Sammati

Resource guide

DPDPA: What your business needs to know

India’s Digital Personal Data Protection Act, 2023 (“DPDPA”) is a landmark privacy law that affects every organisation collecting or processing the personal data of Indian residents. Here’s a plain-language overview.

This guide is informational only. It is not legal advice. Review your obligations with your legal counsel and the official DPDPA text.

1. What is the DPDPA?

The Digital Personal Data Protection Act, 2023 is India’s first comprehensive data protection legislation, passed by Parliament in August 2023. It creates rights for individuals (“Data Principals”) over their personal data and duties for organisations that collect or process it (“Data Fiduciaries”).

Enforcement rules (DPDPA Rules) are expected around mid-2027. Getting your consent infrastructure right now gives you the runway to test, iterate, and be audit-ready before day one of enforcement.

2. Who does it apply to?

The DPDPA applies to you if you:

  • Collect or process personal data of individuals in India
  • Process such data digitally (or in a form intended to be processed digitally)
  • Operate outside India but offer goods or services to individuals in India (with certain exceptions)

Exceptions include personal or domestic use and certain government processing. “Significant Data Fiduciaries” — those handling large volumes or sensitive data — face additional obligations (DPIA, data audits, DPO appointment).

3. Key requirements

Consent — free, specific, informed

You must obtain consent before processing personal data, unless a legitimate use applies. Consent must be free, specific, informed, unconditional, and unambiguous. A “consent notice” must describe purposes in plain language and be available in multiple Indian languages. Pre-ticked boxes do not count.

Data Principal rights

Individuals have the right to access a summary of their data, correct or erase it, withdraw consent at any time, and nominate another person to exercise rights on their behalf. Grievance redressal must be available and timely.

Data security and breach notification

Fiduciaries must implement reasonable security safeguards. Breaches must be notified to the Data Protection Board of India and affected individuals.

Children’s data

Processing personal data of anyone under 18 requires verifiable parental consent. Significant restrictions apply on behavioural tracking and targeted advertising for children.

4. How Sammati helps

Sammati is built around the specific consent model the DPDPA requires:

  • Verifiable receipts — every consent is stored in a hash-chained, append-only ledger. Data Principals can verify their receipt independently, with no login.
  • Purpose-level granularity — your consent notice maps each purpose separately; withdrawal of one does not affect others.
  • DSR workflow — access, correction, and erasure (via crypto-shred) requests are tracked end-to-end.
  • Grievance management — a built-in grievance channel tied to your DPDPA obligations.

Sammati supports your DPDPA obligations. Compliance depends on how you configure and use the platform — review with your legal team.

Ready to get started?

See Sammati live, or book a free readiness assessment to map your DPDPA exposure.

More detail: sammati.app