The Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules") mark a turning point for how companies in India manage personal data.

Authors: Sunny Goel, Suraj Theruvath, Gaurav Dhwaj


With the DPDP Rules being notified on 13 November 2025, data protection has moved from being a compliance topic handled by legal or IT teams to a core board-level governance and risk issue. For organizations across sectors, this shift brings direct accountability for boards and senior management. The regulatory framework introduces strict obligations, significant financial penalties and reputational consequences for failures. The Digital Personal Data Protection (DPDP) regime means that data protection must now be treated as an enterprise-wide discipline, integrated into governance, operations and risk management.

This article explains what the DPDP regime means for organizations, why it matters at the board level and how organizations should respond in a practical and structured manner.

Executive takeaways

  • DPDP Act and DPDP Rules convert data protection from a legal obligation into an enterprise-wide governance and risk issue
  • Boards and senior management in enterprises are now directly exposed to regulatory scrutiny, penalties, and reputational fallout
  • Compliance must be demonstrable, auditable and operational, not limited to written policies

Legal perspective

With the notification of the DPDP Rules, the DPDP Act has become an enforcement-driven law. Data principals now have enforceable rights, including access to data, correction, erasure and grievance redressal, all within prescribed timelines.

Businesses (referred to as data fiduciaries) are responsible for ensuring that personal data is processed lawfully and securely. This responsibility is outcome-based: it is not enough to have policies on paper; organizations must be able to show that those policies work in practice.

Data processors such as third-party administrators (TPAs), cloud service providers and other vendors remain under the control of businesses engaging them. Any failure by these processors can result in direct liability for the businesses if oversight and contractual controls are weak.

The law looks at the entire data lifecycle: consent, purpose limitation, rights handling, breach response, record retention and board oversight. Regulators will assess failures collectively. Weak governance, poor supervision or lack of board engagement can significantly worsen regulatory outcomes.

Depending on the volume and sensitivity of personal data handled by organizations, some are likely to be classified as significant data fiduciaries (SDFs), which brings additional compliance, audit and governance requirements.

Business perspective

For corporate leaders this means a hard deadline structure (phased commencement), new operational controls across people, processes and technology, stronger liability for the conduct of third-party processors, and the practical need for robust cyber risk insurance and proactive incident response capabilities. This article explains the Rules in operational detail, maps time-bound actions and lays out an integrated remediation and risk transfer plan.

Operationalizing DPDP Act in business: Consent, service delivery and continuous

Executive takeaways

  • Consent architecture and data minimization directly affect core business operations, especially the units engaging with individual customers either directly or through data processors
  • Handling of data principal rights and vendor oversight are key regulatory focus areas
  • Legal, technology and operations teams must work together as one system

Legal perspective

The DPDP Rules impose detailed requirements around lawful processing, consent design and data usage. Consent must be clear, informed, specific, easy to withdraw and properly recorded. Withdrawal of consent must be as simple as giving it.

For organizations, this could be challenging because data is often reused across business functions for various purposes. Practices based on broad or open-ended consent will need to be re-examined.

Organizations must also exercise strong control over their data processors, including business process / technology vendors, cloud providers and offshore service partners. Although these entities process data, the legal responsibility remains with the organizations engaging them. Failures at the vendor level can directly trigger regulatory action.

Ultimately, regulators will assess how well the systems work in reality and not how well the policies are drafted.

Business perspective: Core obligations (in operational terms)

Third-party processors as critical exposures

  • Why do processors multiply risk?
    • The fiduciary remains accountable for processing done "by it or on its behalf", so a processor breach, or a processor's failure to preserve logs, immediately becomes the fiduciary's regulatory problem.
    • Processors typically hold backups, keys and logging evidence; without their timely cooperation, organizations face delayed incident response, greater regulatory exposure and significantly higher remediation costs.
  • Mandatory contractual and operational remedies:
    • DPAs must include specific security controls, log retention obligations (1 year), immediate breach notification, audit rights, sub‑processor approval clauses, data return and secure deletion obligations; and indemnities for negligence, data breach, breach of confidentiality, breach of IPR etc.
    • Operationally, tier vendors by criticality, demand SOC 2 / ISO 27001 attestation, require penetration tests and enforce remediation SLAs.
    • Require processors to carry E&O and cyber risk insurance, with limits set on the basis of data breach loss quantification exercises and with "additional insured" status for the fiduciary. Record the insurer details in the DPA, and require these obligations to be maintained for 3 to 5 years after the DPA terminates.
  • Limitations of contractual mitigation: Indemnities are only as good as the counterparty's solvency and jurisdictional enforceability. This reinforces the need for technical controls, insurance cover and contingency arrangements for rapid service transition.

Implications of non-compliance

The principal categories of non-compliance and their indicative exposure are set out below:

| Category of non-compliance | Regulatory basis | Indicative penalty exposure | Governance and risk implications |
|---|---|---|---|
| Failure to implement reasonable security safeguards | DPDP Act read with DPDPA Rules (Rule 8) | Up to ₹250 crore | Assessed based on the sensitivity of data, scale of processing and adequacy of technical and organizational measures |
| Delayed, incomplete or inaccurate breach notification to DPBI | DPDPA Rules (breach notification obligations) | Up to ₹200 crore (subject to DPBI discretion) | Procedural failure is treated independently of the breach; lack of escalation discipline is a key aggravating factor |
| Deficient consent mechanisms or inadequate privacy notices | DPDP Act and DPDPA Rules (consent and notice provisions) | Up to ₹200 crore | Structural consent failures may be treated as systemic non-compliance |
| Violations relating to children's personal data | DPDP Act (children's data provisions) | Up to ₹200 crore | Heightened regulatory sensitivity; limited tolerance for design or process lapses |
| Failure to enable Data Principal rights (access, correction, erasure, grievance redressal) | DPDP Act and DPDPA Rules | Up to ₹200 crore | Focus on timeliness, scalability and operational readiness |
| Non-compliance with additional obligations applicable to Significant Data Fiduciaries | DPDP Act and DPDPA Rules (SDF obligations) | Up to ₹150 crore | Governance failures and the absence of board oversight materially increase exposure |
| Repeated or systemic non-compliance | DPDP Act (general enforcement powers) | Enhanced penalties within statutory caps | Past violations, remediation history and compliance maturity are key determinants |

Who is responsible?

From a governance standpoint, organizations are expected to demonstrate clear ownership, oversight and accountability for data protection across the organization. An overview of the core governance expectations is set out below:

| Area | Expectation |
|---|---|
| Board oversight | Data protection risks should be considered within enterprise risk management and reviewed periodically at board or committee level |
| Senior management accountability | Clear allocation of responsibility for compliance outcomes, with defined escalation and reporting lines |
| Role of the DPO | Independence, authority and access to senior management to enable effective monitoring and regulatory engagement |
| Audit and assurance | Periodic internal or independent reviews to assess effectiveness of controls and compliance with DPDP requirements |
| Documentation and evidence | Maintenance of records evidencing decisions, oversight, remediation and ongoing compliance |
| Vendor governance | Structured oversight of TPAs and service providers, aligned to contractual and operational controls |

Phased commencement: when and what organisations must deliver

Phasing summary

  • Immediately on gazette publication: the Rules creating the Board, definitions, appointments and governance take effect. Organizations must be ready to interact with a functioning regulator.
  • One year from publication: consent manager registration requirements come into force.
  • Eighteen months from publication: the substantive operational rules become binding, covering notice, consent, security, breach reporting, retention / erasure, DPIA mandates and third-party obligations.

Suggested timebound implementation road map

  • Within the next 3 months: assign a Board liaison and a DPO / contact. Run a full DPDP Rules gap assessment, determine whether you meet the significant data fiduciary thresholds and compile a vendor inventory.
  • 3 to 9 months: redesign consent UI and notice content. Deploy a consent store with machine-readable exports. Strengthen SIEM coverage and retain logs for one year. Negotiate Data Protection Agreements (DPAs) with processors, requiring audit evidence and minimum cyber risk and errors and omissions insurance to be in place.
  • 9 to 12 months: complete technical rollouts (encryption / tokenization, automated erasure workflows with 48-hour notices) and conduct tabletop exercises for breaches.
  • 12 to 18 months: finalize DPIAs and audits for high-risk processing, complete consent manager registration where applicable, conclude vendor attestations and ensure readiness for board reporting.
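The consent store with machine-readable exports and the automated erasure workflow with 48-hour notices named in the road map above, sketched as an added illustration. This is not the authors' or Gallagher's code and not a reference implementation of the DPDP Rules; the retention periods, record layout, principal identifiers and the assumption that the 48-hour notice runs from the end of the retention period are all constructed for the example. It shows three things the road map asks for: withdrawal that is a single call with the same arguments as the grant, a JSON export that an auditor or consent manager can consume, and a scheduled erasure cycle that never sends the notice and erases in the same run.

```python
"""Consent ledger with symmetric grant/withdraw, machine-readable export and a
48-hour-notice erasure cycle. Added illustration only; not a reference
implementation of the DPDP Rules. Retention periods, field names and the JSON
layout are assumptions made for this example."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Advance notice to the data principal before erasure (road map item). Assumed
# here to start when the retention period ends.
NOTICE_PERIOD = timedelta(hours=48)


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str                      # one specific purpose per record, never open-ended
    granted_at: datetime
    retention_days: int               # days data may be kept once consent for this purpose ends
    withdrawn_at: Optional[datetime] = None
    notice_sent_at: Optional[datetime] = None
    erased_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None and self.erased_at is None

    def retention_ends(self) -> datetime:
        # Retention runs from withdrawal when consent was withdrawn, otherwise from grant.
        start = self.withdrawn_at or self.granted_at
        return start + timedelta(days=self.retention_days)

    def to_dict(self) -> dict:
        # ISO-8601 timestamps so the export is machine-readable and portable.
        def fmt(d: Optional[datetime]) -> Optional[str]:
            return d.isoformat() if d else None
        return {
            "principal_id": self.principal_id,
            "purpose": self.purpose,
            "granted_at": fmt(self.granted_at),
            "retention_days": self.retention_days,
            "withdrawn_at": fmt(self.withdrawn_at),
            "notice_sent_at": fmt(self.notice_sent_at),
            "erased_at": fmt(self.erased_at),
        }


class ConsentStore:
    """In-memory consent store; a real deployment would back this with a database."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self.audit_log: List[str] = []   # append-only evidence trail for regulators and auditors

    @staticmethod
    def _key(principal_id: str, purpose: str) -> str:
        return f"{principal_id}:{purpose}"

    def get(self, principal_id: str, purpose: str) -> ConsentRecord:
        return self._records[self._key(principal_id, purpose)]

    def grant(self, principal_id: str, purpose: str, retention_days: int, now: datetime) -> ConsentRecord:
        rec = ConsentRecord(principal_id, purpose, now, retention_days)
        self._records[self._key(principal_id, purpose)] = rec
        self.audit_log.append(f"{now.isoformat()} GRANT {principal_id} {purpose}")
        return rec

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> ConsentRecord:
        # Same arguments as grant, one call, no extra steps: as easy as giving consent.
        rec = self.get(principal_id, purpose)
        if rec.withdrawn_at is None:
            rec.withdrawn_at = now
            self.audit_log.append(f"{now.isoformat()} WITHDRAW {principal_id} {purpose}")
        return rec

    def export(self) -> str:
        # Machine-readable dump for access requests, audits or hand-over to a consent manager.
        return json.dumps([r.to_dict() for r in self._records.values()], indent=2)

    def run_erasure_cycle(self, now: datetime) -> Dict[str, List[str]]:
        """Scheduled job. The first cycle after retention ends sends the 48-hour
        notice; a later cycle erases once the notice period has elapsed. A record
        is never noticed and erased in the same run."""
        result: Dict[str, List[str]] = {"notices": [], "erased": []}
        for key, rec in self._records.items():
            if rec.erased_at is not None:
                continue
            if rec.notice_sent_at is None:
                if now >= rec.retention_ends():
                    rec.notice_sent_at = now
                    result["notices"].append(key)
                    self.audit_log.append(f"{now.isoformat()} NOTICE {key}")
            elif now >= rec.notice_sent_at + NOTICE_PERIOD:
                rec.erased_at = now          # the data itself would be deleted from the systems holding it
                result["erased"].append(key)
                self.audit_log.append(f"{now.isoformat()} ERASE {key}")
        return result


def demo() -> dict:
    """Constructed scenario: a customer grants two purposes and withdraws one."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    store = ConsentStore()
    store.grant("P-1001", "policy_servicing", retention_days=30, now=t0)
    store.grant("P-1001", "marketing", retention_days=7, now=t0)
    store.withdraw("P-1001", "marketing", now=t0 + timedelta(days=1))
    cycles = {f"day{d}": store.run_erasure_cycle(t0 + timedelta(days=d)) for d in (8, 9, 10)}
    return {
        **cycles,
        "servicing_active": store.get("P-1001", "policy_servicing").active(),
        "export_count": len(json.loads(store.export())),
        "audit_entries": len(store.audit_log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the scenario, the withdrawn marketing consent reaches the end of its retention on day 8 and receives its notice; the day 9 cycle does nothing because 48 hours have not passed; the day 10 cycle erases it, while the still-active policy-servicing consent is untouched. Every transition lands in the audit log, which is the evidence an auditor or the Board would ask for.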

When things go wrong: Breach response and notification expectations

From an operational and governance standpoint, the DPDP framework expects organizations to maintain structured, time-bound, and auditable processes for identifying, assessing and reporting personal data breaches. The key areas and corresponding expectations are outlined below:

| Area | Expectation |
|---|---|
| Incident identification | Insurers are expected to maintain mechanisms capable of detecting personal data breaches across internal systems and third-party environments in a timely manner. |
| Internal escalation | Clear escalation protocols should exist to ensure that suspected breaches are promptly assessed and elevated to appropriate decision-makers, including senior management where required. |
| Decision-making authority | Roles and authority for determining breach materiality, notification requirements and response actions should be predefined and understood across functions. |
| Timely regulatory notification | Breach notification to the Data Protection Board of India is expected to be accurate, complete and made within prescribed timelines once awareness is established. |
| Data principal communication | Where notification to affected individuals is required, communication should be clear, consistent and designed to enable data principals to take protective measures. |
| Third-party coordination | Incident response arrangements should account for breaches involving TPAs, hospitals, surveyors or service providers, with contractual and operational clarity on cooperation and reporting. |
| Documentation and audit trail | Decisions, timelines, assessments and remedial actions taken during an incident should be documented to support regulatory review and internal accountability. |
| Testing and preparedness | Incident response frameworks are expected to be periodically tested and reviewed to ensure effectiveness under time-sensitive conditions. |

Conclusion: From reactive compliance to board-led accountability

The DPDP regime makes it clear that fragmented or reactive compliance is no longer sufficient. For organizations, data protection now directly affects governance credibility, financial strength and long-term trust.

Boards that treat DPDPA compliance as a checklist exercise risk regulatory penalties, operational disruption and reputational harm. A sustainable approach requires clear legal understanding, strong operational execution and effective risk transfer.

Companies that adopt a board-led, structured approach to data protection are better positioned to manage enforcement risk, respond effectively to incidents and maintain organizational resilience as regulatory expectations continue to evolve.

How Gallagher supports DPDPA readiness

Gallagher supports organizations through an integrated approach to cyber and data protection risk management. Our cyber risk insurance broking team helps to identify exposures under the DPDP regime and structure insurance coverage addressing regulatory penalties, breach response costs and complex cyber risks. Gallagher's Cyber Defense Centre (CDC) strengthens preparedness through vulnerability management, employee awareness initiatives and incident response planning aligned with regulatory expectations. Our Another Day team specializes in digital forensics and crisis management, helping clients investigate, contain and recover from data breaches while also advising on best practices for ethical data handling.

Dhwaj and Associates provides legal and regulatory support to insurers navigating the DPDP Act and DPDP Rules, including interpretation of statutory obligations, advice on governance and accountability requirements and guidance on managing regulatory and enforcement risk in line with emerging practices.

Together, Dhwaj and Associates and Gallagher enable organizations to adopt a coordinated approach to DPDP compliance, combining legal interpretation, governance alignment, operational readiness, incident response capability and risk transfer to address regulatory, operational and financial risks under India's evolving data protection regime.

Author Information

Sunny Goel

Head of Liability and Growth Projects

Suraj Theruvath

Cyber Business Leader — India

Gaurav Dhwaj

Founder and Managing Partner, Dhwaj and Associates