Summary of DPDP Act and Rules

  • Tech Reg Forum
  • Nov 28
  • 2 min read

Below are portions of interest from India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) and Rules, 2025, which together establish a comprehensive framework for the processing of digital personal data. The regime emphasises lawful, fair and purpose-specific use, with clear consent requirements, enforceable rights for individuals, and fiduciary responsibilities for organisations.


  • The Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) create a comprehensive framework governing the processing of digital personal data in India, including data later converted into digital form, and apply to entities outside India when they offer goods or services to people in India.

  • The regime is built on principles of lawful, fair, transparent and purpose-specific processing, requiring organisations to collect only necessary data and retain it only as long as needed.

  • Consent must be clear, informed and specific, supported by a notice that explains what data is being collected and why; withdrawal of consent must be easy and accessible.

  • Individuals (“Data Principals”) have a set of enforceable rights, including access to their information, correction and erasure, data portability, consent withdrawal, and the ability to nominate another person to exercise these rights on their behalf.

  • Consent Managers, who are independent Board-registered intermediaries, enable Data Principals to manage, review and withdraw consents seamlessly across different platforms.

  • Data Fiduciaries must adopt privacy by design, ensure data accuracy, implement adequate security safeguards, maintain processing records, and notify the regulator and affected individuals of data breaches.

  • Organisations that pose higher risks, designated as Significant Data Fiduciaries, must comply with additional obligations such as appointing a Data Protection Officer, conducting regular audits, and carrying out Data Protection Impact Assessments for high-risk processing.

  • Special protections apply when processing children’s data, including the requirement for verifiable parental consent and restrictions on profiling, tracking or targeted advertising directed at children.

  • Cross-border personal data transfers are permitted but subject to conditions and safeguards set out in the Rules, which may restrict certain categories of data or types of fiduciaries.

  • The DPDP Rules specify detailed processes for breach notification, requiring timely and transparent disclosure to both the Data Protection Board and impacted individuals, along with information on risks and remedial measures.

  • The Data Protection Board of India is empowered to investigate non-compliance, adjudicate complaints, issue binding directions, and impose monetary penalties, with appeals escalating to the TDSAT.

  • The framework recognises limited exemptions for processing relating to national security, public order, and certain state functions, while emphasising proportionality and accountability.

  • Penalties can be substantial and scale with the seriousness of the violation, particularly for repeated non-compliance, failure to implement security safeguards, or non-reporting of breaches.

  • Implementation is planned in phases, giving organisations time to adapt systems, update privacy notices, operationalise rights-management processes, and align internal governance with the new requirements.
