Top 10 operational impacts of India’s DPDPA – Enforcement and the Data Protection Board

This article is part of a series that explores components of the DPDPA.

India's Ministry of Electronics and Information Technology has finally issued the long awaited Digital Personal Data Protection Rules, 2025 and has operationalized the Digital Personal Data Protection Act, 2023. While a vast majority of the sections of the DPDPA will go into effect in phases within the next 18 months, the government has already issued an official notification bringing into force the provisions related to the establishment of the Data Protection Board of India and its powers and operations, which were made effective immediately.

While organizations will likely fast track measures to ensure they are DPDPA-compliant within the implementation period, the government faces the even more daunting task of ensuring all necessary measures, checks and balances are put in place immediately to effectuate a smooth rollout.

Implementation challenges

The DPDPA is far more exhaustive than the existing data protection framework covered under the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. As a result, like with the implementation of any new legislation, organizations are likely to face several changes.