Act structure

How the DPDP Act, 2023 is organized (chapter map)

Audience: legal-adjacent operators, privacy program owners, founders · Use alongside the official text · Last reviewed: March 2026

This page is a navigation map, not a substitute for reading the statute. It groups the Act’s architecture in the order most teams use when building a program: scope and language first, fiduciary duties second, data-principal rights next, children and sensitive design questions, the regulator, appeals, and penalties and miscellaneous duties.

Always confirm section numbers, amendments, and notified rules against the authoritative sources listed on the official resources page and the rules & updates index. Use this site for operational translation; use counsel for high-risk interpretation.

Statute spine clusters

Deep dives aligned to how teams staff work—each links onward to checklists and the rules & updates page.

Turn the map into tickets: start with a cross-cutting checklist, then drill into workflows.

Why a chapter map matters for implementation

Companies rarely fail because nobody read a blog post. They fail because obligations are scattered across teams (product, marketing, HR, support, infra) and nobody connects the law’s structure to tickets, owners, and evidence. A map helps you assign reading homework, run section-aware reviews, and explain to leadership where process gaps usually appear.

High-level structure of the Digital Personal Data Protection Act, 2023

The Act is organized into thematic chapters. Labels below follow the commonly cited outline of the statute; numbering and exact grouping can be verified in the official gazetted version.

Preliminary

Defines the legal frame: key definitions, application, and interpretive anchors. For day-to-day work, this chapter is why teams obsess over definitions (what is in scope as personal data, who is a fiduciary, what is processing).

Obligations of data fiduciaries

This is the operational core for most companies: how collection, notice, consent quality, security practices, breach thinking, and governance duties are expected to work in practice.

Rights and duties of data principals

This chapter is where request handling becomes real: access, correction, erasure, nomination, and grievance expectations from the individual’s side.

Special provisions (children and guardian contexts)

When processing relates to children, additional safeguards and design constraints matter. Product and trust teams often underestimate how many journeys technically touch minors.

Data Protection Board of India

Institutional design: how the Board fits into complaints, inquiries, directions, and the overall regulatory stance. Even if you never interact with the Board directly, your program’s maturity is judged partly against what the Board could reasonably ask to see.

Appeals and dispute resolution

How review layers work in principle. Legal teams usually own this thread; operators should still understand timelines and escalation because customer communication overlaps with legal process.

Miscellaneous (including penalties and duties)

Penalty ranges, duties that cut across the regime, and transitional or cross-cutting provisions often land here. This is where “paper compliance” versus evidence of process shows up under pressure.

From map to program: a practical sequence

  1. Scope session using foundations pages and an initial inventory.
  2. Fiduciary workflow pass using the checklist and notice/consent pages.
  3. Rights drill using request-handling guides and a small tabletop exercise.
  4. Vendor and processor pass using the vendor checklist and DPA review page.
  5. Board-facing readiness using complaint prep, recordkeeping, and penalties context—not fear-based theater, but defensible process proof.