India has entered a new phase in its privacy journey with the Digital Personal Data Protection Act (DPDPA), 2023 and its recently notified Rules. Together, they establish a comprehensive regulatory system governing digital personal data and operationalize the fundamental right to privacy enshrined in the Constitution of India.
The government has chosen a staggered rollout for the Act and Rules, with some provisions in force now and more substantive obligations expected to become effective over the next 18 months.
What the DPDPA Covers
The Act applies to personal data collected in digital form, as well as personal data that is digitized after collection. It also extends to processing conducted outside India when it relates to goods or services offered to individuals in India.
Entities that determine the purpose and means of processing (Data Fiduciaries) must comply with obligations that include ensuring that processing is for a lawful purpose, purpose and storage limitation, implementing reasonable security safeguards, and maintaining transparent notice and consent practices. There are also special obligations for Significant Data Fiduciaries whose activities carry heightened risk to individuals, including appointment of a data protection officer (DPO). Cross-border data transfers by Data Fiduciaries are generally allowed unless the government specifically restricts transfers to certain countries.
Individuals, referred to as Data Principals, receive rights of access, correction, and erasure; the ability to file grievances; and the option to appoint a nominee to exercise their rights if they die or become incapacitated.
The DPDPA also creates the Data Protection Board of India, responsible for overseeing compliance, investigating data breaches, and imposing penalties.
What the Rules Add
The Rules clarify how the Act is meant to function in practice. They
- specify mandatory elements of privacy notices;
- outline registration and operational requirements for consent managers;
- elaborate on reasonable security safeguards;
- address data retention and deletion obligations;
- require publishing the details of a point of contact by Data Fiduciaries;
- provide additional safeguards for processing children’s data and data of persons under guardianship; and
- further detail additional obligations of Significant Data Fiduciaries and the exercise of rights by Data Principals.
For data breaches, the Rules require an immediate initial notification to the Board and a detailed report within 72 hours, along with notification to affected individuals without undue delay.
What is Different from the General Data Protection Regulation (GDPR)
Although the structure of the Indian law resembles the GDPR, several major differences stand out. The DPDPA focuses on digital personal data rather than all personal data. Consent plays a more central role because the Act provides fewer alternative legal grounds for processing. India also introduces consent managers, neutral intermediaries that help individuals manage consent permissions across services.
What Organizations Need to Do Now
- Map data-processing flows to understand what personal data you process, how it is used, who it is shared with, and how long it is retained.
- Align global privacy practices with India-specific requirements, including updating privacy notices and ensuring appropriate legal bases for processing.
- Review and update third-party data-sharing arrangements, putting Data Processing Agreements in place where required.
- Implement grievance-handling and rights-request mechanisms to manage Data Principal rights and complaints.
- Strengthen consent management, assess whether a consent manager is needed, and ensure verifiable consent, especially for children.
Next Steps
The Act and Rules mark a significant shift from India’s earlier, fragmented privacy requirements to a unified, enforceable framework. For businesses operating in India, this is not a minor update to global privacy programs but a distinct compliance regime with its own obligations and timelines. Early, proactive preparation will help organizations manage risk, demonstrate accountability, and participate confidently in India’s rapidly expanding digital economy.