For more updates follow Grant Thornton Bharat on WhatsApp
India has taken a decisive step toward enforcing its modern privacy regime, with the Government formally activating the Digital Personal Data Protection Act, 2023 (DPDP Act) through a series of three gazette notifications.
These notifications operationalise the Act by setting out its implementation schedule, constituting the Data Protection Board, and issuing the DPDP Rules 2025 — collectively forming the legal and institutional backbone that will steer the handling of personal data over the next 18 months.
With this move, the country’s Ministry of Electronics and Information Technology (MeitY) has ushered in a new compliance environment that reshapes how organisations collect, process, and govern personal information, extending across social media platforms, digital services, online marketplaces, and every entity that manages personal data.
The shift places greater control in the hands of citizens while signalling to businesses that India’s data protection regime has entered its enforcement phase.
This development marks more than administrative progress. It represents a structural inflexion point: compliance transitions from a theoretical requirement to an enforceable obligation, and the window for industry adaptation is now clearly defined.
For businesses, the implications are considerable. Foundational duties relating to notice, consent, and basic governance are already in force, requiring organisations to ensure that essential controls are operational without delay. While the phased schedule offers some preparation time, the countdown has effectively begun for more complex requirements that will apply after 12 and 18 months.
These include independent audits, classification as a 'significant data fiduciary', the introduction of consent and withdrawal mechanisms, conducting data protection impact assessments, and establishing procedures for cross-border data transfers. With the enforcement architecture now formalised, companies must prepare for active oversight, investigations, and potential sanctions rather than relying on guidance-led compliance.
Sectors that handle large volumes of personal data, such as fintech, digital platforms, advertising technology, hospitality, and healthcare, face particular urgency. They must map data flows, evaluate their fiduciary classification, and implement mechanisms that align with the new regulatory expectations. The operationalisation of the DPDP Act highlights the balance India is attempting to strike between safeguarding individual privacy and enabling the growth of its digital economy. For industry, however, the message is clear: the transition is underway, and substantive compliance action must begin immediately.
This article first appeared in the Voice&Data on 14 November 2025.
Economic Survey 2025-26 outlines India’s macroeconomic performance, growth drivers, inflation dynamics and fiscal consolidation, offering key policy signals ahead of the Union Budget 2026
India Union Budget 2026: India has a strategic opportunity in Budget to solidify its position as a global technology leader. By focusing on clear AI governance, robust data infrastructure, and sustained innovation funding, the nation can accelerate responsible digital transformation and compound economic value for businesses and citizens.
This playbook captures key insights from Risk Week 2025 on building organisational resilience amid regulatory convergence, technology disruption, climate risk and shifting stakeholder expectations.
