In today’s digital landscape, the phrase “I acknowledge that I have read the privacy notice, and I consent to the processing of my personal data” has become a familiar norm. This reflects a growing acceptance among individuals that their personal information will be shared, used and replicated by organisations for various internal and external purposes.
The notification of the Digital Personal Data Protection Rules 2025 on November 13, 2025, marks a significant milestone in India’s journey towards a harmonised data privacy regime. These rules operationalise the Digital Personal Data Protection Act 2023 (DPDP Act), aiming to make organisations that collect and store digital data more responsible while providing users with better control over their personal information.
The landmark decision by the Supreme Court of India in K.S. Puttaswamy vs Union of India was a catalyst for the establishment of the DPDP Act. Now that it is finally in effect, a call to action is required from all stakeholders involved. To recapitulate, the DPDP Act rests on five key pillars. First, it recognises the rights of Data Principals, granting individuals the ability to access, correct and erase their data and to withdraw consent. Second, it defines Data Fiduciaries as organisations that collect personal information and determine the purpose of its processing. Third, the Act emphasises the importance of consent, which must be freely given, specific, informed and unambiguous. Fourth, it clarifies what constitutes processing, encompassing all operations performed on digital personal data. Finally, the Act outlines certain legitimate uses and provides exemptions for data processed for research, archiving and statistical purposes.
The definition of personal information has expanded significantly. It now includes any data that can directly or indirectly identify a person, such as names, addresses and contact details. Notably, the rules stipulate that a ‘user account’ encompasses virtually all forms of a Data Principal’s online presence, meaning that any online account registered with a Data Fiduciary will fall under the purview of the DPDP Act from now on.
At the heart of DPDP compliance are the concepts of notice and consent. Organisations must provide clear and itemised notices that state what data will be gathered and the reasons for its collection. These notices should be standalone and include all mandatory elements prescribed by the rules. Importantly, the Act requires Data Principals to provide voluntary, informed and specific consent for the processing of their personal information, establishing a foundation for lawful data processing moving forward. Businesses have been granted an 18-month window to undertake comprehensive reforms of their data governance ecosystems and to strengthen their technical and compliance practices in line with the Act. Failure to act proactively could result in operational bottlenecks, regulatory exposure, reputational damage and cumulative financial penalties that can exceed Rs 500 crore. Fortunately, non-compliance will not attract any criminal proceedings.
The DPDP Act finally empowers Data Principals by giving them clear rights over their personal data, shifting control to individuals and making privacy a matter of personal agency. Consequently, Data Fiduciaries are now legally bound by the obligations under the Act, making responsible data handling not just ethical but mandatory.
To ensure compliance, stakeholders must focus on several immediate action points. First, organisations must ensure readiness for personal data breaches. In the event of a breach, the rules require Data Fiduciaries to promptly notify the Data Protection Board and affected Data Principals, submitting a written report within 72 hours. However, the Indian Computer Emergency Response Team (CERT-In), under the Information Technology Act, 2000, mandates breach notifications within six hours, so organisations need to harmonise their breach policies and, until the position is clarified, undertake dual reporting.
Second, strategic investment in building reasonable security safeguards is essential. Organisations must implement robust technical and organisational measures, such as encryption, access control and monitoring of data systems, to protect personal data against unauthorised access or destruction. While these upgrades may incur significant costs, they are critical for maintaining resilience and building trust.
Third, the Act mandates that personal data be deleted once the purpose is served or consent is withdrawn. Organisations must establish dedicated grievance redressal mechanisms to address user concerns promptly, with a specified response time of 90 days. The right to erasure, or the right to be forgotten, is a very important right conferred under this Act, unless retention is necessary for compliance with any law for the time being in force. The illustration included in the rules is worth noting, as it shows when data retention is required:
X, a Data Principal, purchases an e-book on an e-book platform Y. Once delivery is completed, the specified purpose of processing is served. The platform Y must retain the order details, personal data and logs of the processing (such as order confirmation, payment and delivery events) for at least one year from the date of transaction, even if X deletes her account.
Moreover, the Act places a strong emphasis on protecting children’s data. Organisations must validate parental identity and obtain proper consent before processing personal data of children, which will impose significant compliance costs on sectors dealing with large volumes of children’s data.
The vast applicability of the DPDP Act means that various sectors will be significantly affected. For instance, telecommunication providers must revamp consent systems for millions of users, while financial services organisations may face increased responsibilities as Data Fiduciaries. E-commerce companies will need to realign their onboarding processes to ensure valid consent for data collection, and IT/ITeS firms must assess and revise their GDPR policies to comply with Indian regulations.
While the rules provide much-needed clarity, certain aspects, such as the criteria for classifying Significant Data Fiduciaries and restrictions on transferring personal data outside India, remain to be specified. In a country with millions of digital users and exponentially growing data volumes, it is essential for organisations to embrace these changes. Companies must maintain structured data repositories, implement efficient processes and ensure transparency to make compliance an enabler rather than a burden. Although integrating new requirements into existing systems poses significant challenges, organisational readiness should be undertaken within the 18-month window given by the government, and the time to begin is NOW.
The author is National Leader, Policy Advisory and Specialty Services, EY India. Prateek Kukreja, director, Tax and Regulatory Services, EY India, also contributed to the article.
Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper.