India’s DPDP Act 2023 & Rules 2025: Cross‑Border Data Transfer Rules, Negative List Risks & Compliance Action Plan for Indian Businesses
The digital world feels borderless, until the law reminds you that it isn’t.
It’s not uncommon to have a growing startup in Mumbai serving users from Singapore to San Francisco, relying on a cloud server in Frankfurt and running analytics pipelines across multiple regions. Everything works seamlessly… until one morning a government notification quietly places your preferred cloud region on a restricted list. Overnight, what felt like a global playground becomes a maze of compliance, risk, and hurried architectural decisions.
This is not a hypothetical. This is fast becoming the lived reality businesses must plan for as India transitions into the Digital Personal Data Protection (DPDP) era.
With the DPDP Act, 2023 and the freshly notified DPDP Rules, 2025, India has introduced a cross-border transfer framework that is unlike most global models. It’s highly flexible in design, but arguably more unpredictable in practice. Understanding it is no longer optional; it’s a strategic imperative for leadership teams, boards, and anyone building digital products out of India.
A Law That Arrives in Stages, Not All at Once
The DPDP Act may have been passed in 2023, but the story truly begins with the notification of the DPDP Rules in November 2025. Importantly, the law doesn’t roar to life in a single day. Instead, its rollout is phased: administrative and foundational pieces come first, with most core obligations, such as consent, data fiduciary duties, security safeguards, breach reporting, and cross-border transfer requirements, taking effect 18 months after notification.
Between now and that future enforcement date lies something incredibly valuable: a window of preparation.
For organisations, this is the time to map systems, audit vendors, rationalise cloud regions, rebuild contracts, and rethink how data travels through their infrastructure. Those who treat this period as a runway, and not a buffer, will be the ones who build resilience before the rules tighten.
Cross‑Border Data Transfers under the DPDP Act, 2023 and DPDP Rules, 2025
Unlike the GDPR, which requires adequacy assessments, standard contractual clauses, and binding corporate rules, India has chosen something far simpler in appearance but more nuanced in effect.
Under Section 16 of the DPDP Act and Rule 15 of the DPDP Rules, personal data may be transferred outside India unless the Central Government, by notification, restricts transfers to specific countries, territories or entities.
On the surface, this feels liberating. Businesses retain the freedom to use global cloud providers, offshore analytics tools, foreign processors, and multinational workflows, unless there are specific restrictions.
But flexibility comes with a warning label: “Allowed today” can become “restricted tomorrow.”
This model gives India agility to respond to national security concerns, geopolitical shifts, or sectoral risks, but it also creates uncertainty for long-term planning. The government isn’t required to publish criteria for its decisions, nor a timeline for future lists.
For organisations this means one thing: design for unpredictability.
What Remains Uncertain and Risky?
- No published criteria for how or why a country may be restricted
- No clarity on which categories of sensitive data may face localisation
- Undefined timelines for audits, DPIAs, enforcement
- Open questions about conflicts between Indian law and foreign jurisdiction laws applied to the same dataset
Uncertainty isn’t always the enemy, but ignoring it is.
What the Law Actually Requires
Beyond the negative-list design, the DPDP Act and Rules impose obligations that don’t vanish simply because the transfer is allowed:
- Strict security safeguards
- Mandatory breach notifications
- Respect for user rights (access, correction, erasure)
- Retention and deletion policies
- Special obligations for Significant Data Fiduciaries (SDFs) including audits, DPIAs, assessments of high‑risk automated or algorithmic systems, and enhanced security.
Cross-border data flows will sit at the center of enterprise risk, not the periphery.
What This Means for Different Players
1. Startups, SaaS Companies, Digital Platforms
The current flexibility is a blessing. Global cloud, offshore development, foreign processors, all remain accessible. But agility must be paired with preparedness:
- Build migration-ready cloud architecture.
- Maintain fallback India-based storage for sensitive flows.
- Upgrade vendor contracts with DPDP-compliant security clauses.
- Include deletion rights, audit rights, and retrieval protocols.
Startups used to optimising for cost and speed must now optimise for resilience.
2. Multinationals, Enterprises, and Regulated Sectors
Here, the stakes multiply and SDF designation is likely.
- Internal data flows between HQ, regional entities, and India-based teams must be mapped, and may need restructuring.
- Data governance must evolve beyond checklists; cross-border transfer risk becomes a board-level topic.
This is not merely a legal issue. It’s a business-continuity question.
The Preparation Window: What Leadership Should Be Doing Today
The next 18 months are a strategic gift. Leadership teams should prioritise:
1. Comprehensive Data-Flow Mapping: Where data originates, where it travels, which vendors touch it, which cloud regions store it.
2. Sensitivity Classification: Identify data types that may attract future restrictions.
3. Contractual Redesign: Rebuild DPAs and vendor agreements with DPDP-specific clauses.
4. Cloud-Region Resilience: Can you shift regions in 30–90 days? If a government order drops at 8 am, will operations break by noon?
5. Governance and Monitoring: Assign responsibility. Build a regulatory watch. Track notifications.
6. Board Awareness: Cross-border data transfer is becoming a business risk, not a compliance appendix.
The Bigger Picture: Why This Moment Matters
The DPDP regime is not merely shifting rules; it is shifting mindsets. Data sovereignty, security, and responsible processing are becoming foundational business expectations. Organisations that adapt early will:
- Build operational resilience
- Win global trust
- Stand out during regulatory transitions
- Protect themselves from sudden disruptions in cross-border flows
The law’s flexibility is an opportunity. The unpredictability is the challenge. Both demand preparation.
Wrapping Up
India’s DPDP framework is ushering in a new phase of digital regulation, one that gives businesses room to move, but also requires them to move wisely. Over the next 6–12 months, the organisations that invest in mapping, architecture, contracts, and governance will be the ones who remain steady when the first restricted-list notification lands.
Because that cloud server in Europe may be convenient today, but tomorrow, it could be the very thing that tests your systems, your contracts, and your strategy.
Build smart now. And build for the world that’s coming.