After many months of promising to do so, the Government of India has finally published the Digital Personal Data Protection Rules (‘Rules’), the subordinate legislation to India’s much-vaunted new privacy law, the Digital Personal Data Protection Act 2023 (‘Act’).
The publication of the Rules is highly significant as it provides concrete timelines within which the Act will be brought into effect and be made enforceable.
As expected, there is a preparatory period of 18 months before the law is enforced, allowing businesses to take compliance measures and put their houses in order. Businesses, however, can no longer kick the can down the road in the hope that the law will remain a paper tiger. Compliance by 13 May 2027 shall be mandatory, no matter the size of your business or how much such compliance will cost!
When does the DPDPA go into effect?
- Most provisions that should concern data fiduciaries (data controllers) shall become effective on 13 May 2027.
- Procedural provisions that relate to the commencement of the Act, allow the establishment of the regulator, the Data Protection Board of India (‘Board’), and confer rule-making powers came into effect immediately upon the notification of the Rules (on 13 November 2025).
- Provisions concerning the registration of Consent Managers with the Board, as well as the power to take action against Consent Managers that have breached their obligations, shall come into effect on 13 November 2026. ‘Consent Managers’ are entities that, while remaining ‘data blind’, act as intermediaries allowing individuals to manage the consent they have provided to multiple parties to process their personal data. These Consent Managers are intended to act as a single point of contact allowing the data principal (data subject) to manage, review or revoke consent.
Why was the law brought into effect and why must you comply?
The framework under the Act and Rules is meant to operationalise the Supreme Court’s recommendation, following the landmark decision in Justice K.S. Puttaswamy (Retd.) v. Union of India in 2017 (which recognised the right to privacy as a fundamental right under the Indian constitution), for the establishment of a robust data protection regime and the creation of clear, enforceable standards on how organisations handle personal data. The framework applies across sectors and sizes, with very limited relaxations, and is backed by a suitably stringent penalty regime that makes the consequences of non‑compliance a real deterrent.
The Act and accompanying Rules now provide the benchmark framework for the regulation of digital personal data. The previous, lighter regime under the Information Technology Act 2000 and the Information Technology (Reasonable Security Standards and Procedures and Sensitive Personal Data or Information) Rules 2011 (‘SPDI Rules’) will be supplanted by the Act and Rules.
When does it apply?
In terms of territorial scope, the Act applies to:
- Processing of digital personal data within India, regardless of whether the data principal is in India or abroad.
- Processing of digital personal data outside India if it is in connection with any activity related to the offering of goods or services to individuals within India.
It is important here to note that the Act exempts processing within India of the data of foreign data subjects where this results from a contractual controller-processor relationship with an Indian processor. This provision is analogous to the BPO exemption that existed in the SPDI Rules, the law the Act hopes to replace.
In terms of material scope, the Act and Rules apply to digital personal data (including digitised versions of originally offline data), but not to:
- Processing by an individual for purely personal or domestic purposes.
- Personal data deliberately made public by the data principal (data subject), or published pursuant to a legal obligation.
Are small businesses exempt? What must small businesses do?
The Act and Rules do not provide specific exceptions for small or early-stage businesses from any core obligations. That said, the Government retains the authority to distinguish which classes of fiduciaries would incur additional obligations and the ability to designate certain fiduciaries as “significant” data fiduciaries with enhanced compliance requirements.
The Act does, however, permit the Government to notify specific classes of data fiduciaries or certain types of processing that may be exempt from certain obligations, such as for research, statistical or archiving purposes, or for the sake of protecting State interests such as security and public order. The Government has also been empowered to exempt specified data fiduciaries, including startups, from some provisions of the Act (including the requirement to provide a consent notice to the data principal prior to processing their personal data and to provide data principals with a record of the processing activities carried out on their personal data). This provision appears to be geared towards relieving some of the compliance burden for smaller businesses, but it remains to be seen how this power is exercised by the Government. Generally speaking, exemptions are narrow, conditional and almost entirely reliant on future Government notifications, and thus should not be seen as a de facto safe harbour for routine processing of personal data. The obligations under the Act may be summarised as: (1) purpose-limited, consent-based processing; (2) rights to be granted to data principals (access, correction, erasure, notice, grievance redress); and (3) reasonable security safeguards, breach response and notifications, and governance controls.
Businesses should begin by identifying the sources of personal data they process and their current status of compliance with the requirements of the Act and Rules, including an analysis of how the documented level of consent compares with that required under the law, and of the rights that must be provided to data principals under the DPDPA. Once the compliance gaps are identified, steps can be taken to address them. Some general steps that businesses can take include: updating privacy notices and consent flows to comply with the new legal requirements and to clearly outline what personal data is being collected and for what purpose; limiting collection of personal data to what is truly required; putting in place access control mechanisms within the organisation so that personal data can only be accessed by the people who need such access; documenting protocols for handling requests from data principals; and having an incident response plan for data breaches.
