India’s DPDPA 2025 is transforming how organisations collect, use, and protect personal data. As digital activity surges, this law establishes a clear rights-based framework for data protection, closely mirroring global standards like GDPR.
Who Does the Law Apply To?
- All organisations processing the personal data of Indian citizens, whether located inside or outside India, must comply.
- Covers both data collected digitally and data digitised later, making it broadly relevant for every sector.
Key Principles
- Role Definitions: Data Principals are individuals whose data is processed. Data Fiduciaries are entities deciding how and why the data is used. Large companies may be classified as Significant Data Fiduciaries and face extra compliance.
- Consent: Individuals must give clear and informed consent for their data to be processed. Withdrawing consent should be just as easy as granting it.
- User Rights: Includes the rights to access, correct and erase data, and to lodge complaints directly.
Obligations for Companies
- Put in place robust security safeguards: encryption, access controls, limited retention, and data minimisation are a must.
- Significant Data Fiduciaries must run regular impact assessments and privacy audits.
- Special requirements apply to children’s data and to the data of persons with disabilities: organisations need to collect parental or guardian consent before processing.
- If a breach occurs, notify the Data Protection Board of India and affected users within 72 hours.
Cross-Border Data Transfers
- India allows personal data to be sent overseas, except to countries on a government-restricted “negative list.”
- This system supports international business but keeps regulatory control over high-risk destinations.
Penalties for Non-Compliance
DPDPA introduces strict financial penalties, so organisations need to be vigilant.
- Breach of personal data obligations: up to ₹250 crore
- Failure to protect children’s data: up to ₹200 crore
- Non-fulfilment of data principal rights: up to ₹50 crore
- Not complying with Board orders: up to ₹20 crore
- Lack of notice or user consent: up to ₹200 crore
Actual penalties depend on the severity, duration, recurrence, and steps taken to resolve or reduce risk.
How to Prepare
- Set up a transparent, intuitive consent process.
- Minimise data collection and only keep information as long as necessary (usually three years after last interaction).
- Use encryption and enforce strict access management.
- Assign a Data Protection Officer (DPO) for oversight and for receiving complaints.
- Design a quick, effective breach notification procedure.
Why DPDPA 2025 Matters
DPDPA brings India in line with top international standards. It’s not just legal compliance—companies face steep fines, operational risk, and possible reputational damage without robust data privacy practices. Now’s the time to overhaul data governance and put users at the heart of every decision.