india_dpdp

India DPDP

Digital Personal Data Protection Act, 2023

India | DPDP Rules 2025 notified November 13–14, 2025

India's first comprehensive digital privacy law governs how organizations process digital personal data of Indian citizens. The DPDP Rules 2025 give the Act full operational effect through a phased compliance timeline, with full compliance required by May 2027. RAIL Score checks content against 10 DPDP requirements covering consent, notice, security, breach notification, children's data, and cross-border transfers.

Official Resources

meity.gov.in — DPDP Rules 2025 text
pib.gov.in — Press Information Bureau overview
DLA Piper India Profile — Data protection overview

Maximum Penalties

Violation Type	Maximum Fine
Failure to take reasonable security safeguards	INR 250 crore (~$30M)
Failure to notify breach to Data Protection Board	INR 200 crore (~$24M)
Failure to notify affected Data Principals	INR 200 crore (~$24M)
Non-compliance with SDF obligations	INR 150 crore (~$18M)
Children's data violations	INR 200 crore (~$24M)
Other violations	INR 50 crore (~$6M)

Phased Compliance Timeline

Phase	Date	What Activates	Status
Phase 1	November 14, 2025	Data Protection Board of India (DPBI) established; definitions operational; Act framework active	Active
Phase 2	November 2026	Consent Manager registration and oversight begins	Upcoming
Phase 3	May 2027	Full compliance: notices, consent, breach reporting, security safeguards, rights management, cross-border transfers, SDF obligations	Upcoming

As of March 2026, India is in Phase 1. Substantive compliance duties activate in May 2027.

Requirements Checked by RAIL Score

ID	Provision	Requirement	What RAIL Evaluates
DPDP-001	Sec. 4, Rule 3	Consent-first processing	Is valid consent described as the lawful basis?
DPDP-002	Sec. 5, Rule 4	Notice to Data Principals	Are individuals informed of purpose, data used, rights?
DPDP-003	Sec. 6	Consent specificity	Is consent free, specific, informed, unconditional?
DPDP-004	Sec. 8, Rule 6	Security safeguards	Are encryption, access controls, logging mentioned?
DPDP-005	Sec. 8(6), Rule 7	Breach notification	Is breach detection and Board notification process described?
DPDP-006	Sec. 9, Rule 10	Children's data	Are children (under 18) data handled with parental consent?
DPDP-007	Sec. 11	Right to access	Can Data Principals access their data?
DPDP-008	Sec. 12	Right to correction/erasure	Are correction and deletion rights provided?
DPDP-009	Sec. 16	SDF obligations	Annual DPIA, audit, algorithmic transparency (if applicable)
DPDP-010	Sec. 16(4)	Cross-border transfers	Are data transfer restrictions addressed?

Key Differences from GDPR

Aspect	GDPR	India DPDP
Legal basis options	6 bases (consent, contract, legitimate interest, etc.)	Consent is primary — limited other grounds
Breach notification threshold	Risk of harm to individuals	Any breach must be reported (no threshold)
Right to data portability	Explicit (Art. 20)	Not explicitly included
DPO requirement	Risk-based	Voluntary (SDFs have DPO obligations)
Non-digital data	Covered if digitised	Only digital personal data
Legitimate interests	Yes	No general legitimate interests basis

Significant Data Fiduciaries (SDFs)

Certain companies will be designated as SDFs by the Government based on data volume, sensitivity, and risk. SDFs face enhanced obligations:

Annual Data Protection Impact Assessment (DPIA)
Independent data protection audit every 12 months
Reports submitted to the Data Protection Board
Due diligence on algorithmic systems (bias, transparency)
Restrictions on mergers/acquisitions without Board approval
Prohibition on tracking children's behaviour for targeted advertising

The SDF list has not yet been published as of March 2026. Expected before Phase 3 (May 2027).

Current Status (March 2026)

DPBI membership: Search-cum-selection committee to be constituted; board members not yet publicly announced
SDF list: Not yet published; expected before Phase 3
Cross-border transfer restrictions: Government to maintain a list of approved countries; not yet published
Children's data consent mechanism: Technical implementation guidance expected

india_ai_gov

India AI Governance Framework

India's National Strategy for Artificial Intelligence (NITI Aayog) and MeitY's Responsible AI for All framework provide governance guidelines. India has taken a principles-based, non-binding approach to AI governance (in contrast to the EU's mandatory regulation), with the IndiaAI Mission focusing on:

Responsible AI development and safety
Bias and fairness in AI systems
Privacy-preserving AI
AI for social good

indiaai.gov.in meity.gov.in NITI Aayog AI Strategy

API Example

See the Compliance API reference for full endpoint documentation, parameters, and response schema.

Python — India DPDP compliance check

from rail_score_sdk import RailScoreClient

client = RailScoreClient(api_key="YOUR_RAIL_API_KEY")

result = client.compliance_check(
    content="""
    Our EdTech platform collects students' learning data, progress reports,
    and device usage patterns. Parents can register on behalf of children.
    Data is stored on servers in India and Singapore.
    """,
    framework="india_dpdp",
    context={
        "domain": "education",
        "data_subjects": ["children"],
        "jurisdiction": "IN",
        "processes_personal_data": True
    },
    strict_mode=True
)

print(f"DPDP Score: {result.compliance_score.score}/10 ({result.compliance_score.label})")
print(f"Passed: {result.requirements_passed}/{result.requirements_checked}")

for issue in result.issues:
    print(f"[{issue.severity.upper()}] {issue.description}")

Sources: MeitY · PIB India · India Briefing · IndiaAI