Quick Answer: The Digital Personal Data Protection Act, 2023, backed by the DPDP Rules notified in November 2025, introduces seven significant changes to how personal data is collected, processed, and protected in India. Full compliance is required by May 2027. For businesses operating in India, the question is no longer whether to comply but how quickly to get there.
The Problem With How India Handled Data Before This Law
Think about the last time you signed up for a service online in India. Somewhere buried in a wall of legal text was a consent checkbox, almost certainly pre-ticked, and almost certainly pointing to a privacy policy that ran to twenty pages of language nobody reads. You clicked agree. Your data went somewhere. What happened to it after that was, for most of the last two decades, nobody’s formal responsibility.
That is not an exaggeration. Until 2023, India had no standalone law governing how personal data was collected, processed, or protected. The framework that existed under the Information Technology Act, 2000 was limited, inconsistently enforced, and built for a different era. Cybersecurity incidents in India more than doubled from approximately 1 million in 2022 to 2.27 million in 2024. The gap between how much data was being collected and how little accountability existed for it had become impossible to ignore.
The Digital Personal Data Protection Act, 2023, and the DPDP Rules notified on 13 November 2025, close that gap. The rules are rolling out in three phases, with the Data Protection Board of India already established, Consent Manager registration beginning in November 2026, and full compliance on all substantive obligations required by May 2027.
Here are the seven changes that will matter most to your organisation.
1. Consent Is Now the Starting Point, Not a Formality
Before the DPDP Act, consent in India was largely theatre. Long privacy policies, pre-ticked boxes, and vague references to data sharing with “partners” passed as compliance. The Act ends that.
Consent must now be explicit, informed, and specific to the purpose for which data is being collected. The consent request must be accompanied by a standalone privacy notice written in plain language, not legal boilerplate, explaining precisely what data is being collected and why. Crucially, withdrawing consent must be made exactly as easy as giving it. If a user can opt in with one tap, they must be able to opt out with one tap.
Organisations that have built data collection flows around passive consent mechanisms need to rebuild those flows before the May 2027 deadline. The IBM Institute for Business Value estimates the average cost of a data breach in India at approximately Rs. 22 crore, and that figure does not include regulatory penalties. The cost of rebuilding a consent system now is considerably lower than the cost of a breach or a penalty later.
2. Privacy Notices Must Be Clear, Simple, and Available in 22 Languages
The era of the forty-page privacy policy is over. The DPDP Act requires privacy notices to explain in plain language what data is being collected, the purpose of processing, how individuals can exercise their rights, and how they can raise a complaint with the Data Protection Board.
The notices must be made available in English or any of the 22 languages listed in the Eighth Schedule of the Constitution. For businesses with users across India, this is not a minor update to an existing document. It is a fundamental rethink of how privacy communications are written, structured, and delivered, particularly for companies whose user bases span multiple states and languages.
3. Individuals Now Have Real, Enforceable Rights Over Their Data
This is one of the most meaningful shifts the Act introduces for everyday users. Data principals, the individuals whose data is being processed, now have the right to access what data is held about them, correct inaccurate information, request erasure once the purpose has been served, withdraw consent at any time, and raise grievances through a clearly published mechanism.
Organisations must respond to these requests within a reasonable time. Grievances must be addressed within 90 days. These rights are not symbolic. Failure to honour them is a compliance failure that the Data Protection Board has the authority to investigate and act on. For customer-facing businesses, this means that privacy is no longer just a legal team concern. It touches customer service, product design, HR systems, and vendor relationships simultaneously.
4. Children’s Data Requires Verifiable Parental Consent
Any processing of personal data of children under 18 requires verifiable parental consent before collection begins. Age verification must be implemented to establish whether a user is a minor. Targeted advertising directed at children is prohibited entirely, with no exceptions.
For EdTech platforms, gaming companies, social media platforms, health apps, and any other service accessed by younger users, this requires both technical infrastructure and significant operational change. The penalty for non-compliance with children’s data obligations is up to Rs. 200 crore per incident. This is not a provision that can be deferred to the last quarter before the deadline.
5. Data Breaches Must Be Reported Within 72 Hours
Under the old framework, breach reporting was inconsistent and rarely enforced. The DPDP Rules remove all ambiguity. When a personal data breach occurs, the Data Protection Board must be notified and affected individuals must be informed within 72 hours of the breach being discovered. The notification must include a plain-language description of what happened, what data was exposed, what steps the organisation is taking, and contact details for individuals who have questions.
Unlike breach reporting laws in the EU or Australia, which require reporting only where there is a likelihood of serious harm, the DPDP Rules on a strict reading require reporting of any breach regardless of scale or severity. The penalty for failure to notify is up to Rs. 200 crore per incident. Organisations that do not have an incident response system capable of detecting, escalating, and communicating a breach within 72 hours are carrying significant risk right now.
6. Significant Data Fiduciaries Face a Heavier Compliance Burden
Organisations that process particularly large volumes of personal data, or data that carries heightened risk, may be designated by the Central Government as Significant Data Fiduciaries. The designation triggers a separate set of obligations that go well beyond what other organisations are required to do.
Significant Data Fiduciaries must appoint a Data Protection Officer, conduct a Data Protection Impact Assessment every twelve months, commission independent audits, verify that their algorithms do not pose risks to data principal rights, and in some cases comply with restrictions on cross-border data transfers and data localisation requirements. The penalty for breach of these additional obligations is up to Rs. 150 crore.
The criteria for designation have not been fully specified yet, which is itself a compliance risk. Organisations processing high volumes of personal data, running large-scale digital platforms, or handling sensitive categories of information should not wait for a designation notice. They should be preparing now as if designation is coming, because the cost of preparation is far lower than the cost of being designated without systems in place. IndiSec works directly with organisations on this assessment, mapping data flows and identifying where SDF designation risk sits before it becomes a compliance emergency.
7. The Law Reaches Every Company That Serves Indian Users, Regardless of Where It Is Based
This is the change that many foreign-headquartered companies are still not fully accounting for. The DPDP Act applies not only to organisations based in India but to any organisation anywhere in the world that processes the personal data of individuals in India in connection with offering goods or services to them.
The approach mirrors the extraterritorial scope of the GDPR. A software company based in Singapore with Indian customers, a US-headquartered SaaS platform with Indian enterprise clients, a UK-based e-commerce retailer shipping to Indian addresses: all of them are within the Act’s reach. Geographic location of the organisation is not a defence. The test is whether the data belongs to an individual in India and whether the processing is connected to providing goods or services to them.
What Businesses Need to Do Right Now
The three-phase rollout gives organisations time, but not as much as it looks. The Data Protection Board is already operational. Consent Manager registration begins in November 2026. The full compliance deadline for notices, consent, breach reporting, data principal rights, security obligations, and cross-border transfers is May 2027, approximately twelve months away.
Organisations that start with a gap assessment, map their current data flows, identify where their consent mechanisms fall short, and put breach response systems in place now will meet that deadline without a scramble. Those that wait will find that twelve months is not as long as it sounds when you are rebuilding consent infrastructure, retraining teams, and renegotiating vendor contracts at the same time.
IndiSec provides end-to-end DPDP compliance support, from gap assessments and risk mapping to Data Privacy Officer services and ongoing compliance monitoring. The Act is not a problem to manage at the last minute. It is a framework to build into how your organisation handles data going forward, and the organisations that treat it that way will come out of 2027 stronger than the ones that did not.