DPDP Act 2023 — what changes for AI in Indian enterprises
India’s first comprehensive personal-data law arrived in 2023. Draft DPDP Rules were released in 2025 with phased implementation timelines. Together, they reshape every AI deployment that touches personal data — model training, agent runs, audit logs, the whole pipeline. Here’s what the law actually requires, and where Vihaya’s primitives are designed to line up against each obligation.
What the Act establishes
The Act creates the data fiduciary — the entity that determines the purpose and means of processing personal data. Banks, insurers, hospitals, and telcos are all data fiduciaries for their customers’ personal data. Every AI system they deploy that touches that data inherits the fiduciary’s obligations.
Those obligations are concrete: process only for the specified purpose; obtain valid consent; maintain reasonable security safeguards; respect the data principal’s rights to access, correction, and erasure; notify breaches without delay. Penalties for failure may extend to ₹250 crore.
How Vihaya’s primitives are designed to map to DPDP obligations
| DPDP obligation | Vihaya primitive | How it would land |
|---|---|---|
| Purpose limitation | Audit trail with purpose field | Every action designed to record the declared purpose |
| Consent record-keeping | Compliance package | Consent events designed to link to data-principal records |
| Reasonable security safeguards | Encryption + audit + RBAC | Designed for TLS 1.2+, at-rest via KMS, append-only log, scoped roles |
| Breach notification | Incident-event hooks | Designed to surface into the customer’s CERT-In reporting workflow |
| Right to erasure | Per-tenant data deletion | Hard-delete primitives with audit trail of the deletion itself |
| Children’s data protection | Adaptive guardrails | Pluggable rules designed to block child-data processing without parental consent |
DPDP & AI FAQ
What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 is India’s federal personal-data-protection law, enacted in August 2023. It establishes the data-fiduciary role (the entity that determines the purpose and means of processing), the data-principal’s rights, notice and consent requirements, purpose limitation, breach-notification obligations, and penalties that may extend to ₹250 crore. Draft DPDP Rules were released in January 2025 with phased implementation timelines.
Does DPDP apply to AI systems?
Yes — emphatically. Any AI system processing personal data of individuals in India falls under DPDP. Training data, prompts, model outputs, and audit logs are all in scope when they touch personal data. Cross-border transfer of personal data is restricted by the Act and notified countries list.
What’s the breach-notification timeline?
DPDP requires notification to the Data Protection Board of India and to affected data principals ‘without delay’. Paired with CERT-In’s directions (which require notification within 6 hours of detection for specified cyber incidents), enterprises operate to a 6-hour internal-reporting target.
How does Vihaya help with DPDP compliance?
Vihaya’s append-only audit trail is designed to record every data-processing action with purpose, actor, resource, and outcome — supporting the data fiduciary’s obligations. PII redaction in logs is configurable per tenant. Consent + notice surfaces are designed to wire into the customer’s existing data-principal touchpoints during the engagement. Breach-detection hooks are designed to integrate with the customer’s CERT-In reporting workflow. DPDP compliance is the data fiduciary’s organisational determination; Vihaya provides primitives, not certification.
What penalties does DPDP impose?
Penalties may extend to ₹250 crore for failure to take reasonable security safeguards; up to ₹200 crore for failure to notify a breach; and up to ₹200 crore for non-compliance with children’s data protection. These maximum-penalty figures changed the cost of an audit-failure or breach materially — and made audit-grade decisioning a board-level concern.
Want to see this in your environment?
30-minute discovery call. We follow up with a draft SOW shortly after.
Talk to us about a pilot