Data Protection / Governance

DPDP Rules 2025: A Business Compliance Roadmap

CA Nikhil Gupta · May 2026 · 3 min read

Data protection is now an operating model, not a privacy-policy paragraph. Finance, product, security, HR, marketing and vendor teams all create evidence that can support—or undermine—compliance.

Quick View

  • Law: DPDP Act, 2023
  • Rules: DPDP Rules, 2025
  • Rollout: Phased commencement
  • Control base: Data inventory

What Matters Now

India’s Digital Personal Data Protection framework regulates the processing of digital personal data. The final rules and commencement architecture require businesses to identify which obligations are already operative and which begin later under the phased timeline. A generic statement that the entire framework applied on one date can be misleading.

The first practical step is a data map: whose data is collected, for what purpose, on which legal basis, through which notice, where it is stored, who receives it, how long it is retained and how rights or grievances are handled.

Cybersecurity duties can overlap with other frameworks. CERT-In’s directions, sector-regulator requirements, contractual security promises and the DPDP framework should be mapped separately rather than compressed into one breach checklist.

How It Works

Stage | What happens | Control
Collection | Collect data for a stated and lawful purpose. | Match every field to a purpose and notice.
Consent and notice | Use clear, accessible language and record the consent event where relied on. | Do not bundle unrelated purposes.
Processors | Define security, use, return and deletion obligations. | Maintain a current vendor register.
Incidents | Detect, contain, assess, notify and preserve evidence under applicable rules. | Use a cross-functional response plan.

Decision Framework

Start with the exact decision being made. A payment choice, credit facility, investment, policy, remittance or compliance step should not be judged only by convenience or headline return. For this roadmap, the four useful lenses are the law (DPDP Act, 2023), the rules (DPDP Rules, 2025), the rollout (phased commencement) and the control base (the data inventory).

Next, identify the downside before considering the expected benefit. Ask how much money can be lost or delayed, which obligation becomes fixed, who controls the data or asset, what happens when the provider fails, and which official complaint or appeal route remains available. This converts a marketing claim into a testable decision.

Finally, define the review trigger. A rule change, missed payment, benefit revision, sharp market move, data incident, unresolved reconciliation or change in personal cash flow should reopen the decision. Evidence should be collected when the transaction occurs, not reconstructed after a dispute.

  • Collection: Match every field to a purpose and notice.
  • Consent and notice: Do not bundle unrelated purposes.
  • Processors: Maintain a current vendor register.
  • Incidents: Use a cross-functional response plan.

Who Bears the Risk

Participant | Primary responsibility | Failure to avoid
User or customer | Read the terms, authorise deliberately, preserve records and act within personal cash-flow or risk limits. | Collecting data without a documented purpose.
Provider or intermediary | Make accurate disclosures, operate the agreed process, protect data or assets and maintain a usable grievance route. | A privacy notice that does not match product behaviour.
Adviser or finance team | Apply the current rule to the actual facts, separate assumptions from evidence and explain material downside clearly. | Former vendors retaining live customer data.

Regulation can allocate duties, but it cannot remove commercial or market risk. The safest operating approach is to know which participant owns each step and to escalate an exception before money, data or legal rights become difficult to recover.

Practical Example

A fintech collects contacts, location, salary documents and device data during onboarding. The company should not justify every field as “fraud prevention” without evidence. It must separate necessary onboarding data from optional analytics, align notices and consent, restrict vendor use and document retention and deletion.
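As an added illustration (not the article's own tooling), the following Python models a system-level personal-data inventory for the fintech above and checks it against the warning signs the article lists: undocumented purpose, notice mismatch, optional use without a recorded consent event, missing retention schedule and a former vendor still holding live data. Every field, vendor, notice version and date is constructed.

```python
# Added illustration, not the article's own tooling: a minimal personal-data
# inventory for the fintech onboarding case. All values below are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class DataField:
    name: str
    purpose: Optional[str]          # documented purpose; None = undocumented
    necessary: bool                 # needed to onboard, vs optional analytics
    notice_version: Optional[str]   # notice version that describes this use
    consent_event: Optional[str]    # recorded consent id when consent is relied on
    retention_days: Optional[int]   # None = no deletion schedule defined
@dataclass
class Vendor:
    name: str
    holds_live_data: bool
    contract_end: Optional[date]    # None = contract still active

def review_inventory(fields, vendors, current_notice, today):
    findings = []  # one line per control gap; empty list means no gaps found
    for f in fields:
        if f.purpose is None:
            findings.append(f"{f.name}: collected without a documented purpose")
        if f.notice_version != current_notice:
            findings.append(f"{f.name}: use not described in notice {current_notice}")
        if not f.necessary and f.consent_event is None:
            findings.append(f"{f.name}: optional use with no recorded consent event")
        if f.retention_days is None:
            findings.append(f"{f.name}: no retention or deletion schedule")
    for v in vendors:
        if v.holds_live_data and v.contract_end and v.contract_end < today:
            findings.append(f"{v.name}: former vendor still holds live customer data")
    return findings

# Constructed onboarding inventory for the fintech example (not real data)
ONBOARDING = [
    DataField("contacts", None, False, "v2", None, None),
    DataField("location", "fraud prevention", True, "v2", "c-101", 365),
    DataField("salary_documents", "credit assessment", True, "v2", "c-101", 2555),
    DataField("device_data", "analytics", False, "v1", None, 90),
]
VENDORS = [Vendor("analytics-vendor", True, date(2025, 12, 31)),
           Vendor("kyc-vendor", True, None)]
REVIEW_DATE = date(2026, 5, 1)  # constructed review date

if __name__ == "__main__":
    for line in review_inventory(ONBOARDING, VENDORS, "v2", REVIEW_DATE):
        print(line)
```

Running it lists six gaps for the constructed inventory; the two necessary fields with a current notice, consent event and retention period produce none.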

Action Checklist

  • Create a system-level personal-data inventory.
  • Map notices, consent and alternative legal grounds.
  • Classify vendors and cross-border data flows.
  • Define retention and deletion schedules.
  • Run an incident-response simulation.
  • Track each commencement date and sector rule.

Evidence to Keep

  • Data inventory and processing register.
  • Versioned notices and consent logs.
  • Vendor contracts and security reviews.
  • Access logs and retention records.
  • Incident assessment and response timeline.

Warning Signs

  • Collecting data without a documented purpose.
  • A privacy notice that does not match product behaviour.
  • Former vendors retaining live customer data.
  • No owner for deletion or grievance requests.
  • Treating phased commencement as permission to delay preparation.

Frequently Asked Questions

Does the DPDP framework affect only technology companies?
No. Any covered organisation processing digital personal data can be affected, including employers, retailers and professional firms.

Is consent always the only basis?
The Act contains its own framework, including consent and specified legitimate uses. The correct basis depends on the processing.

Can compliance be delegated to a vendor?
Operational tasks may be outsourced, but governance and contractual accountability cannot simply disappear.

Why track commencement dates?
Different provisions can begin at different times. The control plan should reflect the official notification and rules.