Digital Personal Data Protection Act

Skip to content
Skip to navigation

On 13 November 2025, the Ministry of Electronics and Information Technology (MeitY) released the Digital Personal Data Protection Act and Rules, completing India’s data protection framework. The phased rollout spans 18 months - core provisions and the Data Protection Board take effect immediately, consent manager obligations follow in 12 months, and full compliance requirements in 18 months.

The Rules mandate clear consent notices, breach reporting within 72 hours, parental consent for children, data retention norms, and stricter duties for Significant Data Fiduciaries, including annual audits and data protection and impact assessment (DPIA). Cross-border transfers adopt a “negative list” approach, aligning India closer to global standards like GDPR.

For businesses, this is more than compliance - it’s a strategic imperative to embed privacy-by-design, strengthen governance, and build trust in the digital economy.

Key highlights of the DPDPA

The DPB acts as the central authority for enforcing the DPDP Act. It has powers to investigate breaches, adjudicate disputes, and impose penalties up to INR 250 crore. The Board ensures accountability and compliance across organisations handling personal data.

The Act mandates specific timelines for responding to data principal requests such as access, correction, withdrawal of consent, and grievance resolution. This ensures faster and more transparent handling of individual rights.

Consent Managers are now part of a regulated framework, enabling individuals to manage and withdraw consent easily across multiple platforms. This strengthens user control over personal data processing.

A comprehensive compliance framework covering consent and notices, breach reporting, data retention, children’s data safeguards, cross-border transfers, Data Protection Impact Assessment (DPIAs), and additional obligations for Significant Data Fiduciaries (SDF).

Webinar

DPDPA Decoded: What it means for businesses in 2026

We hosted the first session of our DPDPA Webinar Series, focusing on India’s Digital Personal Data Protection Act. With phased implementation from 2026, the session discussed key provisions, timelines, and why organisations must view privacy beyond compliance, as a strategic enabler.

The video is playing. This video is playing in mini-player mode.

Regulatory governance & enforcement

Data Protection Board of India

The DPBI will be established following the appointment of its chairperson and members through search-cum-selection committees. Once operational, it will function as a fully digital office and serve as the adjudicating authority for privacy compliance. The chairperson is recommended by committee comprising cabinet secretary (Chair), legal affairs secretary, MeitY secretary, and two experts. Members are recommended by separate committee with MeitY secretary (Chair), legal affairs secretary, and two experts. Central Government appoints based on recommendations. Board chairperson and members receive compensation per Fifth Schedule specifications. The Board functions as digital office with authority to adopt techno-legal measures enabling remote proceedings without physical presence.

What our leaders have to say

A contemporary #DataPrivacy regime as a part of India’s #RegulatoryEcosytem, one of the six ecosystems that we are shaping, is critical to help shape #VibrantBharat. The #DPDPA rules represent a significant milestone, balancing two critical priorities-safeguarding individual data rights and fostering responsible business innovation. This is an opportunity for businesses to build trust through responsible data use, advance AI safety and align with global data governance standards.

Vishesh C Chandiok CEO, Grant Thornton Bharat

DPDPA is a defining moment in India’s digital journey. When organisations protect personal data with integrity, we don’t just meet regulations; we strengthen citizen trust and help shape a #VibrantBharat.

Deepankar Sanwalka Senior Partner, Grant Thornton Bharat

Auto and EV

The DPDPA 2025 rules are set to redefine how the automotive and EV ecosystem approaches data. With vehicles becoming software-driven and connected, data flows across R&D, manufacturing, dealer networks, and customer interfaces are now central to business models. These regulations elevate data governance from a compliance checkbox to a strategic lever—demanding privacy-by-design in telematics, predictive maintenance, and mobility services. For industry players, this means embedding trust and transparency into every digital touchpoint, ensuring global interoperability while mitigating risks. Those who act proactively will not only safeguard against steep penalties but also unlock competitive advantage by building resilient, customer-centric data architectures that power innovation in the era of electrification and autonomy.

Saket Mehra
Partner and Auto & EV Industry Leader, Grant Thornton Bharat

Aviation

The November 2025 DPDPA Rules impose comprehensive obligations on aviation stakeholders, requiring airlines, airports, and aerospace manufacturers to implement consent-based passenger data systems, embed privacy-by-design into biometric and IoT platforms, and ensure compliance across complex vendor networks. While these measures will inevitably increase expenditure on IT infrastructure, cybersecurity, and governance, they are indispensable for safeguarding sensitive information and sustaining international confidence in an industry which is known to attract and manage massive volume of personal data of travelers and other stakeholders.

