DPDP Rules, 2025 Compliance: 2026 FAQs for Indian Companies
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is no longer just the law of the future. With the DPDP Rules, 2025 (“DPDP Rules”) now notified, Indian organisations have entered the execution phase of data protection compliance. For boards, compliance heads, HR, IT, legal teams, and risk professionals, the questions have shifted from “What is DPDP?” to:
- When does the law actually start biting?
- What must we fix in 2026?
- Where do penalties really arise?
- How exposed are we through vendors and processors?
This FAQ answers exactly those questions, clearly, practically, and with 2026 in mind.
What is the DPDP Act and who does it apply to in India?
The DPDP Act is India’s comprehensive law governing how digital personal data of individuals is collected, used, stored, and shared. It applies to almost every organisation that processes digital personal data in connection with offering goods or services in India, regardless of size or sector.
Covered entities include private companies, start‑ups and MSMEs, non‑profits, and multinationals operating in India. It also applies to most public sector bodies, although the Central Government can exempt specific state instrumentalities or certain types of processing (for example, national security, law enforcement, or research) from some DPDP obligations.
If your organisation handles personal data in any digital form, DPDP will almost certainly apply to you.
What is the DPDP implementation timeline for Indian companies up to the end of 2026?
The DPDP Rules were notified on November 14, 2025 and operationalise the DPDP Act by prescribing detailed procedures, timelines, and controls. They turn broad statutory duties into concrete, auditable requirements that regulators can actually test.
Implementation is effectively phased over 18 months from notification of the DPDP Rules, with the early months for build‑out and 2026 for enforcement‑readiness. Wherever you are today, you should be able to place your organisation on this curve.
| Phase | When this should be true | What organisations should have done by then |
|---|---|---|
| Phase 1 – Governance | Already completed or near completion | Awareness for leadership and key teams; identification of data fiduciary roles, steering committee, and privacy lead; DPDP‑aligned policies and governance drafted and approved; data mapping and records of processing completed; high‑risk processing flagged for deeper assessment. |
| Phase 2 – Operationalisation | In progress now (early–mid 2026) | System changes for notices, consent, logging, and retention underway or live; key vendor/processor contracts updated with DPDP clauses; role‑based training rolled out and logged; consent and preference management operational; rights‑request and grievance workflows functioning in practice. |
| Phase 3 – Enforcement‑readiness | Target for mid–late 2026 | Regular audits planned or initiated; grievance and incident playbooks tested end‑to‑end; breach simulations run; regulatory‑ready documentation (logs, minutes, DPIAs, vendor files, incident registers) maintained; ability to demonstrate live, functioning controls on request. |
By mid‑2026, regulators are likely to expect Phase 3‑level maturity from larger and higher‑risk organisations.
When does the DPDP Act really start to “bite” for businesses?
The DPDP Act “bites” once its key operational provisions are effective and regulators begin to enforce them against real‑world incidents and grievances. For most mid‑to‑large organisations, this will be during 2026, as consent, rights, breach, and vendor controls become directly enforceable.
Practically, the law starts to hurt when a grievance, breach, or audit lands on your table and you cannot produce evidence of reasonable measures. From that point, “we are working on it” stops being a viable defence.
What are the first five things our organisation must fix for DPDP Law compliance in 2025–26?
Priority actions that move the needle fastest are:
- Data mapping and records of processing – Know what personal data you hold, why, where it sits, and which vendors touch it.
- Notices and consent journeys – Align privacy notices and consent language across websites, apps, HR forms, and marketing to DPDP standards.
- Consent and withdrawal mechanisms – Implement simple, logged mechanisms to obtain, manage, and withdraw consent, integrated with downstream systems.
- Vendor/processor contracts – Update key contracts with DPDP clauses on purpose limitation, security, sub‑processing, audits, and breach reporting.
- Governance and training – Assign clear ownership (privacy lead or DPO‑equivalent) and train high‑risk teams on concrete dos and don’ts.
These five foundations support almost every other DPDP obligation and are what regulators will naturally test first.
How should we obtain, record, and manage consent under the DPDP Act?
Under the DPDP Act, consent must be free, specific, informed, unambiguous, and given through a clear affirmative action, based on a valid notice. Individuals must be able to withdraw consent as easily as they gave it, and such withdrawal must be honoured across systems.
Operationally, this means you need:
- standardised consent language;
- UI/UX patterns that clearly separate consent from other terms;
- backend logs of consent and withdrawal events; and
- playbooks to propagate changes to all relevant applications and vendors.
For many organisations, this will require coordinated changes across product, marketing, HR, and IT.
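The consent requirements above (purpose-specific consent, withdrawal as easy as giving it, backend logs of both, and propagation to downstream systems) can be modelled as an append-only event ledger. This is an added illustration, not code from the original FAQ or from any product; the purpose names, notice versions, principal ids and the notification callback are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Consent is recorded per specific purpose, never as one bundled "agree to all"
# (purpose list is constructed for illustration, not taken from the DPDP Rules).
PURPOSES = {"order_fulfilment", "marketing_email", "analytics"}

@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str          # "given" or "withdrawn"
    notice_version: str  # version of the privacy notice shown at the time
    source: str          # capture channel, e.g. "web", "app", "hr_form"
    at: datetime

class ConsentLedger:
    # Append-only log: state is derived from events, never overwritten (audit trail).
    def __init__(self, on_withdraw=()):
        self.events = []
        self._on_withdraw = list(on_withdraw)  # downstream systems (CRM, mailer, vendors)

    def record(self, principal_id, purpose, action, notice_version, source, at=None):
        if purpose not in PURPOSES or action not in ("given", "withdrawn"):
            raise ValueError("consent must name one known purpose and a valid action")
        ev = ConsentEvent(principal_id, purpose, action, notice_version, source,
                          at or datetime.now(timezone.utc))
        self.events.append(ev)
        if action == "withdrawn":  # propagate so withdrawal is honoured across systems
            for notify in self._on_withdraw:
                notify(ev)
        return ev

    def is_permitted(self, principal_id, purpose):
        # Processing is allowed only if the latest event for this pair is "given".
        latest = None
        for ev in self.events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "given"

def demo():
    # Constructed scenario: consent given on the web, later withdrawn in the app.
    notified = []
    ledger = ConsentLedger(on_withdraw=[lambda ev: notified.append((ev.principal_id, ev.purpose))])
    ledger.record("dp-001", "marketing_email", "given", "v2.1", "web")
    ledger.record("dp-001", "order_fulfilment", "given", "v2.1", "web")
    ledger.record("dp-001", "marketing_email", "withdrawn", "v2.1", "app")
    return (ledger.is_permitted("dp-001", "marketing_email"),
            ledger.is_permitted("dp-001", "order_fulfilment"), notified, len(ledger.events))
```

Because events are never deleted, the same ledger answers a rights request ("what did you record about me?") and a regulator's question ("show me that withdrawal was honoured").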
How do we handle data principal rights requests (access, correction, erasure, grievances) under the DPDP law?
The DPDP framework grants data principals rights to access information about processing, seek correction or erasure of inaccurate or incomplete data, and raise grievances with the data fiduciary.
The DPDP Rules specify timelines and procedural expectations for acknowledging and resolving such requests.
To comply, organisations should establish standard request channels, verification processes, triage and routing rules, and SLA‑based workflows, all supported by system capabilities to search, correct, and delete data where legally permissible. Every step should be logged to demonstrate that requests were handled fairly and on time.
What are our obligations towards third‑party data processors, SaaS vendors, and group entities under the DPDP law?
If another entity processes personal data on your behalf, you remain responsible as the data fiduciary. This covers outsourced processors, cloud/SaaS tools, group companies, and shared service centres.
Key obligations include:
- putting in place DPDP‑aligned contracts;
- issuing clear written instructions on permitted use;
- ensuring reasonable security safeguards;
- requiring prompt breach reporting; and
- exercising proportionate oversight through assessments or audits.
Vendor risk is now regulatory risk, not just commercial or operational risk.
What are the penalties under the DPDP Act and what DPDP law compliance evidence will regulators expect in 2026?
The DPDP Act provides for graded monetary penalties up to ₹250 crore per contravention, depending on the type and gravity of the violation. The highest caps apply to failures to implement reasonable security safeguards and failures to meet breach‑notification requirements, with lower caps for other contraventions.
By 2027, regulators and the Data Protection Board of India are likely to look for evidence such as:
- policies and records of processing;
- training logs;
- consent and rights‑request logs;
- DPIAs for high‑risk processing;
- vendor due‑diligence documentation;
- incident and breach registers; and
- minutes or reports showing management oversight.
The emphasis will be on whether your organisation can prove that it took reasonable, proportionate steps.
How should start‑ups and MSMEs in India right‑size DPDP law compliance without over‑engineering?
Start‑ups and MSMEs are not exempt from DPDP, but compliance can be calibrated to scale and risk. The key is to avoid “policy theatre” and instead focus on a lean, high‑impact baseline.
A right‑sized approach often includes:
- a simple but accurate data map;
- one unified privacy notice;
- clean consent and unsubscribe mechanisms;
- a small set of critical vendor contracts with DPDP clauses;
- basic but enforced security hygiene (access control, encryption, backups, MFA); and
- lightweight rights and grievance handling workflows.
As the business and risk profile grow, this foundation can be expanded rather than rebuilt.
Wrapping Up
DPDP compliance is no longer a legal checkbox. It is a trust framework, a risk-control mechanism, and increasingly, a business differentiator. Organisations that embed DPDP into operations, not just policies, will be the ones that scale confidently in India’s data-driven economy.
Bookmark this FAQ. By mid-2026, you’ll wish you had started earlier.
Suggested Reading
- India’s DPDP Act, 2023: How Data Principals and Data Fiduciaries Are Redefining Data Protection, Digital Trust, and Leadership in India’s Digital Economy | Rainmaker
- India’s DPDP Act 2023 & Rules 2025: Cross‑Border Data Transfer Rules, Negative List Risks & Compliance Action Plan for Indian Businesses | Rainmaker
- Significant Data Fiduciary Under India’s DPDP Act: Boardroom Duties, DPO Role, DPIAs and AI Risk Governance | Rainmaker
- Reimagining Consent in India’s Digital Age: What the DPDP Act & Rules 2025 Mean for Data Privacy and Compliance | Rainmaker