The launch of the Digital Personal Data Protection Act (DPDPA) in 2023, along with the DPDP Rules in 2025, represents a major shift in governance outlook in India. India has introduced a unified Data Governance Framework aimed at creating a mature and responsible data economy. 

The law reinforces the Right to Privacy, which the Supreme Court recognised as a fundamental right in the landmark Puttaswamy judgment.

The “Third Way” of Data Governance

India’s framework can be described as a “Third Way”, representing a strategic middle ground between the rights-focused European GDPR and the market-driven American model. 

While the GDPR treats privacy as a fundamental human right with stringent compliance obligations, and the United States continues to rely on a fragmented mix of state and sectoral laws, the DPDPA offers a principle-based federal framework with a more flexible structure. 

One of its major shifts is the transition from a “whitelist” to a “blacklist” approach for cross-border data transfers, allowing data to flow to most countries by default unless specifically restricted.

Key Pillars of the Framework

The Act establishes several important roles and institutional mechanisms to govern digital personal data. The “Data Principal” refers to the individual whose data is being collected, while the “Data Fiduciary” is the organisation that determines how and why the data will be processed. 

The law also introduces the category of “Significant Data Fiduciary” (SDF), covering organisations involved in large-scale data processing or activities considered high-risk. These entities are required to undertake additional obligations, including independent audits and the appointment of a Data Protection Officer (DPO). 

The Data Protection Board of India (DPBI) will function as the main authority responsible for handling complaints and enforcing penalties.

Under the framework, consent must be free, specific, informed and unambiguous. 

Individuals are granted important rights, including the ability to access, correct and erase their personal data, commonly referred to as the “right to be forgotten”, along with the right to seek grievance redressal.

Implementation Timelines and Penalties

The government has planned a phased enforcement strategy to allow organisations time to adjust to the new framework.

The initial rules governing the DPBI became effective in late 2025, while the main operational requirements, including rights management systems and security obligations, are expected to be implemented gradually over an 18-month period. 

This means the framework is likely to become fully operational by 2027.

The consequences of non-compliance are substantial. The Act permits penalties of up to ₹250 crore for each violation, especially in cases involving security breaches or mishandling of children’s data. 

The introduction of such large financial penalties signals the government’s intention to push organisations towards stronger accountability and data governance practices.

Impact Across Sectors and the Compliance Road Ahead

The DPDPA is expected to significantly reshape how individuals, businesses and government institutions operate in the digital ecosystem. 

For individuals, the law promises stronger privacy protections, particularly for children, while limiting manipulative “dark-pattern” consent practices and increasing accountability for large digital platforms. 

At the same time, MSMEs are likely to face mandatory compliance obligations that could substantially increase operational costs, with estimates suggesting a 25% to 30% rise in spending to meet new standards. 

Large corporations, meanwhile, will need to adopt “privacy-by-design” systems, establish company-wide governance structures and strengthen oversight of third-party vendors handling personal data.

Government agencies, although granted certain exemptions linked to national security and public order, will still need to comply with key security and breach-management obligations.

This transition presents serious operational challenges, particularly for institutions lacking strong digital infrastructure. 

Organisations across sectors will need to build robust consent logs, automated rights-management workflows and real-time monitoring systems capable of meeting the strict 72-hour data breach reporting deadline mandated under the law.

Another major challenge is the shortage of specialised expertise. Significant Data Fiduciaries are required to appoint qualified Data Protection Officers and conduct independent audits, but the availability of trained professionals in these areas remains limited. 

For public sector bodies, aligning DPDPA obligations with existing welfare and identity systems will require significant technical restructuring and administrative coordination.

Recommendations

To manage this transition effectively, corporations and SDFs will need to establish central privacy offices, maintain updated Records of Processing Activities (ROPA) and conduct Data Protection Impact Assessments (DPIAs) for high-risk projects.

MSMEs, on the other hand, may need to focus on building practical data inventories and using affordable cloud-based managed services for encryption and access control instead of investing in expensive customised infrastructure. 

Government bodies will need to draft detailed procedures governing data access and sharing while also investing in specialised training for investigators and administrators handling personal data. 

Individuals, too, will have a role to play by actively exercising their rights to correct or erase personal data and regularly reviewing permissions granted to digital platforms and applications.

The DPDPA 2023 marks a new era where privacy is essential, not optional. While the journey to compliance is challenging, it provides a realistic plan for data governance. In the end, those who see privacy as a valuable asset rather than just a regulatory burden will be in the best position to thrive in India’s evolving, trust-based digital landscape.

Views expressed are those of the author and do not reflect EastMojo’s stance on this or any other issue. The author is a Certified Data Privacy Professional and Strategic & GeoPolitical Advisor. In addition, his specialised fields include Intelligence, Insider Threat Management, Financial Crime Investigation and Geopolitical Risk Analysis, with two decades of experience in the field.

Lt Col Ujjual Abhishek Jha Retd, Reporter, EastMojo