India's own GDPR equivalent, the Digital Personal Data Protection (DPDP) Rules, 2025, was notified last week. The government says the Act and the Rules are meant to simplify the framework for the use of digital personal data in a way that is citizen-focused and supports innovation.
The DPDP Act was passed by Parliament in August 2023, and the draft rules were released for public consultation in January 2025. The framework is intended to be comprehensive: it sets out the obligations of entities handling digital personal data (Data Fiduciaries) and the rights and duties of the individuals the data relates to (Data Principals).
It's worth noting that the government has provided an 18-month phased compliance timeline to help organizations prepare for the transition.
"…They (DPDP Rules) also require Data Fiduciaries to issue standalone, clear and simple consent notices that transparently explain the specific purpose for which personal data is being collected and used. Consent Managers—entities that help individuals manage their permissions—must be Indian companies," the government said in a release.
Key things to know about India's DPDP Rules
Consent: India's rules place consent at the centre of the data protection framework, supported by a standardised notice format and an interoperable consent manager ecosystem.
Accountability: The rules also aim to create an environment of accountability in which entities must demonstrate compliance through logs, audits and operational readiness, among other things.
Privacy: The rules bring much-needed transparency to the use of children's data. For instance, verifiable parental consent is now mandatory before a child's personal data is processed.
Key things for businesses and individuals
India's data protection rules are widely seen as a new window of opportunity for companies across the spectrum to invest in data management and consent mechanisms, which could in turn attract privacy-conscious customers.
As noted above, consent is one of the key highlights of the rules. Data Fiduciaries must give the individual (Data Principal) a clear, plain-language notice stating the purpose for which personal data is collected before seeking consent.
They must also implement reasonable security safeguards, such as data masking and encryption, to prevent personal data breaches.
Entities that suffer a personal data breach must promptly inform the affected individuals and the Data Protection Board of India.
Entities must erase personal data once the purpose for which it was collected is no longer being served, unless the authorities have required them to retain it. They must also retain logs for at least twelve months.
You can learn more about the new rules and Act on the official MeitY website.
Potential impact, opportunities, and challenges
Even though the government has opted for a phased approach that gives entities ample time for the transition, the new privacy rules will have a significant impact on India's entire internet economy. That economy is highly interconnected: personal data is no longer merely collected inbound but flows between companies within the country and across borders.
India's end users have embraced internet-first or internet-only companies for their everyday needs, including payments. There are, however, plenty of examples of data being misused by companies as well as by cyber criminals, and accountability for data breaches has largely been missing from the industry conversation.
One parallel India can draw on is Europe's GDPR. The General Data Protection Regulation, which came into effect in May 2018, gave end users the right to access, rectify and erase their data, while requiring organizations to be transparent about how they intend to use it. The result has been greater accountability, better data governance and a range of other protection measures.
Industry stakeholders have long called for rules governing data flows both within India and across its borders.
"... This legal shift is a positive catalyst for FMCG, ending passive data capture and demanding precise consent linked to clear customer value (loyalty/engagement). By adopting data minimization and purpose limitation, we are compliant and are transforming our reliance on large, retail-driven data pools into high-quality, targeted datasets, driving superior efficiency and building deeper customer trust," Santosh Singh, Senior Vice President, IT, DS Group said in a statement.
Wipro's Chief Privacy and AI Governance Officer Ivana Bartoletti, said in a statement:
"There is no doubt that India has entered a new era of privacy. In the age of AI, trust is crucial. And because AI depends on large volumes of data, strong privacy protections must come first. This development marks an important step in strengthening India's digital ecosystem and aligns closely with the country's recent AI governance guidelines.
Robust data governance – anchored in clear responsibilities, defined structures, consent and privacy by design – enables organisations to grow in a sustainable and accountable way. It is the foundation for the public confidence that citizens and consumers need, as innovation accelerates and technology becomes ever more embedded in daily life."
Impact on small and medium sized firms
One of the biggest concerns has been whether small and medium-sized businesses will be able to comply with the new rules. Industry experts, however, say this is unlikely to be a major challenge.
"The Rules are designed to be proportionate. SMEs receive an 18-month transition period and are not subject to the enhanced obligations applied to Significant Data Fiduciaries. Most required safeguards, including encryption, access logging and secure hosting, can be fulfilled using standard cloud services and managed security tools. For most SMEs, the requirements are demanding but well within reach," PrivEzi CEO and founder Ibrahim H. Khatri told Entrepreneur India.
Khatri also noted that organisations now know exactly what is expected of them around consent, retention, breach notification and governance. The transition will take effort, but the long-term benefit is clear: stronger accountability builds trust and reduces uncertainty for everyone in the digital marketplace.
Sagar Vishnoi of Future Shift Labs likewise said that compliance is manageable, since encryption, logging and access control are now basic, scalable and often automated.
Mishi Choudhary, founder of SFLC.in, notes, however, that implementation will require investment. Large companies already have security and compliance teams, but smaller players face considerable restructuring and expense.
"The reporting timelines are aggressive and will require external toolings. Forensic disclosures cannot be made within the expected timelines. Rule 23 is a major issue giving Govt broad access to private databases increasing privacy risks substantially. This provision creates surveillance risks and business risks," she said in a statement.
Rule 23 allows the government to require a Data Fiduciary or an intermediary (such as an internet service provider or a social media platform) to provide the information or data it seeks.
"... this transformation poses a unique challenge for small and medium-sized enterprises (SMEs). Unlike larger organizations with mature data-compliance structures, SMEs often operate with lean teams and limited security frameworks. The DPDP framework compels SMEs to adopt structured consent practices, strengthen data security, and eliminate ad-hoc data handling. Handling personal data goes beyond a legal obligation; it is the foundation of trust. Especially when dealing with sensitive data, like health information, ensuring proper consent and robust security measures is crucial for retaining employee confidence," Anjan Pathak, co-founder of Vantage Fit, told Entrepreneur India.
"Seventy-two hours isn't perfect for BFSI, but it forces institutions to break the culture of silence; early disclosure is the only antidote to the financial fraud chain that follows every major breach. Banking and insurance environments are deeply complex; core banking systems, LOS/LMS, policy administration platforms, RTAs, wealth dashboards, and multiple third-party processors all participate in data flows. When a breach occurs, identifying its scope, root cause, and responsible parties can take far longer than three days. In large corporate settings, short deadlines can also lead to scapegoating, partial or overly cautious disclosures, and inadequate root cause analysis," Amit Das, Founder & CEO at Think360.ai said.
"However, the purpose of the 72-hour rule is not to demand final answers; it is to start transparency early. Institutions are required to report "what is known so far," then continue submitting detailed updates as investigations evolve. In high-risk sectors like financial services, early alerts are crucial: they help protect customers from secondary fraud, phishing, and credential replay attacks that often follow major breaches," Das added.
The notification of the DPDP Rules, 2025 nevertheless marks a pivotal point in India's efforts to govern its users' data with a focus on privacy and accountability. As mentioned above, the phased rollout gives organizations, including SMEs, ample time to adapt. The rules are, however, yet to be tested in practice: the tight breach notification timelines, for instance, will be hard to enforce if companies cannot, or choose not to, comply. Even so, given the size of India's internet economy, the rules look like a step in the right direction for building accountability.
