DPDP RULES 2025 EXPLAINED: A BUSINESS GUIDE TO THE DPDP ACT 2023

Nov 21, 2025

VAISHNAVI
Abhijith Rajesh

Abhijith Rajesh is an Associate Manager at CertPro, specializing in ISO 27001, SOC2, GDPR, and other Information Security Compliance standards. He leads a dedicated team, ensuring the delivery of top-tier information security solutions. Abhijith excels in managing projects, optimizing security frameworks, and guiding clients through the complexities of the ever-evolving threat landscape.

The Digital Personal Data Protection Act, 2023 (DPDP Act), was passed in August 2023. The notification of the Digital Personal Data Protection Rules in November 2025 has made India’s data protection regime operational. The government has also published an enforcement timeline that gives organizations up to 18 months (until May 13, 2027) to achieve full compliance.

For years, Indian businesses struggled with unclear expectations and weak data protection practices, which exposed both customers and businesses to avoidable risk. With the emergence of the new DPDP Rules 2026, that uncertainty ends.

The EU has GDPR, and Canada has PIPEDA. Likewise, India now brings its own standard through the DPDP rules that guide how businesses handle personal data.

Both the DPDP Act 2023 and the new DPDP Rules 2026 mark a major shift in how India expects businesses to handle personal data, showing the country’s firm commitment to stronger privacy standards, better security practices, and meaningful protection of user rights.

The framework guides businesses on what they can collect (data collection) and how they must protect it (data protection). It also sets out clear protocols to follow when things go wrong (incident response measures).

The timeline is already set. The DPDP Act came into force in 2023, and the Rules arrived in 2026. Accordingly, the government plans a phased rollout that may stretch 12 to 18 months. This gives businesses a window to build the right systems, fix weak processes, and avoid last-minute panic. However, businesses need a comprehensive guide to clarify their doubts regarding these rules, and many will begin by searching for the DPDP full form to learn about India’s new data protection rules.

That’s why CertPro delivers you this DPDP Act 2023 guide. This guide from CertPro is written for compliance leaders, CISOs, privacy officers, product owners, and founders who handle personal data in or from India. It explains what the DPDP Rules 2026 require, how they interact with the DPDP Act 2023, and the practical steps your teams should take now to reduce risk, avoid penalties, and build customer trust. The goal is to help businesses stay compliant, stay confident, and build a business that treats data with the respect it deserves.

TL;DR:

Concern: Indian businesses operated for years without clear privacy rules, and as a result, they developed weak data controls, higher breach risks, and growing customer distrust. Moreover, this lack of structure created confusion for compliance teams and exposed companies to legal and financial trouble.

Overview: The DPDP Act 2023 and the DPDP Rules 2026 introduce a clear and predictable framework for handling personal data in India. Furthermore, they define how companies must collect data, manage consent, secure systems, report breaches, and protect user rights. Additionally, with a phased rollout, the rules give businesses time to adjust their processes and replace older practices.

Solution: Consider the DPDP Act as a structured roadmap to a solid program for data protection in India. First, begin with data mapping, then conduct a gap analysis, and assign a consent manager in accordance with the framework’s requirements. Thereafter, update your security controls and prepare your teams. With a phased rollout of 12 to 18 months, businesses have enough time to address weak systems and build a stronger privacy program without rushing. If you follow the rules early and build clean processes, you can avoid fines, earn customer trust, and reduce long-term risk. Overall, the DPDP framework gives businesses a clear way to operate safely in a digital world and helps you grow with confidence.

WHAT IS DPDP ACT 2023? A QUICK OVERVIEW

The DPDP Act 2023 stands as India’s modern data privacy law. Two key factors drove its emergence:

  • Businesses collected large amounts of personal data.
  • At the same time, people had little control over how others used or shared their information.

As digital services grew, concerns about misuse, leaks, and weak accountability also rose. This Act, supported by the new DPDP Rules 2026, aims to bring order to this complex space. It creates a predictable system that protects individuals while giving businesses a clear set of requirements.

The DPDP Act defines three important terms:

  1. A Data Principal is the individual whose data is being collected.
  2. A Data Fiduciary is any business or organization that decides how and why it processes that data.
  3. A Significant Data Fiduciary is a high-impact entity that handles large volumes of sensitive data and therefore faces stricter requirements. For example, major banks, large tech platforms, or health apps used by millions fall under this category. Additionally, a firm can be classified as a Significant Data Fiduciary (SDF) according to the notifications issued by the central government.

The DPDP Act gives people meaningful rights to give or refuse consent in a clear way. They can ask businesses to delete their data once it is no longer needed. They can also access and correct their information. As the DPDP Act and Rules take effect in phases from November 2025 onwards, businesses must focus on collecting only what they need, building safer systems, reporting breaches quickly, and staying transparent.

