India's Digital Personal Data Protection Act, 2023 (DPDP Act), is the country's first comprehensive data privacy legislation. It governs how personal data of Indian residents may be collected, processed, stored, and transferred. Enacted in August 2023 and progressively operationalised through rules and regulations, the DPDP Act fundamentally changes the legal framework for any application, platform, or service that processes personal data in India. These obligations apply regardless of whether the data fiduciary is incorporated in India or operates from outside the country. This is a practical Digital Personal Data Protection Act engineering guide for software development teams. The Act is not primarily a legal document for engineering teams. It is a set of engineering requirements: consent must be collected in specific ways, data principal rights must be technically honoured, security obligations must be implemented, and breach notification must be automated. This guide covers the engineering reality of how to build DPDP compliant applications in India in 2026, what the Act requires, what must be built, and how to structure the implementation.
The DPDP Act: What It Is, Who Must Comply, and What It Means for Engineering Teams
The Digital Personal Data Protection Act, 2023 (hereinafter the Act or DPDP Act) received Presidential assent on 11 August 2023. It is India's first omnibus personal data protection legislation, replacing a fragmented framework of sector-specific rules with a unified national standard. The Act establishes a rights-based approach to personal data protection: individuals (termed Data Principals under the Act) have specific rights over their personal data, and organisations (termed Data Fiduciaries) processing that data have specific obligations.
The DPDP Act is not GDPR. This DPDP Act vs GDPR comparison for developers matters in practice: both share structural similarities such as consent-based processing, individual rights, and a supervisory authority, but they differ significantly in scope, enforcement architecture, and specific obligations. Engineering teams with GDPR experience will find familiar concepts alongside important differences, particularly in the consent framework's specific requirements, the children's data provisions, and India's data localisation considerations under the Significant Data Fiduciary category.
Scope: Who Must Comply
| Actor | Compliance Obligation | Non-Indian Entities | Exemption |
| Data Fiduciary | Full compliance: lawful basis, notice, consent management, data principal rights, security, breach notification | Explicit extra-territorial scope. A US company processing Indian users' data must comply. | Government state functions; research/journalism/archiving in public interest; national security; personal/domestic use |
Significant Data Fiduciary (SDF) Notified by the Central Government
| All Data Fiduciary obligations plus: DPO appointment; independent data auditor; periodic DPIA; additional prescribed obligations | Same as Data Fiduciary. SDFs are expected to be large technology platforms and data-intensive businesses. | Not separately defined. SDF status is notified by the Central Government based on volume, sensitivity, and risk criteria. |
| Data Processor | Process only as directed by the Data Fiduciary. No independent lawful basis obligations. Must comply with security obligations. | Relevant to offshore software firms, cloud providers, and BPO/KPO processing Indian personal data. | No independent exemption. Obligations flow through the Data Fiduciary-Data Processor contract. |
| Individual Developer / Startup | Full Data Fiduciary obligations apply. No size threshold exemptions. Startup provisions may appear in the final Rules. | Obligations apply regardless of the company registration country if processing Indian residents' data. | Processing for personal/domestic purposes only (no commercial purpose) |
Definitions Every Engineering Team Must Understand
- Personal Data: Any data about an individual who is identifiable by or in relation to such data. This covers name, email, phone number, Aadhaar number, PAN, biometric data, location data, health data, financial data, browsing history, device identifiers (IMEI, MAC address), and IP addresses where they can identify a person. All of these are personal data under India data protection law software development requirements.
- Digital Personal Data: Personal data in digital form, or personal data collected in non-digital form but subsequently digitised. Any personal data stored in databases, logs, cookies, mobile app storage, or cloud services is digital personal data subject to the Act.
- Processing: Wholly or partly automated operations on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, erasure, and destruction. Any application that collects user data, stores it in a database, serves it to users, or deletes it is performing processing. There is no processing that falls outside the Act's scope.
- Consent: Free, specific, informed, unconditional, and unambiguous indication of a Data Principal's wishes by a clear affirmative action. Pre-ticked checkboxes are not valid consent. Bundled consent for multiple unrelated purposes is not valid. Silence is not consent. Users must be able to withdraw consent as easily as they gave it.
- Legitimate Uses: Processing without consent for specific purposes: state-provided benefits, medical emergency, breakdown of public order, compliance with laws, employment purposes, and sovereign functions. Legitimate uses are narrower than GDPR's legitimate interests. There is no general legitimate interest basis in the DPDP Act for commercial processing. Consent is the primary basis for commercial data processing.
- Data Principal: The individual to whom personal data relates. In an application serving Indian users, every end-user is a Data Principal. Employees whose HR data is processed are Data Principals. Customers whose financial data is processed are Data Principals.
- Data Fiduciary: An entity that, alone or in conjunction with others, determines the purpose and means of processing personal data. The organisation that decides what data to collect and why. Most software product companies are the Data Fiduciary for the personal data of their users.
The Compliance Timeline You Need to Know
The DPDP Rules, 2025, were notified on November 13, 2025. That notification also set a fixed, phased compliance schedule that every engineering team must anchor their roadmap to.
- Phase I became effective immediately on November 13, 2025. This phase covers the establishment of the Data Protection Board of India. The Board exists. Enforcement infrastructure is being built.
- Phase II covers the Consent Manager registration framework and becomes effective November 13, 2026. By this date, Consent Managers must be operational and registered with the Board.
- Phase III is where the full weight of the Act lands. All substantive operational compliance obligations, including consent mechanisms, data rights, security safeguards, breach notification, children's data protections, and cross-border transfer rules under Section 16, become enforceable from May 13, 2027.

Lawful Basis for Processing: Consent Architecture and Legitimate Uses
The DPDP Act establishes two primary bases for lawful processing of personal data: consent of the Data Principal and certain specified legitimate uses. Unlike GDPR's six lawful bases, including a broad legitimate interests provision, the DPDP Act provides no general legitimate interest basis for commercial processing. Consent is therefore the primary lawful basis for most commercial applications processing personal data of Indian users. This makes the design of the consent architecture a central engineering requirement for DPDP Act compliance for software developers.
Read more: How to Build DPDP-Compliant Applications in India
Sign in to leave a comment.