India’s DPDP Act enters operational phase; industry must act now

India has activated key parts of the DPDP Act 2023 with phased timelines, enforcement mechanisms, and final rules, signalling that businesses must now begin substantive preparation for full data-protection compliance.

Voice&Data Bureau

By Akshay Garkel, Partner & Leader, Cyber, Grant Thornton Bharat

The Government of India has formally moved the Digital Personal Data Protection Act, 2023 (DPDP Act) into its operational phase through three key Gazette notifications. Together, these notifications establish the legal, procedural, and institutional framework that will govern the country’s personal data ecosystem over the next 18 months. 

Regulatory notifications at a glance

  • G.S.R. 843(E) – Notifies the phased implementation schedule of the Act, with obligations taking effect immediately, after 12 months, and after 18 months.

  • G.S.R. 845(E) – Constitutes the Data Protection Board of India with four members, indicating that oversight and adjudication mechanisms are now formally in place.

  • G.S.R. 846(E) – Issues the final Digital Personal Data Protection Rules, 2025 under section 40, detailing substantive compliance duties and timelines for data fiduciaries.

This development marks more than administrative progress. It represents a structural inflection point: compliance transitions from a theoretical requirement to an enforceable obligation, and the window for industry adaptation is now clearly defined.

Key takeaways for businesses 

For businesses, the implications are considerable. Foundational duties relating to notice, consent, and basic governance are already in force, requiring organisations to ensure that essential controls are operational without delay. While the phased schedule offers some preparation time, the countdown has effectively begun for more complex requirements that will apply after 12 and 18 months.

These include independent audits, classification as a “significant data fiduciary”, the introduction of consent-withdrawal mechanisms, the conduct of data protection impact assessments, and the establishment of cross-border data transfer procedures. With the enforcement architecture now formalised, companies must prepare for active oversight, investigations, and potential sanctions rather than relying on guidance-led compliance. 

Sectors that handle large volumes of personal data, such as fintech, digital platforms, advertising technology, hospitality, and healthcare, face particular urgency. They must map data flows, evaluate their fiduciary classification, and put in place mechanisms that align with the new regulatory expectations. The operationalisation of the DPDP Act highlights the balance India is attempting to strike between safeguarding individual privacy and enabling the growth of its digital economy. For industry, however, the message is clear: the transition is underway, and substantive compliance action must begin immediately.