With this in mind, the next section explains the core provisions of the DPDP Rules 2026.

DPDP RULES 2026: KEY PROVISIONS FOR BUSINESSES

The DPDP Act sets the core expectations, and the following points offer clear guidance that teams can apply in daily business practice.

Notice and Consent Requirements

Businesses must give clear, standalone notices written in plain language. The notice must list each data item collected and explain the need and justification for its collection, so that users understand what they are agreeing to. The DPDP Act also places strong weight on consent withdrawal, so businesses must let users revoke consent at any time.

Consent Managers

Consent Managers are independent, registered intermediaries defined under the DPDP Rules. They must be companies incorporated in India and meet minimum financial and technical capacity requirements, and they must register with the Data Protection Board within 12 months of November 13, 2025. Their duty is to provide a single dashboard where Data Principals can view, give, or withdraw consent across multiple services.

Security Safeguards

Every business must use reasonable security controls such as encryption, access control, and event logging. Significant Data Fiduciaries (SDFs) face deeper duties: they undergo annual audits, DPIAs, and extra due diligence. These measures reflect the intent of the DPDP Act to reduce risk and improve accountability.

Data Breach Protocol

If a breach happens, the company must alert both the affected users and the Data Protection Board within 72 hours. Teams should rehearse this process so they aren’t scrambling during an incident.

Special Protections

Special requirements exist for children’s data, notably verifiable parental consent before any processing. Similarly, safeguards also apply to people with disabilities, where guardians may act on their behalf.

Data Principal Rights

Data Principals are given rights including access, correction, erasure, consent withdrawal, and “nomination”, meaning they can appoint someone to manage their rights post-mortem or during incapacity. Under the Rules, Data Fiduciaries must respond to rights requests and grievances within a maximum of 90 days, because delays beyond this can trigger enforcement action and penalties.

Accountability and Governance

The Data Protection Board will handle complaints through an online system. Furthermore, the appeals go to TDSAT (Telecom Disputes Settlement and Appellate Tribunal). Significant Data Fiduciaries must run DPIAs and audits and maintain stronger governance practices.

Cross-Border Transfers

The rules explain how companies can send personal data abroad based on periodic government notifications.

Enforcement and Penalties

Penalties can go up to ₹250 crore for serious failures like repeated breaches or ignoring user rights. Some duties roll out in phases, so early assessment and a phased implementation plan are necessary.

STRATEGIC CONSIDERATIONS FOR BUSINESSES

The DPDP Rules 2026 force every business to take data protection in India far more seriously. The biggest shift is the cost of non-compliance for companies that mishandle personal data: a single privacy failure can trigger customer backlash, lost deals, and long review cycles from enterprise clients.

The key considerations for businesses include:

  • Stronger Risk Assessment: Businesses must calculate the full impact of a breach. This includes the fines, legal disputes, disrupted operations, and the slow rebuilding of trust.
  • Operational Changes: Your firm needs a clear governance structure with policies, roles, and responsibilities to take care of data decisions. Additionally, the teams should map the full data lifecycle, from collection to deletion. Some firms might need better tools like DLP, consent platforms, audit logs, and automated deletion workflows.
  • SDF Requirements: Significant Data Fiduciaries processing sensitive data at scale face stricter duties. To clarify, they need more frequent audits, risk reviews, and stronger security controls.
  • Building Trust with Compliance: Businesses can use compliance as a catalyst for growth. When you demonstrate transparent practices, clients feel more comfortable sharing data and closing deals.
  • Guidance Partners: Most firms will need help from consent managers, auditors, cybersecurity teams, and legal counsel, which shortens the compliance timeline and reduces mistakes.

In the following section, let’s understand the implementation timeline established by the government for DPDP compliance.

DPDP 2023: IMPLEMENTATION TIMELINE AND PHASED COMPLIANCE

The DPDP Rules 2026 introduce a phased timeline that gives businesses room to adjust their systems, clean up old practices, and build a stronger culture for data protection in India. Let’s break them down in detail.

The rollout happens in three stages:

  • First, immediate action begins the moment the rules take effect. You need to map your data, identify what personal data you collect, and flag any high-risk activities.
  • Next, 12-month actions must focus on setting up your consent manager. This step takes time because you need to integrate it with your apps, websites, and backend systems. More importantly, if you run a multi-region business, you’ll also need to adhere to GDPR and CCPA requirements.
  • Finally, 18-month actions cover the heavier operational rules, such as notices, breach reporting, security controls, and children’s data handling. These require policy updates, team training, and technical upgrades.

Here is what you need to complete by each deadline during DPDP compliance:

Within 12 months you must:

  • First build and integrate your consent manager.
  • Then test consent capture mechanisms, withdrawal requests, and audit logs.

