What the DPDP Act, 2023 means for you, in plain English.
A primer for people who do not have time to read the bare Act, but who want to know what changed in their daily life.
The Digital Personal Data Protection Act, 2023 was passed by Parliament in August 2023 and notified into law. The implementing rules, called the Digital Personal Data Protection Rules, 2025, were notified on 13 November 2025. The Data Protection Board of India (DPB) began intake of complaints in early 2026, and the staged operation of the Act runs through May 2027.
Here is what that means, without legalese.
The Act treats you as a person, not as a user.
The most important shift is that the law calls you a Data Principal. Not a customer, not a user, not a subscriber. You are the principal in your own data, and any company that holds your data is acting as your fiduciary. The word "fiduciary" matters. It is the same word the law uses for trustees, executors of estates, and the relationship between a lawyer and a client. It implies a higher standard of care than "service provider".
In practical terms, every Indian company that holds your digital personal data, from a corner real-estate broker with your phone number on a property listing to a Significant Data Fiduciary like Aadhaar-related entities, is now legally required to handle that data with you in mind. They have to tell you what they hold. They have to give you a way to correct or erase it. They have to appoint a Grievance Officer who responds to you within thirty days.
You have five rights you did not have before.
The Act gives you five enumerated rights:
- Right of access, under Section 11. You can ask any company holding your data: "What do you have on me?" They have to tell you.
- Right of correction, under Section 11. You can ask them to correct, complete, or update inaccurate data.
- Right of erasure, under Section 12. You can ask them to delete your data. Rule 14 gives them ninety days to comply. If your data was processed only on the basis of consent and you withdraw that consent, they have to erase what depended on it.
- Right to nominate, under Section 13. You can name someone to exercise your rights in the event you cannot.
- Right of grievance, under Section 13. You can complain to the company first; if they do not respond satisfactorily within thirty days, you can escalate to the Data Protection Board under Section 27.
These rights are real. Every Indian company holding your data, from your local builder to the largest e-commerce platform, is legally required to honour them. The reason most people have not exercised them is logistical, not legal. Vault.in exists to handle the logistics.
The penalties are big enough to matter.
Section 33 of the Act sets penalties for non-compliant Data Fiduciaries. The headline number is Rs 250 crore (Rs 2.5 billion) for failure to take reasonable security safeguards. There are graded penalties for less serious breaches: Rs 200 crore for failure to notify breaches, Rs 200 crore for non-fulfilment of obligations toward children, Rs 50 crore for breach of general obligations. The Board imposes these after a hearing.
These numbers are not theoretical. The DPB has the power to levy them, and the Act gives it judicial autonomy. Indian companies, especially Significant Data Fiduciaries (SDFs, expected to include large e-commerce platforms, ride-hailing services, social networks, and payments companies), have spent the last twelve months trying to clean up their data houses precisely because of these penalty caps.
What is operative today, what is coming.
The rules came into force in stages. Some provisions are already operative:
- Consent notices must be in your language of choice and must explain the purpose clearly.
- Grievance officers must be appointed and contactable.
- Breach reporting must happen within seventy-two hours of detection, both to the Board and to affected users.
- Erasure requests must be honoured within ninety days.
Some provisions phase in by May 2027:
- Significant Data Fiduciary designation and the additional obligations that come with it.
- Consent Managers: licensed intermediaries that hold and revoke consents on your behalf.
- Cross-border transfer restrictions, which will name countries to which data cannot be transferred.
- Children's data: enhanced parental-consent rules under Section 9.
We file under whatever is operative on the date of your filing. Our templates carry a version number and a date, and we keep an audit trail of which version was used for each notice.
Where this falls short, honestly.
The Act has gaps you should know about.
It has narrow exemptions for State processing under Section 17. That means government databases like MCA director filings, Udyam, RERA, eCourts, and the electoral roll are largely outside the easy-erasure regime. You can still ask, but the path is harder and often requires a writ petition rather than a Section 12 notice.
It treats "journalistic" use favourably, which is the right policy choice but means that news archives are not easy targets for erasure even when the underlying story is years old.
It does not yet have a clear cross-border framework, so for foreign data brokers that hold Indian residents' data abroad, GDPR Article 17 or the CCPA opt-out is often the more reliable route in 2026.
And the Board is new. It will take a few years for its decisions to become predictable. We expect the first few significant orders to come down by mid-2026.
What we do, in one paragraph.
Vault.in scans the Indian internet every day, finds where you are exposed, drafts and sends Section 12 notices in your name, tracks the Rule 14 deadline per fiduciary, escalates to the DPB on day ninety-one if needed, and gives you a written report each month with every action we took on your behalf. We are a Data Fiduciary too; we hold your data under the same Act and treat it with the same care we would want for ourselves.
If you want to see what your exposure looks like before you decide anything else, run a free scan. It takes five minutes and tells you a real number.
See your exposure in five minutes.
Reading is good. Acting is better. The free scan tells you exactly which Section 12 notices you would send today, against which Indian Fiduciaries.