Excerpt from CSO Online Article, Published on September 25, 2025
The DPDP Act, also known as the Digital Personal Data Protection Act, has put Indian companies on high alert due to its strict provisions on managing digital personal data. Passed in 2023 and currently under phased implementation, the DPDP aims to secure individuals’ data rights and impose clear accountability on businesses.
Under the DPDP Act, organizations processing digital personal data must ensure transparency, lawfulness, and fairness in their data handling practices. The Act mandates clear consent from data principals before data is collected or processed and requires firms to provide transparent privacy notices.
Companies must also appoint Data Protection Officers, maintain adequate security safeguards, and perform regular data protection impact assessments. The Act applies to both Indian entities and foreign firms offering goods and services to individuals in India, thus extending its reach extraterritorially.
The DPDP lays a foundation for a modern data protection regime in India, aligning local standards to global best practices while addressing unique national requirements.
Businesses impacted by the DPDP need to act swiftly to maintain compliance and avoid penalties, ensuring they meet all regulatory demands for data privacy and protection.
To ensure the law’s effective operationalization, the Ministry of Electronics and Information Technology (MeitY) released draft Digital Personal Data Protection Rules in early 2025, inviting public feedback. These rules detail the establishment of the Data Protection Board of India, consent mechanisms, breach notification requirements, and differentiated obligations for startups and major data fiduciaries.
The DPDP’s phased rollout signals India’s commitment to strengthening data privacy culture, protecting personal data, and supporting a trustworthy digital economy.
To delve deeper into this topic, visit the CSO Online article.
