Data Protection Compliance under India’s DPDP Act: Managing Risk in the Digital Era
Data protection compliance under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) has become a critical regulatory priority for organizations operating in the digital economy. In the realm of data protection and privacy, the DPDP Act and the DPDP Rules establish clear obligations for how personal data is collected, processed, stored, and protected, particularly for entities offering goods or services in India.
India’s Regulatory Landscape
The regulatory framework in India for personal data is undergoing considerable change. In August 2023, the Digital Personal Data Protection Act, 2023 (Act) was enacted by Parliament.
- This law applies to the processing of digital personal data in India and, extraterritorially, to data processed outside India that relates to the offering of goods and services to individuals in India.
- It outlines new obligations for consent, purpose limitation, data minimization and individual rights.
- The rules that make the Act operational are still at draft stage and are planned to be brought into force in phases.
On 13th November 2025, the Ministry of Electronics and Information Technology (“MeitY”) released Digital Personal Data Protection Rules, 2025 (“Rules”) to provide operational clarity for entities processing digital personal data in relation to providing goods and services within the territory. By outlining specific compliance requirements, these rules facilitate a smoother transition for businesses aiming to align with the Act.
Why Must Organisations Take Data Protection and Privacy Seriously?
- A recent study revealed that only 16% of surveyed individuals in India said they were aware of the DPDP Act, while only 9% of organizations indicated a full understanding of the law, exposing a significant readiness gap.
- On a worldwide scale, 48% of customers report that they have stopped purchasing from a company because of its privacy policies.
- Industry reports show that 94% of businesses claim to adhere to responsible data practices and the responsible use of consumer data.
This evidence shows that brand trust, whether a business is deemed compliant, and the perceived responsibilities of companies are increasingly tied together. Poor data practices are no longer merely one aspect of a security incident; they are becoming a governance issue and a competitive disadvantage.
Building a Data Protection Compliance Framework
Map Data Flows and Inventories
Understand what personal data you hold (covering entities in India and outside India), where it is stored, how it flows through applications, cloud services and processors, and for what purpose it is processed.
Define Governance, Roles and Accountability
Entities should designate a Data Protection Officer and establish governance committees with executive oversight of the data protection strategy.
Implement Policy and Procedures
- A data privacy policy, internal processing guidelines, data breach notification protocol, and vendor/data processing management policy must be adopted.
- As per the Act, security measures such as encryption, access logs, backups, and physical access controls are required.
- Vendor contracts should impose obligations on the processor, and deletion policies and retention periods should comply with the law.
Consent and Individual Rights Management
- Where appropriate, ensure consent is obtained and that it is specific, informed and recorded.
- Implement a system that allows individuals to correct or erase their personal data, or revoke consent, as applicable.
- Be especially cognizant of children’s data and the cross-border transfer of personal data.
Risk Assessment and Data Protection Impact Assessments
Complete a data protection impact assessment for high-risk processing, covering the assessment itself, mitigation measures and retention limits.
Incident Response and Breach Management
In the event of a breach, procedures must be established for reporting to the applicable authority, contacting affected users, and recording the steps taken in response. Under the draft regulations, records must be retained for no less than one year.
Training and Culture Change
Ensure employees at all levels understand data handling practices, privacy implications, phishing risks and the behavioural components of compliance. Awareness gaps are high-risk factors.
Continuous Monitoring and Regulatory Change Management
As legislation and regulations change, establish systems for monitoring regulatory change, measuring the impact of the changes, and amending your policies accordingly. Regulatory change management is particularly important for companies doing business in multiple jurisdictions.
Global Context and International Standards
As organizations focus on India, they must also align with a global framework. Establishing a global data protection posture means:
- Making sure your India provisions align with global systems.
- Building cross-border transfer mechanisms such as adequacy decisions or contractual clauses.
- Recognizing that extraterritorial liability may arise; for example, India’s Data Protection Act covers data processed outside India if it relates to Indian individuals.
- Ensuring that local data privacy requirements, such as data protection compliance in India, are managed as part of an enterprise risk and compliance programme.