ARTICLE
26 November 2025

India's New Data Privacy Regime: How Smart Companies Will Use The Next Eighteen Months

Lexplosion Solutions Private Limited

Contributor

Lexplosion Solutions is a leading Legal-Tech company providing legal risk management solutions in the areas of compliance management, audits, contract lifecycle management, litigation management and corporate governance. Lexplosion merges disruptive technology with legal domain expertise to create solutions that increase efficiency and reduce costs.

Introduction

After a long wait, the Digital Personal Data Protection ("DPDP") Rules, 2025 [1] were finally published on November 13, 2025. With that, India's new privacy regime is now formally in motion. The DPDP Act [2] has been in place since August 2023, but the Rules complete the operational framework that businesses have been waiting for. For the first time, organisations have clarity on what will be expected and by when. The transition window is no longer theoretical. It has started.

The Rules adopt a phased enforcement model. The provisions needed to establish the Data Protection Board take effect immediately. The consent manager framework becomes operational after twelve months. The core compliance obligations, however, apply after eighteen months. This structured rollout recognises that the government needs time to set up the enforcement machinery and that organisations need time to bring their systems and processes in line with the new requirements.

We have been writing about these developments for more than a year and have conducted several webinars explaining the evolution of India's privacy framework. Those who want the complete background can refer to those earlier discussions [3]. This blog focuses on what matters now. The Rules are notified. The timelines are clear. Every organisation has eighteen months to prepare for a far more comprehensive and rights-based regime.

The Background

Before we explore how that time should be used, it is helpful to understand the shift in the legal landscape.

For nearly two decades, personal data was governed by the Information Technology Act, 2000 [4] and the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules of 2011 [5]. That regime was narrow. It applied only to specific categories of sensitive personal data. It required privacy policies, basic consent, and reasonable security practices. It did not create meaningful rights for individuals. It did not specify timelines for breach reporting, grievance handling, deletion or rights requests. Contractual obligations for processors were minimal, and enforcement was limited.

The DPDP Act changes the framework entirely. Its obligations apply to all digital personal data. Consent must be free, specific, informed and unambiguous. Notices must explain the purpose of processing and the rights available. Data can be processed only for lawful purposes and only to the extent necessary for the specified purpose. Individuals have rights of access, correction, erasure and grievance redressal. Data fiduciaries must implement reasonable security safeguards, report breaches, and erase data when the purpose is no longer served. There are strict conditions for processing children's data, including verifiable parental consent and restrictions on tracking, monitoring or targeted advertising. Significant data fiduciaries, a category which is yet to be clearly defined, will have additional responsibilities, such as appointing a data protection officer based in India and undergoing periodic audits or assessments.

The consequences of breach can be severe. The DPDP Act contains a detailed penalty framework in its Schedule. The Data Protection Board can impose financial penalties for a range of violations, and these are linked to the nature of the non-compliance. These include:

  • Up to Rs. 250 crores for failure to take reasonable security safeguards to prevent a personal data breach;
  • Up to Rs. 200 crores for failure to notify the Board and affected individuals of a personal data breach;
  • Up to Rs. 250 crores for non-fulfilment of obligations relating to children's data; and
  • Up to Rs. 150 crores for failure to act in accordance with the obligations of a significant data fiduciary.

Needless to say, these penalties are not automatic. The Board is required to consider the nature and gravity of the breach, the duration, the type of personal data involved, the likelihood of harm, whether the fiduciary has gained any benefit from the violation, and whether reasonable efforts were made to prevent the incident. Even so, the ceiling amounts reflect the seriousness with which the new regime views compliance.

This brings us to the practical question. How should smart companies use the time they have?

The next eighteen months: A guidance note for smart companies

The suggestions below are an indicative set of steps meant to give businesses a sense of how to structure the transition. They are not exhaustive and will need to be adapted to each organisation's specific context. They also focus only on areas that fall within the natural scope of lawyers, compliance teams and governance professionals. We are not touching on IT infrastructure or security architecture, which require their own specialised expertise.

Quarter 1 (Months 1 to 3): Foundation, Scoping and Discovery

Objective: Understand what you have, how it flows and where it violates the Act

This quarter is about establishing the baseline. Without a clear view of what you collect and how you use it, compliance work cannot move forward in any meaningful way.

  • Map all personal data collected, the source of that data and where it is stored across the organisation.
  • Understand who has access to personal data and whether that access is justified.
  • Review existing privacy notices to identify gaps against the DPDP requirements.
  • Review consent processes to check whether they meet DPDP standards.
  • Assess readiness for breach reporting and grievance timelines.
  • Review how data subject rights are currently handled and where immediate improvements are needed.

Quarter 2 (Months 4 to 6): Design Phase (Notices, Consent, Workflows, Processes)

Objective: Translate legal text into operational processes

With the baseline in place, the next step is designing what compliance will look like in practice.

