Skip to content
Regulation · DPDP Act 2023

DPDP Act 2023 — what changes for AI in Indian enterprises

India’s first comprehensive personal-data law arrived in 2023. Draft DPDP Rules were released in 2025 with phased implementation timelines. Together, they reshape every AI deployment that touches personal data — model training, agent runs, audit logs, the whole pipeline. Here’s what the law actually requires, and where Vihaya’s primitives are designed to line up against each obligation.

up to ₹250Cr
Maximum penalty under the Act
6 hours
CERT-In cyber-incident reporting window (separate obligation)
Aug 2023
Date of enactment

What the Act establishes

The Act creates the data fiduciary — the entity that determines the purpose and means of processing personal data. Banks, insurers, hospitals, and telcos are all data fiduciaries for their customers’ personal data. Every AI system they deploy that touches that data inherits the fiduciary’s obligations.

Those obligations are concrete: process only for the specified purpose; obtain valid consent; maintain reasonable security safeguards; respect the data principal’s rights to access, correction, and erasure; notify breaches without delay. Penalties for failure may extend to ₹250 crore.

How Vihaya’s primitives are designed to map to DPDP obligations

DPDP obligationVihaya primitiveHow it would land
Purpose limitationAudit trail with purpose fieldEvery action designed to record the declared purpose
Consent record-keepingCompliance packageConsent events designed to link to data-principal records
Reasonable security safeguardsEncryption + audit + RBACDesigned for TLS 1.2+, at-rest via KMS, append-only log, scoped roles
Breach notificationIncident-event hooksDesigned to surface into the customer’s CERT-In reporting workflow
Right to erasurePer-tenant data deletionHard-delete primitives with audit trail of the deletion itself
Children’s data protectionAdaptive guardrailsPluggable rules designed to block child-data processing without parental consent

DPDP & AI FAQ

What is the DPDP Act 2023?

The Digital Personal Data Protection Act 2023 is India’s federal personal-data-protection law, enacted in August 2023. It establishes the data-fiduciary role (the entity that determines the purpose and means of processing), the data-principal’s rights, notice and consent requirements, purpose limitation, breach-notification obligations, and penalties that may extend to ₹250 crore. Draft DPDP Rules were released in January 2025 with phased implementation timelines.

Does DPDP apply to AI systems?

Yes — emphatically. Any AI system processing personal data of individuals in India falls under DPDP. Training data, prompts, model outputs, and audit logs are all in scope when they touch personal data. Cross-border transfer of personal data is restricted by the Act and notified countries list.

What’s the breach-notification timeline?

DPDP requires notification to the Data Protection Board of India and to affected data principals ‘without delay’. Paired with CERT-In’s directions (which require notification within 6 hours of detection for specified cyber incidents), enterprises operate to a 6-hour internal-reporting target.

How does Vihaya help with DPDP compliance?

Vihaya’s append-only audit trail is designed to record every data-processing action with purpose, actor, resource, and outcome — supporting the data fiduciary’s obligations. PII redaction in logs is configurable per tenant. Consent + notice surfaces are designed to wire into the customer’s existing data-principal touchpoints during the engagement. Breach-detection hooks are designed to integrate with the customer’s CERT-In reporting workflow. DPDP compliance is the data fiduciary’s organisational determination; Vihaya provides primitives, not certification.

What penalties does DPDP impose?

Penalties may extend to ₹250 crore for failure to take reasonable security safeguards; up to ₹200 crore for failure to notify a breach; and up to ₹200 crore for non-compliance with children’s data protection. These maximum-penalty figures changed the cost of an audit-failure or breach materially — and made audit-grade decisioning a board-level concern.

Next step

Want to see this in your environment?

30-minute discovery call. We follow up with a draft SOW shortly after.

Talk to us about a pilot