India’s New Data Protection Regime: What Every Organisation Needs to Know to Stay Compliant


India’s Digital Personal Data Protection Act, 2023 (“DPDPA”), together with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), marks a major turning point in India’s privacy landscape. With commencement now formally initiated on 13 November 2025, and the remaining obligations set to come into force in clearly defined phases, organisations have a predictable window to upgrade governance, processes and technology.

While public debate tends to focus on penalties or consent, the deeper shift is that India is moving toward a rights-based and accountability-driven model for handling personal data. This document explains what the data protection law is, who it applies to, how the implementation will unfold, and what organisations should begin doing immediately.

1. What Is DPDPA and Why It Matters

The law establishes India’s first unified and comprehensive framework governing digital personal data. It replaces fragmented expectations with a clear set of rights for individuals and duties for organisations. Individuals will have the ability to access, correct, delete and raise grievances regarding their personal data. Organisations must provide transparent notices, obtain valid consent, limit how long and for what purpose data is used, adopt security safeguards, report breaches promptly and address grievances within defined timelines.

The regime also introduces a new national authority, the Data Protection Board, which will adjudicate complaints, oversee compliance and impose penalties once fully operational. The shift is toward greater transparency, responsible data use, and stronger accountability for organisations.

2. Key Concepts Explained

The law introduces several foundational concepts that guide compliance:

A Data Principal is the individual whose personal data is being processed. A Data Fiduciary is the organisation that determines why and how this personal data will be processed. A Data Processor is an entity that processes personal data on behalf of a Data Fiduciary.

A Consent Manager is a registered third-party service that allows individuals to give, manage, review and withdraw consent through a transparent and interoperable platform. A Significant Data Fiduciary (SDF) is a class of organisations identified by the Government based on factors such as scale of processing, sensitivity of data and potential risks. These entities must meet additional obligations, including appointing a senior responsible officer, conducting periodic risk and impact assessments and undergoing independent audits.

“Digital personal data” refers to any personal data recorded in digital form, including data originally collected offline and later digitised. The law also recognises “deemed consent” in limited situations, such as employment contexts, emergencies or legal compliance, in which consent may be assumed for specific purposes. Additional safeguards apply to children’s data and to personal data relating to persons with disabilities, including verifiable guardian involvement and restrictions on tracking and profiling.

3. Who the Law Applies To

The law applies to any organisation that processes digital personal data within India, as well as organisations located outside India that offer goods or services to individuals in India and process their data. This covers a broad spectrum, including technology companies, financial institutions, healthcare providers, e-commerce platforms, educational bodies, mobility operators and startups.

Certain activities fall outside its scope. Personal or household use of data is excluded. Specific governmental functions may not be subject to the requirements under the law. Processing for research, archiving or statistical purposes may operate under tailored safeguards. Startups and certain small entities may receive specific compliance relaxations if separately notified.

4. Notice and Consent: The Practical Foundation of Compliance

The law requires organisations to communicate clearly with individuals and to collect consent in a meaningful and verifiable manner. Notices must be provided before collecting personal data and must explain what data will be collected, why it is being collected, how long it will be retained, the rights available to individuals and how they may reach the organisation’s grievance mechanism. Notices must be easy to understand and accessible, including in terms of language and format, and must also be provided when data is collected indirectly.

Consent must be free, informed, specific and based on a clear affirmative action. It cannot be inferred from silence or pre-selected options. Withdrawal must be as easy as giving consent, and organisations must maintain a verifiable record of consent. Once operational, Consent Managers will offer individuals a streamlined method to manage permissions across multiple platforms.

5. Implementation Timeline: What Happens and When

The DPDP Rules establish a phased implementation aligned to the initial commencement date of 13 November 2025.

Phase 1 – Initial Commencement (13 November 2025): Institutional Setup

From 13 November 2025, core institutional and procedural provisions of the DPDPA come into effect, including those needed for setting up and operationalising the Data Protection Board.

During this phase, organisations should begin the groundwork for compliance, such as mapping personal data flows, revising notices, reviewing vendor contracts, assessing system readiness and strengthening baseline security measures.

Phase 2 – One Year After Initial Commencement: Ecosystem Enablement

One year after 13 November 2025, obligations relating to the registration and functioning of Consent Managers come into force. This phase supports the broader ecosystem, including the development of interoperable consent frameworks, issuance of standardised notice formats and potential designation of SDFs.

Phase 3 – Eighteen Months After Initial Commencement: Full Compliance

Eighteen months after 13 November 2025, all remaining obligations under the DPDPA and the DPDP Rules become operational. From this point, organisations must comply fully with requirements relating to notice and consent, rights of individuals, purpose and storage limitation, security safeguards, breach reporting, grievance-redressal timelines, processor obligations, conditions for cross-border transfers, retention requirements, children’s data protections and transparency obligations such as maintaining processing and access logs.

6. What Organisations Should Begin Doing Now

Although full compliance becomes mandatory only eighteen months after 13 November 2025, early preparation is essential.

Organisations should begin by:

mapping personal data flows across systems and vendors;

updating notices to ensure clarity and accessibility;

redesigning consent and withdrawal mechanisms;

amending vendor contracts to include mandated processor obligations;

strengthening security measures, including access controls, encryption and monitoring;

implementing retention and deletion policies to ensure data is not retained longer than needed;

defining breach-response procedures;

establishing processes for handling individual requests;

assessing the likelihood of being classified as an SDF;

preparing for obligations associated with automated decision-making;

tracking possible startup relaxations; and

preparing for interactions with the Data Protection Board, including the use of voluntary undertakings.

Conclusion

With initial commencement beginning on 13 November 2025 and the full operational framework taking effect eighteen months thereafter, India’s new data protection regime gives organisations a clear and time-bound pathway to become compliant. The DPDPA and DPDP Rules move the ecosystem decisively from principles to practice: notices must be clearer, consent flows must be more deliberate, retention and deletion must be governed by structured policies, breach reporting will demand rapid multi-stage disclosures, and the handling of children’s data will need heightened safeguards and verification mechanisms.

For organisations likely to be categorised as SDFs, the horizon includes annual impact assessments, mandatory audits, and technical scrutiny of systems that process or host personal data. At the same time, consent managers, research-related carve-outs, and startup relaxations indicate that the regulatory ecosystem is expected to evolve alongside industry practice.

Businesses should now move from policy design to implementation: mapping data flows, strengthening security, uplifting consent and notice frameworks, assessing vendor arrangements, preparing breach-response protocols, and evaluating the likelihood of SDF designation. Close monitoring of future government notifications and the approach taken by the Data Protection Board will be essential, as these will shape how the Rules are applied in practice.

India’s data protection regime ultimately sets the foundation for a more transparent, accountable, and rights-respecting digital environment. Early and structured preparation will not only support compliance but also help organisations build and maintain trust in a landscape where responsible data handling is becoming a core expectation for business continuity and customer confidence.