DPDP Act 2023 — what changes for AI in Indian enterprises.
India's first comprehensive personal-data law arrived in 2023. The DPDP Rules of 2025 made it operational. Together, they reshape every AI deployment that touches personal data — model training, agent runs, audit logs, the whole pipeline. Here's what the law actually requires, and where Vihaya's primitives line up against each obligation.
What the Act establishes
The Act creates the data fiduciary — the entity that determines the purpose and means of processing personal data. Banks, insurers, hospitals, and telcos are all data fiduciaries for their customers' personal data. Every AI system they deploy that touches that data inherits the fiduciary's obligations.
Those obligations are concrete: process only for the specified purpose; obtain valid consent (verifiable parental consent for a child's data); maintain reasonable security safeguards; respect the data principal's rights to access, correction, and erasure; notify the Data Protection Board and affected data principals of breaches without delay. Penalties for failure run up to ₹250 crore per instance.
How Vihaya's primitives map to DPDP obligations
| DPDP obligation | Vihaya primitive | How it lands |
|---|---|---|
| Purpose limitation | Audit trail with purpose field | Every action records the declared purpose |
| Consent record-keeping | Compliance package | Consent events linked to data-principal records |
| Reasonable security safeguards | Encryption + audit + RBAC | TLS 1.2+, at-rest via KMS, append-only log, scoped roles |
| Breach notification | Incident-event hooks | Raises incident events into your existing reporting workflow: the CERT-In 6-hour cyber-incident clock and the DPDP intimation to the Board and affected data principals |
| Right to erasure | Per-tenant data deletion | Hard-delete primitives with audit trail of the deletion itself |
| Children's data protection | Adaptive guardrails | Pluggable rules block processing of a child's data where verifiable parental consent is absent |
DPDP & AI FAQ
What is the DPDP Act 2023?
The Digital Personal Data Protection Act 2023 is India's national personal-data-protection law, enacted in August 2023. It applies to digital personal data and establishes the data-fiduciary role (the entity that determines the purpose and means of processing), the data principal's rights, notice and consent requirements, purpose limitation, breach-notification obligations, and penalties up to ₹250 crore per instance. The DPDP Rules, 2025 operationalised the framework with implementation timelines.
Does DPDP apply to AI systems?
Yes — emphatically. Any AI system processing digital personal data within India, or outside India in connection with offering goods or services to data principals in India, falls under DPDP. Training data, prompts, model outputs, and audit logs are all in scope when they touch personal data. Cross-border transfer is permitted except to countries the Central Government restricts by notification, and remains subject to any stricter sector-specific rules.
What's the breach-notification timeline?
DPDP requires the data fiduciary to intimate the Data Protection Board of India and each affected data principal 'without delay'; the DPDP Rules, 2025 add that detailed breach information must reach the Board within 72 hours of becoming aware (or a longer period the Board allows). Paired with CERT-In's directions (which require notification within 6 hours of noticing specified cyber incidents), enterprises operate to a 6-hour internal-reporting target.
How does Vihaya help with DPDP compliance?
Vihaya's append-only audit trail records every data-processing action with purpose, actor, resource, and outcome — supporting the demonstration of data-fiduciary obligations. PII redaction in logs is configurable per tenant. Consent + notice surfaces wire into the customer's existing data-principal touchpoints during the engagement. Breach-detection hooks integrate with the customer's CERT-In reporting workflow within the 6-hour window.
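The paragraph above describes the properties an audit trail needs for DPDP: every action carries purpose, actor, resource and outcome; the log is append-only; PII is kept out of it; and erasure leaves a record of itself. The sketch below is an added illustration of how those properties fit together, not Vihaya's code or API. It assumes a hypothetical in-memory `AuditTrail` class, a constructed consent register `CONSENTS`, and constructed sample records; the chain is SHA-256 hash-linked, PII lives in a side vault referenced only by a per-principal HMAC pseudonym, and erasure shreds that principal's key so earlier entries become unlinkable while the chain still verifies.

```python
# Added illustration, not Vihaya's code. Hash-chained append-only audit log
# whose entries carry purpose/actor/resource/outcome, keep PII out of the
# chain, and record erasure as a log entry so the chain stays verifiable.
import hashlib
import hmac
import json
import os
import time

GENESIS = "0" * 64

# Constructed sample consent register: principal -> purposes consented to.
CONSENTS = {"dp-001": {"kyc", "fraud_detection"}}


def _canonical(record: dict) -> str:
    """Stable serialisation so the hash does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


class AuditTrail:
    """Hypothetical in-memory trail; a real deployment would persist entries."""

    def __init__(self):
        self.entries = []   # chained entries: {"prev", "record", "hash"}
        self.vault = {}     # principal_id -> PII fields, kept outside the chain
        self.keys = {}      # principal_id -> per-principal pseudonymisation key

    def _ref(self, principal_id: str) -> str:
        """Pseudonymous reference; unlinkable once the principal's key is shredded."""
        key = self.keys.setdefault(principal_id, os.urandom(32))
        return hmac.new(key, principal_id.encode(), "sha256").hexdigest()

    def _append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = hashlib.sha256((prev + _canonical(record)).encode()).hexdigest()
        entry = {"prev": prev, "record": record, "hash": digest}
        self.entries.append(entry)
        return entry

    def log_action(self, actor, purpose, resource, principal_id, pii=None) -> dict:
        """Record an action; refuse (but still log) if the purpose is not consented."""
        allowed = purpose in CONSENTS.get(principal_id, set())
        if allowed and pii:
            self.vault.setdefault(principal_id, {}).update(pii)
        record = {
            "ts": time.time(),
            "actor": actor,
            "purpose": purpose,
            "resource": resource,
            "principal_ref": self._ref(principal_id),
            "pii_fields": sorted(pii or {}),   # field names only, never values
            "outcome": "ok" if allowed else "denied: purpose not consented",
        }
        return self._append(record)

    def erase(self, actor, principal_id) -> dict:
        """Right to erasure: drop PII, shred the key, then log the deletion itself."""
        ref = self._ref(principal_id)
        removed = sorted(self.vault.pop(principal_id, {}))
        self.keys.pop(principal_id, None)
        return self._append({"ts": time.time(), "actor": actor, "purpose": "erasure",
                             "resource": "vault", "principal_ref": ref,
                             "pii_fields": removed, "outcome": "ok"})

    def verify(self) -> bool:
        """Recompute the chain; any edited or dropped entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            expected = hashlib.sha256((prev + _canonical(e["record"])).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def demo() -> AuditTrail:
    """Constructed scenario: consented action, refused action, then erasure."""
    t = AuditTrail()
    t.log_action("kyc-agent", "kyc", "customer/dp-001", "dp-001",
                 pii={"name": "A. Sharma", "pan": "ABCDE1234F"})  # constructed values
    t.log_action("marketing-agent", "marketing", "customer/dp-001", "dp-001")
    t.erase("dsr-service", "dp-001")
    return t


if __name__ == "__main__":
    trail = demo()
    print("chain valid:", trail.verify())
    for e in trail.entries:
        print(e["record"]["purpose"], "->", e["record"]["outcome"])
```

The design point is the tension between an append-only log and the right to erasure: the chain hashes a pseudonymous reference and field names, never the PII values, so deleting the vault contents and the per-principal key satisfies erasure without rewriting history, and the deletion is itself the last entry in the chain.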
What penalties does DPDP impose?
Tiered penalties up to ₹250 crore per instance for failure to take reasonable security safeguards. Up to ₹200 crore for failure to notify a breach. Penalties for non-compliance with children's data protection are up to ₹200 crore. These figures changed the cost of an audit-failure or breach materially — and made audit-grade decisioning a board-level concern.
Want to see this in your environment?
30-minute discovery call. Draft SOW within 5 business days.
Talk to us about a pilot →