The Digital Personal Data Protection Act 2023 has moved from legislation to enforcement. Every Indian enterprise that processes personal data is now in scope — with penalties that can reach ₹250 Crore per incident. Here is the definitive 7-obligation compliance checklist, sector-specific requirements, how AI systems change the compliance calculus, and an 8-week path from gap to compliant.

Enforcement Alert: The Digital Personal Data Protection (DPDP) Act 2023 is in force. Non-compliance penalties reach ₹250 Crore per incident — and are cumulative, not capped. Every enterprise processing personal data of Indian citizens is in scope with no size threshold and no sector exemption.
The Digital Personal Data Protection Act 2023 regulates the processing of "personal data" — any data by which an individual can be identified. Every organisation that determines how and why personal data is processed is a "data fiduciary" under the Act. The individuals whose data is processed are "data principals." This relationship creates binding obligations on how data is collected, stored, processed, transferred, and deleted.
What changed versus the old IT Act framework is significant. Consent under the IT Act was often implicit or buried in terms and conditions. Under DPDP, consent must be explicit, purpose-specific, freely given, and revocable at any time. You cannot condition a service on consenting to unrelated data collection. The burden of proof — that valid consent was obtained — sits entirely with the data fiduciary.
Enforcement sits with the Data Protection Board of India, which can receive complaints directly from data principals, investigate, hold hearings, and impose financial penalties. The Board's orders are binding and can be appealed only to the Telecom Disputes Settlement and Appellate Tribunal. This is a real, operational regulator — not a consultation paper still under review.

The Act creates seven foundational obligations for every data fiduciary. For enterprises running AI systems, each carries a specific technical implication that goes well beyond updating a privacy policy.
| Obligation | What It Requires | AI-System Impact | Penalty Risk |
|---|---|---|---|
| Lawful basis & consent | Explicit, purpose-specific, revocable consent before processing personal data | LLM training data, chatbot sessions, personalisation engines all need auditable consent | Up to ₹250 Cr |
| Purpose limitation | Data used only for the purpose for which consent was obtained | Cannot repurpose training data or use customer service logs for marketing models | Up to ₹200 Cr |
| Data minimisation | Collect only what is necessary for the stated purpose | AI inputs and feature pipelines must be pruned of unnecessary PII fields | Up to ₹150 Cr |
| Data accuracy & quality | Maintain accurate, current records and correct errors promptly | AI systems must not perpetuate stale or incorrect personal data in outputs or recommendations | Up to ₹100 Cr |
| Storage limitation | Delete personal data once the processing purpose is fulfilled | AI pipelines must honour data retention windows — logs and embeddings cannot accumulate indefinitely | Up to ₹100 Cr |
| Right to access & correction | Respond to data access or correction requests within 30 days | AI systems must be able to retrieve and surface all PII held on a specific individual | Up to ₹150 Cr |
| Right to erasure | Delete all personal data on request — the 'Right to be Forgotten' | Vector DBs, RAG stores, and training datasets must support targeted purge operations without full retraining | Up to ₹250 Cr |
Standard compliance programmes assume databases, forms, and CRM records. AI systems add a layer of complexity that most compliance frameworks have not caught up to yet — and that most vendors won't flag until you ask.
Historical customer data used to train models may require retroactive consent audits. Data collected under the old IT Act framework often does not meet DPDP's explicit-consent standard.
Sending personal data to foreign AI APIs constitutes a cross-border transfer. For regulated sectors this is prohibited. For others, it requires explicit contractual safeguards.
When an individual requests erasure, you must remove their data from vector databases, RAG stores, and training datasets — without necessarily retraining the full model. Design this in from day one.
When an AI system makes a decision that significantly affects an individual — a loan rejection, a hiring decision — the Act requires disclosure that the decision was made by an automated system.

The DPDP Act sets a compliance floor. Several regulated sectors face additional requirements from their sectoral regulators — RBI, IRDAI, SEBI — that stack on top of DPDP and are often significantly stricter. Failing to account for both layers is one of the most common compliance gaps we see.
Payment data, customer financial records, and transaction histories must remain in India. Foreign AI APIs are effectively prohibited for this data. On-premise or India-hosted LLMs are the only compliant path.
Patient records are sensitive personal data under DPDP, attracting the highest penalty tier. Explicit consent is required before every AI use — diagnostic AI, appointment scheduling, patient communication.
Marketing consent cannot be bundled with T&Cs or purchase flows. Opt-out must be as easy as opt-in. Behavioural data and purchase history used for AI recommendations need purpose-specific consent.
Employee personal data in HRMS, payroll, leave systems, and AI-driven performance tools is fully in scope. Employers are data fiduciaries for their employees under DPDP — no blanket employment-contract exemption.
Most enterprises can move from a cold start to a defensible DPDP compliance posture in 8 weeks — not because the task is simple, but because the work is well-structured. The key is to sequence correctly: understand before you fix, fix architecture before you update policy.
The fastest way to comply with DPDP is to build AI systems where compliance is a property of the architecture — not an afterthought bolted onto a foreign cloud setup. At Swaran Soft, every AI deployment runs on open-source models (Sarvam AI, Mistral, Llama) on-premise or on Indian cloud infrastructure — AWS Mumbai, Azure India. No personal data leaves Indian jurisdiction.
This approach means consent management, data erasure workflows, and breach notification readiness are designed into the system from day one — not retrofitted six months after go-live. Enterprises we work with achieve DPDP compliance while cutting AI operating costs 70–80% versus foreign proprietary APIs. The same architectural decision that satisfies the regulator also eliminates per-token API costs.
Our architects will map your data flows, identify DPDP gaps, and design a remediation path — in a free 45-minute session. No commitment required.

AI Architect and Entrepreneur building India's Edge AI ecosystem. 25+ years in enterprise technology. Founder of Swaran Soft, Gignaati, and Copilots.in.
The 7-obligation DPDP checklist with AI-system requirements — ready to share with your legal and engineering teams.
Talk to a DPDP Architect
Free 45-min assessment. Map your data flows and identify DPDP gaps before the regulator does.
Book Free Assessment