The Digital Personal Data Protection Act, 2023 (DPDPA) sat unenforced for two years while its Rules were drafted. That changed on 13 November 2025, when the Ministry of Electronics and Information Technology notified the DPDP Rules 2025 and started a phased compliance clock: the Data Protection Board provisions took effect immediately, consent-manager provisions follow on 13 November 2026, and the full set of substantive compliance obligations becomes enforceable on 13 May 2027. Most businesses that handle Indian customer data are still inside the preparation window — which is exactly when the cost of getting ready is lowest.

If you hold customer data, you're probably a Data Fiduciary

DPDPA calls any entity that determines the purpose and means of processing personal data a "Data Fiduciary" — a broad definition that covers most companies with a customer database, an HR system, or a marketing list, not just tech platforms. Section 8 of the Act sets out what a Data Fiduciary has to do: limit processing to the stated purpose, keep data accurate, secure it against breach, delete it when it's no longer needed, and honor individual rights over their own data. None of that is exotic security practice — but it does mean data handling has to be provable, not just reasonably assumed.

The 72-hour clock changes what "detection" means

On becoming aware of a personal data breach, a Data Fiduciary must notify the Data Protection Board within 72 hours, and separately notify every affected individual in plain language — what happened, what data was involved, the likely impact, and what's being done about it. Meeting that window depends entirely on how fast a breach is actually detected in the first place. Monitoring and incident response that used to be a purely operational concern now sits directly upstream of a statutory deadline.

Consent isn't a cookie banner

DPDPA does allow processing without explicit consent for defined "legitimate uses" — voluntarily provided data for a stated purpose, state functions like benefits delivery, and compliance with legal obligations. Outside those carve-outs, consent has to be specific, informed, and verifiable, with stricter requirements for children's data and data belonging to persons with disabilities. A privacy policy checkbox written to satisfy a marketing team's UX preferences isn't the same thing as consent that would hold up as verifiable under the Act.

The penalties are per instance, not per company

Penalties under DPDPA scale with the gravity of the breach and the sensitivity of the data involved, and can reach up to ₹250 crore for the most serious violations — including a specific ₹200 crore exposure for failing to notify a breach at all. Because penalties apply per instance of violation, a single systemic gap that produces multiple incidents doesn't cap out at one penalty; it stacks.

Where security architecture and compliance overlap

Access controls that enforce purpose limitation, logging that can prove what happened to a specific individual's data on request, and monitoring fast enough to hit a 72-hour notification window aren't new categories of security work — they're the existing discipline of good security architecture, now with a statutory deadline attached. Teams that have already invested in real monitoring and incident response are closer to compliant than they think; teams still running security as an occasional audit have more distance to close before May 2027 than the calendar currently suggests.

This is where our Cyber Security practice does its most useful work right now — assessing where monitoring, access control, and incident response actually stand against DPDPA's obligations, before the enforcement date makes that assessment mandatory instead of optional.