
Charting the New Privacy Landscape: An Analysis of the DPDP Act and Rules

LEX MANTIS, Advocates and Legal Consultant, India


Introduction: A New Rulebook for Digital Data

The Digital Personal Data Protection Act, 2023 (DPDP Act), and its operating rules, the Digital Personal Data Protection Rules, 2025 (DPDP Rules), have created India’s first unified, comprehensive law for protecting digital personal data. This framework is built on principles of transparency and accountability, ensuring individuals have control over their information.

The Act was officially enacted in August 2023, and the operational Rules were notified in November 2025. Companies are now required to be fully compliant with the Act and its Rules by the stipulated deadline of May 13, 2027.

The law applies to the safeguarding and processing of all digital personal data within India. Critically, it also applies to organisations that process data outside India if they are offering goods or services to individuals in India, giving the law broad extraterritorial reach.

 

1. Who’s who in the Data World

The Act defines clear roles to establish accountability:

Data Principal (DP)
  • Simple definition: The individual whose data is being processed (for a child, the parent or lawful guardian acts on their behalf).
  • Core responsibility: Holds rights (e.g., access, correction) and also carries enforceable duties.

Data Fiduciary (DF)
  • Simple definition: The company or entity that decides why and how personal data is processed (e.g., a bank, an e-commerce site).
  • Core responsibility: Bears the primary legal responsibility and liability for data protection.

Data Processor (Processor)
  • Simple definition: A third-party vendor that processes data on behalf of the Data Fiduciary.
  • Core responsibility: Works under contract; the DF remains legally liable for the Processor's actions.

Significant Data Fiduciary (SDF)
  • Simple definition: A DF notified by the Central Government because of the volume and sensitivity of the data it handles or its bearing on national security.
  • Core responsibility: Faces stronger, mandatory duties, such as appointing a Data Protection Officer (DPO) and conducting periodic audits and impact assessments.

Under this system, accountability is concentrated on the Data Fiduciary. The DF is responsible for all personal data in its custody, even where the processing is outsourced to third-party Processors. Penalties for failing to maintain reasonable security safeguards and suffering a breach (up to INR 250 crore) fall on the Data Fiduciary, not the Processor, which makes robust security and audit clauses in every vendor contract a necessity.

 

2. Lawful Data Processing: Consent and Legitimate Use

A company can process personal data only if it has a stated lawful purpose for acquiring the data and obtains either the individual’s consent or has a legal justification under “certain legitimate uses” (CLU).

Consent of the Data Principal (the user) is the "gold standard". It must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and it must be obtained separately for each purpose rather than as "bundled consent" covering several activities at once. Consent can also be withdrawn at any time, and the process for withdrawing it must be as simple as the process used to grant it.

The DPDP Act also retains what is commonly called "deemed consent" (the term used in the 2022 draft bill; the enacted law folds it into the "certain legitimate uses" below): where a user voluntarily provides personal data for a specified purpose and has not indicated that they do not consent, the company may process it for that purpose. This differs from the General Data Protection Regulation (GDPR) in the European Union (EU), which usually requires explicit, affirmative consent before any collection.

It is important to note here that processing data without consent is allowed only for limited public interest functions or necessary legal compliance, known as Certain Legitimate Uses (CLU). Examples of CLU include:

  • Processing necessary for an employer-employee relationship (employment),
  • Processing required for medical emergencies or health services,
  • Processing necessary to comply with a legal or judicial obligation, and
  • Processing in the interest of state security or public order.

Unlike many of the global privacy laws, the DPDP Act does not include “contractual necessity” as a separate legal ground for processing.

Where processing rests on consent, the request for consent must be accompanied or preceded by a clear, standalone privacy notice that details:

  • What data is being collected,
  • The specific purpose for which it is being used,
  • Contact details for the organization's representative, and
  • The direct links for the Data Principal to withdraw consent or file a complaint with the Data Protection Board of India (DPBI).

A distinctive requirement is the retrospective notice: where consent was obtained before the DPDP Act and Rules came into effect, the Data Fiduciary must still issue the same notice for that earlier personal data as soon as reasonably practicable.
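The consent properties described above (one specific purpose per consent, withdrawal as simple as grant, no processing without an active purpose-matching consent) translate directly into how a consent store is designed. The following Python ledger is an added illustration written for this page; it is not code from the Act, the Rules or the firm. The principal identifiers, purpose strings and notice version labels are constructed for the example, and the processing step is represented by a caller-supplied action.

```python
"""Purpose-bound, withdrawable consent ledger (added illustration; not from
the DPDP Act, the DPDP Rules or LEX MANTIS). Principal IDs, purpose names and
notice versions below are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, TypeVar

T = TypeVar("T")


class ConsentError(Exception):
    """Raised when processing is attempted without active, matching consent."""


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                      # exactly one purpose per record, never a bundle
    notice_version: str               # the notice shown when consent was taken
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Records consent per (principal, purpose) and gates processing on it."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def grant(self, principal_id: str, purpose: str, notice_version: str,
              now: Optional[datetime] = None) -> ConsentRecord:
        # Consent must be specific: one named purpose per grant. A caller that
        # passes a list or an empty purpose (bundled or vague consent) is refused.
        if not isinstance(purpose, str) or not purpose.strip():
            raise ValueError("grant() takes exactly one named purpose")
        if self.has_consent(principal_id, purpose):
            raise ValueError(f"active consent already recorded for {purpose!r}")
        rec = ConsentRecord(principal_id, purpose, notice_version,
                            now or datetime.now(timezone.utc))
        self._records.setdefault(principal_id, []).append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        # Withdrawal takes the same inputs as grant and no extra steps.
        # Returns False when there was nothing active to withdraw.
        for rec in self._records.get(principal_id, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = now or datetime.now(timezone.utc)
                return True
        return False

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        return any(r.purpose == purpose and r.active
                   for r in self._records.get(principal_id, []))

    def active_purposes(self, principal_id: str) -> List[str]:
        # What a Data Principal would be shown when exercising the right to access.
        return sorted(r.purpose for r in self._records.get(principal_id, [])
                      if r.active)

    def process(self, principal_id: str, purpose: str, action: Callable[[], T]) -> T:
        # Every processing call names its purpose; it runs only if an active
        # consent for that exact purpose exists. Withdrawal takes effect on the
        # very next call, with no grace period.
        if not self.has_consent(principal_id, purpose):
            raise ConsentError(f"no active consent from {principal_id} for {purpose!r}")
        return action()


def demo() -> dict:
    """Walk through grant, purpose mismatch and withdrawal; returns the outcomes."""
    ledger = ConsentLedger()
    ledger.grant("dp-1001", "order_fulfilment", "notice-v3")  # constructed sample
    out: dict = {}
    out["fulfilment_ok"] = ledger.process(
        "dp-1001", "order_fulfilment", lambda: "shipped sku A1")
    try:  # consent for one purpose does not carry over to another
        ledger.process("dp-1001", "marketing_email", lambda: "sent newsletter")
        out["marketing_blocked"] = False
    except ConsentError:
        out["marketing_blocked"] = True
    out["withdrawn"] = ledger.withdraw("dp-1001", "order_fulfilment")
    try:  # after withdrawal the same purpose is refused
        ledger.process("dp-1001", "order_fulfilment", lambda: "shipped sku A1")
        out["post_withdrawal_blocked"] = False
    except ConsentError:
        out["post_withdrawal_blocked"] = True
    out["active"] = ledger.active_purposes("dp-1001")
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the purpose is a parameter of the processing call itself, so a new feature cannot reuse data collected for another purpose without an explicit, separately recorded consent, and withdrawal is the same one-step operation as granting. A production version would persist the records and the notice text for each version so the ledger can answer access requests and retrospective-notice audits.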

 

3. Rights and Duties of an Individual

The Act gives Data Principals comprehensive rights, but also imposes enforceable duties on them, a distinctive feature of the Indian law.

Rights

The key rights are as follows:

  • Right to Access: Request a summary of the personal data being processed and the identities of the other Data Fiduciaries and Data Processors with whom it has been shared.
  • Right to Correction/Erasure: Ask the company to correct inaccurate or incomplete data, or erase it entirely when the original purpose is complete or consent is withdrawn.
  • Right to Grievance Redressal: Use the company’s internal system for complaints and escalate unresolved issues to the DPBI.

 

Fiduciaries must respond within the period they publish, which the Rules cap at 90 (ninety) days.

Duties

Individuals must exercise their rights responsibly. They are prohibited from:

  • Impersonating another person.
  • Suppressing key information when providing data for government-issued documents.
  • Filing a false or frivolous complaint with the company or the DPBI.
  • Failing to furnish verifiably authentic information when requesting data corrections.

 

 

A breach of these duties can result in a fine of up to INR 10,000 for the Data Principal.

 

4. Protecting Special Data: Children and Consent Managers

  • Children’s Personal Data

Processing the data of a child (under 18) requires verifiable consent from a parent or lawful guardian. The law prohibits tracking or behavioural monitoring of children and targeted advertising directed at children. However, a universally accepted and effective technical method for age and parental verification remains a significant practical challenge for the industry.

Displaying its seriousness of intent to protect children’s data, the law specifies that violating obligations related to children’s data could invite a maximum penalty of up to INR 200 crore.

  • The Role of Consent Managers

The Act introduces the Consent Manager, a new kind of entity that must be registered with the Data Protection Board of India (DPBI). A Consent Manager is not an enforcement body; it is a central, interoperable platform that gives individuals an accessible and transparent way to manage the entire lifecycle of their consent, including granting, reviewing and withdrawing permissions across different companies, and it is accountable to the Data Principal for doing so.

 

5. Cross Border Data Transfer

Cross-border data transfers are generally permitted, but the Central Government may restrict transfers to specific countries through notification, though the criteria for such restrictions are not defined in the Act. Sectoral regulators may also impose additional conditions or localisation requirements based on industry needs—for example, the Reserve Bank of India mandates that end-to-end transaction data and payment-related information be stored in India under the Payment and Settlement Systems Act, 2007.   

Data Fiduciaries must ensure, through contractual arrangements, that even foreign Data Processors process personal data only in accordance with the DPDP Act and under the Data Fiduciary’s instructions. While the Act does not mandate an assessment of the recipient country’s legal framework, the Data Fiduciary remains responsible for ensuring that the foreign Data Processor complies with the obligations imposed under the DPDP Act.

 

6. Data Breach Reporting

The law prescribes graded breach-notification requirements, with separate obligations towards the DPBI and towards the affected Data Principals. In the event of a personal data breach, Data Fiduciaries must promptly inform affected individuals in plain language, explaining the nature and possible consequences of the breach, the steps taken to address it, and contact details for assistance. Data Fiduciaries must also intimate the DPBI and, within a tight window of 72 hours, submit a detailed incident report covering containment measures, root-cause analysis and post-breach mitigation steps, together with further particulars of the breach.

While the recently notified Rules require affected Data Principals to be informed "as soon as reasonably practical", what constitutes an acceptable delay is still open to interpretation. Meeting the timeline is challenging for smaller businesses, or in a complex breach where identifying all affected Data Principals takes time.

Further, unlike the GDPR, the DPDP framework does not specify a threshold for whether a breach must be reported (for example, whether it must pose a "risk of serious harm" to individuals). This suggests that every personal data breach must be reported, which is an operational challenge.

 

7. Enforcement and Risk: Penalties

The Act imposes severe, tiered penalties on Data Fiduciaries, with the overall cap set at INR 250 crore. The severity of the fine highlights the priority that has been accorded to regulatory compliance of privacy obligations on Data Fiduciaries. A table of penalties under the Act has been set out below:

Failure to take reasonable security safeguards to prevent a personal data breach
  • Maximum penalty: INR 250 crore
  • Legal focus: Failure to secure data in the Data Fiduciary's custody (the overall cap).

Breach of obligations relating to children's data
  • Maximum penalty: INR 200 crore
  • Legal focus: Protection of vulnerable persons.

Failure to notify a personal data breach
  • Maximum penalty: INR 200 crore
  • Legal focus: Transparency and accountability after an incident.

Breach of Significant Data Fiduciary (SDF) obligations
  • Maximum penalty: INR 150 crore
  • Legal focus: Failure of high-risk entities to meet their additional standards.

Breach of any other obligation under the Act
  • Maximum penalty: INR 50 crore
  • Legal focus: Residual fiduciary duties, including responding to Data Principal rights.

Though the Act stipulates the maximum penalties as in the above table, the Act does not prescribe a specific minimum penalty for most violations.

 

8. DPBI & Grievance Redressal

The Act establishes the DPBI as an adjudicating body responsible for handling unresolved personal data protection complaints, enforcing compliance and imposing penalties under the new DPDP framework. The Act contemplates a digital-by-design Board, allowing citizens to file complaints online, monitor case status and receive communications through a dedicated portal and mobile application. Once fully operational, the Board will play a key role in ensuring that data processing practices align with the core obligations under the Act, which reflect principles such as consent, lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards and accountability. These principles echo the constitutional right to privacy recognised by the Supreme Court in K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.

 

9. Compliance Timeline

The Rules provide a structured, phased compliance period, on the footing that readiness must precede the 18-month deadline for full enforcement.

13 November 2025
  • Action required: Rules notified. Breach-notification obligations commence and the Board's structure is operationalised.
  • Legal significance: Immediate commencement of the most urgent operational requirement (breach response).

By 13 November 2026 (12 months)
  • Action required: Consent Manager registration and operational compliance.
  • Legal significance: Firms relying on Consent Managers must ensure their partners are registered and compliant.

By 13 May 2027 (18 months)
  • Action required: Full enforcement. All obligations become enforceable and the Board begins adjudicating full-scope complaints.
  • Legal significance: Legal risk escalation. Companies that are not fully compliant face the full range of penalties under the Act.

 

 

10. Compliance Roadmap: Preparing for May 2027

To meet the full compliance deadline of 13 May 2027, companies must move beyond the foundational steps and address the requirements specific to the Indian framework, as follows:

  1. Data Privacy Assessment: Assess the current Data Privacy position, working practices and documentation in the organisation, against the requirements of DPDP Act and Rules.
  2. Data Mapping: Conduct a full review to understand what data you process and officially determine if you are a DF or an SDF.
  3. Data Flow: Document how the personal data is being processed currently, including how it gets transferred to third parties.
  4. Redesign Consent: Set up consent-capture systems, like cookie banners and privacy notices across all collection points to ensure specific, easily withdrawable consent, and ready your systems for the forthcoming Consent Manager framework.
  5. Address Legacy Data: Crucially, implement a plan to issue retrospective notices to data subjects whose information was collected before November 2025.
  6. Privacy Impact Assessment: This must be undertaken to assess the risks to data privacy.
  7. Third party Risk Mitigation: Review and update all contracts with third-party Data Processors, ensuring they meet the required security standards, as the Data Fiduciary will be held liable for any failures or breaches.
  8. Technical Safeguards: Deploy the required technical protections to prevent and mitigate personal data breaches.
  9. Data Protection Office Setup: Establish a data protection office by appointing the appropriate team responsible for driving and overseeing compliance across the organization.
  10. Strengthen Breach Protocol: Establish a rapid response plan so that any data breach is detected, affected Data Principals are informed without delay, and a detailed report reaches the DPBI within the critical 72-hour window.
  11. Monitoring and Sustenance: Implement a periodic monitoring program to assess compliance at various intervals to sustain what has been implemented.

By proactively addressing these legal and operational requirements, organizations can transform compliance into a foundation for building trust in the digital marketplace.

 

References:

  1. Press Information Bureau, https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190014
  2. Press Information Bureau, https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/jan/doc202515481101.pdf
  3. Press Information Bureau, https://www.pib.gov.in/PressReleasePage.aspx?PRID=2090271
  4. Press Information Bureau, https://www.pib.gov.in/PressReleasePage.aspx?PRID=2148944
  5. Press Information Bureau, https://www.pib.gov.in/PressReleasePage.aspx?PRID=2158506
  6. "Inform users about data breaches immediately", The Times of India, https://timesofindia.indiatimes.com/business/india-business/inform-users-about-data-breaches-immediately/articleshow/125336870.cms
  7. "Towards a Robust Digital Data Protection Regime in India", Drishti IAS, https://www.drishtiias.com/daily-updates/daily-news-editorials/towards-a-robust-digital-data-protection-regime-in-india
  8. "Decoding the Digital Personal Data Protection Act, 2023", EY, https://www.ey.com/en_in/insights/cybersecurity/decoding-the-digital-personal-data-protection-act-2023

 

About the Firm

LEX MANTIS, Advocates and Legal Consultant
Address: D-4, B-Wing, 4th Floor, Barodawala Mansion, Above ICICI Bank, 81, Dr. Annie Besant Road, Mumbai 400 018, INDIA.
Tel: 91-98211 38973
Contact Person: Ms Anuradha Maheshwari
Email: info@lexmantis.com
Link: www.lexmantis.com