India DPDPA 2023: Technical Compliance for Global Teams
India's Digital Personal Data Protection Act covers 1.4 billion people. It is the world's largest privacy law by population. The Data Protection Board became active in 2025. Enforcement has started. If your firm serves Indian users, holds Indian staff files, or works with Indian IT vendors, this law is now a live duty.
What DPDPA Covers
Territorial scope: The law covers processing inside India. It also covers processing outside India when the aim is selling goods or services to Indian users. Like GDPR, it follows the person — not the server.
Maximum fines: Up to ₹250 crore per breach. That is about €27 million at current rates. Fines depend on how bad the breach was and how long it lasted.
Legal bases: Consent must be free, informed, and clear. Other valid bases include jobs, legal duties, vital needs, public interest, and research.
Individual rights: People can ask how their records are used. They can request correction or erasure. They can raise a complaint. They can name a representative if they lose capacity.
Data Fiduciaries: This is the DPDPA name for controllers. They must protect personal records. They must report breaches to the Board within 72 hours. They must name a Data Protection Officer if they are a Significant Data Fiduciary.
Aadhaar: A Unique Detection Problem
Aadhaar is India's national biometric ID system. Each holder gets a 12-digit number linked to fingerprints and iris scans. About 1.36 billion residents have one. Banks, government agencies, mobile operators, and hospitals all use it.
Aadhaar numbers show up in financial, healthcare, and admin files. The Aadhaar Act 2016 limits its use. Private services cannot require it as mandatory ID. Storage is restricted to specific authorized cases.
Why detection is hard: The last digit of an Aadhaar number is a check digit computed with the Verhoeff algorithm. A tool that only scans for 12-digit strings will flag any 12-digit number. That creates false hits. Good detection needs to validate the Verhoeff check digit on every candidate. Simple pattern matching is not enough.
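The difference between pattern matching and check-digit validation, as an added example (not code from anonym.legal or from the original page). The function names, the 4-4-4 grouping with a space or hyphen, and the sample records are assumptions made for illustration. The tables are the standard Verhoeff tables.

```python
import re

# Standard Verhoeff tables: D is multiplication in the dihedral group D5,
# P the position-dependent permutation, INV the group inverse.
D = ["0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210"]
P = ["0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258"]
INV = "0432156789"

def verhoeff_checksum(digits):
    """Return the Verhoeff checksum; 0 means the trailing check digit is valid."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[i % 8][int(ch)])])
    return c

def verhoeff_check_digit(payload):
    """Check digit to append to payload (the appended 0 shifts positions by one)."""
    return int(INV[verhoeff_checksum(payload + "0")])

# Candidate (assumed layout): 12 digits, optionally grouped 4-4-4 by a space
# or hyphen, and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d{4}[ -]?\d{4}[ -]?\d{4}(?!\d)")

def find_aadhaar(text):
    """Return every 12-digit candidate together with its Verhoeff verdict."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        hits.append({"match": m.group(), "span": m.span(),
                     "verhoeff_ok": verhoeff_checksum(digits) == 0})
    return hits

SAMPLE = (  # constructed records, not real data
    "kyc id=2345 6789 0124 verified\n"   # check digit is valid
    "order_ref=234567890123 shipped\n"   # 12 digits, check digit is wrong
    "licence DL-0420110149646 on file\n" # 13 digits, never a candidate
)

if __name__ == "__main__":
    for hit in find_aadhaar(SAMPLE):
        print(hit)
```

A uniformly random 12-digit number still passes the Verhoeff check one time in ten, so validation cuts false hits sharply but does not remove them; surrounding context is still needed to confirm a match.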
Other Indian PII Formats
PAN (Permanent Account Number): A 10-character tax ID. Format: five letters, four digits, one letter. The fourth letter shows the taxpayer type. The fifth is the first letter of the taxpayer's name. PAN is needed for any deal over ₹50,000. It is common in Indian finance files.
Indian passport: The letter X followed by seven digits. This format is unique to India.
Driving licences: Each state has its own format. A Delhi licence may look like DL-0420110149646.
Bank accounts: There is no national standard. Account numbers run from 9 to 18 digits. IFSC codes — 11-character bank branch codes — appear next to account numbers in payment files.
Mobile numbers: Ten digits with country code +91. India has 1.2 billion mobile subscribers. Phone numbers appear often in commercial documents.
See how anonym.legal handles all Indian PII formats at /blog/apac-pii-detection-thai-indonesian-vietnamese-2025.
DPDPA Technical Requirements
Security safeguards: DPDPA asks for "reasonable security safeguards" matched to risk. The Act defines this by outcome. It does not give a fixed list of steps. Minimum technical standards will come in DPDPA Rules. These are expected from 2025 onward.
Breach notification: Report any personal records breach to the Board within 72 hours. Under GDPR, that window covers only the regulator. Under DPDPA, major breaches need Board notice and notice to affected people. Both must happen within 72 hours.
Localization: The government can name companies as Significant Data Fiduciaries. Those companies may need to keep a copy of records inside India. Final rules are not yet set.
Cross-border transfers: The law blocks transfers to countries not on an approved list. That list was not set as of 2025. There is no EU-India adequacy deal. Firms with EU-India flows should put contracts in place now.
For a view of how cross-border rules stack across laws, see /blog/global-pii-compliance-2025-gdpr-lgpd-dpdp-ssn.
Your Baseline Technical Checklist
If you handle Indian personal records, start here:
- Aadhaar detection with Verhoeff check-digit logic.
- PAN detection with taxpayer-type character checks.
- Indian passport and state driving licence support.
- Bank account detection for 9–18 digit lengths with IFSC codes.
- Purpose records that match DPDPA legal bases.
- A breach plan that meets the 72-hour window.
Read how a single preset covers all Indian PII types at /blog/global-privacy-compliance-gdpr-ccpa-pdpa-one-tool-2025.