Aimed at safeguarding the personal data of individuals in the digital age, the Digital Personal Data Protection Act (DPDPA) enacted by the Government of India marks a significant milestone. The Act provides a comprehensive framework for processing personal data in a secure and trustworthy digital environment.
This includes data collected online or offline and subsequently digitised. It applies to any organisation or person (Data Fiduciary in the Act’s terminology) that handles personal data of individuals in India. It also extends to organisations based outside of India if they are processing data in connection with offering goods or services to individuals in India.
Understanding the Key Terms under DPDPA
To understand the Act better, it’s important to be familiar with some key terms:
- Data Principal: This is you – the individual whose personal data is being processed.
- Data Fiduciary: Any person or organisation that decides the purpose and means of processing your personal data. This could be a company, government agency, or any other entity handling your data.
- Data Processor: Any person or organisation that processes personal data on behalf of a Data Fiduciary.
- Significant Data Fiduciary: A Data Fiduciary notified by the Central Government based on factors like the volume and sensitivity of data processed. These entities have additional obligations under the Act.
- Consent: Your clear, informed, and freely given agreement for a Data Fiduciary to process your data for a specific purpose.
What are Your Rights as a Data Principal?
The DPDPA empowers individuals with strong data rights, enabling them to take control of their digital footprint:
- Right to Information: You have the right to know what information a Data Fiduciary holds about you and how they are using it.
- Right to Correction and Erasure: You can request the correction, completion, updating, or erasure of your personal data.
- Right to Withdraw Consent: You can withdraw your consent for data processing at any time. The Data Fiduciary must then stop processing your data unless it’s legally required.
- Right to Grievance Redressal: If you have a complaint about how your data is being handled, you have the right to seek redressal from the Data Fiduciary or the Data Protection Board.
- Right to Nominate: You can nominate someone to exercise your data rights in case of your death or incapacity.
If you are running an organisation in India, you need to revisit your data-processing practices soon to comply with DPDPA. Gain more insights with our blog Rights of Data Principals under DPDPA.
What are the Obligations of Data Fiduciaries?
Data Fiduciaries have various responsibilities to ensure the protection of your personal data:
- Obtain Consent: Data Fiduciaries can process your data only for purposes you’ve consented to or for specific, legitimate uses outlined in the Act.
- Provide Clear Notice: Data Fiduciaries must inform you about the data being collected, the purpose of processing, and your rights. This notice should be available in English or any language listed in the Eighth Schedule to the Constitution.
- Ensure Data Security: Data Fiduciaries are responsible for implementing appropriate technical and organisational measures to protect your data from breaches.
- Data Retention Limits: Data Fiduciaries must erase your data when it’s no longer needed for the specified purpose, you withdraw your consent, or it’s reasonable to assume the purpose is no longer being served, unless retention is required by law.
- Appoint a Data Protection Officer: Significant Data Fiduciaries must appoint a Data Protection Officer to oversee data protection compliance within the organisation. They must also undertake data audits and impact assessments.
- Respond to Data Principal requests quickly: When a Data Principal exercises their rights – access, correction, or erasure – the Data Fiduciary must respond within 90 days. Failure to respond enables the Data Principal to escalate directly to the Data Protection Board.
For a detailed understanding of how to prepare your business for compliance, check out our DPDPA Implementation Guide.
Important Provisions of DPDPA
The DPDPA outlines specific legal provisions that govern how personal data should be processed, stored, and protected. These include rules for children’s data, cross-border transfers, exemptions, and penalties for non-compliance.
- Processing of Children’s Data: Data Fiduciaries need verifiable parental consent before processing the data of children (individuals under 18 years old). They cannot engage in activities like tracking, behavioural monitoring, or targeted advertising directed at children.
- Data Transfers Outside India: The Central Government can restrict data transfers to certain countries or territories.
- Exemptions: The Act outlines specific exemptions from certain provisions, for example, for legal proceedings, research, archiving, or in the interest of national security.
- Penalties for Non-Compliance: Organisations that violate the provisions of this Act can face significant penalties. These can reach up to 250 crore rupees depending on the nature and severity of the violation.
What’s New in 2025? Latest Updates to DPDPA
India’s Ministry of Electronics and Information Technology (MeitY) officially notified the Digital Personal Data Protection Rules, 2025 on November 13, 2025 – bringing the country’s data protection regime into formal force more than two years after the Act was enacted. These rules are operative, and organisations must now prepare for a confirmed phased enforcement timeline.
Major Highlights
- Detailed Consent Management Guidelines: Covering language clarity, consent revocation mechanisms, and user dashboards, and requiring fiduciaries to obtain consent that is free, specific, informed, unconditional, and unambiguous.
- Data Breach Notification Timeline: Fiduciaries must report breaches to the Data Protection Board and notify affected individuals within 72 hours.
- Children’s Data Mechanism: The Rules prescribe age verification tools and dynamic consent formats for parental controls, with verifiable parental consent required before processing data of anyone under 18.
- Third-Party Processor Obligations: Data processors are now directly accountable for specific compliance mandates under contract.
- Log Retention Mandate: Data Fiduciaries must retain system and processing logs for a minimum of one year for security detection, investigation, and remediation purposes.
