Publication Date: 2025-11-17
India has officially released the Digital Personal Data Protection (DPDP) Rules and constituted the Data Protection Board of India on November 14, 2025, marking the full operational rollout of the country’s new privacy regime.
These developments now make compliance mandatory for every organization handling personal data of Indian citizens, irrespective of whether the company is based in India or abroad.
This applies broadly to companies that:
• Serve Indian customers or users
• Employ or contract individuals in India
• Operate support centres or offshore teams in India
• Transfer or process India-linked personal data through global systems
Key Compliance Requirements
• Clear, plain-language consent and purpose-specific notices
• Strict breach notification obligations to affected individuals
• Verifiable parental consent for children’s data
• Enforceable rights to access, correction, erasure, and nomination
• Enhanced compliance for Significant Data Fiduciaries (audits, DPIAs, tech due diligence)
Penalties for non-compliance
The Act introduces one of the strongest enforcement models in the region.
Non-compliance can attract financial penalties of up to ₹250 crore (approx. USD 28 million) for violations, depending on their nature, severity, duration, and impact.
Penalties may apply for:
• Failure to implement security safeguards
• Failure to report data breaches
• Breach of children’s data requirements
• Non-fulfilment of data principal rights
• Violations of purpose limitation or consent obligations
• Failure to comply with Data Protection Board directions
Startups and smaller entities benefit from graded penalties, but all global businesses remain within the Board’s jurisdiction if they process Indian personal data. Most provisions have been implemented with immediate effect, and the remaining measures will be rolled out according to a strict schedule, with key milestones at 12 months and full completion within 18 months.