As India prepares to roll out its first national data privacy law, businesses are gearing up for significant changes in how personal data is collected, managed, and used.
The Digital Personal Data Protection Act (DPDPA) applies to all entities processing digital personal data in India, including global capability centres handling IT, finance, HR, and R&D operations. It also covers companies operating outside India if they offer goods or services to individuals in the country.
The law was operationalised with rules notified in November 2025. Implementation will happen in phases, with initial requirements coming into effect in November 2026 and full enforcement expected by May 13, 2027.
Key obligations include clearer privacy notices, stricter consent requirements, and stronger data governance. Companies must provide simple, transparent information on how data is collected and used, along with options for users to withdraw consent.
The law introduces new user rights such as access, correction, and deletion of personal data. It also requires organisations to implement purpose-based data retention and ensure timely deletion of data when no longer needed.
For minors under 18, companies must verify age and obtain parental consent before processing data. Certain organisations classified as significant data fiduciaries will need to conduct annual audits and report findings to the Data Protection Board of India.
In case of data breaches, companies must notify authorities and affected individuals without delay and submit a detailed report within 72 hours. They must also maintain logs and records for at least 1 year where required.
The law defines key roles such as data fiduciary, data principal, data processor, and introduces a unique concept of a consent manager, which allows users to manage and withdraw consent through a unified platform.
Experts say organisations must take a cross-functional approach involving compliance, IT, legal, marketing, and risk teams. Businesses should also align DPDPA requirements with global regulations like GDPR and CCPA.
For marketers, the law will require more transparent and flexible consent systems, potentially impacting how data is used for targeting and measurement. Companies are advised to assess readiness, upgrade systems, and build stronger governance frameworks ahead of the 2027 deadline.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream LinkedIn | The Mainstream Facebook | The Mainstream Youtube | The Mainstream Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.