The Digital Personal Data Protection Act, 2023 ("DPDP Act") is India's first comprehensive data protection law. If your product processes personal data of people in India — and most SaaS products do — DPDP Act applies to you. The introduction of AI features does not change whether the Act applies. It only widens the surface of how you can fail it.
Who is a Data Fiduciary
Section 2(i) defines a Data Fiduciary as "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data." In plain English: if you decide what to do with user data and how, you are a Data Fiduciary.
If your app collects an email and stores it in a database — you are a Data Fiduciary. If your app sends user messages to OpenAI for summarisation — you are a Data Fiduciary, and OpenAI is your Data Processor. If your app fine-tunes a model on user content — you are a Data Fiduciary with elevated risk, because training data is much harder to delete.
The core obligations
Consent must be free, specific, informed, unconditional, and unambiguous, with a clear notice that names the personal data being collected and the purpose. Consent for "using AI" is not sufficient; the notice must name the categories of data and the specific processing.
Erasure: a Data Principal can ask you to delete their data. For AI systems, this is the hard part. Embeddings, fine-tuned weights, and retrieval indices all have to be in scope of your deletion process — and you must be able to prove the deletion.
Breach notification: notify the Data Protection Board and affected Data Principals "in such form and manner" as prescribed. Treat this as a 72-hour clock and prepare templates in advance.
Where AI specifically changes your exposure
Cross-border transfers: many AI providers process data outside India. The Act requires the Central Government to notify restricted countries; until that list stabilises, document the provider, the destination, the data categories, and the lawful basis.
Significant Data Fiduciary (SDF): if you are designated an SDF by the Government — based on volume, sensitivity, or risk — you incur additional obligations including a Data Protection Officer, DPIAs for high-risk processing, and periodic audits. AI processing on a meaningful scale will pull you into this bucket faster than non-AI processing.
Children's data (under 18): you cannot process children's data without verifiable parental consent, and you cannot do behavioural monitoring or targeted advertising at all. If your AI personalises in any way, age-gating is not optional.
The ₹250 crore number
The headline penalty cap is ₹250 crore per breach. The Board can also order remedial measures and impose lower penalties for specific failures. The point is not that ₹250 crore is the typical outcome — the point is that the cap is high enough that procurement teams at any reasonable enterprise will demand to see a serious compliance posture before signing.
Treat DPDP as a procurement gating item, not just a regulatory one. The cost of building it correctly is less than the cost of explaining why you have not.
Minimum viable compliance for an AI startup
Privacy notice that names the AI providers and the data categories sent to each. Consent capture that maps to that notice. A Data Subject Rights process that covers retrieval indices and embeddings, not just SQL tables. Sub-processor inventory. A breach response runbook. A DPIA for the AI feature.
That is the baseline. Our compliance program builds it for you against DPDP Act and aligns it to ISO/IEC 42001 and NIST AI RMF in the same engagement so the same documentation serves both regulators and enterprise buyers.