DPDPA: India’s Journey to Protect Personal Information
Bill Schaumann
In 2023, India enacted the Digital Personal Data Protection Act (DPDP Act), the nation’s first comprehensive data protection law. Modeled after the EU’s GDPR, the DPDP Act seeks to protect personal information whenever it is processed. The updated DPDP framework represents a defining shift toward stricter limits on data collection, especially for digital companies such as gaming platforms, advertising networks, social media services, and data-intensive apps.
The Act covers the personal data of any individual who is in India at the time the data is processed by a data fiduciary. A data fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data; this is a similar concept to the controller as defined in the GDPR. In November 2025, India took the next step in making the DPDP enforceable law when the Digital Personal Data Protection Rules, 2025 were released. This release formally notified the Digital Personal Data Protection Act, 2023, bringing it into full effect.
These new Rules form the detailed regulatory framework that operationalizes the DPDP Act, setting out practical obligations for data fiduciaries and the rights of data subjects in India. Implementation of the DPDP Act will now be enforced in specific phases, with dates starting in late 2025. The Act sets out clear requirements on how digital personal data must be collected, handled, stored, and protected, and it introduces individual rights, consent rules, obligations for data fiduciaries, and penalties for non-compliance.
The new DPDP Rules of 2025 clarify procedural and compliance details left open in the original publication regarding how the requirements should be operationalized. Key elements include:
- Verifiable consent requirements for processing personal data, including detailed notice and transparency obligations;
- A Consent Manager framework, outlining how third-party consent management services must register and operate;
- Breach notification timelines, including a mandate to notify both the Data Protection Board and affected individuals promptly (generally within 72 hours);
- Data retention limits tied to categories of data and fiduciary classes, ensuring data is not held indefinitely without purpose.
Implementation Timeline
The DPDP framework is not applied all at once. Instead, the Act and Rules provide for a phased rollout. Some sections, such as the establishment of the Data Protection Board of India and the institutional definitions, came into force immediately with the Rules, while the remaining obligations, including consent management and the operational obligations of data fiduciaries, will become enforceable over an 18-month phased period ending in mid-2027.
Enforcement
The Act also established the Data Protection Board of India as the adjudicatory authority. The Board is responsible for enforcing compliance with the Act and its Rules; inquiring into complaints and data breaches; determining non-compliance; and imposing financial penalties. By introducing these financial penalties, the Board will push organizations to prepare for the stricter requirements, including audits, training, and enhancements to consent technologies.
Although the DPDP was originally modeled after the GDPR, it is not a carbon copy. There are some significant differences. Most noteworthy is that the GDPR traditionally requires a process-heavy response, while the DPDP focuses less on documenting processes and more on consent management. If a company is already GDPR-compliant, DPDP usually requires simplification, not expansion. Some of the differences are summarized in the following table.
Key Operational Differences GDPR-DPDP
| Operational Area | GDPR (EU) | DPDP Act (India) |
|---|---|---|
| Data Covered | All personal data (digital & non-digital) | Digital personal data only |
| Lawful Basis for Processing | Multiple bases (consent, contract, legal obligation, legitimate interest, etc.) | Primarily consent + limited “legitimate uses” |
| Consent Management | Complex consent logic (varies by lawful basis) | Consent-first model; simpler but stricter |
| User Rights Handling | Broad set of rights (access, delete, restrict, object, portability) | Fewer rights (access, correction, deletion, grievance) |
| Data Portability | Required | Not required |
| Children’s Data Operations | Parental consent under 13–16 (country dependent) | Parental consent under 18 (higher operational burden) |
| Automated Decisioning | Requires safeguards, explainability, opt-outs | No explicit operational requirements |
| Cross-Border Transfers | Allowed with safeguards (SCCs, adequacy, etc.) | Allowed unless specifically restricted by government |
| Breach Response | Notify regulator within 72 hours | Notify regulator and users; timeline TBD |
| Regulatory Engagement | Multiple EU regulators; possible lead authority | Single centralized authority |
| Documentation & Assessments | DPIAs, RoPA, extensive documentation | Lighter documentation burden |
| Enforcement Risk Model | Frequent audits, complaints-driven | Penalty-driven, regulator-led |
| Penalty Exposure | Percentage of global revenue | Fixed monetary caps |
How Lightbeam Can Help
Lightbeam’s technologies will help organizations meet DPDP Rules by providing continuous visibility into where personal data resides, how it flows, and how it is used across systems. Through automated data discovery, classification, records of processing, consent and rights management, and privacy risk assessments, Lightbeam will enable India’s data fiduciaries to operationalize DPDP obligations by embedding privacy governance into day-to-day data operations and creating documented and demonstrable compliance while reducing manual effort and regulatory risk.
Conclusion
The DPDP marks a major shift in how organizations operating in India must manage digital personal data, with a clear emphasis on consent, transparency, and accountable data practices. As enforcement accelerates, success will depend on the ability to understand where personal data exists, how it is used, and whether it aligns with stated purposes. Lightbeam enables organizations to meet these requirements by embedding privacy governance directly into data operations—providing continuous visibility, automated controls, and demonstrable compliance while reducing manual effort and regulatory risk.