India has taken a decisive step toward enforcing its modern privacy regime, with the Government formally activating the Digital Personal Data Protection Act, 2023 (DPDP Act) through a series of three gazette notifications.
These notifications operationalise the Act by setting out its implementation schedule, constituting the Data Protection Board, and issuing the DPDP Rules 2025 — collectively forming the legal and institutional backbone that will steer the handling of personal data over the next 18 months.
With this move, the country’s Ministry of Electronics and Information Technology (MeitY) has ushered in a new compliance environment that reshapes how organisations collect, process, and govern personal information, extending across social media platforms, digital services, online marketplaces, and every entity that manages personal data.
The shift places greater control in the hands of citizens while signalling to businesses that India’s data protection regime has entered its enforcement phase.
What the Regulatory Notifications Say
G.S.R. 843(E): This notifies the phased implementation schedule of the Act, with obligations taking effect immediately, after 12 months, and after 18 months.
G.S.R. 845(E): It establishes the Data Protection Board of India, comprising four members, indicating that oversight and adjudication mechanisms are now formally in place.
G.S.R. 846(E): This issues the final Digital Personal Data Protection Rules, 2025 under section 40, detailing substantive compliance duties and timelines for data fiduciaries.
This development marks more than administrative progress. It represents a structural inflexion point: compliance transitions from a theoretical requirement to an enforceable obligation, and the window for industry adaptation is now clearly defined.
Key Takeaways for Businesses
For businesses, the implications are considerable. Foundational duties relating to notice, consent, and basic governance are already in force, requiring organisations to ensure that essential controls are operational without delay. While the phased schedule offers some preparation time, the countdown has effectively begun for more complex requirements that will apply after 12 and 18 months.
These include independent audits, classification as a 'significant data fiduciary', the introduction of consent and withdrawal mechanisms, conducting data protection impact assessments, and establishing procedures for cross-border data transfers. With the enforcement architecture now formalised, companies must prepare for active oversight, investigations, and potential sanctions rather than relying on guidance-led compliance.
Sectors that handle large volumes of personal data, such as fintech, digital platforms, advertising technology, hospitality, and healthcare, face particular urgency. They must map data flows, evaluate their fiduciary classification, and implement mechanisms that align with the new regulatory expectations. The operationalisation of the DPDP Act highlights the balance India is attempting to strike between safeguarding individual privacy and enabling the growth of its digital economy. For industry, however, the message is clear: the transition is underway, and substantive compliance action must begin immediately.
Akshay Garkel is a Partner and Leader for Cyber at Grant Thornton Bharat.