  • Redesign privacy notices across web, mobile, HR and vendor touchpoints so that individuals understand the purpose, rights and other information mandated by the DPDP Act.
  • Rebuild consent processes, including withdrawal and tracking mechanisms, to meet the new standards.
  • Identify where fresh consent is required because earlier consent was unclear or bundled.
  • Design age verification and parental consent procedures where children's data is involved.
  • Create retention rules and deletion workflows for each department.

Quarter 3 (Months 7 to 9): Technology Build, Remediation and Implementation

Objective: Implement what was designed and fix long-standing issues

This quarter is about execution. The focus is on converting designs into working processes.

  • Clean up data by removing redundant fields, merging duplicates and deleting stale data.
  • Tighten access controls to align with purpose limitation.
  • Automate data subject rights workflows such as access, correction, erasure and nomination.
  • Finalise and roll out updated data processor and vendor contracts to the extent required.

Quarter 4 (Months 10 to 12): Testing, Pilots and Behavioural Change

Objective: Move from documents to real-world behaviour and ensure things work

This is where organisations find out whether their compliance programme works beyond paper.

  • Pilot redesigned processes across key functions to identify real-world gaps.
  • Run breach simulations to test alerting, reporting and evidence capture.
  • Train employees across teams on DPDP responsibilities and everyday good practices.
  • Update audit checklists to include DPDP controls and use them in internal reviews.

Quarter 5 (Months 13 to 15): Full Scale Rollout and Compliance Assurance

Objective: Achieve actual readiness, not checklist readiness

By now, the organisation should be ready for full operational rollout.

  • Deploy DPDP-ready systems and processes across all business units.
  • Activate automated deletion routines in line with retention rules.
  • Update all public and employee-facing privacy notices.
  • Verify data processor compliance through targeted audits.

Quarter 6 (Months 16 to 18): Audit, Certification and Continuous Compliance Integration

Objective: Move from readiness to continuous compliance

The last quarter focuses on validation and long-term sustainability.

  • Conduct a full internal DPDP audit across all functions.
  • Validate notices, consents, deletion practices and rights handling end to end.
  • Review breach and grievance handling performance and strengthen gaps.

Conclusion

The DPDP Act and Rules mark a significant shift in how personal data will need to be handled in India. The new regime is broader, clearer and far more rights-driven than the framework that existed under the IT Act and the SPDI Rules. The eighteen-month transition window provides businesses with a practical opportunity to prepare, but it is not a long time. Organisations that start early, plan deliberately and build compliance into their everyday operations will be able to meet their obligations with confidence. Those that delay may find themselves struggling to catch up once enforcement begins. The next eighteen months are an opportunity to put the right foundations in place and build a privacy programme that will hold up for the long term. For an independent assessment of your readiness, feel free to reach out to us.

How Komrisk can simplify your data privacy compliance journey

Komrisk, our compliance risk management solution, can play a critical role in your compliance journey. Komrisk functions as a repository of relevant compliance obligations for the DPDP and other legislation in the form of simple actionable tasks. With the ability to upload tangible evidence of compliance, Komrisk validates the completion of compliance tasks by helping organisations streamline compliance tracking, centralise documentation, and generate audit-ready reports when required. By evaluating potential risks associated with pending compliances across all entities, operating units, and departments, Komrisk offers a comprehensive, real-time view of the organisation's compliance landscape, helping to identify gaps and prioritise actions effectively.

Beyond technology, Lexplosion also supports organisations through DPDP preparedness surveys and audits. Our expert-led assessments benchmark your current state against Data Privacy requirements, highlight compliance gaps, and provide a structured action plan tailored to your operations.

If you're looking to simplify your compliance journey, strengthen your data-protection compliance, and prepare early for the DPDP regime—we're here to support you every step of the way.

Get in touch with us for a discussion/demo.

[Figure: A practical roadmap for companies to achieve data privacy compliance readiness]

Footnotes

1. Digital Personal Data Protection Rules, 2025: https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf

2. Digital Personal Data Protection Act, 2023: https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf

3. Assessing Organisational Readiness for the Upcoming DPDPA Regime Webinar, 2025: https://lexplosion.in/knowledge-centre/lexplosion-webinars/assessing-organisational-readiness-for-the-upcoming-dpdpa-regime-strategies-to-ensure-compliance-and-strengthen-data-privacy/

   Preparing Businesses for the New Data Protection Regime Webinar, 2023: https://lexplosion.in/knowledge-centre/lexplosion-webinars/preparing-businesses-for-the-new-data-protection-regime-key-compliance-indicators/

   White Paper on Privacy and Progress: Pillars of Digital Bharat: https://lexplosion.in/white-paper-on-privacy-and-progress-pillars-of-digital-bharat/

   Summary of the Digital Personal Data Protection Rules, 2025: https://lexplosion.in/summary-of-the-digital-personal-data-protection-rules-2025/

4. Information Technology Act, 2000: https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf

5. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011: https://prsindia.org/files/bills_acts/bills_parliament/2011/IT_Rules_2011.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
