Published on 19. December 2025

India’s DPDPA 2023 activates with 2025 Rules, revolutionizing data privacy enforcement

Rahul Oza
Partner
Vivek Balakrishnan
Senior Associate
The Digital Personal Data Protection Act, 2023 (DPDPA/ Act) ushers in a comprehensive framework to govern the processing of digital personal data, balancing individual privacy rights with business and governmental needs. This legislation, along with the Digital Personal Data Protection Rules 2025 (DPDP Rules), places new regulatory compliance responsibilities on organizations across sectors, including IT/ITES, manufacturing, trading, services and research and development (R&D), with a focus on safeguarding personal data.

Applicability and Sector Specific Implications

The DPDPA applies broadly to the processing of personal data that is collected digitally or digitized in India, as well as to processing activities targeting Indian residents. Whether they handle employee information, customer data, supplier contacts, or experimental data in R&D projects, enterprises must recognize that they take on data fiduciary obligations under the Act. This is especially relevant for small and medium-sized Mittelstand companies engaging in digital transactions and data-driven operations, which may be newly subject to such detailed regulatory oversight.

Key Compliance requirements for entities collecting and processing personal data

  1. Consent Management: Organizations must obtain explicit, informed, and specific consent from individuals (data principals) before processing their data. The consent process mandates transparency about the purposes of data collection and the individual's rights, including a clear option to withdraw consent as easily as it was granted. Note: Legacy data collected before the Act's enforcement likewise requires retroactive notification and an opportunity to give or refuse consent.
  2. Data Minimization and Processing Purpose: Data collection and processing must be limited to what is necessary for specified, lawful purposes. For instance, manufacturing companies using employee data for HR functions or IT firms processing client data for service delivery must limit data scope accordingly.
  3. Reasonable Security Safeguards: All data fiduciaries (the equivalent of controllers: the parties who are the first point of contact with the data principal and who decide why data should be collected) are mandated to implement robust security measures, including encryption, access control, periodic audits, and breach detection mechanisms. Logs must be retained for at least one year so that unauthorized access to personal data can be traced and mitigated.
  4. Breach Notification: In case of personal data breaches, organizations must inform affected individuals promptly and report detailed breach information to the Data Protection Board (DPB) within a maximum window of 72 hours.
  5. Data Protection Officer (DPO) and Audit Obligations: Entities classified as Significant Data Fiduciaries (SDFs), a classification based on the volume and sensitivity of the data processed and the potential risk, must appoint an Indian-resident DPO, conduct periodic data protection impact assessments and independent audits, and ensure compliance with prescribed governance standards. However, the provisions relating to SDFs have not been notified as of the date of writing and are expected to come into force on 13 May 2027.
  6. Exemptions and Conditional Relief: Smaller organizations, including some startups and MSMEs, may receive relief notifications exempting them from certain obligations such as appointing a DPO or conducting audits. Basic consent, security, and grievance mechanisms nevertheless remain mandatory. The provisions relating to startups and MSMEs have likewise not been notified as of the date of writing and are expected to come into force on 13 May 2027.

Rights of Individuals

The Act empowers individuals with new rights, including access to their personal data, correction or erasure requests, withdrawal of consent, and grievance redressal mechanisms. Organizations must implement transparent procedures to facilitate these rights, which directly affect customer service, HR practices, and trading partner engagements.

For R&D operations, the Act allows processing for research and archiving purposes under strict standards, which ensure that no decision affecting an individual is made solely on the basis of that data without appropriate safeguards.

Enforcement Timeline

Phase 1 – 13 November 2025 – Commencement of the Act

  • The Act officially comes into force.
  • Establishment of the Data Protection Board of India (DPB) as the central authority for enforcement.
  • Definitions, rule-making powers, and transitional arrangements become effective.
  • Organizations should begin preparing governance frameworks, mapping data flows, and reviewing privacy policies to align with the Act.

Phase 2 – 13 November 2026 – Consent Manager Registration Obligations

  • Consent Managers must register with the DPB and comply with operational standards.
  • Key responsibilities include:
      • Maintaining records of consents given, denied, and withdrawn for at least 7 years.
      • Ensuring secure handling of personal data and preventing unauthorized access.
      • Acting in a fiduciary capacity without conflicts of interest.
  • Businesses using third-party consent management platforms must verify compliance and update contracts accordingly.

Phase 3 – 13 May 2027 – Full Compliance Requirements in Force

All operative provisions of the Act become mandatory, including:

  • Notice and Consent: Clear, plain-language notices and verifiable consent mechanisms.
  • Grounds for Processing: Lawful basis for data collection and usage.
  • Obligations of Data Fiduciaries: Security safeguards, breach reporting, retention, and erasure protocols.
  • Children’s Data: Verifiable parental consent and age verification.
  • Significant Data Fiduciary (SDF) Obligations:
      • Appointment of a Data Protection Officer (DPO).
      • Annual Data Protection Impact Assessments (DPIA) and independent audits.
      • Algorithmic risk verification and restrictions on sensitive data transfers outside India.
  • Rights of Data Principals: Access, correction, erasure, consent withdrawal, and grievance redressal.
  • Cross-border Data Transfers: Subject to government restrictions and conditions.
  • Research Exemptions: Limited exemptions for archiving and statistical purposes under strict standards.

Enforcement and sanctions

The Data Protection Board of India stands as the central enforcement authority, with powers to investigate violations, impose significant penalties (up to ₹250 crore in severe cases), and mandate remediation actions. The Board will also oversee grievance redressal, mediation, and sanction appeals through a digitalized and expedited process.

Our remarks

Companies in manufacturing, trading, IT, services and R&D cannot afford to overlook these enforcement mechanisms. Penalties carry severe financial implications and reputational risks, especially for medium-sized enterprises expanding their digital operations or handling sensitive personal data across borders.