1. Introduction
Following years of legislative groundwork and an extensive consultation process, the Digital Personal Data Protection Act, 2023 ("DPDP Act") has finally been brought into force, albeit only in part. The Central Government has also released the Digital Personal Data Protection Rules ("Rules") under the DPDP Act, which provide the operational framework for compliance. This landmark framework, which obligates data fiduciaries to adhere to strict standards when processing the personal data of data principals, is widely regarded as business-friendly and is expected to meet global data adequacy requirements. Organisations therefore need to actively revisit and update their existing information technology policies and processes to ensure full compliance with the legal requirements laid out in the DPDP Act and its accompanying Rules.
To help you and your organisation understand the intricacies of the DPDP Act and the Rules, and the obligations your organisation may have to undertake, we have prepared these FAQs answering the questions on compliance with the DPDP Act that are likely to come up most frequently. We have also prepared a note capturing the key provisions of the DPDP Act and Rules, along with a detailed analysis of the same, which can be accessed here.
2. Implementation
i. When do the provisions of the DPDP Act come into force?
The provisions of the DPDP Act and Rules are being enforced in a phased manner:
- Effective immediately: the provisions and rules relating to the Data Protection Board ("Board") and certain miscellaneous provisions, including the power to make rules.
- Effective 1 (one) year after the publication of the official gazette notification, i.e., November 13, 2026: the provisions and rules relating to consent managers.
- Effective 18 (eighteen) months after the publication of the official gazette notification, i.e., May 13, 2027: the remaining substantive provisions relating to consent, notice requirements, duties of data fiduciaries and rights of data principals.
ii. Until when does my organisation need to comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules")?
The SPDI Rules will remain in force until the last set of provisions comes into force on May 13, 2027 (please refer to FAQ No. 2(i)), i.e., until 18 (eighteen) months after the publication of the official gazette notification. Until then, all entities handling or processing sensitive personal data or information must continue to comply with all provisions of the SPDI Rules.
iii. What can my organisation do in preparedness during the transition period?
The substantive provisions of the DPDP Act and Rules that are relevant for an organisation come into force on May 13, 2027. The transition period may therefore be used to achieve compliance with the DPDP Act and Rules in a phased manner, depending on the scale of the organisation and the resources and time required. Your organisation may consider:
- Assessing the applicability of the DPDP Act and Rules based on:
  - who you are: whether the organisation would be deemed a data fiduciary (data controller) or a data processor;
  - what you process: whether the organisation processes personal data and, if yes, for what purposes;
  - where you process: whether the organisation processes personal data within India, or outside India in connection with offering goods or services in India; and
  - how you process: whether the scale and nature of the personal data processing is likely to make the organisation a significant data fiduciary;
- Mapping all categories of personal data being processed and identifying the legal basis for each processing activity, whether consent or otherwise;
- Implementing reasonable security safeguards;
- Implementing technical and organisational safeguards, together with data integrity and erasure / anonymisation processes;
- Establishing grievance redressal systems and breach notification protocols;
- Assessing the impact of sectoral requirements, especially for regulated entities, harmoniously with the requirements under the DPDP Act and Rules;
- Re-evaluating relationships with vendors, customers and other counterparties to determine the role of each party and the obligations that attach to it;
- Training personnel and employees on the DPDP Act and the Rules; and
- Assessing whether enhanced or special obligations apply to your organisation and implementing specialised measures to ensure compliance with them.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.