are in scope.
Why it matters: DPDP is a greenfield privacy regime — India had no comprehensive privacy law before 2023. The rules (implementation details) are being drafted now. This is the widest first-mover window in the global privacy landscape: organizations need compliance tooling that doesn't exist yet. The gate stack's consent-managed data access model maps directly to DPDP's consent framework. A DPDP gate package at $30K/yr (discounted for India market) captures a market of hundreds of thousands of businesses with no incumbent vendor.