India’s Digital Personal Data Protection Act, 2023 (DPDP Act) is finally moving toward activation. In January 2025 the government published the Draft Digital Personal Data Protection Rules, 2025 for public consultation to operationalize the Act. As of late 2025, the Act is enacted but core provisions still await final notification, so a phased rollout remains likely. Translation: you have a short runway to get compliant, and the smart move is to implement the controls the draft rules make inevitable.
The latest DPDP updates you should actually care about
Draft Rules released and widely consulted. MeitY published the draft DPDP Rules on January 3, 2025 and invited public feedback. Subsequent updates noted thousands of submissions. These Rules are the “how” behind the 2023 law.
Timelines and status. Despite multiple public statements about imminent notification, as of August–October 2025 industry trackers still reported that core provisions had not been brought into force. Expect a staged enforcement with a sunrise period once rules are finalized.
Graded obligations. The Rules and guidance emphasize “graded responsibilities.” Startups and MSMEs may see lighter touch for some obligations, while Significant Data Fiduciaries (SDFs) face heavier requirements like DPO appointment, impact assessments and audits. The Act lets the government designate SDFs based on volume/sensitivity of data, risk to individuals, and national-interest factors.
Breach reporting and security. Commentaries on the draft highlight a 72-hour breach-notification expectation to the Data Protection Board of India (DPBI) and to affected individuals, alongside stronger encryption and identity-verification safeguards. Even before notification, the Act’s penalty schedule makes failure to implement “reasonable security safeguards” the costliest risk.
Cross-border transfers. The Act adopts a “negative list” approach: transfers are allowed to all countries unless the government restricts specific destinations. Draft rule discussions also contemplate additional localization constraints for defined categories or SDFs. Keep sectoral rules (for example, payments) in mind on top of DPDP.
Children’s data and consent UX. The Act restricts tracking and targeted ads to children and anticipates consent and notices in English plus any of the 22 Eighth Schedule languages, with Rules clarifying form and mechanics.
Penalties. The schedule caps penalties up to ₹250 crore for the worst failures, especially lack of reasonable security safeguards, with lower caps for other violations. Penalties are imposed by the DPBI after inquiry.
Who the DPDP regime affects
Any entity processing personal data digitally in India. The Act applies to personal data processed in India, and to processing outside India when connected with offering goods or services to people in India. That includes Indian companies, foreign SaaS providers, marketplaces, fintech, health apps, edtech, BPOs and cloud vendors touching Indian users.
Significant Data Fiduciaries. Large platforms, data-rich intermediaries, high-risk profiling services, and entities working with sensitive data can be notified as SDFs. They must appoint an India-based DPO, conduct DPIAs, and undergo periodic audits.
Public bodies and state service providers. The Act and Rules address government processing too, including delivery of subsidies/benefits with safeguards and oversight through a digital-first Data Protection Board for grievance redressal.
Sectors with additional rules. Payments, financial services, telecom, and health carry sectoral obligations that sit on top of DPDP. If you hold payments data, RBI storage norms still apply regardless of DPDP’s negative-list stance on cross-border transfers.
What counts as “personal data” and what the law expects
The Act defines personal data broadly: any data that can identify an individual. DPDP demands that data fiduciaries process data lawfully and for specified purposes; present clear notices; obtain valid consent or rely on another lawful ground; secure data using reasonable safeguards; erase data once the purpose is met; and enable user rights via accessible mechanisms. Draft Rules add operational muscle to these principles and push a “digital by design” approach to rights and grievances.
How to comply: a practical playbook for 2025
1) Lock your scope and map data flows
Inventory every source of personal data: websites, apps, logs, CRM, support tickets, recordings, and third-party feeds. Map how data moves into storage, analytics, LLM/RAG systems, vendors, and backups. Tag flows by purpose, region, sensitivity and retention. This groundwork is required to meet purpose limitation, residency, and deletion duties the Rules operationalize.
2) Make consent and notices work in reality
Update privacy notices to DPDP standards and prepare to support notices and consent in English plus any of the 22 Eighth Schedule languages. Separate core service from optional processing like personalization or model training. Record consent scope, timestamp, and policy version.
3) Minimize and mask before any analytics or AI
Strip direct identifiers at ingestion and generate embeddings or features from sanitized text. Keep tokenization maps in a segregated vault. This minimizes exposure and makes deletion feasible later. It also aligns with the Act’s “reasonable safeguards” expectation that sits behind the highest penalty cap.
4) Engineer cross-border governance
Until the government publishes a restricted list or added localization mandates, treat cross-border transfers as permitted by default, and still implement contractual and technical protections. Keep per-region storage for sensitive workloads so you can adapt if localization intensifies for SDFs under the Rules.
5) Prepare breach readiness with 72-hour muscle memory
Stand up incident response that can investigate, contain, and notify within tight windows. Maintain contact rosters, draft templates, and evidence capture. The draft landscape repeatedly points to rapid reporting and encryption/identity safeguards as baseline expectations.
6) Stand up user rights and erasure at scale
Build self-service portals for access, correction, portability and deletion. Draft highlights include data erasure by default after inactivity windows and proactive notices before erasure; your internal architecture should make that easy, not painful. Track request SLAs and prove deletion across raw stores and derived artifacts like vectors and caches.
7) If you’re likely to be an SDF, act like one now
Appoint an India-based DPO, implement DPIAs for new high-risk processing, schedule external audits, and formalize grievance redressal. You do not need the notification in hand to start behaving like an SDF; it shortens your eventual compliance sprint.
8) Vendor and processor management
Amend DPAs to reflect DPDP terms: processing only on documented instructions, security safeguards, breach-notice timelines, retention and deletion SLAs, and cross-border posture. Ask for audit artifacts and SOC/ISO evidence. Document where support staff can view data.
9) Record-keeping and metrics
Maintain a living Record of Processing with purposes, lawful bases, sources, recipients, retention, and security controls. Track operational metrics that an auditor will want to see: breach response times, deletion SLAs, denied cross-border routes, consent revocations, and masking coverage. This is exactly the “evidence over promises” shift the Rules bring.
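One way to wire steps 3 and 6 together in code: identifiers are tokenized at ingestion against a segregated vault, and erasure drops the vault mapping and purges the same tokens from derived stores, returning a count for the deletion receipt. This is an added example, not code from the original article; the Vault class, the identifier regex and the sample record are assumptions.

```python
import hashlib, hmac, re, secrets
from dataclasses import dataclass, field

# One pass over e-mail and phone patterns so tokens already inserted are never re-matched.
IDENTIFIER_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\+?\d[\d -]{8,}\d")

@dataclass
class Vault:
    """Hypothetical segregated tokenization vault (step 3): per-subject keys plus token -> raw."""
    keys: dict = field(default_factory=dict)     # subject_id -> secret HMAC key
    reverse: dict = field(default_factory=dict)  # token -> (subject_id, raw value)

    def tokenize(self, subject_id: str, raw: str) -> str:
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        tok = "tok_" + hmac.new(key, raw.encode(), hashlib.sha256).hexdigest()[:16]
        self.reverse[tok] = (subject_id, raw)  # deterministic: same raw -> same token
        return tok

    def resolve(self, tok: str):
        """Controlled re-identification, only for roles with vault access."""
        return self.reverse.get(tok, (None, None))[1]

    def erase(self, subject_id: str) -> list:
        """Step 6: drop the key and mappings; returns the tokens to purge downstream."""
        self.keys.pop(subject_id, None)
        gone = [t for t, (s, _) in self.reverse.items() if s == subject_id]
        for t in gone:
            del self.reverse[t]
        return gone

def sanitize(vault: Vault, subject_id: str, text: str) -> str:
    """Replace direct identifiers with tokens before the text reaches analytics or AI."""
    return IDENTIFIER_RE.sub(lambda m: vault.tokenize(subject_id, m.group()), text)

def erase_subject(vault: Vault, subject_id: str, derived_stores: list) -> int:
    """Purge the subject's tokens from every derived artifact (feature caches, indexes).
    Returns the number of entries removed so the deletion receipt can be evidenced."""
    tokens = set(vault.erase(subject_id))
    removed = 0
    for store in derived_stores:
        for key in [k for k in store if k in tokens]:
            del store[key]
            removed += 1
    return removed

if __name__ == "__main__":
    v = Vault()  # constructed sample record, not real data
    clean = sanitize(v, "u42", "Refund to priya@example.com or call +91 98765 43210")
    print(clean, erase_subject(v, "u42", [{t: 1 for t in v.reverse}]))
```

Embeddings or caches keyed by token become unresolvable once the vault entry is gone, which is what makes deletion across derived artifacts provable rather than aspirational.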
Sector-by-sector impact
Consumer internet and marketplaces. You likely meet the volume/sensitivity thresholds that make SDF designation plausible. Expect scrutiny on profiling, adtech consent, and children’s protections.
Fintech and payments. DPDP’s negative-list posture on cross-border does not override RBI storage obligations. Keep payments data resident and tighten consent and grievance flows for high-velocity transactions.
Healthcare and healthtech. High-risk PHI and minors’ data require verifiable consent, stronger security, rapid breach response, and clean deletion. The SDF bar is easy to cross here due to sensitivity.
SaaS and global software providers. Extraterritorial scope applies if you serve Indian users. Maintain India-ready notices, consent logs, and a clear cross-border narrative with tech and contracts to match.
Public bodies and gov-tech. Expect digital-first grievance handling through the DPBI and tighter logging and retention boundaries for benefits and subsidy systems.
Common mistakes that will get expensive
- Output-only privacy. If you only scrub data in reports but keep raw identifiers everywhere else, you will fail deletion and breach tests. The Act’s highest penalty ties to weak safeguards, not just breaches that hit the news.
- Treating cross-border as an afterthought. The default is permissive, but sectoral rules and potential SDF-specific limits mean you need routing and residency controls now.
- No plan for children’s data. Ads and behavioral tracking for kids are restricted; build verifiable consent and age-assurance where applicable.
- Waiting for formal notification to start. The substantive work is architectural. By the time the Rules are notified, it will be too late to retrofit.
Final word and next step
DPDP is not a paperwork exercise. It is a set of architectural expectations that will be tested with logs, deletion receipts, and breach-response performance. The 2025 draft rules made the direction clear: graded obligations, rapid notices, negative-list cross-border, digital-first grievances, and strict accountability for SDFs. If you build minimization, consent, cross-border governance, and deletion into your stack now, notification day becomes a non-event.
A dedicated privacy control plane can accelerate compliance by automating data discovery and classification, masking/tokenization at ingestion, policy-aware routing for cross-border and SDF workflows, DSAR-grade deletion across raw stores and embeddings, and audit packaging with breach logs and receipts. In short, it turns DPDP obligations into running code and evidence you can show a regulator.