India’s Digital Privacy Law Takes Effect: What You Need to Know
India has officially operationalised its first dedicated data protection law, the Digital Personal Data Protection Act (DPDPA), 2023. The Ministry of Electronics and Information Technology (MeitY) notified the rules on Friday, marking a significant shift in how personal data is handled in the country.
Key Takeaways
- Companies now have 18 months to achieve full compliance with the new data protection rules.
- Organisations must provide clear explanations of what data is collected and how it will be used.
- Users gain the right to easily revoke consent and file complaints with a new Data Protection Board.
The new regulations require social media platforms, online gateways, and all entities handling personal data to provide users with detailed information about the data being collected and its intended purpose.
“There is no doubt that India has entered a new era of privacy. In the age of AI, trust is crucial. And because AI depends on large volumes of data, strong privacy protections must come first. This development marks an important step in strengthening India’s digital ecosystem and aligns closely with the country’s recent AI governance guidelines,” said Ivana Bartoletti, Chief Privacy and AI Governance Officer, Wipro.
Bartoletti emphasized that the rules establish robust data governance anchored in clear responsibilities, defined structures, and privacy by design principles.
Implementation Timeline
While companies have up to 18 months to meet administrative compliance requirements, consent managers—organizations authorized to act on behalf of users—must register with the Data Protection Board within 12 months.
“With the notification of the Rules and the Act, the government has finally put all uncertainty to rest,” said Nikhil Narendran, Partner – TMT [Technology, Media and Telecommunications], Trilegal. “India Inc. now has an 18-month runway to gear up for full compliance. For most organisations, it will be necessary to start with data mapping, redesigns of consent and notice flows, and training programs to ensure compliance, with the help of lawyers, technologists, and privacy professionals. The real focus will also be on the constitution of the new Data Protection Authority and how this regulator interprets these rules, prioritises enforcement, and how early guidance shapes India’s digital industry,” Narendran added.
Building a Culture of Trust
Jaspreet Singh of Grant Thornton Bharat described the DPDPA Rules 2025 as India’s transition from policy intent to operational accountability.
“Compliance under DPDPA is not a checklist; it’s a culture of trust every organisation must now institutionalise. The DPDPA era demands boardroom fluency in privacy governance; executives will now be measured by controls they can evidence, not promises they make,” Singh said. “The 2025 Rules make one thing clear — data fiduciaries must embed privacy by design before regulators force it by default. As DPDPA Rules take effect, the next advantage belongs to organizations that operationalise privacy as a continuous assurance function,” he noted.