Compliance Obligations under the Act and Rules
Once an entity falls within the scope of the Act, its obligations are triggered by the fact that it processes digital personal data, irrespective of whether it is a large platform, a traditional business going digital, or a foreign service provider with no physical presence in India.
At a minimum, entities that fall within the scope of the Act and Rules will need to:
- Map data and purposes: Identify what digital personal data is collected, from whom, where it is stored, who it is shared with, and for which specified purposes.
- Update notices and consent flows: Ensure privacy notices are in clear, plain language; set out the types of personal data collected and the purposes of processing, and provide links or mechanisms for individuals to exercise their rights and contact the Board.
- Enable data principal rights: Put in place processes to handle access, correction, erasure and grievance requests within the prescribed timelines.
- Implement security and retention controls: Adopt reasonable technical and organisational safeguards (which must at the minimum include those safeguards as set out in the Rules, detailed below).
- Prepare for breach management: Design an incident‑response process that can support timely notification to the Board and affected individuals, and parallel reporting to CERT‑In where a “cyber incident” is involved [1]. Industry-specific reporting requirements prescribed by law shall be in addition to the aforementioned reporting requirement.
The Rules also set out specific minimum obligations that data fiduciaries must have in place in relation to the security safeguards to prevent data breaches. These include:
- Appropriate security measures such as encryption or obfuscation, and appropriate access control mechanisms;
- Visibility into processing activities by way of access logs, which must be maintained for at least one year (unless another law prescribes a longer timeframe), to allow organisations to detect, investigate and remediate unauthorised access; and
- Measures for continued processing in the event of a personal data breach where the access to personal data is compromised (such as by way of backups).
Engagements with Data Processors
The Act places all compliance obligations squarely on the data fiduciary, and as such, the data fiduciary will be the entity liable for all contraventions even when they are caused as a result of an erroneous act or omission by a data processor who has been engaged to process personal data on behalf of the fiduciary. As such, contracts with such data processors must be strengthened in respect of obligations relating to data processing and must specifically set out the requirements to maintain appropriate security safeguards as required under the Rules (discussed above). Additionally, sufficient contractual protections through indemnity must be implemented in all such agreements.
What are significant data fiduciaries? What incrementally do they need to do?
Significant data fiduciaries are a class of data fiduciaries which may be notified by the Government on the basis of factors such as the volume and sensitivity of personal data being processed, the risk to the data principal's rights, potential impact on electoral democracy or the sovereignty or integrity of India, security of the State and public order. No clarification has been provided in the Rules for what classes of data fiduciaries will be notified as significant data fiduciaries.
Significant data fiduciaries have several additional obligations under the Act and Rules, such as the appointment of a Data Protection Officer located in India, and conducting periodic data protection impact assessments (DPIAs) and audits once every twelve months. In addition to these requirements, significant data fiduciaries must ensure that any algorithmic software they employ to process personal data is not likely to pose a risk to data principal rights. There is also an additional data localisation requirement on significant data fiduciaries under the Rules, which is discussed in more detail below.
Penalties
The Act prescribes significant monetary penalties of up to INR 2,500,000,000 (over USD 28,200,000) for contraventions, and also lists out the following factors that the Board must take into account while determining the quantum of penalty:
- The nature, gravity, and duration of breach
- The type of personal data affected by the breach
- Repetitive nature of the breach
- Whether the person, as a result of the breach, has realised a gain or evaded a loss
- Whether the person took any action to mitigate the effects of the breach, and if so, the timeliness and effectiveness of the action
- Whether the penalty is proportionate and effective (with regard to the need to deter breach of the Act)
- The likely impact of the penalty on the breaching party
How do the new Rules change anything?
Some of the changes that have been made in the final version of the Rules (from the draft Rules which were published for a public consultation exercise earlier in 2025) are:
- The Rules now prescribe a specific timeline for data principal grievances to be addressed by data fiduciaries – 90 days from the date of receipt of the grievance.
- The Rules provide for certain exemptions in connection with the processing of personal data of children, and a new exemption has been added in the final version of the Rules under which no parental consent is required for the processing of a child’s personal data to determine their real-time location, in the interest of their safety, protection or security. The exemptions from parental consent are discussed in more detail below.
Issues that remain!
While the Rules have provided some clarity on the obligations that businesses must meet to ensure compliance with the new regime, some issues still remain:
- Retention requirements and costs for small businesses
Irrespective of their size and the lack of dedicated legal teams, small businesses will need to comply with the provisions of the Act and the Rules. This will mean comprehending data flows, meeting notice and consent requirements, putting in place data minimisation and data retention policies as well as establishing breach reporting procedures.
