DPDPA 2023 Compliance & Data Privacy Advisory

Data Protection & Privacy in India

India’s Digital Personal Data Protection Act 2023 (DPDPA), with its implementing Rules notified in November 2025, marks a fundamental shift in how businesses must handle personal data in India. Every organisation that processes personal data of individuals in India — whether Indian or foreign, whether processing in India or abroad (abroad, only if such persons are Indian) — is subject to the Act’s requirements. ATB Legal advises on DPDPA compliance, consent framework design, data principal rights implementation, cross-border transfer restrictions, and Data Protection Board proceedings.

India’s data protection law is not a future obligation — compliance timelines are running. Organisations that begin now will be ready before enforcement begins, within 18 months from November 2025. Those that wait will not.

OUR DATA PROTECTION & PRIVACY SERVICES

Data Protection & Privacy in India: DPDPA 2023

The Digital Personal Data Protection Act 2023 and the DPDP Rules 2025 — notified by MeitY on 13 November 2025 — establish India’s first comprehensive data protection regime. The Act applies to any processing of digital personal data within India, and extraterritorially to processing outside India where it is connected to offering goods or services to individuals in India. Core compliance provisions come into force 18 months from the notification date — approximately May 2027. The Data Protection Board of India is being constituted now. Organisations that process personal data of Indian residents should begin their compliance programmes immediately.

 

Consent Framework and Data Fiduciary Obligations

The DPDPA replaces the Information Technology (SPDI) Rules 2011 as the primary data protection instrument — though the SPDI Rules remain operative during the phased transition. The Act establishes a consent-first framework: personal data may generally be processed only with the free, specific, informed, and unambiguous consent of the Data Principal. Every Data Fiduciary must provide a clear and plain language notice describing the personal data to be collected and the purposes for processing — before or at the time of seeking consent. Consent can be withdrawn at any time, and the withdrawal mechanism must be as easy as the consent mechanism itself. ATB Legal advises on consent architecture, notice design, and the contractual and technical arrangements required to make consent management operationally viable across a business.

 

Data Principal Rights and Grievance Redressal

Data Principals have defined rights under the DPDPA: the right to access information about their personal data being processed; the right to correction and erasure of inaccurate or incomplete data; the right to nominate a person to exercise their rights in the event of death or incapacity; and the right to raise grievances. Every Data Fiduciary must establish a grievance redressal mechanism within the ambit of the DPDP Act, 2023. Consent can be withdrawn at any time. ATB Legal assists organisations in designing and implementing data principal rights frameworks — covering the processes, timelines, and documentation required to respond to rights requests and grievances within the Act’s prescribed timeframes.

Cross-Border Data Transfer Restrictions

The transfer of personal data outside India is restricted under the DPDPA. The Central Government has the power to restrict transfers to specific countries, and to permit transfers only to countries or entities meeting prescribed conditions. The permitted country list has not yet been finalised. For organisations with data flows between India and the UAE, India and the UK, or India and the EU, this restriction is a significant structuring consideration. ATB Legal advises on cross-border data transfer arrangements, the contractual frameworks required for compliant transfers, and the interaction between the DPDPA’s transfer restrictions and the existing requirements under the Information Technology Act 2000 and SPDI Rules.

 

Data Protection Board, Penalties, and Significant Data Fiduciaries

The Data Protection Board of India is an independent adjudicatory body empowered to receive complaints, conduct inquiries, and impose penalties. Penalties under the Act can reach up to Rs 250 crore for specified breaches including obligations relating to children’s data processing and data breach notification. MeitY may designate certain organisations as Significant Data Fiduciaries — carrying additional obligations including periodic Data Protection Impact Assessments, data audits, and the appointment of a Data Protection Officer and independent data auditor. ATB Legal advises on Data Protection Board obligations, assists with Data Protection Impact Assessments, and provides representation in Board proceedings.


FAQ

Frequently Asked Questions - Data Protection & Privacy

Does the DPDPA apply to my organisation?

The DPDPA applies to any person processing digital personal data within India, and extraterritorially to any person processing personal data outside India in connection with offering goods or services to Indian residents. Both Indian and foreign organisations are subject to the Act. Exemptions exist for certain government entities, personal or household use, and research purposes.

When do DPDPA compliance obligations come into force?