Ashish Chhawchharia
Partner and Aviation Industry Leader, Grant Thornton Bharat

Consumer and Retail

DPDP Act and Rules are reshaping the consumer and retail landscape, especially digital commerce, by making privacy the cornerstone of customer experience. Businesses can no longer rely on unchecked personalisation; every data point now demands explicit consent and secure handling. This shift impacts everything, from consent management at scale to cross-border data flows and vendor compliance. For e-commerce players, the implications are profound: balancing frictionless shopping with robust privacy controls will define winners and losers. Those who embrace transparency and embed privacy into their brand promise will not only avoid penalties but also earn the ultimate competitive edge, which is consumer trust.

Naveen Malpani
Partner and Consumer Industry Leader, Grant Thornton Bharat

Energy & Renewables

India’s DPDP Act marks a turning point for the energy and infrastructure sectors where data-driven operations across utilities, renewables, transport and carbon markets must now be anchored in strong consent, secure governance and clear accountability. By embedding privacy-by-design into workflows, deal pipelines and ESG reporting, organisations can not only meet regulatory expectations but also strengthen trust, reduce risk and enhance the credibility of their climate disclosures emerging as transparent, resilient and future-ready leaders.

Amit Kumar
Partner and Energy & Renewables Industry Leader, Grant Thornton Bharat

Engineering and Industrial Products

With the release of the DPDPA Rules in November 2025, manufacturers must now implement strict consent-based data collection, anonymisation of worker and IoT data, and enhanced cybersecurity across supply chains. These requirements should be regarded by manufacturers as a strategic imperative and will result in reduced costs in the long term and positioning as competitive and trusted partners in global trade.

Shridhar Kamath
Partner and Engineering & Industrial Products Industry Leader, Grant Thornton Bharat

Financial Technology

Digital Personal Data Protection Act (DPDA) presents the business opportunity to further enhance the trust for banking and financial services to the customers by protecting personal data adequately as per DPDP rules, the implementation of rules should be based on three pronged principles as spreading awareness at each level, Assessing Readiness Gaps, if any, at each process and Implementation of Rules along with testing from independent agency(ies).

Dharmendra Jhamb
Partner and Fintech Industry Leader, Grant Thornton Bharat

Healthcare

India’s DPDP regime is encouraging healthcare organisations to treat patient data with the same care as medical treatment. From electronic health records and diagnostic images to teleconsultations and connected devices, personal data across the care continuum now comes with clear responsibilities: taking proper consent, using data only for defined purposes, and keeping it secure. This is not just about compliance; it’s about building a privacy-first culture that earns long-term patient trust. The shift also impacts interoperability networks and public health programmes, ensuring consistent practices across care delivery and data exchange. Over time, these safeguards will lay the foundation for responsible AI adoption and integrated care models. They will support the creation of a connected, patient-centric healthcare system rooted in affordability, accessibility, and availability, while enhancing provider competitiveness and India’s standing as a trusted medical tourism destination.

Bhanu Prakash Kalmath
Partner and Healthcare Industry Leader, Grant Thornton Bharat

Insurance

Given insurers’ and insurtechs’ heavy reliance on sensitive customer data, the DPDPA’s applicability becomes significantly important. Alongside the IRDAI Cybersecurity Guidelines 2023, which converge on key elements of data privacy, security and accountability, the Act is reshaping how data is collected, used and protected by insurance companies. Together, these regulations are driving stronger governance and privacy-first practices, ultimately deepening customer trust.

Narendra Ganpule
Partner and Insurance Industry Leader, Grant Thornton Bharat

Media

In media and entertainment, the Digital Personal Data Protection Act directly impacts how audience profiling, targeted advertising, and content recommendation engines operate. As platforms balance personalisation with privacy-especially around children’s data and cross-platform tracking-DPDPA pushes the industry to redesign data practices that protect trust without limiting creative and commercial innovation.

Ananay Jain
Partner, Grant Thornton Bharat

Medical Devices

Devices today are not just hardware, they are data engines, streaming insights from implants, monitors, wearables, and AI-driven diagnostics. With DPDP, the expectation shifts: privacy must be engineered into every layer of the device ecosystem, from design to deployment. For manufacturers and global OEMs, this means moving beyond compliance checklists to privacy-by-design principles, clear consent flows, minimal data collection, encrypted pipelines, and lifecycle governance. Done right, this isn’t a burden, it’s a differentiator. DPDP turns data protection into a lever for responsible scale, interoperability, and sustainable growth in India’s medtech market.

Abhay Anand
Partner, Deals Lifecycle, Grant Thornton Bharat

Metals and Mining

The DPDP Act and new rules mark a critical shift for the metals and mining sector. While the government is working on greater data transparency, the sector will need to balance its data sharing commitments with protection of privacy. The sector is unique in that it hires land-losers in large numbers where their entitlements are dependent on the evidence they share against their claims. In the last several years, this sector has seen operations being handed out widely to contract workers. A lot of compassionate hiring happens on account of the hazardous nature of the sector. Most metal and mining companies provide accommodation in remote location to families of employees. They provide municipal services. Due to the large operational footprint of metals and mining companies they typically extend CSR related initiatives beyond their plant-gate and township. Needless to say, they manage not just employee-data but also citizen-data. The new DPDP Act needs to be taken seriously by the metals and mining sector and managed through strong compliances so that investor, employee, and business partner confidence is maintained.

