Understanding India's DPDP Law
On November 13, 2025, the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection (DPDP) Rules, 2025, bringing India's first comprehensive data protection legislation into full operational effect.
The DPDP law represents a paradigm shift in India's approach to data governance. Unlike the earlier patchwork of provisions under the Information Technology Act, 2000, the DPDPA creates a unified, consent-driven, rights-based framework governing the entire lifecycle of digital personal data.
The DPDP Act applies to every entity processing digital personal data within India, regardless of organizational size. It also extends to foreign entities that process personal data of individuals in India in connection with offering goods or services.
The Compliance Timeline: Three Phases
Foundation
Data Protection Board of India (DPBI) becomes operational. Citizens can file complaints through a dedicated portal.
Infrastructure
Consent Manager registration framework activates. Organizations must prepare to interface with registered Consent Managers.
Full Compliance
Complete operational compliance mandatory — privacy notices, consent mechanisms, breach reporting (72-hour), security safeguards, rights management.
Core Obligations Under DPDP Law
Privacy Notices (Rule 3)
Standalone notices itemizing every category of personal data, the purposes of processing, consent withdrawal mechanisms, and complaint channels. Must be presented before or at the time of seeking consent.
Consent Architecture (Rule 4)
Consent must be free, specific, informed, unconditional, and unambiguous. Consent Managers are registered intermediaries for consent management — unique to India.
Security Safeguards (Rule 6)
Encryption, obfuscation, masking, tokenization, and access control. Technical and organizational measures proportionate to risk.
Breach Notification (Rule 7)
72-hour notification to DPBI and affected Data Principals. Must detail breach nature and actionable mitigation steps.
Data Principal Rights (Rule 8)
Rights to access, correct, update, and erase personal data. 90-day response requirement. Nomination rights for post-death data management.
Children's Data (Rules 10-11)
Verifiable parental consent required before processing the personal data of anyone under 18. Tracking, behavioral monitoring, and targeted advertising directed at children are restricted.
Penalty Framework
The DPDP Act imposes substantial financial penalties for non-compliance, with the highest penalty reaching ₹250 Crore. Unlike earlier drafts, the final Act does not prescribe criminal penalties — all consequences are monetary.
DPDP Act vs. GDPR Comparison
| Parameter | DPDP Act (India) | GDPR (EU) |
|---|---|---|
| Legal Basis | Primarily consent; legitimate uses defined | Six legal bases including legitimate interest |
| Data Categories | No distinction — all personal data treated uniformly | Separate categories for sensitive/special data |
| Cross-Border Transfers | Negative list (allowed unless restricted) | Adequacy decisions, SCCs, BCRs |
| Consent Managers | Registered intermediaries (unique to India) | No equivalent |
| Maximum Penalty | ₹250 Crore (~$30M) per violation | €20M or 4% global annual turnover |
| Breach Notification | 72 hours to Board + affected individuals | 72 hours to supervisory authority |
The Compliance Clock Is Ticking
AMLEGALS' privacy practice delivers end-to-end DPDPA compliance through the proprietary Vibe Data Privacy™ framework. 21+ years of experience. Legal 500 recognized.