DPDP Act 2023
India's data protection law decoded for teams building AI products — what it requires, what it penalizes, and how to comply
Key Takeaways
- The DPDP Act creates 6 core obligations: lawful purpose, consent, data minimization, storage limitation, accuracy, and accountability
- Every LLM call that processes personal data must have purpose limitation, consent tracking, and audit evidence
- Maximum penalty is ₹250 crore per violation — this applies to AI systems that forward unprotected PII to model providers
- The Act applies to any entity processing Indian personal data, regardless of where the entity is incorporated
What Is the DPDP Act 2023?
The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection law. It establishes obligations for any entity — called a 'data fiduciary' — that processes personal data of Indian residents. If your AI product touches Indian user data, this law applies to you.
The Act was passed by Parliament in August 2023 and represents India's answer to GDPR. But it's not a copy — it has India-specific provisions around Aadhaar data, children's data, government exemptions, and a consent framework tailored to India's digital ecosystem.
For AI teams specifically, the DPDP Act means that every interaction between your application and an LLM provider is a data processing activity that must comply with the Act's six core obligations. This isn't theoretical — the Data Protection Board has enforcement powers and penalties reach ₹250 crore.
The Six Core Obligations
The DPDP Act establishes six fundamental obligations for data fiduciaries: lawful purpose, consent, data minimization, storage limitation, accuracy, and accountability. Each has direct implications for AI systems.
What This Means for AI Products
If your SaaS product uses AI to process customer data, every LLM API call is a data processing activity under the DPDP Act. This means:
You need explicit consent that mentions AI processing — a generic privacy policy isn't enough. Users must know their data will be sent to model providers.
You must implement data minimization — strip personal data from prompts before they reach model providers. If a summarization task only needs the topic, the customer's name and Aadhaar number must be removed.
You need audit evidence — tamper-evident logs proving that governance controls were applied to every AI interaction. When the Data Protection Board asks for proof, 'we have a policy' isn't sufficient. You need timestamped records.
Penalties and Enforcement
The DPDP Act establishes a tiered penalty structure. The maximum penalty of ₹250 crore applies to failures in implementing reasonable security safeguards — which includes forwarding unprotected personal data to external AI providers.
The Data Protection Board of India (DPBI) has the authority to investigate complaints, conduct inquiries, and impose penalties. Unlike GDPR's percentage-of-revenue model, DPDP uses fixed maximum amounts per violation category.
Key penalty triggers for AI systems: failing to implement data minimization (sending full PII to model providers), not obtaining AI-specific consent, failing to notify breaches within 72 hours, and not maintaining adequate audit trails.
Practical Compliance for AI Teams
A step-by-step compliance checklist for engineering teams building AI products:
- Implement PII detection and masking at the gateway level — before data reaches any model provider
- Update consent flows to explicitly mention AI processing and name the model providers
- Add purpose limitation controls — each AI feature needs its own declared purpose
- Implement data retention policies — conversation logs and audit trails need expiry dates
- Deploy tamper-evident audit logging for all AI interactions
- Create a data map showing where personal data flows through your AI pipeline
- Establish a 72-hour breach notification process with pre-drafted templates
- Document your AI governance controls for regulatory inspection
- Test your PII detection against Indian identifier formats (Aadhaar, PAN, UPI, etc.)
- Implement right-to-erasure workflows that cover AI conversation logs and embeddings
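One way to implement the gateway-level masking and tamper-evident audit steps from the checklist above (and the data minimization and audit evidence points under "What This Means for AI Products"), as an added example that is not CrewCheck's code: it masks Aadhaar (validating the Verhoeff check digit UIDAI uses, so a random 12-digit order id is not redacted), PAN and UPI identifiers before a prompt leaves your infrastructure, then appends a chain-hashed audit record. The identifier patterns, record fields and function names are this example's own assumptions.

```python
import hashlib, json, re, time

# Verhoeff tables (UIDAI's Aadhaar check digit): multiplication, permutation and inverse.
_D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],[3,4,0,1,2,8,9,5,6,7],[4,0,1,2,3,9,5,6,7,8],
      [5,9,8,7,6,0,4,3,2,1],[6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],[8,7,6,5,9,3,2,1,0,4],[9,8,7,6,5,4,3,2,1,0]]
_P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],[8,9,1,6,0,4,3,5,2,7],
      [9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],[2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]
_INV = [0,4,3,2,1,5,6,7,8,9]

def verhoeff(digits, generate=False):
    """Validate a digit string ending in its check digit; with generate=True return the check digit for a base."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[(i + (1 if generate else 0)) % 8][int(ch)]]
    return str(_INV[c]) if generate else c == 0

# Assumed formats (not from the page): Aadhaar 12 digits, first digit 2-9, often written 4-4-4; PAN AAAPA9999A (4th letter = holder type); UPI VPA handle@psp.
PATTERNS = {"AADHAAR": re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b"),
            "PAN": re.compile(r"\b[A-Z]{3}[ABCFGHLJPT][A-Z]\d{4}[A-Z]\b"),
            "UPI": re.compile(r"\b[A-Za-z0-9._-]{2,}@[A-Za-z]{2,}\b")}

def mask_pii(text):
    """Replace detected identifiers with type tokens; return (masked_text, counts_by_type)."""
    counts = {}
    def sub(kind, m):
        if kind == "AADHAAR" and not verhoeff(re.sub(r"\D", "", m.group())):
            return m.group()  # 12 digits with a bad check digit are not an Aadhaar number (e.g. an order id)
        counts[kind] = counts.get(kind, 0) + 1
        return f"[{kind}_REDACTED]"
    for kind, pat in PATTERNS.items():
        text = pat.sub(lambda m, k=kind: sub(k, m), text)
    return text, counts

def _digest(body): return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def process_prompt(prompt, purpose, chain):
    """Gateway step: mask, then append a chain-hashed audit record; only the masked text is passed on."""
    masked, counts = mask_pii(prompt)
    body = {"ts": time.time(), "purpose": purpose, "masked": counts, "prev": chain[-1]["hash"] if chain else "0" * 64,
            "prompt_sha256": hashlib.sha256(masked.encode()).hexdigest()}
    chain.append({**body, "hash": _digest(body)})
    return masked

def verify_chain(records, genesis="0" * 64):
    """Recompute every hash and link; an edited, deleted or reordered record makes this False."""
    for r in records:
        if r["prev"] != genesis or _digest({k: v for k, v in r.items() if k != "hash"}) != r["hash"]:
            return False
        genesis = r["hash"]
    return True
```

The audit record stores only a hash of the masked prompt, not the prompt itself, so the log can be kept for the retention period without becoming a second copy of the personal data. Run the checklist's format tests against `mask_pii` with constructed identifiers: a zero count on a prompt you know contains PII is a failing test, not a pass.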
DPDP vs. GDPR: Key Differences for AI
Teams already GDPR-compliant often assume DPDP compliance follows automatically. It doesn't. Key differences affect AI implementations:
GDPR Approach
- Legitimate interest can justify processing without consent
- Penalties up to 4% of global revenue
- DPO appointment mandatory for large-scale processing
- Right to explanation for automated decisions
- 72-hour breach notification to supervisory authority
- Cross-border transfers via adequacy decisions or SCCs
DPDP Act Approach
- Consent or 'certain legitimate uses' (narrower than GDPR)
- Fixed penalties up to ₹250 crore per violation
- No mandatory DPO — but accountability obligation exists
- No explicit right to explanation (yet)
- Breach notification to DPBI — timeline TBD in rules
- Cross-border transfers allowed except to notified countries
How CrewCheck Enables DPDP Compliance
CrewCheck's governance platform addresses each DPDP obligation at the AI infrastructure level:
Data Minimization: The LLM gateway automatically detects and masks 12+ Indian PII types before requests reach model providers. No personal data leaves your infrastructure unnecessarily.
Consent Tracking: Integration with your consent management system ensures that AI processing only occurs for users who have given AI-specific consent.
Audit Evidence: Every AI interaction generates tamper-evident audit records with chain-hashed integrity. Export compliance reports for regulatory inspection in one click.
Purpose Limitation: Policy packs enforce that each AI agent only processes data types relevant to its declared purpose. A customer support agent can't access financial data meant for the lending agent.
Breach Detection: Real-time monitoring alerts you immediately if PII bypasses controls, enabling rapid breach assessment and notification within regulatory timelines.
Frequently Asked Questions
Does the DPDP Act apply to AI companies outside India?
Yes. The Act applies to any entity processing personal data of Indian residents, regardless of where the entity is incorporated. If your AI product has Indian users, you must comply.
Is sending data to OpenAI/Anthropic a cross-border transfer?
Yes. When prompts containing personal data are sent to model providers with servers outside India, that constitutes a cross-border data transfer. The DPDP Act allows this unless the destination country is specifically restricted by the government.
Do I need separate consent for each AI feature?
The Act requires purpose-specific consent. If you use AI for customer support AND analytics AND personalization, each purpose needs its own consent. A blanket 'we use AI' consent is likely insufficient.
What counts as 'reasonable security safeguards' for AI?
The Act doesn't define this precisely, but industry standards include: PII detection and masking, encryption in transit and at rest, access controls, audit logging, and regular security assessments. A governance gateway that enforces these controls demonstrates reasonable safeguards.