- Breach reporting
The requirement to report personal data breaches under the Rules is agnostic to the nature and severity of the breach – all personal data breaches must be reported to each affected data principal, irrespective of the number of affected data principals. This has the potential to lead to a significant compliance burden on businesses as even the smallest of breaches will need to be reported. For instance, an employee gaining unauthorized access to a single data principal's personal data would need to be reported.
- Cross border transfers
The Rules appear to overreach the cross-border data transfer provisions of the Act (which only allow the Government to blacklist certain countries to which personal data of Indian data principals may not be transferred) by imposing an extra data localization requirement on significant data fiduciaries. Under the Rules, the Government, based on a recommendation by a committee constituted by it, can notify categories of personal data that will not be permitted to be transferred overseas by significant data fiduciaries.
This obligation, at first glance, appears to go beyond the scope of the Act. Whether this issue will be raised in courts and subsequently clarified remains to be seen.
- Lack of clarity on processing for employment
The Act provides that an employee’s personal data may be processed by their employer “for the purposes of employment” without the employee’s consent. This has been included as one of the ‘legitimate purposes’ for processing under the Act which do not require consent. However, the ambiguous nature of this statement led to some expectation that the Rules would clarify what these “purposes of employment” are. The Rules unfortunately do not provide guidance as to the scope of what “purposes of employment” would be legitimate purposes for processing employee personal data without consent.
- Publicly available information not covered
Unlike the GDPR, information that has been put into the public domain by the data subject is not covered by the Act and the Rules. Accordingly, those operating LLMs which require large amounts of data may see this as a green light to unleash their spiders to crawl the internet. There is, however, a wrinkle here. The publicly available personal information needs to have been put in the public domain either by the data principal or by law. This means that processing any personal data which does not meet these criteria could potentially result in an immediate violation of the Act.
- Restriction only to ‘digital’ personal data seems misplaced
The Act and the Rules do not appear to take an effects-based approach in terms of their applicability. It thus seems counterintuitive, from an ideological point of view, to restrict the operation of the law only to ‘digitised’ information. This is particularly true in India, where, despite rapid digitisation, there are also large numbers of local businesses that operate by pen and paper.
- Standard of verifiable parental consent
The obligation placed on data fiduciaries to obtain verifiable parental consent for processing children's personal data simply states that they must put in place “appropriate technical and organizational measures” to ensure that verifiable parental consent is being obtained, and must observe due diligence to check that the individual identifying themselves as the parent is an adult who is identifiable under Indian law. The open-ended nature of this requirement essentially places quasi-judicial authority on data fiduciaries, where they have to exercise their judgement to determine whether the parental consent is legitimate, and the exact degree of scrutiny expected from data fiduciaries in this context is unclear.
- Live monitoring of children without parental consent
The Rules allow for an exemption for processing children’s personal data without parental consent, including for location tracking (as discussed above). The Rules also allow for tracking and behavioural monitoring of children by educational institutions, creches and daycare centres without parental consent. This exemption from parental consent appears at first blush to be counterintuitive to the strict requirement of obtaining verifiable parental consent for the processing of a minor’s personal data. As data fiduciaries are required to obtain such verifiable parental consent prior to any processing of a child’s personal data, it is not entirely clear why the consent requirement has been dispensed with for the abovementioned processing activities.
- Impact on journalism
The Act and Rules provide no exemption for journalism, and consequently any news that reveals personal information of an individual may conceivably provide a right of action under the law. This is particularly strange because initial drafts of the Act expressly exempted journalistic practices in recognition of the public interest served. It remains to be seen how the privacy statute colliding with the constitutional right to freedom of speech and expression shall be reconciled. The only logical conclusion here would be that the constitutional right shall prevail!
Now that the Rules have been notified and definitive timelines for implementation of the new data privacy regime are in place, businesses must begin to take steps to ensure that they are/will be compliant by the deadline of 13 May 2027. While the degree of enforcement actions under the Act remains to be seen, the government has indicated an intent to take strict steps to ensure compliance and penalize contraveners. All businesses, irrespective of size, must prioritize the steps outlined above to be ready and compliant with the sea change in the country's data privacy regime.
Footnote
1. All entities are required to report all “cybersecurity incidents”, which include data breaches and data leaks to the Indian Computer Emergency Response Team (CERT-In) within six hours of becoming aware of the incident. This requirement was put in place by way of directions issued by CERT-In in 2022 under the provisions of the Information Technology Act, and is separate from the breach reporting requirements under the Act.