Within 18 months you must:

  • First, update privacy notices for clarity and accessibility.
  • Next, implement breach reporting workflows.
  • Thereafter, solidify your security controls, like access reviews and monitoring.
  • Finally, introduce stricter age verification and parental consent checks.

Guidelines for planning a smooth transition to comply with the DPDP Act 2023:

  • Initially, set a clear roadmap with monthly milestones.
  • In addition, conduct a risk assessment to identify weak points, such as outdated systems or scattered data.
  • Moreover, use structured project management so teams stay aligned, especially IT, legal, and product.

A simple compliance checklist for DPDP compliance:

  • Short term: Data mapping, gap assessment, and consent manager planning.
  • Long term: Technical upgrades, staff training, breach drills, and continuous monitoring.

This phased approach helps you move from reactive to confident compliance without overwhelming your teams.

DPDP ACT 2023 VS GDPR VS PIPEDA — A COMPARISON TABLE

Many global privacy regulations share common goals but differ in scope and obligations. This table highlights key differences between the DPDP Act 2023, GDPR, and PIPEDA for quick business reference.

Privacy Laws Comparison Table

Territorial Scope
  • DPDP Act 2023 / DPDP Rules 2025: Applies to Indian businesses and to organizations processing outside India if their goods or services target Indian individuals.
  • GDPR (EU): Applies to businesses operating from the EU and to organizations that target or monitor EU residents.
  • PIPEDA (Canada): Applies to private-sector organizations that process personal data in commercial activities in Canada.

Legal Basis for Processing
  • DPDP Act 2023 / DPDP Rules 2025: Consent is the main basis; the Rules also allow certain legitimate uses, such as employment and the public interest.
  • GDPR (EU): Six lawful bases: consent, contract, legal obligation, vital interests, public interest, and legitimate interests.
  • PIPEDA (Canada): Consent-based; both implied and express consent are allowed, depending on the context.

Data Subject Rights
  • DPDP Act 2023 / DPDP Rules 2025: Access, correction, erasure, grievance redressal, and withdrawal of consent.
  • GDPR (EU): Access, rectification, erasure, portability, restriction, objection, and rights relating to automated decision-making.
  • PIPEDA (Canada): Access and correction rights; no right to erasure or portability.

Governance Requirements
  • DPDP Act 2023 / DPDP Rules 2025: Significant Data Fiduciaries must appoint a DPO, perform audits, and conduct assessments.
  • GDPR (EU): Large-scale or high-risk processing requires a Data Protection Officer (DPO), strict documentation, and DPIAs.
  • PIPEDA (Canada): Requires a Privacy Officer; encourages assessments but is less strict than GDPR.

Cross-Border Data Transfers
  • DPDP Act 2023 / DPDP Rules 2025: Transfers of personal data outside India are allowed, but the Central Government may impose conditions or restrictions by notification on transfers to certain foreign states or entities.
  • GDPR (EU): Transfers are allowed with adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, or other safeguards.
  • PIPEDA (Canada): Transfers are allowed only if the organization ensures equivalent protection; there is no formal adequacy list.

CONCLUSION

Compliance sits at the core of every modern business decision because it reduces risk and opens new growth paths. The DPDP Act is a well-structured framework that helps businesses with data protection, data management, and trust building. Don’t wait until a breach or cyberattack to assess your security posture.

Begin with a simple gap analysis to understand your current cybersecurity posture. Then, review who owns privacy in your company and appoint a privacy lead, or DPO, if no one is accountable today. Moving forward, consider engaging a consent manager to facilitate user permissions with greater ease. Also, use data mapping to get a clear picture of your firm’s data.

The DPDP Act, along with the new Rules 2026, sets the foundation, but privacy evolves continuously, so treat compliance as a steady journey. With early commitment to compliance, you can stay ahead of risks, avoid emergencies, and build a business that customers trust for years.

FAQ

What is the DPDP Act in India?

The DPDP Act in India is a privacy law that explains how businesses must collect, store, and use personal data. It sets clear duties for companies and gives people more control over their information in digital systems.

What are the 7 principles of data protection?

The seven principles that guide safe data use include consent, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability. These principles help companies handle personal data in a safe and responsible way.

What are the DPDP Rules 2026 all about?

The DPDP Rules 2025 explain how companies must follow the DPDP Act in real practice. They cover consent, notices, data rights, security steps, grievance handling, and duties for significant data fiduciaries. The rules help businesses run clear and compliant privacy programs.

How does DPDP compare to GDPR?

DPDP and GDPR share ideas like consent, data rights, and security duties. GDPR is wider and covers more situations. DPDP is simpler and focuses on India’s digital needs. Both aim to protect personal data in a fast-growing digital world.

Who is the DPDP Act applicable to?

The DPDP Act applies to any business that collects or uses the personal data of people in India. It also covers companies outside India if they offer goods or services to people in India and handle their personal information.