DPDP / Foundation

DPDP Act and Rules

CA Nikhil Gupta·May 2026·3 min readDPDP / Foundation

Understand India’s DPDP framework through phased commencement, data-fiduciary duties, user rights, processors, security, breaches and sectoral laws.

India’s privacy framework is now notified, but its provisions do not all become operative on the same date.

Quick View

Decision

Build readiness against the final Act and Rules, while marking which obligations are already in force and which commence later.

First action

Create a data inventory.

Core evidence

DPDP Act and final Rules.

Main warning

Calling every provision fully effective.

Why It Matters

The final Digital Personal Data Protection Rules, 2025 were notified on 14 November 2025 with phased commencement. As of 25 June 2026, organisations should distinguish provisions already commenced from operational duties scheduled for later dates, while continuing to comply with the IT Act, CERT-In directions and sectoral rules already in force.

The Act applies to digital personal data processed in India and, in specified cases, processing outside India connected with offering goods or services to people in India.

A Data Fiduciary determines purpose and means, remains responsible for processors, and must build lawful-purpose, notice, consent, security, retention, grievance and rights controls when the relevant provisions commence.

Control Framework

AreaWhat to establishOperating rule
ScopeDigital personal data, geography and exclusions.Map processing before legal analysis.
RoleFiduciary, processor, principal or consent manager.Assign responsibility.
TimingImmediate, later-phase or sectoral duty.Maintain commencement matrix.
EvidenceNotice, consent, contracts, logs and requests.Design audit trail.

Action Checklist

  1. Create a data inventory.
  2. Build a provision-by-provision commencement matrix.
  3. Identify fiduciary and processor roles.
  4. Map current IT Act and sectoral duties.
  5. Assign privacy and security owners.
  6. Report readiness quarterly.

Practical Example

A startup copies a GDPR privacy policy and assumes it satisfies Indian law. It has not mapped Indian users, processor contracts, consent withdrawal or the phased commencement dates.

Evidence to Keep

  • DPDP Act and final Rules.
  • Commencement notifications.
  • Data-flow map.
  • Processor register.
  • Current privacy notices.
  • Board readiness tracker.

Warning Signs

  • Calling every provision fully effective.
  • Treating a processor as legally independent.
  • Ignoring sectoral duties.
  • No commencement tracker.
  • Copying foreign policies without data mapping.

Detailed Review

Privacy governance should connect the personal data, individual, purpose, collection point, system, owner, recipient, access role, retention trigger and incident dependency. A policy that cannot be traced to this chain is difficult to operate.

Create a dated legal matrix rather than one status label. Record the DPDP provision, commencement date, present readiness action, current IT or sectoral obligation and the evidence owner.

Design controls in the product and system. A written rule cannot stop an SDK from firing, a shared folder from exposing payroll, or a vendor from retaining deleted users unless technology and operations enforce it.

Evidence should be generated during normal work: versioned notices, event logs, access approvals, request tickets, deletion reports, vendor registers, incident chronologies and management decisions.

Use proportionate identity and security checks. Excess verification creates more personal data, while weak verification can expose another person’s records or permit account takeover.

Every product release should trigger a privacy change review covering new fields, vendors, permissions, purposes, regions and retention.

Management reporting should show overdue evidence and control failures, not only the existence of policies.

Control Test

Test the control using a real user journey from collection to deletion. Capture the notice shown, data stored, vendors called, employees with access, retention period and response if the user withdraws or complains.

Run a negative scenario: the vendor is breached, the user is a child, the employee exits, the phone is stolen, the data was inaccurate or the regulator asks for proof. Record which control fails.

Check that system records and public wording agree. Product forms, privacy notice, CRM fields, SDK behaviour, vendor contracts and support scripts should describe the same processing.

Assign a named owner and internal deadline for every gap. A risk register without funded action and closure evidence becomes an archive of known failures.

Retain the rejected alternatives and decision basis. This is especially important where the law is in phased commencement or a proportionate technical method is selected.

Escalation Route

Start with the system owner, privacy or security owner and the documented data flow. Preserve records before making changes, and separate current statutory reporting from future DPDP readiness.

For a breach, financial fraud, rights dispute, children’s-data issue or regulated-sector event, involve qualified legal, cyber, forensic and sector specialists and use the applicable official reporting or grievance channel.

Frequently Asked Questions

Are all DPDP duties fully operative?
No. The Act and Rules use phased commencement.
Does the law cover paper records?
It covers digital personal data, including non-digital data later digitised.
Who remains responsible for processors?
The Data Fiduciary remains responsible for processing carried out on its behalf.
What should SMEs do first?
Map data, roles, purposes, systems, vendors and applicable dates.