DPDPA 2023: a plain-English compliance checklist

Published 5 July 2026 · by Vora

The Digital Personal Data Protection Act, 2023, usually shortened to DPDPA, is India's main data-protection law. It applies to any business that handles the digital personal data of people in India, whom the Act calls data principals. If you collect names, emails, phone numbers, or payment details, it applies to you. Here is a practical way to get in shape.

The checklist

  1. Map what you hold. Know what personal data you collect, why you collect it, where it lives, and who you share it with.
  2. Get consent properly. Consent has to be free, specific, informed, and unambiguous, given by a clear action. Keep a record of it.
  3. Give a clear notice. Tell people what you collect, what it is for, and how they can use their rights, in plain language and in the listed Indian languages where relevant.
  4. Respect people's rights. Offer easy ways to access, correct, and erase data, and to withdraw consent as simply as it was given.
  5. Keep only what you need. Use data for the purpose you stated, and delete it once that purpose is done.
  6. Secure it. Put reasonable safeguards in place to prevent a breach.
  7. Be ready for a breach. Have a plan to notify the Data Protection Board and the people affected if personal data is exposed.
  8. Take extra care with children. Processing a child's data generally needs verifiable parental consent, and tracking or targeting children is restricted.
  9. Name a grievance contact. Publish a point of contact for data complaints, and answer them within a reasonable time.
  10. Cover your vendors. Use a written contract with anyone who processes personal data on your behalf.

Where this shows up in your contracts

Vendor and SaaS agreements increasingly need data-processing terms that match the DPDPA. When you review a contract, check that the confidentiality and data clauses actually reflect these duties.

Try Vora on your next contract

Vora is a pocket AI legal assistant built for India. Upload a contract and it reviews and drafts, builds issues lists, and runs legal research grounded in Indian law. Use it for a fast first pass before you bring in a lawyer.

Frequently asked questions

Who does the DPDPA apply to?

It applies to processing digital personal data inside India, and to processing outside India that involves offering goods or services to people in India. In practice, most businesses that handle Indian customers' data are covered.

What counts as personal data?

Any data about a person who can be identified by it or in relation to it, such as a name, email, phone number, or a payment identifier held in digital form.

Do I need consent for every use of data?

Usually yes. Consent must be free, specific, informed, and unambiguous, although the Act does allow some defined legitimate uses. The safe habit is a clear notice plus recorded consent for each purpose.

What happens if a business does not comply?

The Data Protection Board of India can impose significant financial penalties, depending on how serious the failure is. It is worth treating compliance as a priority rather than an afterthought.

Can Vora help with DPDPA clauses?

Vora can review vendor and SaaS agreements, flag whether the data and confidentiality clauses line up with DPDPA duties, and suggest improvements. It is a helpful first pass, not a replacement for legal advice.