If you’re putting AI anywhere near customer or employee data in India, the Digital Personal Data Protection Act 2023 is now part of the project — not a separate legal exercise to do later. Here’s what it requires, what’s still settling, and how to build AI that’s ready for it. (dgm implements osFoundry, a separate company’s platform — dgm is an independent integration partner, not osFoundry, and this is not legal advice.)
What the DPDP Act covers
The Digital Personal Data Protection Act, 2023 governs the processing of digital personal data by virtually any entity offering goods or services in India. The DPDP Rules were notified on 14 November 2025 (IAPP; National Law Review), and obligations phase in over an implementation window rather than all at once.
The Act regulates the data, and AI systems are heavy consumers of data — so any AI that trains on or processes personal data falls within scope.
What it requires of an AI deployment
If your AI touches personal data, you need to be able to demonstrate:
- A lawful basis — usually consent, captured clearly and revocably (the Rules introduce a consent-manager framework).
- Notice and purpose limitation — tell people what you collect and why; use it only for that.
- Data-principal rights — honour requests for access, correction, and erasure.
- Breach reporting — notify as required when a personal-data breach occurs.
- Processor controls — ensure vendors and sub-processors handling the data are bound and controlled.
Penalties can reach ₹250 crore per breach category (Fisher Phillips), which is why this belongs on the board’s radar, not at the bottom of a backlog.
The moving parts: timelines, transfers, and SDFs
Three things are still settling and should be confirmed against the official notification at the time you act:
- Timeline. Enforcement phases in — the Data Protection Board and consent-manager framework first, core obligations later. Law-firm interpretations of the exact dates differ, so treat published timelines as guidance and prepare now.
- Cross-border transfers. The framework uses a “negative list” (transfers allowed except to countries the government restricts); that list was not yet notified as of research time (ITIF).
- Significant Data Fiduciaries (SDFs). Large or sensitive processors may be designated SDFs with extra duties — an India-based Data Protection Officer, audits, impact assessments, and localisation of specified data categories. The SDF list and the localised categories were not yet published.
Building AI that’s ready
The practical controls that map to DPDP obligations are consent capture, granular access management, audit logs, data-residency choices, and deletion/erasure workflows. For data residency specifically, note that osFoundry lists managed regions for the US, EU and Japan — there is no India region — so keeping personal data in India means self-hosting under the BYO Cloud plan in your own India-region cloud account (see AI data residency in India). A model-neutral, self-hostable platform makes this feasible; a US-only SaaS chat tool may not.
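As an added illustration (not dgm’s or osFoundry’s code), the sketch below shows how four of those controls fit together in one small service: a consent record that binds data to stated purposes and can be revoked, a read path that refuses any purpose the data principal did not agree to, an erasure workflow that removes the data but keeps a tombstone event, and a hash-chained audit log so tampering with the trail is detectable. The class names, the purposes and the sample principal record are all constructed for the example.

```python
"""Consent-bound personal-data store: purpose limitation, revocation, erasure
and a tamper-evident audit trail. Hypothetical example; every name and sample
value here is constructed, not taken from any product."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set
import hashlib
import json


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    principal_id: str
    purposes: Set[str]                 # purposes the data principal agreed to
    granted_at: str = field(default_factory=_now)
    revoked_at: Optional[str] = None   # set when consent is withdrawn

    def permits(self, purpose: str) -> bool:
        # Purpose limitation: only consented purposes, and only while not revoked.
        return self.revoked_at is None and purpose in self.purposes


class PersonalDataStore:
    """Every read is checked against the consent record; every action is
    appended to an audit log whose entries are chained by SHA-256."""

    def __init__(self) -> None:
        self._data: Dict[str, dict] = {}
        self._consent: Dict[str, ConsentRecord] = {}
        self._audit: List[dict] = []
        self._last_hash = "0" * 64      # genesis link of the hash chain

    def _log(self, event: str, principal_id: str, actor: str, **details) -> None:
        entry = {"ts": _now(), "event": event, "principal": principal_id,
                 "actor": actor, "details": details, "prev": self._last_hash}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._audit.append(entry)
        self._last_hash = entry["hash"]

    def record_consent(self, principal_id: str, purposes: Set[str],
                       data: dict, actor: str = "intake-form") -> None:
        # Notice and consent captured together with the data it covers.
        self._consent[principal_id] = ConsentRecord(principal_id, set(purposes))
        self._data[principal_id] = dict(data)
        self._log("consent_granted", principal_id, actor,
                  purposes=sorted(purposes), fields=sorted(data))

    def revoke_consent(self, principal_id: str, actor: str = "principal") -> None:
        self._consent[principal_id].revoked_at = _now()
        self._log("consent_revoked", principal_id, actor)

    def read(self, principal_id: str, purpose: str, actor: str) -> dict:
        rec = self._consent.get(principal_id)
        if rec is None or not rec.permits(purpose):
            self._log("access_denied", principal_id, actor, purpose=purpose)
            raise PermissionError(f"no valid consent for purpose {purpose!r}")
        self._log("access_granted", principal_id, actor, purpose=purpose)
        return dict(self._data[principal_id])

    def erase(self, principal_id: str, actor: str) -> None:
        # Erasure request: drop the data and the consent, keep only the event.
        self._data.pop(principal_id, None)
        self._consent.pop(principal_id, None)
        self._log("erased", principal_id, actor)

    def audit_trail(self) -> List[dict]:
        return list(self._audit)

    def verify_audit_chain(self) -> bool:
        """Recompute every hash and prev-link; False if any entry was altered."""
        prev = "0" * 64
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Walk one constructed principal through consent, use, revocation, erasure."""
    store = PersonalDataStore()
    store.record_consent("p-001", {"support"}, {"email": "user@example.test"})
    outcome = {"support_read": store.read("p-001", "support", "agent-7")["email"]}
    try:
        store.read("p-001", "marketing", "agent-7")   # never consented
        outcome["marketing_read"] = "allowed"
    except PermissionError:
        outcome["marketing_read"] = "denied"
    store.revoke_consent("p-001")
    store.erase("p-001", actor="dsr-workflow")
    outcome["events"] = [e["event"] for e in store.audit_trail()]
    outcome["chain_ok"] = store.verify_audit_chain()
    return outcome


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the chained log is that an auditor can re-run `verify_audit_chain()` over an exported trail; editing or deleting any earlier entry breaks every later link, which is the property you want when the trail is your evidence that access stayed within the consented purposes.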
How dgm helps
dgm builds the technical controls — consent flows, access boundaries, audit trails, India data residency via self-hosting, and deletion workflows — on osFoundry. One honest boundary: dgm builds the controls; your legal and compliance teams own the regulatory determinations (whether you’re an SDF, your lawful basis, your transfer assessments). dgm states that division rather than overclaiming. Pricing is transparent — $399 assessment, $3,999/month implementation, no per-seat fees (INR approximate; 18% GST for domestic clients). Explore the platform at osFoundry, or talk to dgm about a DPDP-aware build.
This page is general information, not legal advice. The DPDP Act and Rules are evolving — confirm current obligations with qualified counsel before acting.