India’s Digital Personal Data Protection Act, 2023 received presidential assent on 11 August 2023, marking a historic milestone in the country’s privacy journey. Yet, as of August 2025, it remains technically not in force, pending formal notification of the Act’s operational timelines and the Rules governing it.
What’s Holding Things Up?
In January 2025, the government released the draft Digital Personal Data Protection Rules, 2025 for public consultation. These Rules clarify how the Act should be applied—covering aspects like data breach reporting, consent mechanisms, notice requirements, data fiduciary duties, and the establishment of the Data Protection Board of India.
Yet, these Rules have not been formally notified, leaving the law in a state of limbo. The Ministry is expected to finalize and notify them soon, potentially introducing a phased implementation and a two-year transition for businesses.
What’s Inside the Rules—and What It Means for Businesses
1. Data Fiduciary Responsibilities & Transparency
Organizations that determine how personal data is processed (called data fiduciaries) must publish clear, standalone notices. These must list:
- The categories of personal data collected
- The specific purposes tied to each category
- How data subjects can withdraw consent, exercise rights, or file complaints
The notice must be self-contained and easily accessible—not buried in legal jargon or contracts.
2. Consent Management & Consent Managers
India’s Rules introduce the concept of consent managers—entities that help individuals give, review, and withdraw consent. These must be registered and comply with security, transparency, and audit obligations. Data fiduciaries may need to integrate with them too.
3. Data Breach Notifications
In the event of a breach, data fiduciaries must:
- Immediately notify the Data Protection Board of India, and
- Submit a detailed report within 72 hours, including nature, scope, and remediation plans
There is no materiality threshold—even minor breaches must be reported.
4. Security Safeguards
Fiduciaries must implement reasonable technical and organizational measures such as access controls, logging, breach detection, and incident response. While generic, these requirements can be demanding—especially for smaller businesses.
5. Data Retention & Erasure Criteria
Certain classes of companies—e-commerce platforms, social media intermediaries, and online gaming services—must delete personal data if users haven’t engaged within defined timelines. Interpretation may require timestamping systems to track inactivity accurately.
6. Data Protection Board of India
The Data Protection Board will act as the adjudicator under the DPDPA. It will handle breach inquiries, impose penalties, direct mitigations, accept voluntary undertakings, refer matters for alternative dispute resolution, and even recommend blocking repeat offenders.
A Step-by-Step Roadmap: Implementing DPDPA in Your Organization
Here’s a practical, people-friendly roadmap to prepare your organization—even as the law awaits final notification:
Step 1: Audit Your Data Landscape
- Map what personal data you collect, how you use it, and why.
- Identify key legal bases—consent or “legitimate use” (e.g., for employment, legal compliance, state benefits).
Step 2: Build Clear, Independent Notices
- Draft a privacy notice separated from terms of service or employment documents.
- Ensure it’s in plain language—and includes all mandatory disclosures about data usage, contacts, and rights.
Step 3: Consent Infrastructure
- Review consent collection flows—ensure consent is free, specific, informed, unambiguous, with the option to withdraw easily.
- Monitor updates: may soon need integration with registered consent managers.
Step 4: Secure Your Data
- Implement access controls, encryption, logging, and incident response protocols.
- Plan audits and impact assessments—Significant Data Fiduciaries may need formal DPIA and audits within 12 months of designation.
Step 5: Plan for Breaches
- Train your team to recognize and report breaches.
- Ensure you can notify the Board immediately and submit a full report within 72 hours, including root cause and mitigation steps.
Step 6: Engagement Lifecycle & Retention Rules
- Build systems to detect user inactivity and automate data erasures for defined fiduciary categories.
- Clarify legal storage needs vs. retention mandates.
Step 7: Governance & Roles
- For significant fiduciaries, appoint a Data Protection Officer based in India. For others, designate a contact person.
- Register and document governance structures clearly.
Step 8: Educate & Communicate
- Train staff on DPDPA principles, breach protocols, and rights of individuals.
- Keep leadership informed—penalties can be punitive, and reputational damage is real.
Step 9: Stay Informed
- Watch for formal notification of the Rules and phased timelines.
- Engage industry bodies or legal counsel to keep track of updates—including final Rules, guidelines on cross-border transfers, and sector-specific timelines.
Why This Matters—Now
Despite being unsigned into effect, the DPDPA and its Rules signal a transformative shift—from compliance afterthought to data protection as foundational business strategy. The law’s consent-first approach, broad territorial reach, security expectations, and stringent penalties mean even small businesses must prepare, lest they face operational disruptions or regulatory backlash.
By proactively aligning with draft provisions, you build trust, reduce legal risk, and position your organization ahead—as this law becomes operational, you’ll be ready to move from planning to practice smoothly.
