India’s Digital Personal Data Protection Act: Redefining Trust in the Digital Age

Imagine a world where your digital footprint is truly yours, where every click, like, and form submission is guarded by law. India’s Digital Personal Data Protection Act (DPDPA) 2023 makes that vision a reality. For the first time under a dedicated law, every individual in India gains strong legal rights over their personal data. At the same time, businesses receive clear rules on how to collect, use, and share information. This law is set to transform India’s digital landscape, balancing citizen rights with innovation and growth.

The Genesis: From Privacy Judgment to a Legal Right

The DPDPA finds its roots in the landmark Justice K.S. Puttaswamy v. Union of India case. In August 2017, India’s Supreme Court ruled unanimously that privacy is a fundamental right under Article 21 of the Constitution. 

What began as a challenge to Aadhaar’s mandatory biometric system evolved into a broad recognition that informational privacy, including personal data, devices, and online interactions, is constitutionally protected.

Legislative Journey: From Drafts to Enactment

Following the Puttaswamy verdict, the government launched its legislative process in 2018, releasing draft data protection bills and inviting public feedback. Over five years, experts, industry leaders, and citizens debated multiple versions, refining the law to address emerging privacy challenges. The Digital Personal Data Protection Bill was eventually passed by both houses of Parliament and received presidential assent in 2023, establishing India’s first comprehensive framework for personal data protection under the Digital Personal Data Protection Act, 2023.

Despite the law’s enactment, most Indian organizations are still working toward full compliance. According to the ETCISO Intelligence Cybersecurity Leadership Report 2025, only about 20–25% of organizations report being fully compliant with the DPDP framework, while the majority describe themselves as “work in progress” or “mostly compliant but with gaps.”

Core Framework and Provisions

1. Explicit Consent and Purpose Limitation

Organizations must secure informed, specific, verifiable and revocable consent from individuals, called Data Principals, before collecting personal data. Consent forms must plainly state why data is needed, how it will be used, and offer withdrawal options at any time. Data may only be processed for the exact purposes agreed upon.

2. Data Principal Rights

The Digital Personal Data Protection Act grants Data Principals specific rights to control how their personal data is used:

  • Right of Access: Data Principals can request and review the personal information an organization holds about them.
  • Right to Correction and Erasure: Data Principals can correct inaccurate or outdated information and request deletion of their personal data when it is no longer needed or if they withdraw consent.
  • Right to Nominate: A Data Principal can nominate another person to exercise these rights in the event of their death or incapacity.
  • Right to Grievance Redressal: Organizations must respond to and resolve grievances raised by Data Principals within defined timelines.

3. Extraterritorial Reach and Cross-Border Rules

Any organization, inside or outside India, that processes the personal data of Indian residents must comply with the DPDPA. Cross-border transfers are allowed only to countries on a government-approved whitelist. Transfers to countries outside this list require additional safeguards to ensure the protection of personal data abroad.

4. Special Safeguards for Sensitive and Children’s Data

Sensitive personal data, such as health, financial, or biometric information, is subject to higher protection standards. Processing children’s data requires verifiable parental consent, and companies are prohibited from profiling or targeting advertisements at minors.

5. Enforcement and Penalties

The Data Protection Board of India will enforce the Act. It can investigate violations, issue corrective orders, and impose fines of up to ₹250 crore for serious breaches. This strong enforcement framework ensures that organizations take data protection seriously.

Current Implementation Status and DPDP Rules 2025

Although the DPDPA became law in 2023, it is not yet fully operational. The detailed Data Protection Rules, known as the DPDP Rules 2025, are pending official notification.

Draft rules were released for public consultation, and the government has completed its review. Once notified, the rules will immediately activate the Data Protection Board, and substantive compliance obligations will follow on a phased timeline, giving organizations time to adapt.

What Organizations Must Prepare For Under the DPDP Rules 2025

The proposed DPDP Rules set out core compliance obligations based on the latest official drafts and the expected regulatory framework as of September 28, 2025. Below is a practical checklist of key duties for organizations:

  1. Consent and Notice: The rules require that consent be clear, specific, and accessible, and that notices be provided in local languages. The use of “deemed consent” has been significantly tightened, meaning organizations cannot rely on implied or bundled forms of consent except in clearly defined situations.
  2. Data Principal Rights: Organizations must respond to Data Principals’ requests for access, correction, erasure, and complaint resolution within fixed timelines (i.e., 30 days). Standardized procedures and transparent record-keeping are required for all rights requests.
  3. Significant Data Fiduciaries: Entities processing high volumes of data or sensitive data must appoint a Data Protection Officer (DPO) in India, conduct Impact Assessments, keep detailed audit trails, and undergo annual audits. All organizations must implement strong data security measures and delete personal data once the processing purpose is complete (unless otherwise required by law).
  4. Data Breach Notification: Organizations must notify the Data Protection Board and affected individuals within 72 hours of discovering a personal data breach.
  5. Cross-Border Transfers: Personal data can only be sent to government-whitelisted countries. If a business needs to send personal data to a country that is not on the government’s approved list, it must implement additional safeguards as instructed by the authorities. At present, the rules do not clearly allow the use of Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for these transfers.
  6. Sectoral Integration and Alignment: The rules call for coordination with sector regulators (RBI, IRDAI, TRAI) to promote consistent enforcement and limit duplicative obligations.

Conclusion

India’s Digital Personal Data Protection Act signals a major shift in how organizations handle personal data, paving the way for greater trust, transparency, and accountability in the digital economy. As the proposed DPDP Rules are set to take effect, businesses must adapt to new expectations, strengthen privacy practices, update internal policies, and build greater confidence with their customers. While compliance may appear complex, meeting these requirements is essential for protecting your organization and ensuring long-term success.

At PrivacyPulse, our skilled team supports organizations through every phase of DPDP compliance, from gap assessments and policy development to ongoing staff training and compliance monitoring. If your business is seeking a clear path to compliance, reduced regulatory risk, and strong data protection standards, helping you turn legal requirements into real business value, connect with PrivacyPulse today.

PrivacyPulse | 2026 All Rights Reserved