From Law to Practice: Implementing India’s Digital Personal Data Protection Framework
28 Jan

Authors: Shilpa Margaret Kurian, Carmine Perri, Giulio Monga
Executive Summary
India’s data protection regime entered an operational phase on 13 November 2025, following the notification of the Digital Personal Data Protection Rules, 2025[1] under the Digital Personal Data Protection Act, 2023.[2] This article examines the current data protection landscape in India, highlighting key compliance obligations for organisations, including consent-based processing, enhanced obligations for Significant Data Fiduciaries, cross-border data transfer considerations, and enforcement mechanisms. It also provides structured, business-oriented guidance to help organisations navigate the framework. The article further outlines the phased implementation timeline, enabling organisations to plan and meet compliance obligations effectively.
Background and Regulatory Context
India’s journey toward a dedicated data protection regime began in 2010 and culminated in the enactment of the Digital Personal Data Protection Act, 2023. The operationalisation of the Act depended on the issuance of subordinate legislation. On 13 November 2025, the Ministry of Electronics & Information Technology[3] notified the Digital Personal Data Protection Rules, 2025, formally bringing the framework into force.
This notification represents a significant milestone in India’s digital governance agenda. While the DPDP Act establishes the core principles and obligations, the DPDP Rules provide the procedural clarity required for practical implementation. Together, they define the responsibilities of organisations handling personal data, particularly Data Fiduciaries, and create an enforceable compliance framework for businesses.
India’s Approach to Personal Data Protection: A Consent-centric Model with Extraterritorial Scope
India’s framework adopts a consent-centric model, emphasising lawful, limited, and purpose-specific processing of personal data. The DPDP Act applies to the processing of digital personal data in India, as well as to processing conducted outside India when it is connected with offering goods or services to individuals in India.
At its core, the framework places accountability on organisations that determine the purpose (“why”) and means (“how”) of personal data processing, referred to as Data Fiduciaries. Data Fiduciaries (an equivalent of Data Controllers under the GDPR) must also ensure that Data Processors (which process personal data on their behalf) comply with security, retention, and deletion obligations. This is typically achieved through robust contractual arrangements, periodic audits, and proper documentation of processes.
Key Compliance Obligations Under the DPDP Act and DPDP Rules
Lawful and Limited Processing: The DPDP Act requires that personal data be processed only for lawful, specific, and necessary purposes. Organisations should document all processing activities (similar to the obligation to keep a Record of Processing Activities [ROPA] under Art. 30 GDPR), periodically review and minimise data collection, and maintain records of any statutory exceptions relied upon.
Consent Management: Consent must be informed, specific, unambiguous, and withdrawable at any time. Privacy notices should be clear, regularly updated, and designed for ease of user interaction. Organisations should maintain accurate consent records, including timestamps and withdrawal logs, and ensure onboarding of reliable Consent Managers.
Consent Managers: The framework introduces a new class of entities responsible for providing an accessible, transparent, and interoperable platform for managing consent preferences, acting as a single point of contact for Data Principals. These entities are required to be registered with the Data Protection Board and must meet prescribed requirements under the framework, including minimum net worth and local presence.
Processing Data of Vulnerable Groups: Processing the personal data of minors or persons with disabilities requires verifiable parental or guardian consent. The DPDP Rules also impose restrictions on tracking, behavioural monitoring, and targeted advertising, except in specific cases permitted by law. Organisations should integrate verification mechanisms into consent workflows, maintain detailed consent and verification logs, and regularly review applicable exemptions for compliance.
Security and Data Retention: Organisations are required to implement technical and organisational safeguards, such as encryption, access controls, and logging, proportionate to the sensitivity of the data. Personal data should be retained only as long as necessary, and automated deletion mechanisms are recommended where feasible. Clear documentation of retention and deletion procedures, staff training, and monitoring of safeguards are essential for accountability.
