Brief Overview:
The Digital Personal Data Protection (DPDP) Act, 2023 and its accompanying Rules are being rolled out in phases. Key provisions became effective on 13th November 2025, while additional requirements will come into force after 12 months and 18 months from the date of their Gazette notification.
Technical Details:
Key Highlights
1) Security safeguards
Implement reasonable measures to prevent unauthorized access, alteration, or disclosure of personal data.
2) Data breach notification
Notify affected individuals & DPDP Board within 72 hours of a breach, with details and mitigation steps.
3) Retention & Deletion
Requires purpose-based retention and the deletion or anonymization of personal data once its intended use is complete, except when required by law or legal proceedings.
4) Significant Data Fiduciaries (SDFs)
Data fiduciaries classified as SDFs on the basis of data volume, sensitivity, etc. are subject to enhanced compliance obligations: independent audits and data protection impact assessments.
5) Cross-border transfers
Permitted unless restricted by the government, in compliance with notified conditions.
6) Consent Manager registration
Consent Managers (i.e. registered entities that help manage and withdraw consent for personal data processing) must register with the DPDP Board and meet prescribed obligations (effective after 1 year).
7) Penalties for non-compliance
(a) Up to ₹250 crore for data fiduciary violations.
(b) Up to ₹200 crore for failure to report breaches.
(c) Up to ₹10,000 for data principal duty breaches.
8) Notice & rights enforcement
Obligations on notices, data fiduciary duties, and data principal rights effective within 18 months of notification.
9) DPDP Board
To monitor and oversee personal data usage; investigative powers effective within 1 year.
Takeaways:
The DPDP Act and Rules introduce strict obligations for data fiduciaries, phased over 12–18 months, focusing on consent & rights, security & breach, reporting, governance & accountability. Organisations should initiate actions now: map data flows, update consent processes, and prepare for audits.
