DPDPA 2023: Obligations on Data Fiduciaries Every Indian Business Must Know
- Kaustav Chowdhury
The Digital Personal Data Protection Act, 2023 (DPDPA) and the DPDP Rules notified on 13 November 2025 have fundamentally changed how Indian businesses must handle personal data. Every organisation that determines the purpose and means of processing digital personal data, termed a Data Fiduciary under the Act, now faces a comprehensive set of legal obligations with significant financial penalties for non-compliance. Whether you operate an e-commerce platform, a fintech application, a healthcare service, or any business that collects customer data, understanding your obligations as a Data Fiduciary is essential to avoid penalties that can reach up to two hundred and fifty crore rupees.
The DPDPA imposes several core obligations on Data Fiduciaries under Sections 4 through 10 of the Act, operationalised by the DPDP Rules 2025. First, before processing any personal data, fiduciaries must provide a clear, plain-language notice specifying the data being collected, the purpose of processing, and how data principals can exercise their rights, as detailed in Rule 6. Consent must be free, specific, informed, unconditional, and based on clear affirmative action. Second, fiduciaries must implement reasonable security safeguards including encryption, access controls, periodic audits, and breach detection mechanisms, with retention of logs for at least one year under Rule 6. Third, personal data breaches must be reported to the Data Protection Board within seventy-two hours and affected individuals must be notified promptly under Rule 7, regardless of the severity of the breach. Fourth, data must be deleted when it is no longer necessary for the specified purpose or when consent is withdrawn, with data principals to be notified at least forty-eight hours before erasure under Rule 8.
Businesses classified as Significant Data Fiduciaries (SDFs) based on the volume and sensitivity of data they process face additional obligations under Rule 13. SDFs must appoint a Data Protection Officer who is an Indian resident, conduct annual Data Protection Impact Assessments, undergo independent audits, and comply with potential data localisation requirements for categories of personal data specified by the Central Government. The framework also introduces algorithmic governance, making the DPDPA the first Indian law to explicitly mandate due diligence on AI and machine learning systems that process personal data. For all fiduciaries, Rule 14 requires responding to data principal requests within seven days of receipt and completing all access, correction, or erasure actions within ninety days.
The DPDP Rules follow a phased implementation timeline: the Data Protection Board establishment began in November 2025, consent manager registration opens in November 2026, and full compliance including consent, privacy notice, and security requirements becomes mandatory by May 2027. Businesses should not wait for the final deadline. Building a compliant data governance framework takes time, and early preparation reduces the risk of enforcement actions. Sansa Kanoon Pranali Partners assists organisations with DPDPA compliance assessments, privacy policy drafting, data processing agreements, breach notification frameworks, and preparation for Significant Data Fiduciary obligations.