Top 10 operational impacts of India’s DPDPA – Individual rights

This article is part of a series that explores components of the DPDPA.

India's Digital Personal Data Protection Act, 2023 was passed to strengthen the existing light-touch framework for digital personal data protection and to introduce a modern architecture for individual data rights. However, businesses endured two years of uncertainty while awaiting operational clarity promised in set rules to be issued under the parent law.

For many organizations, the lack of rules during this period meant that internal programs aimed at ensuring data principals' rights remained unimplemented. Much of this confusion arose from operational questions: how timelines would be defined; how to reconcile conflicting obligations, such as retention requirements with erasure requests; and how duties imposed on data principals would interact with their rights. 

With the notification of the Digital Personal Data Protection Rules, 2025 in November, these questions now have partial clarity. For instance, the rules provide guidance on automated response handling but remain silent on conflicting stakeholder claims or on when a data fiduciary may invoke a data principal's statutory duties to refuse a request. 

An important detail is the phased implementation timeline: Operational requirements related to data principal rights will take effect in May 2027, giving businesses time to design workflows, map data, build audit trails, and re-evaluate vendor obligations to ensure these rights are enforced throughout the ecosystem.