Data Privacy in India (2025): What Companies Need to Know – FAQs

1. What is “personal data” under the DPDP Act?
“Personal data” is defined in the DPDP Act (assented to on 11 August 2023) as data about an individual who is identifiable by or in relation to such data (Section 2(1)(l)). Identification may be direct (name, email, Aadhaar number) or indirect (device logs, cookies, behavioural metadata). The Act applies to “digital personal data” (data in digital form), though non-digital data may fall within scope if it is later digitised.
The accompanying Rules were notified on 13 November 2025. Because the definition is broad, organisations should assume that any data which can identify or relate to a person is covered.
2. What kinds of personal data can organisations lawfully collect?
Under Section 4 of the Act, a Data Fiduciary may process personal data only if it satisfies a lawful basis (consent under Section 6, or one of the other grounds under Section 7: employment, legal obligation, public interest). The Rules amplify the collection constraints: data must be necessary for the declared purpose and kept to the minimum required; collection “just in case” is disallowed.
For high-risk categories (children’s data, biometrics, financial data) special safeguards apply (Rules refer to verifiable consent, DPO obligations, etc.). Organisations must map purpose, categories and lawful basis before collection.
3. What limits apply to collection of personal data?
The Rules impose concrete limits:
- Purpose limitation: The Data Fiduciary must disclose specific purposes (Rule 3).
- Proportionality/data minimisation: Collect only what is reasonably necessary for the specific purpose.
- Transparency: Notices must be in plain language and list data categories, sharing practices and retention periods (the Rules emphasise clarity).
- Children’s protections: Targeting, profiling or behavioural tracking of children is prohibited unless specific exemptions apply (see Rules section on children’s data).
- No dark patterns: Consent must be freely given; bundling, pre-ticked boxes or manipulative UI are disallowed under Rules.
- Lawful basis requirement: Processing without valid basis is impermissible.
In practice, organisations must document purpose, limit categories, and restructure collection flows accordingly.
4. What are the primary laws and rules governing digital personal data in India?
- The DPDP Act, 2023 (Assent: 11 August 2023) – the statute setting out obligations, rights, offences and penalties.
- The DPDP Rules, 2025 (Notified: 13 November 2025) – the operational rules that specify how fiduciaries must comply (consent mechanics, breach timelines, retention/deletion obligations, SDF rules, etc.).
Together they form the core legal framework for digital personal data protection in India.
5. When do DPDP provisions come into force?
Section 1(2) of the Act allows the Government to bring different provisions into force on different dates. According to media guidance, the Rules were notified on 13 November 2025, and that notification triggers the commencement of many operational obligations. A phased rollout spans 12–18 months for full compliance with many obligations. So, although the Act is on the books, fiduciaries should treat the next 12–18 months as a transition window and plan immediate readiness.
6. What is a Data Fiduciary (DF) and its core duties?
A Data Fiduciary is defined in Section 2(1)(i) of the Act. Core duties include:
- Issue a privacy notice (Section 5) before collecting data;
- Obtain valid consent (Section 6) or rely on another lawful basis (Section 7);
- Implement security safeguards (Section 8(5));
- Enable Data Principal rights (access under Section 11, correction/erasure under Section 12);
- Meet retention/deletion obligations (Section 8(7)-(9));
- Maintain records and cooperate with the Board.
The Rules flesh out formats and timelines for notices, consent mechanics, logging, audit trails and more.
7. Who is a Data Processor and how does liability operate?
Under Section 2(1)(j), a Data Processor is a person processing data on behalf of a Data Fiduciary. The DF retains primary responsibility, but the Processor must maintain security controls, follow instructions, support deletion, logging and audits. The Act/Rules allow the Board to investigate both DFs and processors. Contracts (DPAs) must now reflect the Rules’ enhanced requirements (consent propagation, cross-border obligations, deletion certifications).
8. What constitutes valid consent?
Under Section 6(1), consent must be free, specific, informed, unambiguous, given via a clear affirmative action. The Rules require notices in plain language and consent withdrawal options. For children under 18 or persons with disabilities, verifiable parental/guardian consent is required (Rules specify verification methods). Failure to meet consent standards invalidates reliance on consent basis (Section 6(2)).
9. How may consent be withdrawn?
Section 6(4) states withdrawal of consent must be as easy as giving consent. The Rules require user-friendly withdrawal flows and immediate cessation of processing for that purpose, unless another lawful basis applies. Organisations must propagate the withdrawal to processors, stop related downstream processing, document the timeline and update logs accordingly.
10. What are “reasonable security safeguards”?
Section 8(5) obliges fiduciaries to implement appropriate technical and organisational measures. The Rules amplify this with practical controls: encryption (in transit and at rest), pseudonymisation/masking, role-based access controls, monitoring and incident detection, and log retention (Rule 8(3) requires logs to be kept for at least one year). Failure to implement safeguards is a major risk exposure: for serious failures the penalty cap is ₹250 crore (see Section 33 and the Schedule).
11. What must a company do during a personal data breach?
Under Rule 7 of the Rules, the fiduciary must notify both the affected Data Principals and the Board. Specifically:
- Notification to the Board: within 72 hours of becoming aware of the breach.
- Notification to the Data Principals: “without undue delay”, detailing nature of breach, categories/volumes of data, timing, mitigation steps and contact details.
Organisations must preserve forensic logs, have incident-response playbooks, conduct root-cause analysis, and be prepared to furnish periodic updates. The Rules reinforce that the Board may require further details or an audit.
12. What penalties and actions can regulators impose?
The Act’s Section 33 sets out penalty-factors and the Schedule gives ceiling amounts:
- Up to ₹250 crore for serious breaches (failure to implement safeguards).
- Up to ₹200 crore for failure to issue breach notification or children’s data violations.
- Up to ₹150 crore for SDF-obligation breaches.
- Up to ₹50 crore for other violations.
- Up to ₹10,000 for certain minor duties (Section 15).
Beyond monetary penalties, the Board may audit, direct corrective steps, and in severe cases block services.
13. How does the law treat children’s data?
The Rules mandate verifiable parental consent for processing the personal data of children (under 18). They prohibit behavioural monitoring, profiling or targeted advertising directed at children except where permitted. Allowable processing is tightly regulated, and fiduciaries must provide parental dashboards or guardian-oversight functions. Non-compliance carries one of the highest penalty tiers (up to ₹200 crore).
14. What is a Significant Data Fiduciary (SDF)?
Section 10 of the Act and the Rules define SDFs. The Government will notify the criteria (volume, sensitivity, impact). Once designated, SDFs must:
- Appoint a Data Protection Officer in India;
- Conduct DPIAs annually;
- Undertake independent data audits;
- Provide algorithmic transparency reports.
Failure to comply may attract penalties up to ₹150 crore plus remedial directions.
15. How should companies prepare for SDF designation?
Companies likely to qualify (by data volumes or sensitivity) should start now: map data flows, run DPIAs, appoint DPO, build logging & audit mechanisms, implement algorithmic oversight and internal audit pipelines. Early alignment avoids large remediation bursts post designation.
16. Are cross-border data transfers permitted?
Yes, under Section 16, data transfers are permitted unless the Government issues a notification restricting transfers to certain territories/entities/categories. The Rules emphasise that fiduciaries must maintain flexibility and have contractual and architectural arrangements ready for migration or deletion of overseas data if a restriction emerges.
17. What contractual protections are needed for cross-border transfers?
Contracts should:
- include obligations for migration/deletion if destinations become restricted;
- require proof of deletion or certification from overseas processors;
- grant audit rights and cooperation for foreign-law enforcement access;
- require that processors support 72-hour breach notification;
- include sub-processor restrictions and geo-fencing clauses;
- ensure encryption when transferring across borders.
These protections are part of the Rules’ compliance expectations.
18. What is a Consent Manager (CM)?
The Rules (Rule 4) provide for a Consent Manager – an entity where Data Principals can give, view and withdraw consent across fiduciaries. DFs must integrate with CM APIs, validate CM-consent tokens, synchronise flows and respect withdrawal events. Organisations must plan backend architecture and UX changes to track CM-issued consents, integrate audit logging and support revocation.
19. What are the retention and deletion obligations under DPDP?
Under Rule 8(3) of the Rules: fiduciaries must retain personal data, associated traffic and logs for at least one year after purpose fulfilment or withdrawal unless a longer period is mandated by law.
Additionally, prior to erasure in “specific scenarios” (e.g., where a Data Principal has not interacted for a defined period), fiduciaries must provide a 48-hour prior notice to the principal before deletion (as summarised in commentary). Organisations need automated pipelines to trigger notices, deletion workflows, receipt-tracking and logs of completion.
20. How should organisations build deletion orchestration?
Implement a central deletion engine with downstream connectors (databases, caches, backups, third-party processors). It must issue and collect deletion receipts; log chains of events; trigger backup sanitisation; and manage legal-hold flags. Contracts must require processors to issue deletion certification within defined timeframes. Regular drills/test restores should verify that deleted data cannot be resurrected.
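The deletion engine sketched above (connectors per downstream system, legal-hold flags, receipt collection, an event chain, and the 48-hour prior-notice window from the previous question) as an added example; this is illustration code, not from the FAQ or any official source, and the connector names, receipt shape and sample record are constructed:

```python
"""Added illustration of a central deletion engine: legal-hold flags, the 48-hour prior-notice
window the FAQ describes, per-target deletion receipts and an event log. Not code from the FAQ
or any official source; connector names and the sample record are constructed for the demo."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

NOTICE_WINDOW = timedelta(hours=48)   # prior notice before erasure, as stated in the FAQ


@dataclass
class DeletionJob:
    principal_id: str
    notice_sent_at: datetime
    legal_hold: bool = False
    receipts: list = field(default_factory=list)   # (target, completed_at, evidence)
    events: list = field(default_factory=list)     # (timestamp, status, detail) audit trail


class DeletionEngine:
    def __init__(self, connectors: dict[str, Callable[[str], str]], now=None):
        # connectors: target name -> callable(principal_id) returning evidence text
        self.connectors = connectors
        self.now = now or (lambda: datetime.now(timezone.utc))

    def run(self, job: DeletionJob) -> str:
        if job.legal_hold:
            job.events.append((self.now(), "held", "legal hold active"))
            return "held"
        if self.now() - job.notice_sent_at < NOTICE_WINDOW:
            job.events.append((self.now(), "deferred", "48-hour notice window still open"))
            return "deferred"
        for name, delete in self.connectors.items():
            try:
                evidence = delete(job.principal_id)
            except Exception as exc:            # a failed target is recorded, never silently skipped
                job.events.append((self.now(), "failed", f"{name}: {exc}"))
                continue
            job.receipts.append((name, self.now(), evidence))
            job.events.append((self.now(), "receipt", name))
        missing = sorted(set(self.connectors) - {target for target, _, _ in job.receipts})
        if missing:
            job.events.append((self.now(), "incomplete", ",".join(missing)))
            return "incomplete"                 # retry or escalate before confirming erasure
        job.events.append((self.now(), "complete", "all receipts collected"))
        return "complete"


def demo() -> dict:
    """Constructed run: the primary store deletes cleanly, a processor API times out."""
    t0 = datetime(2025, 12, 1, tzinfo=timezone.utc)
    db = {"dp-1": {"email": "dp1@example.invalid"}}   # constructed sample record
    def delete_db(pid: str) -> str:
        return f"{1 if db.pop(pid, None) else 0} row(s) removed"
    def delete_processor(pid: str) -> str:
        raise TimeoutError("processor API unreachable")
    engine = DeletionEngine({"primary_db": delete_db, "processor:vendor-x": delete_processor},
                            now=lambda: t0)
    held = DeletionJob("dp-1", t0 - timedelta(hours=72), legal_hold=True)
    early = DeletionJob("dp-1", t0 - timedelta(hours=1))
    due = DeletionJob("dp-1", t0 - timedelta(hours=72))
    return {"held": engine.run(held), "early": engine.run(early), "due": engine.run(due),
            "receipts": [target for target, _, _ in due.receipts], "rows_left": len(db),
            "failures": [d for _, s, d in due.events if s == "failed"]}
```

An "incomplete" result is the case to design for: confirmation to the principal should wait until every target, including processors, has returned a receipt.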
21. Do boards or executives face liability?
While the Act focuses on organisational liability, the Board’s evaluation of penalty factors under Section 33(2) includes whether appropriate oversight and governance mechanisms were in place. Boards should treat DPDP compliance as enterprise-risk, demand remediation reports, allocate budgets and maintain minutes. Weak governance may increase exposure and penalties.
22. How does DPDP interact with sectoral laws (RBI, SEBI, Aadhaar, healthcare)?
DPDP is not a standalone override. Where sectoral law (e.g., the Aadhaar Act, 2016, or banking regulation) demands localisation or stricter retention, that rule must be followed in parallel. Organisations should map the overlay of DPDP and sectoral laws and reconcile obligations: e.g., where sectoral law mandates immediate disclosure or compulsory retention, that applies even if DPDP offers more flexibility.
23. What must a breach notification include?
Rule 7 requires the notification to the Board to include: description of breach (nature, extent, timing, location), categories of personal data, volume of principals affected, likely consequences, measures taken, contact details of DPO/liaison, and mitigation steps. Notifications to Data Principals must include clear, plain-language description, guidance on protective steps, and contact for queries. The 72-hour Board-notification timeline applies.
24. What operational capabilities are essential for DPDP readiness?
Essential capabilities:
- Data-flow/inventory map (systems, categories, processors)
- Consent UX + ingestion of Consent Manager tokens
- Encryption at rest & in transit, pseudonymisation, RBAC
- SIEM/SOC for 24/7 monitoring, alerting, forensic readiness
- Automated retention/deletion workflows with deletion logs
- Rights-request portal (authentication, workflow, proof-trail)
- Vendor governance: DPAs conforming to Rules, deletion/migration triggers, audit rights
- DPIA registry & audit pipeline (especially SDF readiness)
- Board-level reporting and DPO function
- Incident-response playbook tied to 72-hour breach notification
Focus on high-risk elements first (children’s data, financial data, profiling) to accelerate compliance.
25. How should companies handle rights requests (access, correction, erasure)?
The Rules (Rule 14) require fiduciaries and Consent Managers to publish the method for making requests and commit to a resolution timeline of maximum 90 days.
Organisationally, build a portal or API that authenticates the requestor, verifies authority (especially for minors/guardians), triggers workflows (access/correction/deletion), logs every action, and issues confirmation. Although the Act does not specify each timetable, the 90-day cap gives a clear external requirement.
26. What authentication methods may be used for rights requests?
Organisations should adopt risk-based authentication: multi-factor, verified email/phone, government ID, Digital Locker credentials, or Aadhaar where legally permissible. For rights exercised by or on behalf of minors/disabled persons, extra verification of guardian consent is required (as per Rules). Authentication flows must be documented and logs retained for regulatory proof.
27. How must parental consent be verified?
For children (under 18), the Rules require “verifiable parental or guardian consent”. Acceptable mechanisms include Digital Locker verification, government-issued ID, verified parent account, or other authentication as may be prescribed. The consent must be auditable (timestamp, IP/device info, guardian identity). Platforms should also provide parental dashboards enabling oversight and withdrawal. Any profiling or targeted advertising of children remains heavily regulated and restricted.
28. What is a DPIA and when is it mandatory?
The Rules require SDFs to carry out DPIAs and independent audits annually (Rule on SDF obligations). For high-risk processing (profiling, children’s data, biometrics, large-scale sensitive data), organisations should treat DPIA as mandatory. A DPIA should document purpose, risk to rights of Data Principals, mitigation steps, monitoring and review schedule, and sign-off by DPO. Regulators will expect DPIAs retained as evidence of compliance.
29. How should AI/algorithmic systems be governed under DPDP?
For SDFs, the Rules require enhanced governance of algorithmic decision-making: documentation of model training, fairness/bias mitigation, human-in-loop for impactful decisions, transparency to Data Principals, and independent audit of high-impact models. Even non-SDF fiduciaries using profiling or automated decisions should apply similar controls to reduce enforcement risk.
30. What logging and retention practices are required?
Under Rule 8(3), a fiduciary must retain personal data, and associated traffic, access, modification and deletion logs for at least one year after the purpose is complete unless a longer period is required by law. Logs must be immutable, tamper-proof, securely stored and accessible for audit. Organisations should implement log-archive and integrity-check processes to meet this requirement.
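An added example of the log properties this answer calls for (tamper evidence via a keyed hash chain, an integrity check that pinpoints the first altered entry, and a one-year minimum retention gate); this is illustration code, not from the FAQ or any official source, and the key handling and sample events are assumptions:

```python
"""Added illustration of a tamper-evident audit log (HMAC-chained entries) plus the
one-year minimum retention check the FAQ describes. Not code from the FAQ or any
official source; the key handling and sample events are assumptions for the demo."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

ONE_YEAR = timedelta(days=365)                 # minimum log retention stated in the FAQ
FIELDS = ("seq", "ts", "actor", "action", "principal")


class AuditLog:
    def __init__(self, key: bytes):
        # The MAC key must live outside the log store (KMS/HSM): a writer who can edit
        # the log but lacks the key cannot recompute a valid chain. Assumption for the demo.
        self.key = key
        self.entries: list[dict] = []

    def _mac(self, prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, prev.encode() + body, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, principal: str, ts: datetime) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        record = {"seq": len(self.entries), "ts": ts.isoformat(),
                  "actor": actor, "action": action, "principal": principal}
        entry = {**record, "prev": prev, "mac": self._mac(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Return (ok, index): index of the first broken entry, or the count if intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            record = {k: e[k] for k in FIELDS}
            expected = self._mac(prev, record)
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["mac"], expected):
                return False, i
            prev = e["mac"]
        return True, len(self.entries)


def purge_allowed(purpose_completed_at: datetime, now: datetime,
                  legal_minimum: timedelta = ONE_YEAR) -> bool:
    """Logs may be purged only once the minimum period after purpose completion has elapsed."""
    return now - purpose_completed_at >= legal_minimum


def demo() -> dict:
    """Constructed events: an access, a modification and a deletion, then one entry is edited."""
    log = AuditLog(b"demo-key-not-for-production")
    t = datetime(2025, 3, 1, tzinfo=timezone.utc)
    log.append("svc-crm", "access", "dp-1", t)
    log.append("svc-crm", "modify", "dp-1", t + timedelta(minutes=5))
    log.append("deletion-engine", "delete", "dp-1", t + timedelta(days=2))
    ok_before, _ = log.verify()
    log.entries[1]["action"] = "access"        # simulated tampering with a stored record
    ok_after, bad_index = log.verify()
    return {"ok_before": ok_before, "ok_after": ok_after, "bad_index": bad_index,
            "purge_day_200": purge_allowed(t, t + timedelta(days=200)),
            "purge_day_365": purge_allowed(t, t + timedelta(days=365))}
```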
31. What must DPAs (Data-Processing Agreements) include?
DPAs with processors must reflect the Rules: processor obligations to implement security safeguards, support deletion/migration obligations if cross-border restrictions apply, submit deletion receipts, enable audits, comply with 72-hour breach notification support, update sub-processor lists, and ensure logs are retained for at least one year. Contracts must mirror the Rules’ timelines and governance expectations.
32. How can global companies harmonise DPDP with GDPR, CPRA, PIPL and others?
Use a dual-layer approach:
- Global baseline: encryption, DPIAs, rights request portal, logging, audit programmes.
- India-specific overlay: compliance with Indian Rules (72-hour breach notification to Board, 90-day rights request resolution, 48-hour deletion notice, logs for at least one year, SDF obligations, negative-list cross-border model).
Architecturally, design geo-segregated data stores, regional compliance playbooks, and vendor contracts aligned with multiple jurisdictions. Monitor jurisdictional conflicts (law-enforcement access, transfer restrictions) and maintain data flow diagrams and playbooks.
33. What should Boards ask during DPDP readiness reviews?
Boards should request:
- A gap-analysis of Act/Rules obligations plus outstanding implementation timelines (e.g., 12–18-month phased rollout).
- Remediation roadmap with milestones (breach-notification preparation, consent manager integration, deletion engine, DPIAs, SDF audit readiness).
- DPIA register, audit status, vendor risk matrix, major vendor DPAs update.
- Incident-response capability and 72-hour breach notification readiness.
- Rights-request workflows and 90-day resolution SLAs.
- Log-retention and deletion engine status (1-year logs, 48-hour deletion notice readiness).
- Board minutes demonstrating oversight, budget allocation and DPO function status.
Given penalties up to ₹250 crore, board-level oversight is non-negotiable.
34. How will the Data Protection Board (DPB) function?
The Rules set out the appointment, composition, procedures (Rules 17-20). The Board has powers under the Act to inquire, summon records, impose penalties under Section 33, direct audits and corrective steps. The Rules emphasise digital-first operations (portal, online filings). Organisations must maintain a repository of compliance artefacts (consent logs, breach records, deletion receipts) ready for DPB review.
35. How should SMEs/startups prioritise compliance?
Startups or SMEs should prioritise high-impact areas with limited budgets:
- Map key data flows, categorise data (especially children’s, financial).
- Build simple encryption and access-control measures.
- Simplify and standardise consent UI and log consent metadata.
- Implement a basic deletion pipeline (even if manual) and plan for 48-hour notice flows.
- Update vendor contracts early (even if manual DPAs).
- Prepare incident-response templates aligned to 72-hour breach notification.
- Document efforts (board minutes, review logs, remediation steps).
Even if full SDF obligations aren’t immediate, building foundation early reduces future risk.
36. What common pitfalls should organisations avoid?
Pitfalls include:
- Over-collection of data beyond declared purpose.
- Vague privacy notices or using pre-ticked boxes.
- Poor processor governance – missing DPAs, weak deletion clauses.
- Ineffective deletion propagation – backups/residual systems left unclean.
- Inadequate breach-response readiness – missing 72-hour timeline, no logs.
- Rights-request resolution taking longer than 90 days, or no logging of request/response.
- Weak governance – no board oversight, no DPO, no audit trail.
Avoiding these reduces the risk of regulatory enforcement and reputational harm.
37. How can companies demonstrate good-faith compliance?
Demonstrate good faith through documentation and evidence: consent logs, DPIAs, audit reports, deletion receipts, incident-response logs, board minutes, rights-request logs, vendor governance files. Section 33(2) of the Act lists mitigation steps, prior history and governance as factors in penalty determination; strong records reduce exposure and can help the Board settle on a lesser penalty. Proactive cooperation with the DPB and transparent remediation are key.
38. Where can authoritative texts and guidance be found?
Primary sources include:
- The DPDP Act, 2023 (Gazette of India) – Assent: 11 August 2023.
- The DPDP Rules, 2025 – Notified: 13 November 2025.
- Government press releases (e.g., Press Information Bureau, 14 Nov 2025).
Use these as your legal primary references; supplement with credible legal commentary for implementation nuance.
Contributed by – Aurelia Menezes