Personal Data Breach Management: In the event of a personal data breach, organisations must notify affected individuals and the Data Protection Board within 72 hours of becoming aware of it. Detailed reporting to the Board is also required. Organisations are advised to implement a robust data breach response plan, assign responsibilities clearly, and conduct periodic simulations to ensure readiness.
Data Principal Rights & Duties: The DPDP framework recognises the rights of individuals, referred to as Data Principals (the equivalent of Data Subjects under the GDPR), while also imposing certain duties on them. Organisations must respond to requests – such as access, correction, erasure, or nomination – within 90 days. Clear procedures should be published, and systems implemented to track and fulfil requests in a timely manner.
Contact Persons: Data Fiduciaries must appoint a contact person to address queries regarding personal data processing. Significant Data Fiduciaries (SDFs) must fulfil this role through a Data Protection Officer (DPO), whose contact details should be clearly communicated to individuals.
Research Exemption: Processing for research, statistics, or archiving purposes may be exempt if appropriate safeguards are applied. Where relevant, organisations should document exempt processing and regularly review safeguards to ensure ongoing compliance.
Government Requests: Requests from the Government for personal data – for national security or other public-interest purposes – must be handled lawfully and may include non-disclosure obligations. Organisations should establish clear protocols to manage such requests cautiously.
Significant Data Fiduciaries (SDFs) and Compliance Obligations: The framework introduces the category of SDFs as part of a risk-based regulatory approach. SDFs are designated based on criteria including the volume and sensitivity of personal data processed, risks to individual rights, and potential impacts on national security or public order. SDFs are subject to enhanced obligations such as annual data protection impact assessments, independent audits, algorithmic and software risk assessments, data localisation requirements, and the appointment of an India-based Data Protection Officer. Although formal notifications of SDF designations are pending, organisations with large-scale or sensitive processing operations are advised to prepare proactively.
Rules on Cross-Border Transfers of Personal Data: The DPDP framework permits cross-border transfers, subject to conditions or restrictions notified by the Central Government. Organisations should review contractual arrangements and internal processes, as well as monitor regulatory updates to ensure compliance with the applicable rules.
Regulatory Oversight and Enforcement Mechanisms: Enforcement of the framework is entrusted to the Data Protection Board of India, a digital office with the authority to conduct inquiries and impose penalties up to INR 250 crore (~ USD 28.8 million). The Appellate Tribunal, also a digital office, provides a mechanism to challenge Board decisions.
Phased Implementation and Key Compliance Milestones
The implementation of the DPDP regime follows a phased approach, allowing organisations time to prepare for compliance:
- From November 2025, provisions relating to the establishment and functioning of the Data Protection Board have taken effect.
- From November 2026, obligations relating to Consent Managers will become effective, allowing individuals to centrally manage, review, and withdraw their consent through registered platforms.
- By May 2027, full operational and substantive compliance obligations for Data Fiduciaries and Data Processors will apply. Until then, existing requirements under the Information Technology Act, 2000 and its associated rules will continue to operate.
This phased rollout gives organisations a defined transition period to align internal processes, governance structures, technology systems, and contractual arrangements with the new data protection framework, while preparing for full compliance ahead of enforcement.
Conclusion
The notification of the DPDP Rules marks a key step in establishing an enforceable data protection framework in India. Businesses should proactively review their data processing activities, strengthen consent and security practices, and monitor regulatory developments, particularly around Significant Data Fiduciary designations and cross-border data transfer conditions. Early alignment with the DPDP Act and DPDP Rules will be essential to manage regulatory risk and support sustainable compliance in one of the world’s largest digital markets.
[1] Digital Personal Data Protection Rules, 2025, Ministry of Electronics and Information Technology Notification (13 November 2025), available at: https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf.
[2] Digital Personal Data Protection Act, 2023, Ministry of Law and Justice (Legislative Department) (11 August 2023), available at: https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf.
[3] DPDP Rules, 2025 Notified: A Citizen-Centric Framework for Privacy Protection and Responsible Data Use, Press Information Bureau, Government of India (17 November 2025), available at: https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/nov/doc20251117695301.pdf.