India's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer servicesIndia's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer services
Abhishek Bansiwal
INDigital Personal Data Protection Act, 2023 (India)

India's privacy regime is live. Most companies aren't ready.

The DPDPA and its DPDP Rules bring India's first comprehensive data protection regime, consent-centric, extraterritorial, and carrying penalties that reach ₹250 crore per breach category. We advise on it from Indian legal qualification and an EU practice: the corridor between GDPR and DPDPA is where this practice lives.

At a glance

Who it catches

Processing of digital personal data in India, plus processing abroad connected to offering goods or services to people in India

Maximum penalties

Up to ₹250 crore (~€27m) per category of breach, per the Act's schedule

Key concepts

Data Fiduciaries and Principals, consent managers, Significant Data Fiduciary designation with added duties (DPO, audits, DPIAs)

Status

Act passed 2023; DPDP Rules notified, compliance windows are now running

What it requires

The obligations that matter in practice.

  • Valid, granular consent, or a listed legitimate use, for every processing purpose
  • Notices to Data Principals in plain language, including in scheduled Indian languages
  • Breach notification to the Data Protection Board and affected individuals
  • Rights handling: access, correction, erasure, grievance redressal, and nomination
  • For Significant Data Fiduciaries: an India-based DPO, independent audits, and DPIAs
  • Cross-border transfer compliance as government notifications evolve

How we help

Where our practice comes in.

FAQ

Common DPDPA questions.

Less than starting from zero, but the deltas matter: consent is narrower than GDPR's six lawful bases, notices have language requirements, and Significant Data Fiduciary designation brings India-specific duties. A bridge assessment maps exactly what carries over and what doesn't.

If you process digital personal data in connection with offering goods or services to people in India, yes, the Act reaches you regardless of where you're incorporated.

Start here

Tell us what you're dealing with.

Pick the service that sounds closest, or just describe the situation. You'll get an honest reply within 24 hours: where you stand, what actually needs doing, and whether we're the right fit for it.

Prefer to talk? Book a free 30-min call

Email: abhishek.adv@yahoo.com

LinkedIn: linkedin.com/in/abhishekbansiwal

Working with clients across the EU, UK, US, India, and beyond. See the privacy notice for how enquiries are handled.

Replies within 24 hours. No mailing list, no follow-up sequence.