India operationalises Digital Personal Data Protection Act rules, experts welcome privacy framework
The government notified rules under the Digital Personal Data Protection Act, 2023, operationalising India’s first personal data protection regime. Experts say the rules enforce consent, privacy by design, and accountability, giving organisations 18 months to comply under the new framework.
New Delhi: Industry experts on Saturday welcomed the government’s move to notify Rules under the Digital Personal Data Protection Act (DPDPA), 2023, formally operationalising India’s first dedicated personal-data protection regime.
As per the notification rolled out by the Ministry of Electronics and Information Technology (MeitY) on Friday, social media sites, online gateways, and any other organisations handling personal data are required to give users a detailed explanation of the information being gathered and to make it apparent how it will be used.
“There is no doubt that India has entered a new era of privacy. In the age of AI, trust is crucial. And because AI depends on large volumes of data, strong privacy protections must come first. This development marks an important step in strengthening India’s digital ecosystem and aligns closely with the country’s recent AI governance guidelines,” said Ivana Bartoletti, Chief Privacy and AI Governance Officer, Wipro.
Bartoletti stated that the new rules come with robust data governance — anchored in clear responsibilities, defined structures, consent, and privacy by design.
These will enable organisations to grow in a sustainable and accountable way “as innovation accelerates and technology becomes ever more embedded in daily life,” Bartoletti said
According to the regulations, users must have an easy way to revoke their consent or complain to the Data Protection Board (DPB) about infractions.
While consent managers, which are organisations authorised to act on behalf of users, have 12 months to register with the DPB, companies will have up to 18 months to fulfil the administrative compliance requirements.
“With the notification of the Rules and the Act, the government has finally put all uncertainty to rest,” said Nikhil Narendran, Partner – TMT [Technology, Media and Telecommunications], Trilegal.
“India Inc. now has an 18-month runway to gear up for full compliance. For most organisations, it will be necessary to start with data mapping, redesigns of consent and notice flows, and training programs to ensure compliance, with the help of lawyers, technologists, and privacy professionals. The real focus will also be on the constitution of the new Data Protection Authority and how this regulator interprets these rules, prioritises enforcement, and how early guidance shapes India’s digital industry,” Narendran added.
Jaspreet Singh, Partner and Chief Revenue Officer, Grant Thornton Bharat, said the DPDPA Rules 2025-mark India’s transition from policy intent to operational accountability and privacy.
“Compliance under DPDPA is not a checklist; it’s a culture of trust every organisation must now institutionalise. The DPDPA era demands boardroom fluency in privacy governance; executives will now be measured by controls they can evidence, not promises they make,” Singh said.
“The 2025 Rules make one thing clear — data fiduciaries must embed privacy by design before regulators force it by default. As DPDPA Rules take effect, the next advantage belongs to organizations that operationalise privacy as a continuous assurance function,” he noted.
