The enacted law is significant and wide-ranging in its application. It takes inspiration from the EU's GDPR in defining "personal data" and extends coverage to all entities, regardless of their size or private status, that process personal data. ​

The law also has significant extraterritorial application.​

The DPDP imposes strict rules for processing personal data in a digital format, including purpose limitation obligations.​

The Data Protection Board of India (Board) has the power to investigate complaints, issue fines, and provide guidance and regulations.​

The DPDP Act does not contain a mandated transitional period akin to the two-year gap between the 2016 enactment of the GDPR and its entry into force in May 2018. ​

The Act allows the Government to decide when different sections, including those governing the formation of the new Board for law compliance, will become effective.​

The DPDP Act does not currently prohibit the transfer of personal data outside of India. The section assumes that transfers are unrestricted unless the government implements restrictions such as blacklisting certain countries or enacting other forms of restriction (Section 16).​