24 November 2025

FAQs | Digital Personal Data Protection Act, 2023: The Road To Data Compliance

BTG Advaya

Contributor

BTG Legal is an Indian law firm with particular focus on: defence; industrials; digital business; energy (renewables and nuclear); retail; transport (railways and electric vehicles); and financial services. Practices include corporate transactions, commercial contracting, public procurement, private equity, regulatory compliance, employment, disputes and white-collar crime.

As stakeholders across industries have been awaiting the practical implementation of the Digital Personal Data Protection Act, 2023 ("DPDPA"), the Digital Personal Data Protection Rules, 2025 ("DPDP Rules") have finally been released on November 14, 2025. These Rules, intended to operationalise the DPDPA, provide much-needed clarity on how provisions of the Act are expected to practically function. You can access the finalized version of the DPDP Rules here.

This marks a substantial transformation of India's data protection landscape. Considering the steep statutory penalties (not to mention reputational loss) for failure to comply, it is crucial for organizations to start charting out and implementing action plans to ensure data privacy compliance.

Below is a set of FAQs that break down these key elements:

1. When will the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025 come into effect and be enforced?

The DPDP Rules contemplate an incremental, phased implementation. The provisions establishing the Data Protection Board ("DPB") took effect on the date of publication of the DPDP Rules (i.e., November 14, 2025). Consent manager-related provisions are scheduled to take effect 12 months from the notification of the DPDP Rules (i.e., November 14, 2026). The bulk of the obligations, including those relating to privacy notices, obtaining verifiable consent for minors and persons with disabilities, instituting security safeguards and reporting personal data breaches, will be enforceable 18 months from the date of publication of the DPDP Rules (i.e., May 14, 2027).

This phased approach is intended to give businesses adequate time to align their personal data collection and processing practices with the DPDPA.

2. What categories of businesses are expected to comply with the DPDPA?

Compliance with the DPDPA does not depend on the nature of the entity or its line of business. The trigger is the processing of digital personal data of individuals, i.e., personal data collected in digital form, or collected offline and subsequently digitised. Processing outside India is also within scope, provided it is in connection with offering goods or services to Data Principals within India. Regardless of size or scale, every business must prepare for a structural shift across its operations and integrate data protection at every stage of its business.

3. Do businesses who engage in a lot of email marketing have to change their manner of obtaining consent?

Yes. Under the DPDPA, consent for processing personal data must be obtained through a clear, affirmative action. The biggest overhaul for businesses under the DPDPA is likely to be the redesign of their 'consent management' systems, from incorporating explicit, per-purpose consent options to implementing tools capable of recording and managing consent throughout the data lifecycle.

The DPDPA mandates that consent be 'free, specific, informed and unambiguous'. The first time a business sends a request for consent (for instance, for marketing emails), a standalone, easy-to-understand and accessible privacy notice must be provided, explaining the personal data proposed to be collected and the purpose of its processing. Additionally, the procedure for withdrawing consent, making a complaint to the DPB and exercising the other statutory rights under the DPDPA has to be outlined in this notice. Lastly, the notice should link to the website or app of the Data Fiduciary (the entity that determines the purpose and means of processing) through which these rights can be exercised. Generic or hidden terms, pre-ticked checkboxes, bundled consent covering multiple purposes, etc., will not work.

Even entities that obtained consent before the DPDPA's enforcement must bring that consent into compliance and are required to provide Data Principals with privacy notices.

4. What additional measures should organizations collecting sensitive personal data, such as health-tech or fintech companies, undertake?

The DPDPA does not categorize personal data into types, and the obligations are the same for all personal data. That said, a separate class of data fiduciaries has been identified under the DPDPA, i.e., 'Significant Data Fiduciaries' ("SDFs"), which the Central Government designates by notification; the volume and sensitivity thresholds for that designation are yet to be defined. However, large businesses operating in consumer-facing industries such as banking, e-commerce, health-tech, etc., should be prepared to undertake additional steps, such as appointing a Data Protection Officer based in India and conducting annual data protection impact assessments and audits.

5. How should businesses handle personal data breaches? What sorts of data breaches will need to be reported?

The ideal scenario is to have precautionary measures that prevent breaches in the first place. Businesses should establish adequate IT security, access controls and cyber security safeguards, which could include credential-based access controls, encryption of personal data, data backups, and logging and monitoring so that unauthorised access can be detected and the event reconstructed afterwards.

Indian law does not set a 'severity' threshold for reporting breaches. Any personal data breach, irrespective of impact or nature, must be reported to both the DPB and each affected Data Principal. A personal data breach here means any unauthorised processing of, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to, personal data that compromises its confidentiality, integrity or availability. The affected Data Principals must be informed without delay; the DPB must receive an initial intimation without delay, followed by a detailed report within 72 hours of the business becoming aware of the breach (or such longer period as the DPB allows on a written request). Because the clock runs from awareness, businesses will need mechanisms to detect breaches, assess impact, contain the risk and notify users and the authorities within that window.

6. What should business contracts with third-party data processors or cloud vendors incorporate?

Vendor agreements must be carefully calibrated, since the responsibility of ensuring compliance with the DPDPA by a Data Processor remains on the Data Fiduciary. Agreements should mandate that the vendor establish similar security safeguards for personal data as required of Data Fiduciaries. Organizations must also include clauses requiring Data Processors to assist them with data breach notifications, consent withdrawals, erasure of personal data, etc.

7. How should companies who rely on global shared services and cloud infrastructure comply with the DPDPA?

Currently, and by default, cross-border transfer of personal data is permitted under the DPDPA; there is no 'data localization' requirement at present. However, the Central Government is empowered under the DPDPA to notify a 'blacklist' of countries to which transfer of personal data is restricted. Additionally, the Government may stipulate restrictions on personal data being made available to foreign states or to persons or entities acting as their agencies, and may also specify certain data which SDFs are not permitted to transfer outside India.

Multinational entities with operations in India should plan a long-term data compliance strategy. It is advisable to build a flexible data architecture, possibly establishing data centres locally in India to mitigate any future restrictions, and to include adaptable contractual clauses to guard against a 'change in law' scenario.

8. What obligations are required to be followed by a business if their services are geared towards children and/or persons with disability?

The first step is to obtain the verifiable consent of the child's parent or legal guardian; Data Fiduciaries also need to establish the identity of that person and confirm their relationship with the minor. Businesses are required to adopt 'appropriate technical and organizational measures' and observe due diligence in confirming parental consent. Such measures may rely on details of the parent already available with the business, or on voluntarily provided details of identity and age by way of a virtual token mapped to those details (issued by an authorized entity). Businesses are also prohibited from tracking or behaviourally monitoring children and from directing targeted advertising at children.

The DPDP Rules introduce an obligation which stipulates that verifiable consent for a person with disability may be obtained only from a legal guardian duly appointed by competent authorities under guardianship laws.

9. What are the timelines for retaining of personal data by Data Fiduciaries?

Except where retention is legally required, personal data must be erased upon withdrawal of consent by the Data Principal or once the specified purpose has been served. The DPDP Rules additionally mandate distinct retention periods for designated classes of Data Fiduciaries. For instance, e-commerce entities with at least 2 crore (20 million) registered Indian users must not retain personal data beyond 3 years from the Data Principal's last interaction, except for certain purposes such as permitting users to access their account and/or virtual tokens exchangeable for money, goods or services. At least 48 hours before such erasure, the Data Principal must be notified that the data will be erased unless they log in or otherwise initiate contact. Data Fiduciaries must also retain personal data, associated traffic data and other logs for at least one year where these are required for the purposes listed in Schedule VII for the State or its instrumentalities.

10. What do businesses have to do if a customer withdraws their consent or requests for erasure of their personal data?

Data Principals can withdraw their consent to processing, or request correction or erasure of their data. Such requests should be addressed within a 'reasonable time'. Practically, this means halting processing, removing the customer's data from the entity's systems, and ensuring that any third-party Data Processors holding the data do the same. An exemption from erasure is available where retention is required for the specified purpose or under law; withdrawal still halts further processing in that case.
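The consent, withdrawal and retention mechanics described in FAQs 3, 9 and 10 above, as an added illustrative example. This is not code from the original article or from BTG Advaya, and it is not a form prescribed by the Act or the Rules; it shows one way an engineering team might implement the rules the FAQs describe: a purpose-scoped consent ledger that records only purposes the Data Principal individually affirmed (no pre-ticked or bundled grants), halts processing immediately on withdrawal, propagates erasure to downstream Data Processors unless a legal hold applies, and a retention clock for the three-year inactivity rule with its 48-hour notice window. The purpose names, principal identifiers, processor names, the 'tax-records' hold label and the timestamp are constructed; the three-year period is approximated as 3 × 365 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention parameters as described in the article (3 years, 48-hour notice);
# the 3-year period is approximated as 3 * 365 days for illustration.
INACTIVITY_RETENTION = timedelta(days=3 * 365)
ERASURE_NOTICE = timedelta(hours=48)
# Constructed sample timestamp, after the 18-month enforcement date.
T0 = datetime(2027, 6, 1, tzinfo=timezone.utc)


@dataclass
class Consent:
    purpose: str
    notice_version: str            # the standalone notice the principal actually saw
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class ErasureTask:
    principal_id: str
    purpose: str
    reason: str                    # "withdrawal" or "purpose_fulfilled"
    notify_processors: list        # downstream processors that must erase too
    blocked_by: Optional[str]      # legal basis for retention, if erasure is blocked


class ConsentLedger:
    """One consent record per (principal, purpose); nothing bundled, nothing implied."""

    def __init__(self, processors):
        self.processors = list(processors)          # vendors holding copies of the data
        self._consents: dict = {}                   # (principal, purpose) -> Consent
        self._legal_holds: dict = {}                # (principal, purpose) -> legal basis
        self.audit: list = []                       # (when, event, principal, purpose)
        self.erasures: list = []                    # executable ErasureTasks

    def grant(self, principal_id, offered, affirmed, notice_version, now):
        """`offered` is what the notice disclosed; `affirmed` is what the principal
        actively ticked. A purpose offered but not affirmed is NOT consented to."""
        if not set(affirmed) <= set(offered):
            raise ValueError("cannot affirm a purpose the notice never disclosed")
        for purpose in affirmed:
            self._consents[(principal_id, purpose)] = Consent(purpose, notice_version, now)
            self.audit.append((now, "grant", principal_id, purpose))
        return sorted(affirmed)

    def may_process(self, principal_id, purpose):
        c = self._consents.get((principal_id, purpose))
        return c is not None and c.withdrawn_at is None

    def withdraw(self, principal_id, purpose, now):
        """Halt processing at once; schedule erasure unless a legal hold applies."""
        c = self._consents.get((principal_id, purpose))
        if c is None or c.withdrawn_at is not None:
            return None                             # nothing active to withdraw
        c.withdrawn_at = now
        self.audit.append((now, "withdraw", principal_id, purpose))
        return self._schedule_erasure(principal_id, purpose, "withdrawal", now)

    def purpose_fulfilled(self, principal_id, purpose, now):
        """Purpose served: stop processing and erase, as with withdrawal."""
        if (principal_id, purpose) in self._consents:
            self._consents[(principal_id, purpose)].withdrawn_at = now
        return self._schedule_erasure(principal_id, purpose, "purpose_fulfilled", now)

    def legal_hold(self, principal_id, purpose, legal_basis):
        self._legal_holds[(principal_id, purpose)] = legal_basis

    def _schedule_erasure(self, principal_id, purpose, reason, now):
        hold = self._legal_holds.get((principal_id, purpose))
        task = ErasureTask(principal_id, purpose, reason, list(self.processors), hold)
        if hold is None:
            self.erasures.append(task)              # fiduciary and processors must erase
        self.audit.append((now, "erase" if hold is None else f"retain:{hold}",
                           principal_id, purpose))
        return task


def inactivity_action(last_contact, now):
    """Three-year inactivity clock: 'keep', 'notify' (inside the 48h window), or 'erase'.
    Any log-in or contact by the principal resets `last_contact` and restarts the clock."""
    deadline = last_contact + INACTIVITY_RETENTION
    if now >= deadline:
        return "erase"
    if now >= deadline - ERASURE_NOTICE:
        return "notify"
    return "keep"


def demo():
    """Constructed scenario: a notice offers two purposes, the principal ticks one."""
    ledger = ConsentLedger(processors=["mail-vendor", "analytics-vendor"])
    granted = ledger.grant("dp-1", ["order_fulfilment", "marketing"],
                           ["order_fulfilment"], "notice-v1", T0)
    task = ledger.withdraw("dp-1", "order_fulfilment", T0 + ERASURE_NOTICE)
    ledger.grant("dp-2", ["invoicing"], ["invoicing"], "notice-v1", T0)
    ledger.legal_hold("dp-2", "invoicing", "tax-records")   # constructed legal basis
    held = ledger.withdraw("dp-2", "invoicing", T0 + ERASURE_NOTICE)
    return {
        "granted": granted,
        "marketing_allowed": ledger.may_process("dp-1", "marketing"),
        "after_withdrawal_allowed": ledger.may_process("dp-1", "order_fulfilment"),
        "notify_processors": task.notify_processors,
        "held_blocked_by": held.blocked_by,
        "held_allowed": ledger.may_process("dp-2", "invoicing"),
        "pending_erasures": len(ledger.erasures),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that withdrawal and erasure are separate state transitions: a legal hold blocks erasure but never re-enables processing, and every processor that received the data appears on the erasure task so the Data Fiduciary can evidence that downstream copies were handled, which is the obligation FAQ 6 places on it.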

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
