India Enters a New Data Era: What the DPDP Rules Mean for Data Governance

Notified last week, the rules take effect immediately while phasing in major duties over the next 18 months, giving enterprises time to overhaul their data practices under a more centralized governance model.


    India’s long-promised data protection regime is taking shape, not with a dramatic switch but through a phased rollout that begins now and stretches over the next year and a half.

    The government’s notification of the Digital Personal Data Protection Rules, 2025, last week has brought the two-year-old law to life and set deadlines for companies that will soon have to rethink how they collect and use personal information.

    What takes effect immediately is the enforcement machinery. The government has begun setting up the Data Protection Board (DPB) in New Delhi, a small yet central body that will handle complaints, review data breaches, and impose penalties of up to ₹250 crore (approximately $28 million) for each violation. 

    The Board will be led by a Chairperson and up to three members with experience in fields such as cybersecurity, information technology, law and privacy. It will step in only when a company’s internal complaint process has been exhausted or when a matter is referred to it by the government or a court.

    Legal expert Jyotsna Jayaram, a partner at the law firm Trilegal, said the Board was designed to play a precise role. 

    “The DPB is a central, specialized enforcement body that steps in only after an organization’s grievance process is exhausted,” she said. “It does not have suo motu powers and cannot issue guidance or policy. Its mandate is limited to adjudicating complaints and imposing penalties for non-compliance.” 

    She said this makes the Board a focused enforcement arm rather than a full-fledged regulator with wider policymaking authority.

    Jayaram said the DPB’s effectiveness will depend on how quickly it can staff up and establish transparent processes. Still, structurally it marks “a significant shift toward more coherent, centralized enforcement” of personal data rights in India. 

    The rules take effect in phases. Some provisions apply immediately, others after 12 months, and the bulk of the operational requirements become mandatory after 18 months. Jayaram said companies now have “an 18-month runway to comply with most substantive requirements,” while specific responsibilities, such as appointing consent managers, come into effect after 12 months.

    Consent managers are independent services that help people manage their permissions across digital platforms. 

    Jayaram said that even with the staggered timeline, companies have substantial work ahead of them. They will need to map what data they collect, understand why they collect it and design systems to give people access to, or delete, their information on request. These steps will raise practical questions around how companies seek consent, how long they retain information, and how they verify user requests.

    She said, “The rules also give the government the option to specify categories of data that certain companies must process entirely within India.” She contrasted this with Europe’s system. “Unlike the EU GDPR, the Indian law does not rely on mechanisms like adequacy findings or standard contractual clauses before data can be sent abroad,” she said. “Instead, cross-border transfers are generally allowed unless the government notifies specific territories where transfers will be restricted.” 

    She said such restrictions would likely be based on national security or geopolitical concerns, making India’s approach “more permissive than its EU counterpart in most cases.”

    Jayaram added that while lawmakers initially considered penalties tied to a company’s turnover, the final law uses fixed penalties for specific violations. She said this should encourage companies to build privacy considerations into their systems rather than viewing compliance as a checklist exercise.

    Industry groups, meanwhile, said the notification gives companies the clarity they have been seeking for months. 

    IT industry body Nasscom said the rules offer practical timelines and clear expectations. The Data Security Council of India, a privacy and security body supported by Nasscom, said the final rules stay close to the draft but introduce a predictable phased approach to enforcement. 

    Both Nasscom and DSCI stated that unresolved issues, such as the age at which children can give consent and the requirement to notify all breaches, stem from the Act itself and cannot be addressed through the rules.

    For individuals, the rules expand access rights. People can ask to see, correct or delete their data and can authorize someone else to make these requests for them.

    Companies, referred to in the law as ‘data fiduciaries,’ the Act’s term for any entity that determines why and how personal information is collected and used, will have 90 days to respond to requests from individuals asking to access, correct or delete their data.

    They must also publish contact details for data-related queries, use clear consent notices and erase personal data once a user has not interacted with them for three years, giving the user at least 48 hours’ notice before the deletion.
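    As an added illustration, not code from the article or from any organisation it quotes, the Python below sketches how a data fiduciary might implement the inactivity-based erasure timeline described above: a periodic sweep that flags accounts inactive for three years, records when the 48-hour notice went out, and erases only after that notice period has elapsed with no further interaction. The record layout, the sample accounts and the choice to treat a post-notice interaction as cancelling the pending erasure are assumptions made for the example; the statutory figures are as the article reports them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple

# Retention parameters as the article states them: erase after three years of
# inactivity, with at least 48 hours' notice to the user before the erasure.
INACTIVITY_PERIOD = timedelta(days=3 * 365)
NOTICE_PERIOD = timedelta(hours=48)


class Action(Enum):
    NONE = "none"            # still active, or notice sent and still pending
    SEND_NOTICE = "notice"   # inactivity period reached: warn, do not erase yet
    ERASE = "erase"          # notice period elapsed without further interaction


@dataclass
class Record:
    """Hypothetical per-user record kept by the fiduciary (assumed layout)."""
    user_id: str
    last_interaction: datetime            # any interaction resets the clock
    notice_sent_at: Optional[datetime] = None


def retention_action(rec: Record, now: datetime) -> Action:
    """Decide what the sweep should do with one record at time `now`."""
    # Assumption: an interaction after the notice was sent cancels the erasure
    # and clears the notice, so a fresh notice is needed before any later erase.
    if rec.notice_sent_at is not None and rec.last_interaction > rec.notice_sent_at:
        rec.notice_sent_at = None
    if now - rec.last_interaction < INACTIVITY_PERIOD:
        return Action.NONE
    if rec.notice_sent_at is None:
        return Action.SEND_NOTICE
    if now - rec.notice_sent_at >= NOTICE_PERIOD:
        return Action.ERASE
    return Action.NONE


def run_sweep(records: List[Record], now: datetime) -> Tuple[List[str], List[str]]:
    """Apply one sweep: stamp notices, return ids to notify and ids to erase."""
    to_notify, to_erase = [], []
    for rec in records:
        action = retention_action(rec, now)
        if action is Action.SEND_NOTICE:
            rec.notice_sent_at = now
            to_notify.append(rec.user_id)
        elif action is Action.ERASE:
            to_erase.append(rec.user_id)
    return to_notify, to_erase


def sample_records(now: datetime) -> List[Record]:
    """Constructed sample data covering the main states of the timeline."""
    return [
        # recent activity: nothing to do
        Record("active", now - timedelta(days=30)),
        # four years idle, never notified: notice goes out this sweep
        Record("dormant", now - timedelta(days=4 * 365)),
        # four years idle, notified three days ago: erase this sweep
        Record("noticed", now - timedelta(days=4 * 365), now - timedelta(days=3)),
        # notified, then the user came back yesterday: erasure cancelled
        Record("returned", now - timedelta(days=1), now - timedelta(days=3)),
        # notified an hour ago: still inside the 48-hour window
        Record("pending", now - timedelta(days=4 * 365), now - timedelta(hours=1)),
    ]


def demo() -> Tuple[List[str], List[str], str, str]:
    """Run the scenario; returns (notified, erased, dormant@47h, dormant@48h)."""
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    records = sample_records(now)
    notified, erased = run_sweep(records, now)
    dormant = next(r for r in records if r.user_id == "dormant")
    # The "dormant" account was just notified; it may be erased only once
    # the full 48 hours have passed.
    early = retention_action(dormant, now + timedelta(hours=47)).value
    late = retention_action(dormant, now + timedelta(hours=48)).value
    return notified, erased, early, late


if __name__ == "__main__":
    notified, erased, early, late = demo()
    print("notify:", notified)          # ['dormant']
    print("erase:", erased)             # ['noticed']
    print("dormant after 47h:", early)  # none
    print("dormant after 48h:", late)   # erase
```

    The sweep is idempotent within the notice window: re-running it an hour later sends no second notice to “dormant” and still leaves it unerased, which is the property an auditor would check. A production version would persist the notice timestamp and the erasure itself in an audit log, since the same 90-day access and deletion requests described above can arrive while an account is in the notice window.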

    The new regime also requires stronger security measures such as encryption, data masking and breach-detection tools. Any data breach must be reported to affected users and to the Board. The government keeps wider discretion in cases where personal data is processed for public benefits, including certain exemptions for children’s data.

    Technology leaders said the transition will reshape how companies operate. Sanket Atal, Senior Vice President and Country Head at OpenText India, called the rules “one of the most consequential shifts in India’s data governance framework.” 

    He said they stress “verifiable consent, clear accountability and real-time breach visibility,” and that these expectations “move organizations from passive data collection to active data stewardship.”

    Atal said companies with older systems will feel the strain first. “Today, many Indian enterprises operate with legacy applications sitting alongside multi-cloud deployments, making it difficult to track how personal data is collected, shared, stored and deleted,” he said. 

    To comply, organizations will need accurate data maps, standard retention practices and stronger controls on who can access information. He said this will be important as companies prepare for tighter breach-reporting rules and stricter consent standards.

    He said that sectors such as banking, healthcare, e-commerce and citizen services will have to overhaul deeply rooted data practices. “This is where the real challenge begins,” he said. “Compliance cannot be limited to a documentation exercise anymore. It has to become part of how work happens every day.”
