DPDPA
Digital Personal Data Protection Act, 2023
India's first comprehensive data protection law. Governs the processing of digital personal data including health records, telemedicine data, and patient information across all healthcare organizations operating in India.
Regulator: MeitY — Data Protection Framework
Maximum penalty: up to ₹250 crore (~$30M USD) per violation
Manual timeline: 6 to 12 months for full DPDPA compliance implementation
With VertiComply: minutes — consent management, data rights, breach notification, and audit logging generated automatically
The Digital Personal Data Protection Act was enacted in August 2023 with implementation rules notified in November 2025. It represents a watershed moment for data protection in India, establishing clear obligations for any organization processing digital personal data of Indian residents. For healthcare apps, the DPDPA is especially significant because health data receives heightened protection. The Act introduces concepts like Data Fiduciaries (organizations collecting data), Data Principals (individuals), and Consent Managers — and mandates purpose-specific, time-bound consent before processing personal data. Unlike GDPR, DPDPA allows "deemed consent" in emergencies and public health scenarios. Most provisions have an 18-month implementation window from rule notification, making mid-2027 the compliance deadline for most organizations.
What It Covers
Consent management — purpose-specific, informed, freely given consent with easy withdrawal
Data Principal rights — access, correction, erasure, grievance redressal, nomination of representative
Data Fiduciary obligations — purpose limitation, data minimization, storage limitation, accuracy
Significant Data Fiduciary — additional obligations for large-scale processors (DPO appointment, audits, DPIA)
Cross-border data transfer — allowed to notified countries, restricted to others
Children's data — verifiable parental consent required, no behavioral tracking of minors
Data breach notification — mandatory reporting to Data Protection Board of India
Penalties & Enforcement
Failure to prevent data breach: up to ₹250 crore (~$30M)
Non-compliance with children's data provisions: up to ₹200 crore (~$24M)
Failure to notify Data Protection Board of breach: up to ₹200 crore (~$24M)
Non-fulfillment of Data Fiduciary obligations: up to ₹150 crore (~$18M)
Failure to appoint Data Protection Officer (Significant Data Fiduciary): up to ₹150 crore
Enforcement by Data Protection Board of India (DPBI) — a quasi-judicial body
Real Enforcement Examples
AIIMS Delhi (2022): Ransomware attack on India's premier hospital disrupted services for 15 days. Over 40 million patient records at risk. Highlighted the urgent need for healthcare data protection.
CoWIN Platform (2023): Alleged exposure of personal data of Indian citizens via Telegram bots. The government denied a breach, but the incident accelerated DPDPA enforcement discussions.
How VertiComply Helps
Consent management with granular opt-in/opt-out flows per DPDPA requirements
Data Principal rights endpoints — access, correction, erasure built into generated code
Purpose limitation — data processing tied to specific, declared purposes
Data breach detection and notification workflows
Storage limitation — automated data retention and deletion policies
Audit trail for all personal data processing activities
Cross-border transfer documentation and safeguards
Frequently Asked Questions
Does DPDPA apply to healthcare apps?
Yes. Any app processing digital personal data of Indian residents must comply. Health data receives heightened protection. Hospitals, clinics, telemedicine platforms, health insurance companies, and their vendors are all covered.
How is DPDPA different from GDPR?
DPDPA is simpler with fewer data subject rights (no portability right). It allows deemed consent in emergencies. Penalties are capped (GDPR is percentage-based). DPDPA has no equivalent of GDPR's DPO mandate for all organizations — only Significant Data Fiduciaries need one.
When does DPDPA enforcement begin?
Implementation rules were notified in November 2025 with an 18-month compliance window, making mid-2027 the effective deadline for most organizations. Some provisions may be enforced earlier.
Do I need both DPDPA and HIPAA?
If your app serves Indian users, DPDPA applies. If it also handles US patient data, HIPAA applies. Many healthcare apps serving both markets need both. VertiComply supports both frameworks simultaneously.
What is a Significant Data Fiduciary?
An organization processing large volumes of personal data or sensitive data (including health data). They must appoint a Data Protection Officer, conduct DPIAs, and undergo periodic audits. Most healthcare platforms handling patient data at scale qualify.
Build DPDPA-compliant from day one
VertiComply generates production-ready code with DPDPA safeguards built in automatically.
Quick Facts
Region: India
Category: Data Protection
Max Penalty: Up to ₹250 crore (~$30M USD)
Manual Timeline: 6 to 12 months
With VertiComply: Minutes