DPDP Act & Rules 2025 – The Moment Data Became a Boardroom Risk in India
A SiteWALL CXO Intelligence Brief on the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025 — for CEOs, CISOs, CTOs, CDOs and board members navigating India’s most consequential data law.
What Every CXO Needs to Know
- DPDP is already active. The Rules were notified November 2025. Enforcement is phased but live.
- Maximum penalty: ₹250 crore for failure to implement reasonable security safeguards — but fines are rarely the biggest cost.
- The real risk is visibility. Most organisations don’t lack policies. They lack proof — of who accessed data, why, and when it was deleted.
- Compliance requires system-level changes. Not a policy update. Architecture, data flows, monitoring, and governance all need to change.
- Full compliance deadline: May 2027. The window looks long. In practice, it disappears fast. Start with a gap assessment now.
Most regulations arrive quietly. DPDP won’t stay quiet.
The Digital Personal Data Protection Act marks a turning point — not just for compliance teams, but for how every business in India operates at the leadership level.
For years, data lived inside systems: collected, analysed, monetised, largely treated as an internal asset. That is no longer the case.
Data is now a regulated liability. And that makes it a boardroom concern.
This Is Not a Legal Problem. It’s a Leadership Problem.
If you are a CEO, CIO, or CISO, this is not something you can push down the chain.
Because the real risk isn’t just regulatory. It’s what follows a failure:
- Loss of customer trust
- Public exposure and mandatory disclosures
- Operational disruption
- Board-level escalation
- Long-term brand damage that outlasts any fine
Yes — penalties can reach up to ₹250 crore. But that is rarely the biggest cost.
The real loss is trust. And trust is much harder to recover than a fine is to pay.
Earlier, most organisations treated data protection as a checklist: privacy policy, consent checkbox, basic security. Done.
The DPDP Act changes the question entirely:
Can you prove — at any point — that personal data is being handled responsibly?
Not just a policy on paper. Not an assumption that systems are secure. Actual evidence. On demand.
The Three Shifts Every CXO Must Understand
Strip the law to its strategic essentials and three irreversible shifts emerge. Each one reshapes a different part of how your organisation operates.
Shift 1 | Shift 2 | Shift 3 |
Policy → Proof | IT ownership → Business accountability | Reactive → Continuous control |
Who accessed it, why, where, when deleted | Compliance now touches product, marketing, legal, ops | Monitoring, detection, and audit-readiness are mandatory |
Shift 1: From Policy to Proof
A privacy policy in a footer is no longer compliance. The Act demands that you can demonstrate — at any point in time — who accessed personal data, why it was collected, where it is stored, and when it has been deleted. This requires systems, not statements.
Shift 2: From IT Ownership to Business Accountability
Data protection now touches product design, marketing campaigns, legal agreements, and operational workflows. This is no longer a siloed IT responsibility. It is an organisational capability that every function must own a piece of.
Shift 3: From Reactive to Continuous Control
The law explicitly requires continuous monitoring, real-time detection, and audit-ready systems. Failure to implement reasonable security safeguards is itself a violation — not a consequence of one. The posture required is ongoing vigilance, not periodic cleanup.
The Hidden Complexity: What Counts as Personal Data
This is where many leadership teams get surprised. Personal data is not just names or phone numbers. The DPDP Act defines it broadly — any information that directly or indirectly identifies an individual:
- Name, email address, phone number
- IP addresses and device identifiers
- Cookies and analytics tokens
- Behavioural and usage data
- Financial and transaction records
- Health and medical information
Even basic website analytics and application logs may fall within scope. Almost every digital interaction becomes part of your compliance exposure.
Since nearly every modern business collects some form of identifiable data, the DPDP Act applies far more broadly than most leadership teams initially assume. A B2B SaaS platform whose clients have Indian end-users is in scope. A foreign company providing digital services to users in India is in scope. Size and geography provide no exemption.
The Clock Is Already Running
One of the most common misconceptions in leadership teams right now: assuming the DPDP Act is still “coming.” It isn’t. The DPDP Rules, 2025 were notified on November 13, 2025 (Gazette G.S.R. 846(E), published/available November 14, 2025), with phased enforcement starting immediately. The framework is live.
Date | Window | What comes into force |
Nov 13, 2025 | Now active | DPBI established · Definitions & governance live |
Nov 13, 2026 | 12 months | Consent Manager registration deadline |
May 13, 2027 | 18 months | Full compliance: notices, consent, data rights, breach reporting, retention, security safeguards |
2025 — Active Now: Framework live; DPBI established & operational | 2026 — 12 Months: Consent ecosystem; Consent Managers must register | 2027 — Full Compliance: All obligations active (notices, rights, breach, retention) |
The 18-month window looks comfortable. In practice, it disappears quickly once execution begins — system redesigns, vendor decisions, team training, and governance processes all take longer than the calendar suggests.
The window is not an invitation to delay. It’s time to build — and that building needs to start now.
What needs to change is not a policy update. It’s architecture, data flows, monitoring systems, and governance processes. This is not a sprint. It is an organisational transformation.
The Numbers That Should Get Board Attention
The DPDP Act sets maximum penalty caps. The Data Protection Board of India (DPBI) determines actual fines after investigation — considering the seriousness of the violation, sensitivity of the data, whether it was intentional or repeated, and what remediation steps were taken. The ceilings are:
Violation | Maximum Penalty |
No reasonable security safeguards | ₹250 crore |
Failure to notify a data breach | ₹200 crore |
Mishandling children’s personal data | ₹200 crore |
Significant Data Fiduciary failures | ₹150 crore |
Any other violation of the Act | ₹50 crore |
Beyond fines, consider the collateral damage: mandatory public disclosures, operational disruption, regulatory scrutiny that follows an organisation for years, and the one cost no table can quantify — the erosion of customer trust.
What Global Enforcement Looks Like: A GDPR Reference Point
India’s DPDP Act is modelled closely on GDPR — the EU’s data protection regulation, in active enforcement since 2018. The global record shows what real enforcement looks like when regulators have both legal authority and the intent to use it.
British Airways (2019): Fined £20 million after a breach exposed data of approximately 400,000 customers. The ICO found the airline had poor security arrangements. The fine came alongside sustained reputational damage and years of regulatory scrutiny.
Meta (2023): Fined €1.2 billion by Ireland’s DPC for unlawful transfer of EU user data to the US — the largest GDPR fine to date. The violation was structural, not accidental.
DPDP enforcement is not live at this scale yet. But the legal framework is identical in intent, and the DPBI has been given the same investigative authority. The question is not whether India will enforce — it is when, and who will be the first examples.
The DPBI also considers whether the organisation took genuine preventive and mitigation steps. This matters: organisations that have invested in real security infrastructure will fare very differently from those that treated compliance as a paperwork exercise.
The Five Obligations That Will Shape Your Operations
The Act creates five operational obligations that will require genuine changes to how your teams work — not just what your policies say.
1. Consent — the end of ‘you agreed by using our service’
Consent must be a clear, affirmative, specific action. Pre-ticked boxes, bundled permissions buried in terms of service, and implied consent are no longer valid. Users must be told precisely what data is collected, why, and for how long — and must be able to withdraw consent at any time without friction. Your systems must log every consent event in a verifiable, auditable way.
2. Privacy notices — plain language, front and centre
Notices must be simple, accessible, and ideally available in multiple Indian languages. They cannot live in a hard-to-find footer. They must explain what you collect, why, how long you keep it, who you share it with, and how users can exercise their rights. This is as much a product and design challenge as it is a legal one.
3. Data Principal rights — real entitlements, not policy text
Individuals — the law calls them Data Principals — now have rights to access their data, correct inaccuracies, and request deletion. You must be operationally ready to honour these requests. That means knowing where your data sits across every system, API, log, backup, and cloud environment. If you cannot answer that question today, you have your first priority.
4. Breach reporting — fast, documented, and transparent
You must detect breaches and report them to the DPBI and affected individuals without delay when there is a realistic risk of harm. The speed of detection directly affects your compliance standing. Having an incident response workflow in place before an incident occurs is non-negotiable.
5. Data retention and deletion — lifecycle management becomes mandatory
All consent logs and data processing records must be retained for at least one year. Personal data must be securely deleted once the business purpose is fulfilled, unless there is a legal basis for longer retention. This forces a fundamental rethink of how you manage storage, cloud environments, and data lifecycle policies.
The 5 Compliance Pillars at a Glance
01 Consent | 02 Notice | 03 Rights | 04 Breach | 05 Retention |
Clear, affirmative, logged, reversible | Plain language, multilingual, front-facing | Access, correction & deletion on demand | Detect fast, notify DPBI, document all | 1-year logs, delete on purpose-end |
The Real Risk Is Not the Law. It Is Visibility.
When organisations start preparing seriously, a pattern emerges. They do not lack policies. They lack visibility.
Questions start surfacing that nobody had clean answers to before:
- Where exactly is our personal data — across applications, APIs, logs, backups, and cloud environments?
- Who is accessing it, and why?
- Can we track data flows across systems in real time?
- Can we delete it reliably when required?
- If a system is compromised, can we demonstrate that personal data was protected?
This is where the DPDP Act becomes uncomfortable. It exposes operational blind spots that have been present for years — but never mattered enough to fix. Now they do.
Children’s Data: A Strategic Blind Spot
If your platform serves or could be accessed by users under 18 — even indirectly — the DPDP Act carries specific provisions that require material product changes. Organisations must verify user age and obtain verifiable parental consent before processing a child’s personal data. Behavioural tracking, profiling, and targeted advertising directed at children are prohibited.
For edtech platforms, gaming companies, content apps, and social communities, this means redesigning onboarding workflows, building age-verification systems, and auditing product features for compliance. This is not a minor policy update. It requires real engineering and product investment.
Cybersecurity Is No Longer Just Defence
This is a critical shift that many security leaders have not yet internalised. Cybersecurity is no longer only about stopping attacks. Under the DPDP Act, it enables compliance, accountability, and trust — simultaneously.
The requirement for reasonable security safeguards is the provision that attracts the highest penalty in the Act. And it is also the provision most directly tied to your existing cybersecurity posture. The law doesn’t prescribe specific tools. It expects modern cyber hygiene applied consistently across every surface where personal data flows:
- Web application firewalls protecting customer-facing portals
- API security governing data flows between systems and microservices
- Bot mitigation preventing credential stuffing and automated scraping
- Encryption and access controls on cloud workloads
- Continuous monitoring and real-time alerting
- Centralised logging with at least one year of retention
- Incident response workflows that enable timely DPBI reporting
For CISOs: DPDP doesn’t add new security obligations on top of your existing work — it legally codifies what good security practice already looks like. The compliance gap assessment starts with an honest read of where your current controls fall short.
Under DPDP, the question is no longer whether a breach happens.
The question is whether you can prove you were in control when it did.
SiteWALL · DPDP CXO Intelligence Brief · 2025–26
Where Most Organisations Get Stuck
This is where most leadership teams pause — not because they do not understand the law, but because translating it into execution is far harder than expected. The gap between intent and working controls is where real risk lives.
This is also where cybersecurity platforms stop being tools and become infrastructure for compliance — where strategy meets infrastructure.
Platforms like SiteWALL are built for exactly this challenge. Most security tools generate alerts. SiteWALL generates audit-ready evidence. The Act’s requirement for reasonable security safeguards — the provision carrying the highest penalty of up to ₹250 crore — maps directly to what a modern security platform provides. By combining:
- Web application protection
- API security
- Bot mitigation
- Real-time traffic monitoring
- Centralised logging and audit trails
…organisations can move from:
“We believe we are compliant”
to
“We can demonstrate it at any moment.”
For CXOs, this is not about deploying another security layer. It is about having continuous visibility, audit readiness, and the confidence that your organisation is in control of its data surface — not just on paper, but in practice.
Significant Data Fiduciaries: The Higher-Stakes Category
Some organisations will be designated as Significant Data Fiduciaries (SDFs) — those handling large volumes of sensitive or high-risk personal data. Being classified as an SDF carries additional obligations beyond those of a standard Data Fiduciary:
- Appointing a Data Protection Officer (DPO)
- Conducting annual data protection audits
- Performing Data Protection Impact Assessments (DPIAs) for high-risk processing activities
- Implementing AI governance mechanisms
- Maintaining strict and detailed processing logs
Industries most likely to face SDF designation: BFSI, telecom, healthcare, large e-commerce platforms, and leading digital platforms handling data at scale. If your organisation operates in any of these sectors, prepare for SDF classification now rather than waiting for formal notification.
What Smart CXOs Are Doing Already
The organisations moving early are not waiting for deadlines. Here is a realistic sequencing of priorities:
In the next 90 days
- Commission a DPDP gap assessment — map your data flows and benchmark current controls against the Act’s requirements
- Brief your board — DPDP carries board-level accountability and directors need to understand the exposure
- Assign clear ownership — name an executive sponsor; shared responsibility between legal, IT, and compliance is how gaps persist
- Begin updating privacy notices and consent mechanisms for your highest-traffic customer touchpoints
Over the next 12 months
- Implement or upgrade logging, monitoring, and cloud security controls
- Build and test breach detection and incident response workflows
- Establish API governance across customer-facing and internal services
- Train product and engineering teams on privacy-by-design principles
- If you handle children’s data — begin age-verification and consent system redesign immediately
Before May 2027
- Automate data deletion workflows tied to purpose completion
- Conduct DPIAs for high-risk processing activities
- Prepare for potential SDF designation if you operate in BFSI, telecom, health-tech, or large-scale digital services
- Conduct a full-scale compliance audit and close gaps before enforcement becomes fully active
Your DPDP Readiness Roadmap
Phase 1: Foundations | Phase 2: Build | Phase 3: Complete |
Phase 1 (0–90 days): Gap assessment & data mapping; Board briefing; Assign executive sponsor; Update notices & consent UX | Phase 2 (up to 12 months): Logging & monitoring upgrade; Breach detection & IR workflows; API governance rollout; Privacy-by-design training | Phase 3 (before May 2027): Automate deletion workflows; Conduct DPIAs; SDF preparation if applicable; Full compliance audit |
From Compliance Burden to Competitive Advantage
Here is the shift in thinking that separates organisations that will struggle with DPDP from those that will benefit from it:
Compliance is not a cost centre. It is a trust signal.
In markets where consumers are becoming more privacy-aware, and enterprise procurement increasingly includes data security assessments, genuine DPDP compliance is a differentiator. It signals to customers that you handle their data responsibly. It signals to enterprise clients that you are a safe partner. It signals to regulators that you operate in good faith.
Organisations that treat DPDP as a minimum-viable-compliance exercise will be back doing this again in two years when enforcement tightens. Those that build privacy and security into their operating model now will have a foundation that scales with them.
The DPDP Act is not designed to slow innovation. It is designed to ensure that India’s digital growth happens with trust at its core.
The One Question That Matters
At the end of the day, everything comes down to this:
If a regulator, customer, or board member asks — “Are we fully in control of the personal data we handle?” — what would your answer be?
If there is any hesitation, that is your starting point.
Final Thought
The DPDP Act is not just a regulation. It is a signal.
India is entering a phase where data responsibility will define business credibility.
The organisations that move early will build trust.
The ones that delay will manage risk.
And in a digital economy, trust compounds faster than any other asset.
The only question is — will you be ready to prove it?
If you’re evaluating how your current security stack aligns with DPDP requirements, the time to act is now — not when the regulator asks. Start with a gap assessment, assign an executive owner, and build from there. The window to May 2027 is workable. But only if you use it.
Frequently Asked Questions
The questions CXOs, legal teams, and product leaders ask most — answered directly.
1. Who Does DPDP Apply To?
Who exactly does the DPDP Act apply to?
The Act applies to any organisation — of any size, sector, or geography — that processes the personal data of individuals located in India. This is intentionally broad. It covers Indian companies, foreign companies, startups, enterprises, B2B platforms, B2C apps, and public-sector institutions alike. If you touch personal data of anyone in India, you are in scope. The Act does carve out a narrow set of exemptions — processing for personal or domestic purposes, certain state security and law enforcement functions, and non-digital personal data that has not been digitised — but these are narrow and unlikely to apply to most businesses.
We are a small startup. Does DPDP really apply to us?
Yes — without exception. The Act makes no distinction based on company size, revenue, or headcount. If you collect even a single piece of personal data — an email address, a phone number, a device ID — you are in scope. The only practical difference is that smaller organisations may have less ground to cover. The obligation is identical.
We are a foreign company with no India office. Why does this apply to us?
Because applicability is determined by where your users are, not where your company is registered or where your servers sit. If you offer products or services to individuals located in India and process their personal data in doing so, the DPDP Act applies to you. This mirrors how GDPR treats EU residents. Geography of the data subject is what matters — not the geography of the business.
Does DPDP apply to B2B companies, or just consumer-facing ones?
Both. If you are a B2B platform whose enterprise clients use your product and their end-users are individuals in India, you are processing personal data within the Act’s scope. SaaS providers, API platforms, data processors, and sub-processors all carry obligations — even if they never interact directly with the end data principal. The chain of accountability extends through the entire data supply chain.
Does the Act apply to employee data as well?
Yes. The DPDP Act does not carve out employee data. HR systems, payroll platforms, performance management tools, recruitment databases, access logs, and internal communications that contain personal information are all in scope. If you process personal data of employees who are individuals in India, the same obligations apply — consent, purpose limitation, retention, and data principal rights included.
Which industries are most affected?
Every industry that processes personal data at scale — which today means almost all of them. The most acutely affected sectors are BFSI, healthcare, telecom, e-commerce, edtech, OTT and content platforms, logistics, gaming, hospitality, and public services. Organisations in these sectors are also most likely to be designated as Significant Data Fiduciaries, which triggers a higher tier of compliance obligations.
2. What Counts as Personal Data?
What exactly is considered personal data under this Act?
Any information that directly or indirectly identifies an individual. This includes the obvious — name, phone number, email address — but also IP addresses, device identifiers, cookies, analytics tokens, behavioural and usage data, financial and transaction records, health information, and location data. If a piece of data can be linked to a specific person, it counts. This means almost every digital interaction your platform generates falls within scope.
Do cookies and website analytics fall under the Act?
Yes. Cookies, analytics identifiers, IP addresses, device IDs, and behavioural data are all personal data under the Act — because they can directly or indirectly identify an individual. If your website or app collects any of these, you likely need a lawful basis and, in most cases, explicit consent. Basic traffic analytics are not exempt.
What about data we collect for marketing or remarketing?
Marketing data — email lists, purchase history, browsing behaviour, ad engagement signals — is personal data. Using it for remarketing or personalised advertising requires consent that is specific to that purpose. Bundling marketing consent inside a general terms-of-service acceptance no longer works. Consent must be granular, purpose-specific, and revocable.
3. Consent & Privacy Notices
Our current privacy policy is already quite detailed. Is that enough?
Probably not — and here’s why. The DPDP Act requires notices to be clear, simple, and accessible in multiple Indian languages where applicable. A detailed legal document buried in a footer does not meet the standard. Notices must be presented before data is collected, explain purpose specifically, and be updated as practices change. Detailed is not the same as compliant.
Can we use consent we collected before the Act came into force?
This depends on whether the prior consent meets the Act’s standard — specific, informed, unambiguous, and revocable. Most existing consent mechanisms — pre-ticked boxes, buried clauses, implied acceptance — will not meet the bar. The safer approach is to treat full compliance as requiring a fresh consent architecture rather than retrofitting old consents.
What happens when a user withdraws consent?
You must stop processing their data for the purpose they withdrew consent for — promptly, and without penalising the user or degrading their service experience. You must also have the systems in place to honour that withdrawal reliably. If your architecture makes it difficult to stop processing in response to a withdrawal, that is an operational gap the Act now makes legally significant.
4. Breach Reporting & Security
How quickly do we need to report a data breach?
The Act requires notification to both the DPBI and affected individuals without delay — when there is a realistic risk of harm to the data principal. There is no fixed hour window in the current Rules, but ‘without delay’ is interpreted strictly. The practical implication: you need continuous monitoring, real-time alerting, and a breach response workflow that is already tested and ready — not designed the day after an incident.
What exactly counts as ‘reasonable security safeguards’?
The Act deliberately avoids prescribing a checklist. It requires safeguards appropriate to the nature and scale of data being processed — which is assessed contextually. In practice, the DPBI will look at whether you had encryption, access controls, monitoring, logging, API security, incident detection, and response capabilities in place. Organisations that can demonstrate active, continuous security controls will be in a materially better position than those relying on policies and documentation alone.
Does our cloud provider’s compliance certification cover us?
No. Cloud infrastructure compliance (ISO 27001, SOC 2, and so on) covers the provider’s environment — not how you configure, use, or govern data within it. Access controls, encryption key management, data classification, consent management, and processing logs are your responsibility regardless of which cloud you use. Compliance cannot be outsourced to your infrastructure vendor.
5. Retention & Deletion
How does the one-year retention rule actually work in practice?
Two rules, not one. Compliance records — consent logs, processing records, audit trails — must be kept for at least one year. The personal data itself must be deleted once the business purpose is fulfilled. These obligations run independently and need separate workflows. Most organisations need to redesign their data lifecycle policies to handle both.
We store data in multiple systems and backups. Does deletion apply everywhere?
Yes — and this is where many organisations discover their biggest operational gap. The deletion obligation applies across all environments where personal data resides: production databases, analytics platforms, data warehouses, third-party tools, and backup systems. If you cannot reliably locate and delete a specific individual’s data across your entire stack, you have a gap that needs to be addressed before May 2027.
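The consent-logging obligation (section 1 of the five obligations above) and the two independent retention workflows described in this answer are easier to reason about in code. The following is an added example written for this brief; it is not SiteWALL’s code and not part of the original document. It models an append-only, hash-chained consent ledger (so that any later edit to a consent record is detectable), a purpose-bound personal data store with its own deletion sweep, and the rule that withdrawal of consent stops processing for that purpose. All identifiers, record fields, dates and the 365-day figure for “at least one year” are constructed assumptions for illustration.

```python
# Added example for the DPDP brief (not SiteWALL code). All data is constructed.
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

GENESIS = "0" * 64
CONSENT_LOG_RETENTION = timedelta(days=365)  # "at least one year"; 365 days is an assumption


@dataclass
class ConsentEvent:
    seq: int
    principal_id: str
    purpose: str
    action: str          # "granted" or "withdrawn"
    on: date
    prev_hash: str
    digest: str = ""


class ConsentLedger:
    """Append-only consent log. Each entry commits to the previous one, so editing
    or removing any earlier entry is detectable by verify()."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    @staticmethod
    def _digest(ev: ConsentEvent) -> str:
        payload = json.dumps([ev.seq, ev.principal_id, ev.purpose, ev.action,
                              ev.on.isoformat(), ev.prev_hash])
        return hashlib.sha256(payload.encode()).hexdigest()

    def record(self, principal_id: str, purpose: str, action: str, on: date) -> ConsentEvent:
        if action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        prev = self.events[-1].digest if self.events else GENESIS
        ev = ConsentEvent(len(self.events), principal_id, purpose, action, on, prev)
        ev.digest = self._digest(ev)
        self.events.append(ev)
        return ev

    def verify(self) -> bool:
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_hash != prev or self._digest(ev) != ev.digest:
                return False
            prev = ev.digest
        return True

    def has_consent(self, principal_id: str, purpose: str, on: date) -> bool:
        """The latest event for (principal, purpose) dated on or before `on` decides."""
        state = False
        for ev in self.events:
            if ev.principal_id == principal_id and ev.purpose == purpose and ev.on <= on:
                state = ev.action == "granted"
        return state

    def disposal_permitted(self, ev: ConsentEvent, today: date) -> bool:
        """Compliance records must survive at least the retention period."""
        return today >= ev.on + CONSENT_LOG_RETENTION


@dataclass
class PersonalRecord:
    record_id: str
    principal_id: str
    purpose: str
    fields: dict
    purpose_fulfilled_on: Optional[date] = None   # set when the business purpose ends
    legal_hold_until: Optional[date] = None       # legal basis for longer retention, if any


class PersonalDataStore:
    """Purpose-bound personal data with its own deletion workflow, separate from the ledger."""

    def __init__(self) -> None:
        self.records: Dict[str, PersonalRecord] = {}

    def add(self, rec: PersonalRecord) -> None:
        self.records[rec.record_id] = rec

    def may_process(self, ledger: ConsentLedger, record_id: str, today: date) -> bool:
        rec = self.records.get(record_id)
        if rec is None or rec.purpose_fulfilled_on is not None:
            return False
        return ledger.has_consent(rec.principal_id, rec.purpose, today)

    def retention_sweep(self, ledger: ConsentLedger, today: date) -> List[str]:
        """Delete records whose purpose is fulfilled or whose consent was withdrawn,
        unless a legal hold still covers today. Returns the deleted record ids."""
        deleted = []
        for rid, rec in list(self.records.items()):
            done = rec.purpose_fulfilled_on is not None and rec.purpose_fulfilled_on <= today
            withdrawn = not ledger.has_consent(rec.principal_id, rec.purpose, today)
            on_hold = rec.legal_hold_until is not None and today <= rec.legal_hold_until
            if (done or withdrawn) and not on_hold:
                del self.records[rid]
                deleted.append(rid)
        return sorted(deleted)


def demo() -> dict:
    """Constructed walk-through: grant, withdraw, sweep, and check ledger retention."""
    ledger, store = ConsentLedger(), PersonalDataStore()
    ledger.record("p-1", "marketing", "granted", date(2026, 1, 10))
    ledger.record("p-2", "order-fulfilment", "granted", date(2026, 1, 12))
    store.add(PersonalRecord("r-1", "p-1", "marketing", {"email": "p1@example.test"}))
    store.add(PersonalRecord("r-2", "p-2", "order-fulfilment", {"address": "(constructed)"},
                             purpose_fulfilled_on=date(2026, 2, 1),
                             legal_hold_until=date(2026, 6, 30)))
    ledger.record("p-1", "marketing", "withdrawn", date(2026, 3, 1))   # user withdraws
    today = date(2026, 3, 2)
    return {
        "chain_ok": ledger.verify(),
        "may_market_p1": store.may_process(ledger, "r-1", today),     # False after withdrawal
        "deleted": store.retention_sweep(ledger, today),              # r-1 goes; r-2 is on hold
        "remaining": sorted(store.records),
        "consent_log_size": len(ledger.events),                       # withdrawal itself is kept
        "oldest_disposable": ledger.disposal_permitted(ledger.events[0], today),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two classes is the separation the answer above insists on: the personal data is deleted by `retention_sweep` as soon as its purpose ends or consent is withdrawn (legal hold aside), while the consent record of that withdrawal stays in the ledger until `disposal_permitted` says the retention period has passed. In a real deployment the ledger would be written to append-only storage and the sweep would have to reach every system listed in the answer, not one in-memory store.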
6. Special Categories & Sectors
We serve children through our platform. What specifically changes for us?
Significantly more than a policy update. You must verify user age before processing personal data. You must obtain verifiable parental consent — not just a checkbox. You cannot engage in behavioural tracking, profiling, or targeted advertising directed at users under 18. For edtech platforms, gaming companies, content apps, and social communities, this means redesigning onboarding flows, building age-verification systems, and auditing every product feature that involves tracking or personalisation. This is an engineering and product investment, not a legal one.
What makes an organisation a Significant Data Fiduciary — and how do we know if we qualify?
Designation is determined by the Central Government based on data volume, sensitivity, risk to individuals, and national security considerations. No specific thresholds have been published — MeitY retains full discretion. If you operate in BFSI, telecom, healthcare, or large-scale e-commerce, treat SDF designation as a strong probability. The obligations it triggers — DPO appointment, annual audits, DPIAs, AI governance — are substantial. Prepare now, not after formal notification arrives.
Does DPDP affect how we use AI or machine learning on customer data?
Yes, in two ways. First, any AI model trained on or making decisions using personal data of Indian individuals falls within the Act’s scope — purpose limitation, consent, and data minimisation all apply. Second, Significant Data Fiduciaries will be required to implement AI governance mechanisms specifically. If your AI systems profile users, make automated decisions, or use personal data for model training, your DPDP compliance programme needs to explicitly account for this.
We transfer personal data outside India. How does the DPDP Act treat cross-border transfers?
Cross-border data transfers are permitted under the DPDP Act, but not unconditionally. The Central Government retains the authority to restrict or prohibit transfers to specific countries or territories by notification. In practice, the Rules address this in a phased manner — full transfer restrictions and whitelisting mechanisms are expected to be clarified in later regulatory guidance. For now, organisations should not assume that transferring data to overseas processors is unrestricted. The safer approach is to ensure that any cross-border transfer is covered by a contractual arrangement with the receiving party, that the transfer serves a documented and lawful purpose, and that your data mapping identifies every jurisdiction where personal data flows. International organisations operating in India should plan for stricter transfer rules to be introduced as enforcement matures.
7. Penalties & Enforcement
Are the penalties automatic once we miss a deadline?
No. Penalties are not automatic or fixed. The Data Protection Board of India investigates complaints and violations, and determines penalty amounts only after due process — considering the nature and seriousness of the violation, whether it was intentional or repeated, the sensitivity of data involved, the harm caused, and what remediation steps the organisation took. The ₹250 crore figure is a ceiling, not a default. That said, the DPBI has real investigative powers and penalties are designed to be meaningful — not symbolic.
What should we do right now if we have not started yet?
Three things, in this order. One: commission a DPDP gap assessment — map where your personal data sits, how it flows, and where your current controls fall short. Two: assign an executive owner — not a shared responsibility between legal, IT, and compliance, but a named individual accountable to the board. Three: begin updating your highest-traffic customer touchpoints for consent and notice compliance. Everything else — architecture, monitoring, deletion workflows, DPIAs — builds from that foundation. The window to May 2027 is workable. But it requires starting now, not at the deadline.
Updated as of March 2026 — DPBI operational; no major amendments to the Act or Rules to date.
© 2025–2026 | DPDP Act & Rules 2025 — SiteWALL CXO Intelligence Brief
Disclaimer: This document is for informational purposes only and does not constitute legal advice. Organisations should consult qualified legal and compliance professionals for guidance specific to their circumstances.