Top 10 operational impacts of India’s DPDPA
This article series serves as a walkthrough of the most important components of India's Digital Personal Data Protection Act.
Published: 21 Sept. 2023
Last updated: 20 Jan. 2026
On 12 Aug. 2023, President Droupadi Murmu signed the Digital Personal Data Protection Act into law, covering all India-based organizations and extending to certain international entities. Two years later, on 13 Nov. 2025, the Ministry of Electronics and Information Technology published the Digital Personal Data Protection Rules, 2025, which clarify certain provisions of the DPDPA. Given that India is now the world's most populous country with 1.4 billion people and considering its significant role in highly globalized industries such as financial services and health care, the law and its companion rules will undoubtedly have a broad impact on organizations and individuals worldwide.
Reflecting the importance of this new data privacy law, the IAPP has launched a 10-part series: the "Top 10 operational impacts of India’s DPDPA." Jointly written by leading Indian privacy law experts, the series serves as a walkthrough of the most important components of the DPDPA and the added nuance introduced by the 2025 rules. Its goal is to provide a view of this landmark legislation in actionable terms and ways that foster a baseline understanding of its salient features.
Articles in series
This article explains who the DPDPA applies to, including its extraterritorial reach, and clarifies core concepts such as personal data, data fiduciaries, and data principals. It emphasizes the law’s purpose‑limitation approach, lawful bases for processing, and how organizations must reassess data mapping and processing justifications under the new framework.
This article focuses on newly codified data principal rights, including access, correction, erasure, grievance redressal, and the right to nominate another person to exercise rights on one’s behalf. It highlights how organizations must build operational workflows and response mechanisms to handle rights requests efficiently.
This article details baseline obligations for all data fiduciaries, such as implementing reasonable security safeguards, ensuring staff training, addressing grievances, and maintaining accuracy. It stresses the shift from theoretical compliance to demonstrable, operational accountability, particularly around internal controls and vendor oversight.
This article analyzes the Data Protection Board of India, including its investigative powers, adjudicatory role, and penalty framework. It explains how the DPDPA favors a regulatory enforcement model focused on monetary penalties and remedial directions, requiring organizations to prepare for audits, inquiries, and potential sanctions.
This article examines India’s approach to cross‑border transfers, which departs from an adequacy‑based method. Instead, transfers are permitted unless the government designates restricted jurisdictions. The article highlights the operational impacts this creates and the need for companies to monitor government notifications and adjust global data‑flow architectures accordingly.
This article compares the DPDPA with the GDPR and other global privacy laws, showing where India aligns and diverges.
This article focuses on the DPDPA’s consent‑first architecture, including purpose‑specific consent and the introduction of licensed consent managers. It explains the operational need to redesign consent interfaces, dashboards, and withdrawal processes, especially for digital platforms and consumer‑facing services.
This article explains the concept of significant data fiduciaries and their enhanced obligations, including audits, compliance reporting, and governance measures, and provides insight on advanced preparation for designation and the need to embed privacy governance into enterprise‑risk structures.
This article outlines expected requirements around DPIAs, even though detailed rules are forthcoming. It explains when DPIAs may be required, how risk assessments should be conducted, and why organizations should start aligning DPIA processes with product development and procurement workflows.
This article addresses data breach obligations, including notification to the Data Protection Board and affected individuals. It highlights the need for updated incident‑response plans, internal escalation procedures, and documentation practices to meet the DPDPA’s accountability expectations.
Articles in the series are focused on the DPDPA's scope, key definitions, and lawful processing of data; individual rights; obligations of data processing entities; data transfers; and enforcement. They also cover comparative analysis with the GDPR and other major data privacy laws, consent management, data audits, data protection impact assessments and data breaches.
The DPDPA has been met with both praise and criticism. While its makers have lauded it as globally competitive and contemporary, others — such as Justice B.N. Srikrishna, the previous chair of the Expert Committee on Data Protection that proposed the original 2018 version of the bill — have commented that the provisions granting exemptions to the government and government bodies in the law "cause great concern."
The DPDPA was introduced in the Lok Sabha, the lower house of Parliament, on 3 Aug. 2023 after the Parliamentary panel on Communications and Information Technology endorsed its passage "without any undue delay." The Rajya Sabha, the upper house of Parliament, passed the legislation on 9 Aug. 2023.
The law has been many years in the making, reaching back to a 2017 decision of the Supreme Court of India that found a constitutional right to privacy. The first draft of a data protection bill followed in 2018, with lawmakers wrestling with a host of different versions before agreeing upon what is now the DPDPA.
Section 40 of the DPDPA gives the central government the authority to make rules to carry out the act's purposes. In January 2025, draft rules were released and subject to public comment. MeitY then finalized the rules, structuring them to take effect in a phased approach.
As of 13 Nov. 2025, rules governing the appointment and functions of a Data Protection Board of India are effective, while rules regarding the registration and obligations of consent managers will take effect 12 months after release. Finally, 18 months after release, the remaining rules become effective, including provisions on children's privacy, security safeguards and heightened obligations for significant data fiduciaries, among others. This phased approach will give regulated entities an extended runway to develop and implement compliance mechanisms.
For privacy professionals, it's essential to understand what the law says, interpret its meaning, anticipate its potential implications and stay informed on trends and developments that might shape how organizations approach compliance. The arrival of the 2025 DPDP Rules adds a new layer of complexity and opportunity to the compliance landscape. The articles in this series serve as a first dip into these uncharted waters.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Contributors:
Alyanna Bernardo
Privacy and Data Policy Associate, Meta
CIPM
William Simpson
Westin Fellow, IAPP
AIGP, CIPP/US