
India's DPDPA 2023: What the World's Most Populous Country's Privacy Law Means for Global Data Processing

India's DPDPA covers 1.4B people and the Data Protection Board became operational in 2025. Fines up to ₹250 crore (≈€27M). Aadhaar detection for 1.36B biometric ID holders. What global companies must know.

March 7, 2026 · 10 min read

Tags: India DPDPA, Aadhaar PAN detection, Indian privacy law, Asia Pacific compliance, data protection

India's Digital Personal Data Protection Act (DPDPA 2023) establishes data protection requirements for 1.4 billion people — the world's largest data protection framework by population. The Data Protection Board of India became operational in 2025, marking the beginning of active enforcement. For global organizations serving Indian consumers, processing Indian employee data, or operating with Indian IT service providers, DPDPA compliance is now an active obligation rather than a future one.

DPDPA: Key Framework Overview

Territorial scope: DPDPA applies to processing of digital personal data within India, and to processing outside India for the purpose of offering goods or services to individuals in India. Like GDPR's extraterritorial reach, DPDPA applies to any organization serving Indian consumers regardless of where the processing occurs.

Maximum fines: Up to ₹250 crore (approximately €27 million at current exchange rates) per violation. The Data Protection Board can impose penalties based on severity, duration, and scale.

Legal bases for processing: Consent (voluntary, informed, specific, unambiguous) or legitimate uses defined in the Act (employment, legal obligations, vital interests, public interest functions, research/archiving, national security).

Data principal rights: Right to information about processing, right to correction and erasure, right to grievance redressal, and right to nominate a representative for incapacity situations.

Data fiduciaries (equivalent to GDPR controllers): Organizations processing personal data are "Data Fiduciaries" with obligations for security safeguards, breach notification to the Data Protection Board within 72 hours, and appointment of a Data Protection Officer for significant data fiduciaries.

Aadhaar: The World's Largest Biometric ID System

Aadhaar is India's national biometric identity system — a 12-digit unique identification number linked to each holder's fingerprints and iris scans. Issued to 1.36 billion Indian residents, Aadhaar is used for:

  • Government benefit disbursement (PAN welfare schemes)
  • Banking and financial services authentication (eKYC)
  • Mobile phone number registration (mandatory SIM verification)
  • Healthcare service access
  • Employment verification

Aadhaar numbers appear throughout Indian financial, healthcare, and administrative documents. The Aadhaar Act 2016 imposes specific restrictions on Aadhaar use — it cannot be used as mandatory identification for private services and cannot be stored in databases beyond specific authorized use cases.

Detection requirements: Aadhaar follows a fixed 12-digit format whose last digit is a Verhoeff check digit. Unlike simpler national identifiers, Aadhaar uses the Verhoeff algorithm (a group-theoretic check-digit scheme that catches every single-digit error and every adjacent transposition) rather than a modulus sum. This cuts both ways for detection tooling: generic PII scanners with no Aadhaar pattern miss the number entirely, while tools that match the 12-digit pattern but skip Verhoeff validation flag every 12-digit number (order IDs, reference numbers, timestamps) as Aadhaar and drown reviewers in false positives.

Other Indian PII Identifiers

PAN (Permanent Account Number): 10-character alphanumeric tax identifier in format AAAAA9999A (5 letters + 4 digits + 1 letter). The 4th character encodes the type of taxpayer, the 5th character is the first letter of the taxpayer's name. PAN is mandatory for financial transactions over ₹50,000 and appears in virtually all Indian financial documents.

Indian passport: One uppercase letter followed by 7 digits. The format is specific to India's passport issuance system.

Indian driving license: State-code based format (DL-0420110149646 for Delhi, for example). The format varies by state of issuance, similar to Brazil's RG.

Bank account numbers: No standard format in India — bank account numbers range from 9 to 18 digits depending on the bank, with no national standardization. IFSC codes (11-character bank branch codes) appear alongside account numbers in payment documents.

Mobile numbers: 10-digit format with country code +91. India's mobile penetration (1.2 billion mobile subscribers) means phone numbers are ubiquitous in Indian commercial documents.

DPDPA Technical Requirements

DPDPA's security safeguards requirement is expressed in terms of outcomes rather than specific technical measures (unlike HIPAA's enumerated requirements):

Security safeguards: Data Fiduciaries must implement "reasonable security safeguards" appropriate to the risk. The DPDPA Rules (expected 2025) will specify minimum technical standards.

Breach notification: Within 72 hours to the Data Protection Board for any personal data breach. The deadline itself matches GDPR's 72 hours for notifying the DPA, but the overall obligation is more demanding: GDPR gives 72 hours for DPA notification and a separate timeline for notifying data subjects, whereas DPDPA requires both notifications within the same 72-hour window for significant breaches.

Data localization (significant data fiduciaries): Significant data fiduciaries — those designated by the Indian government based on volume and sensitivity of processing — may be required to maintain a copy of personal data within India. The specific localization requirements will be defined in Rules, but multinational companies processing large volumes of Indian personal data should prepare for potential localization obligations.

Cross-border transfers: DPDPA restricts transfers of personal data to countries not on a government-approved list. The approved country list has not been finalized as of 2025, creating compliance uncertainty for EU-India data flows. The EU-India transfer position differs from GDPR's EU-US DPF — there is no existing bilateral adequacy arrangement, and organizations are advised to implement contractual safeguards while the regulatory framework develops.

For global organizations with India operations: Aadhaar and PAN detection with validated check digits, Indian passport and driving license format support, and documentation of processing purposes aligned with DPDPA legal bases are the baseline technical requirements for DPDPA compliance.
