The BGA India team, led by Managing Director Anuj Gupta, wrote an update to clients on India’s Digital Personal Data Protection Rules.

Context

  • The Ministry of Electronics and Information Technology notified the Digital Personal Data Protection (DPDP) Rules, 2025, on November 14, thereby operationalizing the DPDP Act, 2023 — India’s first comprehensive data protection and governance law. These rules mark a turning point in India’s digital governance by laying down detailed obligations for entities processing personal data — called “data fiduciaries” — and codifying rights for individuals, such as consent management, data access, correction and deletion. Indian and foreign companies that collect and process personal data for Indian users are fully covered under these rules, making compliance a critical priority.
  • The framework introduces phased implementation: foundational provisions like definitions and the constitution of the Data Protection Board take effect immediately, while core compliance requirements — such as consent mechanisms and breach notifications — will become mandatory over the next 12-18 months. This staggered rollout aims to balance regulatory rigor with business readiness. Noncompliance can attract steep penalties, making early gap assessments and compliance planning critical for organizations across sectors, from e-commerce and fintech to social media and government services.
  • Businesses in India must now adopt privacy-by-design principles; implement technical safeguards like consent management, encryption and pseudonymization; and ensure the timely erasure of personal data once its purpose is fulfilled. In the near term, experts caution that the rules may pose practical challenges for small and fast-growing firms lacking mature legal or security teams. The countdown to implementation has begun, and the next 18 months will be decisive. Businesses must map data flows, strengthen security layers, modernize consent systems, train staff and implement breach protocols to meet the new compliance regime.
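The safeguards named above (consent management, pseudonymization, purpose-bound erasure) map onto a small amount of engineering. The following is an added illustration, not BGA's code and not a reference implementation of the DPDP Rules: a minimal personal-data store that pseudonymizes direct identifiers with a keyed HMAC, refuses to process data for a purpose the individual has not consented to, and erases records once their purpose is fulfilled (or consent is withdrawn) and a retention grace period has elapsed. The key, grace period and sample records are constructed for the demo.

```python
"""Added illustration (not BGA's or MeitY's code): a purpose-bound personal-data
store with keyed pseudonyms, per-purpose consent gating and erasure on purpose
fulfilment. Key, grace period and sample data are constructed for the demo."""
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed demo key. A real deployment keeps this in a KMS/HSM; rotating it
# changes every pseudonym, which deliberately unlinks old and new records.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 of a direct identifier (e-mail, phone number, ...).
    Deterministic, so records can still be joined; infeasible to reverse
    without the key, unlike a plain unsalted hash of a low-entropy value."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class Record:
    pseudonym: str
    purpose: str
    collected_at: datetime
    payload: dict
    fulfilled_at: Optional[datetime] = None   # set when the purpose is met


@dataclass
class PersonalDataStore:
    """Records keyed by pseudonym; consent is tracked per purpose."""
    consents: dict = field(default_factory=dict)   # pseudonym -> set of purposes
    records: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # evidence trail for audits

    def grant_consent(self, identifier: str, purpose: str) -> str:
        p = pseudonymize(identifier)
        self.consents.setdefault(p, set()).add(purpose)
        self.audit_log.append(("consent", p, purpose))
        return p

    def collect(self, identifier: str, purpose: str, payload: dict, now: datetime) -> Record:
        """Store data only if the subject consented to this specific purpose."""
        p = pseudonymize(identifier)
        if purpose not in self.consents.get(p, set()):
            raise PermissionError(f"no consent for purpose {purpose!r}")
        rec = Record(p, purpose, now, payload)
        self.records.append(rec)
        self.audit_log.append(("collect", p, purpose))
        return rec

    def mark_fulfilled(self, rec: Record, now: datetime) -> None:
        rec.fulfilled_at = now

    def withdraw_consent(self, identifier: str, purpose: str, now: datetime) -> None:
        """Withdrawal ends the purpose for every open record under it."""
        p = pseudonymize(identifier)
        self.consents.get(p, set()).discard(purpose)
        for rec in self.records:
            if rec.pseudonym == p and rec.purpose == purpose and rec.fulfilled_at is None:
                rec.fulfilled_at = now

    def erase_due(self, now: datetime, grace: timedelta = timedelta(0)) -> int:
        """Erase records whose purpose is fulfilled and whose grace period has elapsed.
        Returns the number of records erased."""
        due = [r for r in self.records
               if r.fulfilled_at is not None and r.fulfilled_at + grace <= now]
        for r in due:
            self.records.remove(r)
            self.audit_log.append(("erase", r.pseudonym, r.purpose))
        return len(due)

    def count_for(self, identifier: str) -> int:
        p = pseudonymize(identifier)
        return sum(1 for r in self.records if r.pseudonym == p)


def demo() -> tuple:
    """Walk one constructed subject through consent, collection, fulfilment and erasure."""
    store = PersonalDataStore()
    t0 = datetime(2025, 11, 14, tzinfo=timezone.utc)   # constructed timestamp
    store.grant_consent("user@example.com", "order-fulfilment")
    store.grant_consent("user@example.com", "marketing")
    order = store.collect("user@example.com", "order-fulfilment", {"item": "x"}, t0)
    store.collect("user@example.com", "marketing", {"segment": "y"}, t0)
    try:
        store.collect("user@example.com", "profiling", {}, t0)   # no consent: refused
    except PermissionError:
        pass
    store.mark_fulfilled(order, t0 + timedelta(days=10))
    erased_early = store.erase_due(t0 + timedelta(days=11), grace=timedelta(days=30))
    erased_later = store.erase_due(t0 + timedelta(days=41), grace=timedelta(days=30))
    store.withdraw_consent("user@example.com", "marketing", t0 + timedelta(days=50))
    erased_after_withdrawal = store.erase_due(t0 + timedelta(days=50))
    return erased_early, erased_later, erased_after_withdrawal, store.count_for("user@example.com")


if __name__ == "__main__":
    print(demo())
```

The design point is that the pseudonym, not the raw identifier, is the join key throughout, so analytics and audit trails never need the e-mail address; and that erasure is driven by a recorded purpose end date rather than an ad hoc cleanup job, which is what an auditor will ask to see.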

Significance

  • The DPDP Act — enacted August 11, 2023 — establishes a robust framework for processing digital personal data in India, with extraterritorial reach for entities serving Indian residents. It mandates explicit, informed consent, introduces legitimate use exceptions for legal and emergency needs and enforces steep penalties for fiduciary breaches.
  • DPDP rules will be implemented in a phased manner, with some rules taking effect immediately (Rules 1, 2 and 17-21), while consent manager registration (Rule 4) applies after one year. The remaining provisions, including detailed compliance requirements (Rules 3, 5-16 and 23), will be enforced 18 months after publication. Businesses are recommended to prioritize immediate compliance and plan for consent architecture and full readiness within the timelines proposed.
  • Significant data fiduciaries — large platforms or those handling sensitive data — face enhanced obligations, including independent audits and impact assessments. The Indian government will determine who qualifies as such on a risk-based assessment rather than a numerical threshold. Such entities must appoint a data protection officer and conduct annual data protection impact assessments, audits and algorithmic fairness checks. Companies must proactively map data flows, assess localization risks and strengthen governance to avoid compliance gaps and operational disruption.

Implications

  • The DPDP rules demand a fundamental redesign of privacy notices, consent architecture, cross-border transfer compliance and significant data fiduciary obligations, backed by steep penalties of up to $30 million. If a data breach occurs, the data fiduciary must notify the user and the Data Protection Board within 72 hours, detailing the breach, its nature, timing, impact, mitigation steps and user safety measures. Compliance cannot be treated as a checklist; businesses must embed privacy and security into systems design, governance frameworks and organizational culture to ensure resilience and avoid enforcement risks.
  • The DPDP rules provide much-needed clarity in India’s data governance framework. However, ambiguity in some definitions and possible overlap in breach notification norms with the Indian Computer Emergency Response Team call for greater policy clarity. These factors, combined with tight timelines and infrastructure demands for encryption and log retention, will likely increase legal, technical and operational costs. Foreign companies must proactively budget for these upgrades, initiate audits and seek regulatory clarity to avoid compliance gaps and enforcement risks.

If you have questions or comments, please contact BGA India Managing Director Anuj Gupta at agupta@bowergroupasia.com.

Best regards,

BGA India Team