Processing India’s data protection law: understanding the road to implementation

Indiaʼs much-awaited data protection law will soon transform how entities handle the personal data of billions.

On 13 November 2025, the Ministry of Electronics and Information Technology (MeitY) gave the dormant Digital Personal Data Protection Act, 2023 (DPDPA) a much-needed shot in the arm.

It jump-started the DPDPAʼs implementation by: (1) activating some of its provisions (e.g., provisions concerning the Central Governmentʼs rule-making powers); (2) establishing the new four-member data protection authority, the Data Protection Board of India (Board); and (3) notifying the implementing rules, the Digital Personal Data Protection Rules, 2025 (DPDP Rules).

State of play

Most substantive sections of the DPDPA (e.g., notice and consent requirements) and the allied rules will only take effect on 13 May 2027. This 18-month transition timeline could, however, be compressed.

Why this matters

The DPDPA will overhaul Indiaʼs current, leaner regulatory regime, which focuses on protecting sensitive personal data or information.

With its threat of hefty penalties and intricate compliance requirements, it will fundamentally change how data fiduciaries (entities determining how and why personal data is processed) handle personal data — from collection to erasure.

It will, in most cases, revamp how organisations approach privacy and data protection.

We unpack the road to implementation in our update.