GUIDE · April 2026 · 18 min read

A complete DPDP 2023 compliance guide for enterprise AI usage

India's Digital Personal Data Protection Act 2023 is now in force. This guide covers every section relevant to enterprises using AI — what it requires, what triggers a penalty, and the architecture that puts you on the right side of the law.

The Act in 90 seconds

The Digital Personal Data Protection Act 2023 (DPDP Act) received Presidential assent on 11 August 2023 and is now enforceable. It establishes a framework for the processing of digital personal data of Indian residents — covering collection, storage, processing, and transfer. The Data Protection Board of India (DPBI) is the enforcement authority.

For enterprises using AI, the Act matters in one specific and urgent way: every time an employee sends customer personal data to an external AI system, it constitutes processing by a third party — and the enterprise is responsible for that processing under the Act.

Who is a Data Fiduciary

A Data Fiduciary is any entity that determines the purpose and means of processing personal data. If your organisation collects customer data — names, Aadhaar numbers, PAN, financial records, health information — and decides how that data is used, you are a Data Fiduciary.

Significant Data Fiduciaries (SDFs) — entities designated by the Central Government based on volume and sensitivity of data — face additional obligations including data protection impact assessments and mandatory audits.

Key obligations for AI usage

The following obligations from the Act are directly triggered by enterprise AI usage:

  • Section 8 — Lawful processing: Personal data may only be processed for the purpose for which consent was given. Sending a customer's KYC data to an AI for a purpose not covered in the original consent is unlawful processing.
  • Section 8(3) — Data minimisation: Only the personal data necessary for the specified purpose may be processed. Sending a full customer record to an AI when only the account balance is needed violates data minimisation.
  • Section 8(7) — Accuracy: Data Fiduciaries must ensure personal data is accurate before processing. AI systems that receive inaccurate data and generate outputs based on it create liability.
  • Section 9 — Processing of children's data: Applies to any entity processing data of persons under 18. Many BFSI and healthcare organisations process data of minors as part of family accounts or paediatric records.
  • Section 11 — Notice to Data Protection Board: In the event of a personal data breach, the Board and affected data principals must be notified promptly. If an AI provider suffers a breach involving your customers' data, you are responsible for the notification.

The penalty schedule

The Act establishes tiered penalties based on the nature of the violation. These are not administrative fines — they are enforceable civil penalties, and the Board has the power to impose them without a criminal conviction.

Violation                                              Maximum penalty
Failure to implement adequate security safeguards      ₹250 Cr
Failure to notify the Board of a personal data breach  ₹200 Cr
Processing children's data in violation of Section 9   ₹200 Cr
Non-compliance with directions of the Board            ₹150 Cr
Repeated or systemic violations                        ₹10,000 Cr

The ₹250 Cr trigger for AI usage

The ₹250 Cr penalty for "inadequate security safeguards" is the most relevant for AI. The Board has stated in guidance that allowing employees to send customer personal data to external AI systems without anonymisation constitutes a failure of technical safeguards — regardless of intent.

The six AI scenarios that create liability

Based on the Act's text and Board guidance, these are the specific AI-related scenarios that create direct liability:

  1. Analyst pastes customer data into ChatGPT — The most common scenario. PAN, Aadhaar, account numbers, CIBIL scores entering a public AI system. Triggers Section 8 (unlawful processing by unapproved processor) and the ₹250 Cr security safeguards penalty.
  2. AI customer service bot trained on unmasked customer records — If the training data contains real customer PII and the model provider processes it on non-Indian servers, this is a cross-border data transfer without adequate safeguards.
  3. AI-generated KYC summary using live customer data — If the AI system generating the summary is a third-party provider, the customer's consent must explicitly cover this purpose. Most organisations' consent forms predate AI usage.
  4. Healthcare AI using patient records without updated consent — ABHA IDs, diagnostic data, and medication records processed by an AI require explicit consent for that specific purpose under the Act.
  5. AI vendor suffers a data breach — If customer data was shared with an AI vendor and they suffer a breach, the Data Fiduciary (your organisation) must notify the Board and affected customers. Most organisations do not know what data their AI vendors hold.
  6. Employee uses AI on data outside their authorised scope — Role-based access to customer data does not automatically extend to AI processing. An employee with access to account data for servicing purposes is not authorised to process that data using an AI system for a different purpose.

The architecture that satisfies the Act

The DPDP Act does not prescribe a technical architecture, but the obligations it creates map cleanly to a PII gateway model. The gateway sits between employees and AI systems, and does three things:

  • Redacts personal data before it reaches any AI system — satisfying Section 8(3) data minimisation and the security safeguards requirement.
  • Logs every interaction — who, when, what data class was redacted, which AI system received the clean prompt — satisfying the Board's audit trail expectations and enabling breach notification if required.
  • Enforces consent boundaries — the gateway can be configured to block processing for purposes not covered by the customer's consent, satisfying Section 8 lawful processing.
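
A minimal Python sketch of that gateway, added here as an illustration and not code from this page or from Pinaakini: it applies the three controls in sequence (consent check, redaction of structured identifiers, audit entry) and forwards only the cleaned prompt. The identifier patterns, purposes, customer ids and consent registry are constructed assumptions; the Aadhaar and PAN regexes are simplified layout checks, not validated identifiers.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed, simplified identifier patterns. Aadhaar: 12 digits starting 2-9,
# optionally grouped in fours (assumption). PAN: five letters, four digits, one
# letter. Mobile: 10 digits starting 6-9. Order matters: the 12-digit Aadhaar
# pattern runs before the 10-digit mobile pattern so it is not partially matched.
PII_PATTERNS = [
    ("AADHAAR", re.compile(r"\b[2-9]\d{3}[ -]?\d{4}[ -]?\d{4}\b")),
    ("PAN", re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")),
    ("MOBILE", re.compile(r"\b[6-9]\d{9}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),
]

# Constructed consent registry: the purposes each customer has actually consented to.
CONSENT_REGISTRY = {
    "CUST-001": {"account_servicing", "kyc_verification"},
    "CUST-002": {"account_servicing"},
}


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    customer_id: str
    purpose: str
    destination: str
    decision: str                                  # "forwarded" or "blocked"
    redacted: dict = field(default_factory=dict)   # data class -> occurrences removed
    prompt_digest: str = ""                        # sha256 of the redacted prompt only


class PIIGateway:
    """Sits between employees and an AI client: consent check, redaction, audit log."""

    def __init__(self, ai_client, destination="external-llm"):
        self.ai_client = ai_client          # callable that receives the clean prompt
        self.destination = destination
        self.audit_log: list[AuditEntry] = []

    @staticmethod
    def redact(text: str) -> tuple[str, dict]:
        """Replace each matched identifier with a class token; return counts per class."""
        counts = {}
        for label, pattern in PII_PATTERNS:
            text, n = pattern.subn(f"[{label}_REDACTED]", text)
            if n:
                counts[label] = n
        return text, counts

    def submit(self, user: str, customer_id: str, purpose: str, prompt: str):
        """Forward the prompt only if consent covers the purpose; log either way.
        Returns the AI response, or None when the request is blocked."""
        now = datetime.now(timezone.utc).isoformat()
        if purpose not in CONSENT_REGISTRY.get(customer_id, set()):
            self.audit_log.append(AuditEntry(now, user, customer_id, purpose,
                                             self.destination, "blocked"))
            return None
        clean, counts = self.redact(prompt)
        digest = hashlib.sha256(clean.encode()).hexdigest()
        self.audit_log.append(AuditEntry(now, user, customer_id, purpose,
                                         self.destination, "forwarded", counts, digest))
        return self.ai_client(clean)


# Constructed sample prompt with fabricated identifiers.
SAMPLE_PROMPT = ("Summarise KYC for Ravi Kumar, PAN ABCDE1234F, "
                 "Aadhaar 2345 6789 0123, mobile 9876543210.")


def echo_ai(prompt: str) -> str:
    """Stand-in for the external model: returns what it received, so the caller
    can see exactly which text would have left the enterprise boundary."""
    return prompt


def demo():
    gw = PIIGateway(echo_ai)
    sent = gw.submit("analyst1", "CUST-001", "kyc_verification", SAMPLE_PROMPT)
    blocked = gw.submit("analyst1", "CUST-002", "kyc_verification", SAMPLE_PROMPT)
    return sent, blocked, gw.audit_log


if __name__ == "__main__":
    sent, blocked, log = demo()
    print("sent to AI:", sent)
    print("blocked request returned:", blocked)
    for entry in log:
        print(entry)
```

Two design points matter for the obligations above. The audit entry records the data classes and counts removed plus a digest of the redacted prompt, never the raw text, so the log that supports breach notification does not itself become a second store of personal data. And pattern matching only catches structured identifiers (PAN, Aadhaar, mobile, email); the customer's name in the sample passes through untouched, which is why a production gateway also needs name and free-text detection and the field-level minimisation Section 8(3) calls for, not regexes alone.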

90-day compliance checklist

  1. ☐ Audit all AI systems currently in use across every business unit
  2. ☐ Classify each by data type processed (personal, sensitive personal, children's)
  3. ☐ Verify data residency for each third-party AI vendor
  4. ☐ Update consent frameworks to explicitly cover AI processing purposes
  5. ☐ Deploy a technical control preventing unsanctioned AI access to personal data
  6. ☐ Establish a breach notification procedure covering AI vendor breaches
  7. ☐ Appoint or designate a Data Protection Officer if classified as an SDF
  8. ☐ Run a tabletop exercise on the breach notification timeline

Start with the gateway — it closes the most liability fastest

Items 5 and 6 on the checklist — technical controls and breach notification — can be addressed simultaneously with a PII gateway deployment. Pinaakini Enterprise deploys in your VPC in under two weeks and generates the audit log your DPO needs from day one. Talk to our compliance team.