21 January 2026

India's Data Protection Law Enters The Enforcement Phase: What The 18-Month Compliance Window Means For Indian And Global Businesses

LegaLogic

Contributor

Founded in 2013, LegaLogic is a leading full-service law firm headquartered in Pune, India. With a team of 120+ across multiple offices, we advise diverse industries and are the go-to firm for Corporate Commercial matters, M&A, Intellectual Property, Employment, Real Estate, Dispute Resolution, Litigation, India Entry and Private Client Practice.

I. Introduction

For years, India's data protection regime was perceived as a future inevitability. That phase is now over.

With the notification of the Digital Personal Data Protection Act, 2023 (the "DPDPA"), followed by the Digital Personal Data Protection Rules, 2025 (the "Rules") and the formal establishment of the Data Protection Board of India (the "DPB"), India has moved decisively from legislative intent to regulatory enforcement. Indian and global businesses with India-facing markets or operations now have a finite 18-month window in which to move from high-level policy discussions to demonstrable, operational compliance.

The DPDPA is the culmination of a lengthy and complex law-making process, triggered in 2017 by the 'Right to Privacy' judgment [Justice K.S. Puttaswamy & Anr. vs. Union of India & Ors. (2017)] and followed by five successive drafts of a data privacy bill and multiple policy debates.

The DPDPA is India's dedicated law to regulate the processing of digital personal data and will replace the existing Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under the Information Technology Act, 2000.

The DPDPA marks a significant shift in India's digital legal landscape. It introduces clear statutory obligations, enforced through a powerful regulator with the authority to levy substantial punitive fines for non-compliance. While inspired by the EU's General Data Protection Regulation (the GDPR), the DPDPA uniquely localises India's data privacy and protection regime.

For businesses that continue to treat data protection as a documentation exercise, the DPDPA will come as an unpleasant shock. The shift marks the end of theoretical compliance planning and the beginning of active implementation.

II. The 18‑Month Implementation Timeline

The phased implementation of the DPDPA is structured around clearly defined milestones:

  • 11 August 2023, Enactment: The DPDPA was enacted by notification in the Official Gazette.
  • 13 November 2025, Initial Operationalisation: The Rules were notified, phased enforcement commenced, and the DPB was formally established.
  • 13 November 2026 (12 Months): The consent manager framework and the related procedural mechanisms are expected to be operational.
  • 13 May 2027 (18 Months): Full enforcement is anticipated, along with real penalty exposure for non‑

These dates are not aspirational but clear regulatory markers against which the preparedness of an organisation for the DPDPA will be judged.

III. Understanding Key Roles: Data Fiduciaries, Data Processors, and Data Principals

Most organisations underestimate their role under the DPDPA. A recurring misconception is that only technology companies or consumer-facing platforms are materially affected; this is incorrect, and the role of each stakeholder under the DPDPA framework must be understood carefully.

  • Data Fiduciaries are entities that determine the purpose and means of processing personal data, essentially making decisions about why and how data is used. In practice, this means almost every employer, service recipient, group company and enterprise operating in India could be a Data Fiduciary depending upon the role it plays.
  • Data Processors handle personal data on behalf of Data Fiduciaries according to their instructions, and thus service providers, third-party vendors, cloud, and managed service providers will typically fall under this category.
  • Data Principals are the individuals whose personal data is being processed.

Illustration: An employee provides personal data such as name, address, and bank details to their employer. The employer becomes the Data Fiduciary, while the employee is the Data Principal. If the employer uses a third-party HR management system to process payroll, that system acts as the Data Processor. Organisations can play multiple roles depending on the processing activity, but at a minimum, all employers are Data Fiduciaries to their employees.

Ignoring these classifications early in the compliance journey could lead to structural gaps that are difficult to fix later.

IV. Key Features of the DPDPA

  1. Extra-Territorial Applicability (why DPDPA cannot be treated as a "Local Law" by Global Businesses): Many foreign multinationals still assume that India's new data protection law is primarily a domestic compliance issue. That assumption is increasingly risky. For multinational organisations, the DPDPA effectively operates as India's version of a GDPR-style regime, albeit one that reflects local regulatory priorities and enforcement design.

The DPDPA applies to entities based in India that process/handle digital personal data of individuals. The law also applies to entities based outside India that process digital personal data of individuals located in India in connection with providing goods and services.

This captures a wide range of foreign business models, including:

  • Global SaaS platforms with Indian users,
  • Overseas manufacturers using India-linked apps, telemetry or IoT systems,
  • Foreign employers processing Indian employee or contractor data, or
  • Group companies centralising HR, CRM or analytics functions outside India

In short, if India is a market, data source or talent base, the DPDPA is likely to be engaged.

Illustration: A Germany-based vehicle company sells smart cars to Indian customers through a third-party distributor, collecting names, addresses, and ride statistics through its mobile app and telematics device. Even though the company has no physical presence in India, the DPDPA applies because it processes this personal data in connection with products sold in India.

  2. Grounds of Processing: The DPDPA identifies only two valid grounds for processing the personal data of individuals (known as Data Principals): (a) Consent and (b) Legitimate Uses.
    a. Consent: Consent must be free, specific, informed, unconditional and unambiguous, provided through a clear affirmative action. Consent requests must be limited to a specific purpose and only to the personal data necessary for that purpose. Organisations relying on broad, bundled or legacy consent mechanisms will find them difficult to defend under regulatory scrutiny.
    b. Legitimate Uses: The DPDPA identifies certain legitimate uses as alternative grounds for processing personal data without consent. These typically cover situations where obtaining consent is impractical or impossible. Legitimate uses include government provision of subsidies, benefits, services, certificates, licences and permits; employment purposes and safeguarding employers from loss or liability; medical emergencies and health services during epidemics or outbreaks; assistance during disasters or maintenance of public order; and compliance with judicial proceedings. Since they are narrowly defined and purpose-specific, over-reliance on these exceptions is likely to attract regulatory attention.
  3. Privacy Notice: Under the DPDPA, privacy notices are not marketing disclosures; they are statutory instruments. A privacy notice must accompany every consent request. It must be understandable on its own, in clear and plain language, and must include (a) an itemised description of the personal data; (b) the specified purposes and their relevance to the goods or services availed; (c) a communication link to the website/app; (d) the consent withdrawal mechanism; (e) the mechanisms for exercising privacy rights; and (f) information on making complaints to the DPB. Both consent requests and notices must be available in English or, at the Data Principal's option, in any of the 22 languages listed in the Eighth Schedule to the Constitution. They must also meaningfully enable Data Principals to exercise their rights. The rights framework (access, correction, erasure, grievance redressal and nomination) will force organisations to rethink internal workflows that were never designed for user-facing accountability.
  4. Rights of Data Principals: Data Principals have the right to (a) access information about the processing of their personal data, (b) seek correction, completion, updating or erasure of their personal data, (c) seek redressal of their grievances, and (d) nominate a person to exercise these rights on their behalf in the event of death or incapacity.
  5. General Obligations of Data Fiduciaries: Data Fiduciaries must, among other things, (a) process personal data only for lawful purposes, (b) ensure the accuracy of personal data, (c) use personal data only for the purpose for which it was collected, (d) retain personal data only for as long as necessary, (e) execute a valid contract with every data processor/third party, (f) implement technical and organisational measures, (g) secure personal data against breach, (h) establish an effective grievance redressal mechanism and (i) report personal data breaches to the DPB and to the affected individuals.
  6. Reasonable Security Safeguards: Data Fiduciaries must protect personal data by implementing reasonable security safeguards such as (a) encryption, obfuscation, masking or tokenisation; (b) access controls; (c) data back-ups; (d) log retention; (e) processor contracts covering security measures; and (f) technical and organisational measures to ensure the continued effectiveness of those safeguards.
  7. Data Breach Notification: If global enforcement trends are any indication, regulators typically begin with security failures and breach response, and the DPDPA is no exception. On becoming aware of a personal data breach, a Data Fiduciary must notify (a) the affected Data Principals, without delay, describing the incident, its likely consequences, the mitigation/safety measures taken, and a dedicated point of contact; and (b) the DPB, with an initial notification without delay and a detailed report within 72 hours. Organisations without a tested incident response framework are likely to struggle with this obligation under real-world pressure.
  8. Children's Personal Data: Data Fiduciaries may process the personal data of children, or of persons with disabilities who have a lawful guardian, only after obtaining consent from the parent or guardian. Certain processing of children's personal data is prohibited outright. The Rules lay down the operational requirements for obtaining verifiable parental consent.
  9. Significant Data Fiduciaries: The DPDPA defines Significant Data Fiduciaries as a special category of Data Fiduciaries to be notified by the Government. They carry additional obligations, including appointment of a Data Protection Officer and an independent auditor, regular audits, periodic data protection impact assessments, and due diligence on algorithmic software. For large enterprises this designation is not hypothetical; it is likely. Planning for these obligations only after notification will be operationally disruptive; planning for them now is far more practical.
  10. International Data Transfers: The DPDPA permits international data transfers, subject to a negative list of jurisdictions and additional rules to be framed by the Government.
  11. Consent Managers: The Rules set out detailed registration requirements and operational obligations for the new class of consent managers. Consent managers are conceived as 'Digital Public Infrastructure', modelled on the 'Account Aggregator' mechanism already operating successfully in the financial sector.
  12. Data Protection Board: The Government has established a digital-first regulator, the Data Protection Board, responsible for monitoring compliance, hearing grievances, inquiring into data breaches, levying penalties and issuing directions.
  13. Penalties: The DPDPA provides for penalties for non-compliance of up to INR 250 crore per instance. While penalties of that order are unlikely to be imposed routinely, their existence signals clear regulatory intent. Data protection under the DPDPA is no longer a legal hygiene issue; it is a governance and risk issue that boards will be expected to understand and oversee.
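The safeguards in the list above (masking, tokenisation, access controls, log retention) and the retention obligation are stated as requirements, not as techniques. The following example, added here and not taken from the article or from any vendor product, shows what they look like when applied to the payroll record from the Section III illustration: the bank account number is replaced by a keyed token before it reaches the processor, only a masked form is shown on screens, reversal of the token is role-gated and logged, and the record and the vault entry are erased once the retention period for the purpose has run out. The employee record, the eight-year retention period, the 'payroll' role and the vault key are all assumptions made for the example; the DPDPA prescribes none of them, and the fiduciary must decide and document its own.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample record for a hypothetical employee; not real personal data.
EMPLOYEE = {
    "name": "Asha Rao",
    "address": "12 MG Road, Pune",
    "bank_account": "123456789012",
}
NOW = datetime(2026, 1, 21, tzinfo=timezone.utc)

# Hypothetical retention schedule (purpose -> period) and role allow-list.
# The DPDPA fixes neither; the Data Fiduciary decides and documents them.
RETENTION = {"payroll": timedelta(days=8 * 365)}
ALLOWED_TO_DETOKENISE = {"payroll"}


def mask_account(account: str) -> str:
    """Masking: a display form that keeps only the last four digits."""
    return "*" * (len(account) - 4) + account[-4:]


class TokenVault:
    """Vault-style tokenisation. A token is an HMAC of the value under a key that
    never leaves the vault, so one account number always maps to one token (records
    can still be matched) while the token reveals nothing on its own. Reversal is
    role-gated and every attempt is appended to an audit log (log-retention safeguard)."""

    def __init__(self, key: bytes):
        self._key = key
        self._clear = {}      # token -> clear value; the only place it exists
        self.audit_log = []   # (timestamp, role, token, outcome)

    def tokenise(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._clear[token] = value
        return token

    def detokenise(self, token: str, role: str, now: datetime) -> str:
        allowed = role in ALLOWED_TO_DETOKENISE and token in self._clear
        self.audit_log.append((now.isoformat(), role, token, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"role {role!r} may not de-tokenise {token}")
        return self._clear[token]

    def erase(self, token: str) -> None:
        """Drop the clear value so the token can never be reversed again."""
        self._clear.pop(token, None)

    def is_reversible(self, token: str) -> bool:
        return token in self._clear


def pseudonymise(record: dict, vault: TokenVault) -> dict:
    """The view a payroll processor should receive: token plus masked display string."""
    return {
        "name": record["name"],
        "address": record["address"],
        "bank_account_token": vault.tokenise(record["bank_account"]),
        "bank_account_masked": mask_account(record["bank_account"]),
    }


def retention_expired(collected_at: datetime, purpose: str, now: datetime) -> bool:
    """Keep personal data only as long as the stated purpose needs it."""
    return now >= collected_at + RETENTION[purpose]


def purge_if_expired(record, collected_at, purpose, now, vault):
    """Erase the shared record and the vault entry once retention has run out."""
    if not retention_expired(collected_at, purpose, now):
        return record
    vault.erase(record["bank_account_token"])
    return {"name": record["name"], "erased": True}


def run_demo() -> dict:
    """Walk the constructed record through the controls; returns checkable results."""
    vault = TokenVault(secrets.token_bytes(32))   # hypothetical per-vault key
    shared = pseudonymise(EMPLOYEE, vault)
    token = shared["bank_account_token"]
    stable = token == vault.tokenise(EMPLOYEE["bank_account"])
    payroll_view = vault.detokenise(token, "payroll", NOW)
    try:
        vault.detokenise(token, "marketing", NOW)
        marketing_denied = False
    except PermissionError:
        marketing_denied = True
    purged = purge_if_expired(shared, NOW, "payroll", NOW + RETENTION["payroll"], vault)
    return {
        "masked": shared["bank_account_masked"],
        "token_leaks_account": EMPLOYEE["bank_account"] in token,
        "token_is_stable": stable,
        "payroll_can_read": payroll_view == EMPLOYEE["bank_account"],
        "marketing_denied": marketing_denied,
        "audit_outcomes": [entry[3] for entry in vault.audit_log],
        "expired_after_one_year": retention_expired(NOW, "payroll", NOW + timedelta(days=365)),
        "purged": purged,
        "token_reversible_after_purge": vault.is_reversible(token),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points matter for the 'demonstrable compliance' the article keeps returning to. First, the audit log records denied attempts as well as successful ones, which is the evidence a breach inquiry will ask for; a vault that logs only successes cannot show that its access control ever refused anything. Second, the purge erases the vault entry and not just the shared record: a token that can still be reversed after the retention period is personal data that has merely changed shape.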

V. Using the 18 Months Wisely: What Actually Works

Organisations are most likely to succeed under the DPDPA if they follow a structured, defensible approach:

  1. Establishing the vision and mandate: Obtain buy-in from the leadership team and plan the compliance roadmap, ensuring leadership accountability and alignment with business objectives. (Indicators: Workshops/training, slides, and compliance roadmaps)
  2. Data Mapping: Map data flows, conduct data discovery, and maintain a comprehensive inventory of processing activities and personal data, ensuring thorough understanding of and visibility over personal data. (Indicators: Data maps or data inventories)
  3. Data Privacy Gap or Preparedness Assessment: Evaluate current practices to identify gaps in governance, people, culture and policies, setting actionable priorities for remediation. Identify critical areas for immediate attention and lay the groundwork for targeted remediation. (Indicators: Assessment reports, remediation plans, additional budgets for high risks)
  4. Data Privacy Framework: Create a comprehensive framework that addresses the identified gaps, aligning policies and controls with DPDPA obligations. Develop a 'data privacy framework' consisting of the policies and key persons required to drive privacy compliance across all business functions or departments. (Indicators: Policy framework such as consent management policy, retention policy, data breach reporting policy, third-party risk management programme, and granular process- or department-specific procedures. Key documentation such as consent forms, privacy notices, data processing contracts, etc.)
  5. Execute remediation plans and implement the data privacy framework: Implement strategies for policy uplift, consent management, data security and third-party risk management, ensuring systematic compliance. Establish systems for managing consent, data principal rights and breach notifications, strengthening response capabilities. Adopt supporting technology measures. (Indicators: Visible changes on the public-facing website and at data collection points; engagement of all employees and stakeholders; updated contracts with vendors and suppliers)
  6. Internal Audit and Continuous Monitoring: Conduct regular audits and monitoring to ensure continuous compliance and prompt adjustment based on findings. (Indicators: Dashboards with key performance indicators, internal audit reports with areas for improvement, all personal data visible and accounted for, evolving documents and policies)
  7. Training and Awareness: Run training and awareness programmes with proof of learning to embed a privacy culture across the organisation, reducing the risk of non-compliance. (Indicators: Proof of learning and drills for data breach management)

VI. Way Forward

The DPDPA marks a decisive shift in India's regulatory posture on personal data. The law is enacted, the regulator is operational, and the enforcement clock is running. Organisations must adopt a cautious and proactive approach to comply with the various requirements of DPDPA and incorporate the cost of compliance into their budgets. Organisations that use the transition period to build genuine operational readiness will find compliance manageable. Those that delay, minimise or outsource responsibility entirely will face regulatory, reputational and commercial consequences.

The 18-month implementation period will be critical for organisations to establish compliance baselines.

Finally, with the DPDPA prescribing significant fines for failures of personal data security and data breach management, robust and demonstrable information security measures are a prerequisite for compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