- Data Principal Request Timeline: Fiduciaries must respond to access, correction, or erasure requests from data principals within 90 days.
Confirmed compliance timeline
With the DPDP Rules 2025 notified on November 13, 2025, organisations now have a clear and confirmed enforcement roadmap:
- November 13, 2025 (Immediate): Data Protection Board of India established, administrative provisions in force, penalty framework activated.
- November 13, 2026 (12 months): Consent Manager registration opens – only India-incorporated entities meeting minimum net worth requirements may operate as registered Consent Managers.
- May 13, 2027 (18 months): Full compliance mandatory – privacy notices, consent systems, security safeguards, breach protocols, data retention policies, children’s protections and data principal rights infrastructure must all be fully operational.
Significant Data Fiduciary (SDF) designations have not yet been formally notified – the government is expected to identify qualifying entities after May 2027. Organisations unsure of their SDF status should proactively assess their data volumes and risk profile rather than waiting for the official list.
This phased approach gives businesses some time to map data flows, implement consent mechanisms, train teams, and build compliance infrastructure, but the May 2027 deadline is firm and penalties up to ₹250 crore per violation are active.
Focus on cookie consent & digital touch-points
Beyond standard privacy obligations, the DPDPA places increased focus on digital interactions and cookie consent. In today’s online ecosystem, personal data is often gathered through cookies, trackers, and third-party tools. The Act requires organisations to obtain clear, opt-in consent before such data is processed.
For websites targeting Indian users, cookie banners must be transparent, easy to understand, and track consent preferences accurately. Businesses relying on analytics, advertising, or behavioural tracking must review their consent management platforms, vendor agreements, and privacy policies to ensure full alignment with DPDPA requirements.
How can CyberNX help?
Navigating the requirements of the Digital Personal Data Protection Act can be complex. CyberNX can guide your organisation towards compliance:
- Data Mapping and Gap Analysis: Identifying and analysing your data processing activities to ensure compliance with the Act.
- Privacy Policy Development: Crafting a comprehensive privacy policy that clearly communicates your data practices to users.
- Consent Management Systems: Implementing processes for obtaining, managing, and documenting user consent in a transparent and user-friendly manner.
- Security Assessments and Implementation: Evaluating your organisation’s security posture and implementing robust measures to protect personal data.
- Data Protection Officer Services: Providing expert Data Protection Officer services to oversee your data protection program.
- Training and Awareness Programs: Educating your staff on the Act’s requirements and best practices for data protection.
- Continuous Compliance Maintenance: DPDPA compliance requires ongoing monitoring, annual reviews, and adaptation. CyberNX provides continuous compliance maintenance to keep your organisation audit-ready as the regulatory landscape develops.
- Periodic Assessments and Gap Analysis: CyberNX conducts regular tests of your current compliance posture, identifies gaps against DPDPA requirements and the DPDP Rules 2025, and provides actionable guidance to close them before regulatory inspections.
Conclusion
The Digital Personal Data Protection Act is landmark legislation that fundamentally changes how organisations in India collect, process, and protect personal data. With the DPDP Rules 2025 now notified and full enforcement mandatory by May 13, 2027, the window to build compliant systems is open – but not unlimited.
CyberNX offers end-to-end DPDPA consulting services designed for the full compliance lifecycle: from data mapping, gap analysis, and privacy policy development to consent management systems, security assessments, DPO services, and continuous compliance maintenance. Our approach is aligned with ISO 27001 and NIST frameworks and structured to keep your organisation audit-ready. Reach out to our experts today for a free consultation on DPDPA compliance.
Digital Personal Data Protection Act FAQs
What are the key highlights of the DPDP Rules 2025?
The Digital Personal Data Protection Rules, 2025 were officially notified by MeitY on November 13, 2025, operationalising the DPDPA 2023.
Key highlights include a 72-hour breach notification deadline to the Data Protection Board and affected individuals, mandatory formats for obtaining consent (free, specific, informed, unconditional, and unambiguous), requirements for age verification when processing children’s data, a framework for the registration and functioning of Consent Managers (effective November 2026), and a minimum one-year log retention requirement for security purposes. Full substantive compliance is mandatory by May 13, 2027.
How will startups and small businesses be impacted by the DPDP Act?
Startups and small businesses may be granted limited exemptions by the government based on the volume and nature of data they process. However, core obligations like lawful consent, user rights, and breach notifications still apply to all entities. Those handling sensitive data or operating in high-risk sectors will need to comply fully, regardless of size.
Does the Digital Personal Data Protection Act require companies to localize or store data within India?
The DPDPA does not enforce mandatory data localization. However, it empowers the Central Government to restrict the transfer of personal data to specific countries via official notification. In the absence of such restrictions, cross-border data transfers are permitted, giving companies flexibility while maintaining regulatory control.
How does the Digital Personal Data Protection Act (DPDPA) interact with existing sectoral regulations like RBI or IRDAI guidelines?
The Digital Personal Data Protection Act (DPDPA) complements rather than overrides existing sector-specific data regulations. Where sectoral regulators like RBI or IRDAI impose stricter data protection norms, those standards continue to apply. In cases of conflict, the law or regulation offering stronger protection to the individual typically prevails, ensuring regulatory harmony and data security.