HealthAtoms
Compliance, Privacy & Ethics · article · 5 min · updated Jun 30, 2026

India's DPDP Act

By Rajendra Sharma, RN, CPC, CPB · Reviewed by Rajendra Sharma, RN, CPC, CPB · Jun 29, 2026

India's Digital Personal Data Protection Act 2023 — consent, the data fiduciary's duties, and what it means for health data and ABDM.

DPDP Act 2023

In one line

The Digital Personal Data Protection Act, 2023 (DPDP) is India's general data-protection law. It is built on consent: a data fiduciary (whoever decides why and how personal data is processed) may use a data principal's (the individual's) data only for a clear, notified purpose that the principal has agreed to.

[Diagram: data principal (the individual) → consent → data fiduciary (stated purpose only) → DPB (enforces)]
DPDP's spine: the principal consents, the fiduciary processes only for the notified purpose, and the Data Protection Board enforces.

What it requires

  • Notice & consent — a clear, itemised notice (available in English and Indian languages) and free, specific, informed, revocable consent. Consent managers can broker this — the same idea ABDM uses for health records.
  • Purpose limitation & minimisation — collect only what the stated purpose needs; delete when it's served.
  • Principal's rights — access, correction, erasure, grievance redressal, and nomination.
  • Fiduciary duties — security safeguards, breach notification to the Data Protection Board (DPB) and affected principals; extra obligations for Significant Data Fiduciaries (audits, DPIAs, a Data Protection Officer).
  • Children — verifiable parental consent under 18; no tracking or targeted ads.

Health & ABDM context

Health data is sensitive in practice and central to ABDM, which is built around consent-managed health-record sharing — DPDP gives that model its legal backbone. Penalties run up to ₹250 crore per instance, so this is board-level risk, not a checkbox.

DPDP vs HIPAA — the mental model

HIPAA is sectoral (US health-specific); DPDP is general (all digital personal data, every sector). HIPAA leans on "covered entities and minimum necessary"; DPDP leans on "consent and purpose." Build for both: notified, consented, minimised, secured, erasable.

What it means for builders

Practically, a health app under DPDP needs: a clear, multilingual consent notice at collection; a purpose recorded against each use; an erasure/correction path; security safeguards and a breach-notification route to the DPB; and, for a Significant Data Fiduciary, a DPO and DPIAs. Build consent as a first-class object — the same shape ABDM's consent manager already uses — not a tick-box buried in terms of service.
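A minimal shape for that "consent as a first-class object" idea, as an added illustration (not code from HealthAtoms or from ABDM's consent manager; the class and field names are assumptions): every processing act is authorised against a specific, still-valid consent, denied by default when the purpose was never notified or the consent has been revoked, and logged with its purpose so each use has a purpose recorded against it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Consent:
    """One itemised consent, as a record rather than a buried tick-box."""
    principal_id: str          # data principal (the individual)
    fiduciary_id: str          # data fiduciary that will process the data
    purposes: frozenset        # purposes itemised in the notice shown
    notice_version: str        # which notice text the principal saw
    given_at: datetime
    revoked_at: Optional[datetime] = None   # set on withdrawal, never deleted

class ConsentRegister:
    """Hypothetical in-memory register: grant, revoke, and purpose-bound checks."""

    def __init__(self):
        self._consents = {}   # (principal_id, fiduciary_id) -> Consent
        self.audit = []       # (timestamp, principal, fiduciary, purpose, allowed)

    def grant(self, principal_id, fiduciary_id, purposes, notice_version):
        consent = Consent(principal_id, fiduciary_id, frozenset(purposes),
                          notice_version, datetime.now(timezone.utc))
        self._consents[(principal_id, fiduciary_id)] = consent
        return consent

    def revoke(self, principal_id, fiduciary_id):
        """Withdrawal must be as easy as giving consent; keep the record as evidence."""
        consent = self._consents.get((principal_id, fiduciary_id))
        if consent is not None and consent.revoked_at is None:
            consent.revoked_at = datetime.now(timezone.utc)

    def authorize(self, principal_id, fiduciary_id, purpose):
        """Return (allowed, reason). Deny unless a live consent names this purpose."""
        consent = self._consents.get((principal_id, fiduciary_id))
        if consent is None:
            decision = (False, "no consent on record")
        elif consent.revoked_at is not None:
            decision = (False, "consent revoked")
        elif purpose not in consent.purposes:
            decision = (False, f"purpose '{purpose}' not in notified purposes")
        else:
            decision = (True, "ok")
        # Every attempt, allowed or not, is logged against its stated purpose.
        self.audit.append((datetime.now(timezone.utc), principal_id,
                           fiduciary_id, purpose, decision[0]))
        return decision
```

The same check sits naturally in front of any ABDM-style record share: the caller names the purpose, and the register, not the caller, decides.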

Key takeaways

  • DPDP is India's general data-protection law, built on consent + purpose limitation.
  • Roles: data principal (individual), data fiduciary (decides processing), DPB (enforcer).
  • Health data is central to ABDM, which is consent-managed by design; penalties reach ₹250 crore.
  • HIPAA is sectoral, DPDP is general — build for both: notified, consented, minimised, secured, erasable.

Check your recall



  1. What are the three key roles under India's DPDP Act?

  2. How do HIPAA and DPDP differ in scope?

