By Probir Roy Chowdhury

With the government notifying the Digital Personal Data Protection Rules, the age of broad, unexplained data collection is ending. The companies that move early will realise that good privacy practices are not a cost; they are a competitive advantage. This is India’s GDPR moment, writes Probir Roy Chowdhury.

Significance of the notified rules

For two years, the Digital Personal Data Protection Act, 2023 (DPDP Act) remained in a state of regulatory uncertainty, with more questions than answers. The Ministry of Electronics and Information Technology (MeitY) has now notified the DPDP Rules 2025, putting the operational framework of the law into motion. The Rules provide the clarity we’ve all been waiting for. They prescribe, in concrete terms, what is allowed, what is not, and what regulators will expect when they knock on the door. This is not a minor compliance update; it marks a shift in how companies in India collect, use, store and monetise personal data. This is India’s GDPR moment: the age of broad, unexplained data collection is ending.

Consent is critical

The rules provide strict standards for consent collection, purpose limitation and transparency. You cannot ask for “everything, just in case” anymore. Companies will now have to disclose why they need each category of data and ensure that individuals have a real choice not to give their data. Withdrawal of consent must be as easy as giving it, which means product teams will need to build those pathways into their interfaces. Children’s data and data of persons with disabilities now come with a higher bar called “verifiable parental or guardian consent”, supported by age and identity checks.

Firms responsible for securing data

Security obligations too are no longer general expectations. Businesses can be expected to maintain evidence of the controls they claim to have. And breach notifications now come with defined timelines. Businesses need to notify incidents promptly and with substance. Cross-border data transfers, retention and deletion requirements, and processor obligations are also addressed with greater clarity.

What do these changes mean for Indian businesses across sectors?

Consent: For many businesses, particularly in FMCG, adtech, retail, education and healthcare, that have numerous touchpoints for data collection, the DPDP Rules call for demonstrable accountability. Consent notices will need more than a round of edits. Companies will need to revisit their data practices, what they seek consent for, and whether their current UX (user experience) genuinely offers a choice to individuals. Consent layers on apps and websites, many of which were built for ease rather than clarity, will need to be rebuilt with effective withdrawal mechanisms.

Data Minimisation: Senior management will need to make concrete internal decisions on what data is actually necessary and how long it should be retained. Businesses that scaled quickly and collected broadly, without embedding privacy into design, are likely to feel the heat. Several companies will have to re-examine data flows and streamline what they gather and store.

Practically, this will require cross-functional alignment. Product and engineering teams will have to sit with legal teams to validate purposes, retention schedules and deletion processes. Marketing teams will need to recalibrate their campaign models and refine what they truly need. Vendor contracts will also need a refresh.

What immediate steps should firms take to prepare?

Companies need to begin with a data map of what they collect, who touches this information, how long the company keeps it, and where this data is stored. If a company cannot answer these questions confidently, then it is perhaps not compliant with the Act. That should be followed by a thorough review of the company’s consent and notice mechanisms. The company should also revisit all vendor contracts. Finally, it is essential to revisit the company’s incident-response plan.

How should business leaders view this shift?

Businesses should treat data protection as part of customer trust, market credibility and brand value. India Inc. has waited a long time for the DPDP Act. The Rules bring clarity, but they also bring urgency. Compliance is not optional anymore, and it certainly isn’t cosmetic. The companies that move early will realise that good privacy practices are not a cost; they are a competitive advantage.

The writer is partner, JSA Advocates & Solicitors