Niladri Bhattacharjee
Partner and Metals & Mining Industry Leader, Grant Thornton Bharat

NBFC, Banking, and Asset Management

Data has always been the key pillar for business growth, be it in form of revenue, operational excellence or customer experience. Hence, privacy has always been one of the most imperative drivers for data governance. While financial services organisations have always factored this into account in their data governance journey, DPDPA guidelines empower the governance functions to formally implement this with rigour. While not explicitly called out yet, it would be useful for financial services organisations to assume that they will be significant data fiduciaries and implement DPDPA.

Vivek Iyer
Partner and Fintech Industry Leader, Grant Thornton Bharat

Real Estate

The DPDP Act is reshaping India’s Real Estate and REIT sector as it scales digital platforms across construction, operations, and investor engagement. With customer data embedded in access systems, leasing platforms, and engagement apps, the Act demands stronger consent management, data minimisation, secure sharing, and clear accountability. Early adoption of privacy-by-design will reduce cyber and compliance risk while reinforcing trust with customers, tenants, and investors.

Shabala Shinde
Partner and Real Estate Industry Leader, Grant Thornton Bharat

Sports

In sport today, data is at the heart of every major decision, from fan engagement to athlete management to sports infrastructure. The DPDP framework puts this on firm ground by setting clear rules for consent, purpose limitation, data minimisation and security by design whenever health, biometric or behavioural data is used. Getting privacy right is now a competitive advantage, especially for our sports industry: it builds fan trust, safeguards athletes and underpins sustainable performance and commercial value across our sporting ecosystem.

Arjun Singh
Partner and Sports Industry Leader, Grant Thornton Bharat

Technology

The DPDPA is reshaping the technology industry from compliance-by-design to trust-by-design. With clearer rules on consent, retention and breach response, businesses now need stronger data governance and sharper engineering discipline. Firms that treat this as a trust advantage—not a cost—will lead the digital economy.

Raja Lahiri
Partner and Technology Industry Leader, Grant Thornton Bharat

Transport and Logistics

DPDPR is transforming the transportation and logistics sector by making data privacy cornerstone and integral to operational excellence and business continuity. From real-time tracking to digital proof of delivery, compliance demands secure systems, consent-driven processes, and vendor accountability. This is not just a regulatory shift; it’s a strategic pivot. Businesses that embed privacy into their logistics workflows will not only mitigate risk but also strengthen customer / stakeholders trust, turning compliance into a competitive differentiator in an increasingly data-driven supply chain.

Bhavik Vora
Partner and Transportation & Logistics Industry Leader, Grant Thornton Bharat

Financial services	Customer profiling, authentication, sensitive data Process outsourcing - fintech partnerships, data processing, product alliances Risk management - credit, AML, fraud and insurance Financial information and transaction data Fingerprints, facial recognition data for secure access
Tech, media, telecommunications and entertainment (TMTE)	Personal preferences and behaviour Device information and location Personal data from online activities Communication records, media consumption patterns, browsing histories
Consume and retail products	Name, address and contact numbers Consumer preferences Payment and transaction data Browsing histories, shopping preferences, feedback and reviews Service usage, feedback, loyalty programme details
Healthcare and life sciences	Patient health records Health insurance Clinical trial data Biometric and genetic data Appointment histories, feedback, health monitoring data Diagnostic results, treatment plans, prescription records
Tourism and hospitality	Travel itinerary Payment information Reservation information Guest feedback Credit card details, transaction histories, billing information
Digital natives	Identity data - Name, date of birth, gender, profile picture Behavioural data - Browsing history, social media likes, comments, and shares Health data - Fitness activity, medical history Communication data - Chat messages, voice call recordings, emails or feedback submitted via platforms

The experts viewpoint

The video is playing. This video is playing in mini-player mode.

How Grant Thornton Bharat can help?

Develop customised compliance approaches for different industries

Establish and manage Data Protection Offices

Implement automated tools to ensure compliance

Guide organisations in data gathering to meet DPDP requirements

Streamline data assimilation and management processes

Deliver independent data audit services

Integrate compliance into governance practices

Uphold reputation by ensuring airtight compliance for independent directors

Support CIOs and CISOs with strategic and technical measures

10.

Align IT systems with DPDP requirements through expert collaboration

11.

Resolve data breach disputes with expert intervention

Our insights

Our resources

Incident response management lifecycle for DPDPA

Under DPDPA’s strict timelines, support across detection, containment and reporting helps meet the 72-hour SLA, reduce risk and strengthen trust.