DPDP 2023·7 MIN READ·12 MAY 2026

DPDP Act 2023, in one cold reading: what Gujarat businesses must do before the Data Protection Board comes calling

Penalties under the Digital Personal Data Protection Act range up to ₹250 crore. A practical compliance ladder for SMEs, hospitals and edtech in Gujarat — written for operators, not lawyers.

The penalty headline that should reset your priorities

The Digital Personal Data Protection Act 2023 ('DPDP') imposes monetary penalties of up to ₹250 crore per instance of non-compliance — a quantum that converts data protection from an IT housekeeping exercise into a board-level risk. Crucially, liability attaches to the Data Fiduciary (the entity that determines purpose and means), not to the cloud vendor.

The seven things you actually need on file

  1. Consent notice in clear, itemised language — one purpose per consent. The era of bundled checkboxes is over.
  2. Data Principal rights register — access, correction, erasure, grievance. Response within a reasonable window (we recommend 7 days).
  3. Grievance officer publicly identified on your site with a working email.
  4. Breach notification protocol to the Data Protection Board, with internal evidence-preservation steps.
  5. Cross-border transfer register if any processing occurs outside India.
  6. Children's data carve-outs — verifiable parental consent for anyone below 18, no behavioural targeting.
  7. Significant Data Fiduciary readiness if you process at scale: Data Protection Officer (DPO), Data Protection Impact Assessment (DPIA), independent audit.

What the Board is signalling about enforcement priorities

From early guidance and draft Rules, three sectors are receiving disproportionate scrutiny: health and diagnostic platforms, edtech (including tuition apps), and fintech / lending. If you operate in any of these in Gujarat, treat the next 90 days as a compliance sprint, not a roadmap exercise.

Our standing recommendation

Begin with a one-day documented gap audit (not a vendor pitch), close the top three findings, and only then build the long-tail program. Most penalties arise from the absence of basic artefacts, not from sophisticated breaches.