The DPDP Rules 2025 were notified on 13 November 2025. Core compliance provisions — consent requirements, data principal rights, and data fiduciary obligations — come into force approximately May 2027 (18 months from notification). Data Protection Board establishment provisions are already operative. Organisations should begin compliance programmes now.

What is a Data Fiduciary and what are its obligations?

A Data Fiduciary is any person who determines the purpose and means of processing personal data. Obligations include: providing a clear consent notice before data collection; obtaining free, specific, informed, and unambiguous consent; maintaining security safeguards; erasing data when the purpose is fulfilled or consent is withdrawn; responding to data principal rights requests; and establishing a grievance mechanism. Significant Data Fiduciaries carry additional obligations including impact assessments and audits.

What are the rights of Data Principals under the DPDPA?

Data Principals have the right to access information about their data being processed; the right to correction and erasure of inaccurate or incomplete data; the right to nominate a person to exercise their rights in the event of death or incapacity; and the right to raise grievances. Consent can be withdrawn at any time. Grievances must be addressed by the Data Fiduciary’s mechanism within prescribed timelines, and unresolved grievances can be escalated to the Data Protection Board.

How does the DPDPA restrict cross-border data transfers?

The Central Government has the power to restrict cross-border transfers of personal data to specific countries. Transfers are permitted only to countries meeting conditions to be prescribed — the permitted country list has not yet been finalised. Organisations with data flows between India and the UAE, UK, or EU should structure their data processing arrangements to accommodate this restriction and monitor Central Government notifications.

What penalties can the Data Protection Board impose?

The Data Protection Board can impose financial penalties for non-compliance. Penalties under Section 33 of the DPDPA can reach up to Rs 250 crore for specified breaches including obligations relating to children’s data processing and data breach notification. The penalty framework is tiered based on the nature and severity of the breach. The Board is also empowered to direct Data Fiduciaries to take remedial action.

Uncompromising Quality

Why Choose ATB Legal?

  • First-Mover Compliance Advantage: Organisations that build DPDPA compliance frameworks before the 18-month deadline operate in the final months with working systems rather than emergency implementations.
  • Consent and Notice Architecture: Practical, operationally viable consent and notice frameworks — not theoretical compliance documents that cannot be implemented by a working business.
  • Cross-Border Transfer Structuring: Advisory on cross-border data transfer arrangements between India and the UAE, India and Europe, and other corridors — particularly relevant for ATB Legal’s India-UAE client base.
  • Data Protection Board Advisory: Representation and advisory for Data Protection Board proceedings — complaints, inquiries, and penalty responses — from advocates with cross-border data protection experience.
  • Integrated with Employment and IP: Data protection compliance integrated with employment law data handling obligations and IP ownership arrangements for employee-generated data — from the same team.

Meet The Core Team

Our Team of Lawyers and Experts

  • George Mathew, LLB, MBA
  • Pauls MI, CA
  • Hemakshi Prabhu, LLB

Micro Case Studies

Representative Experience

Technology Company — DPDPA Compliance Readiness Assessment
Advised an Indian technology company processing personal data across India, the UAE, and the UK on its DPDPA compliance readiness. The mandate covered a data mapping exercise, gap assessment against DPDPA Data Fiduciary obligations, consent notice and mechanism design, data principal rights response framework, cross-border transfer analysis for UAE and UK data flows, and a phased implementation roadmap aligned with the Act's 18-month compliance timeline.

GCC Company — Cross-Border Data Transfer Structuring
Advised a GCC-based company offering digital services to Indian consumers on the applicability of the DPDPA to its India operations. The mandate covered extraterritorial jurisdiction analysis, data processing agreement review, consent architecture design for the India user base, and advisory on the interim arrangements required pending finalisation of the permitted country transfer list.

Manufacturing Group — Employee Data Compliance Framework
Advised an Indian manufacturing group on the implications of the DPDPA for employee personal data — covering consent requirements for employment-related data collection, employee data principal rights, HR system data retention and erasure obligations, the interaction between the DPDPA framework and existing employment contracts, and recommended updates to the group's HR policies and data handling procedures.

Free Legal Consultation

ATB Legal advises organisations on DPDPA 2023 compliance — consent frameworks, data principal rights implementation, cross-border transfer structuring, and Data Protection Board advisory. Speak to the team before your compliance window closes.

Copyright © 2019-2024 ATB Legal Consultancy FZ LLC, All rights reserved.