Top 10 operational impacts of India’s DPDPA – Obligations of data processing entities

This article is part of a series that explores components of the DPDPA.

India's data privacy law, the Digital Personal Data Protection Act, is unique in that it eschews the EU General Data Protection Regulation's model of data privacy legislation in favor of a simpler, less prescriptive law. In November 2025, the Ministry of Electronics and Information Technology announced the law will largely come into force 13 May 2027. The government finalized the rules under the law, providing additional details.

In the DPDPA, the regulation of data processors is minimal with only a handful of provisions on the topic. The act defines a data processor as anyone who processes personal information on behalf of a data fiduciary, the term used for a data controller under the law. Correspondingly, a data fiduciary is defined as any person who "alone or in conjunction with other persons determines the purpose and means of processing of personal data."

In fact, the law is focused almost entirely on data fiduciaries, including fulfilling the data principals' rights to access, correct and delete personal information. Only data fiduciaries are subject to provisions relating to special protections for children's personal data, procedures for addressing data principals' grievances and several other requirements.