
DPDP Act Compliance Checklist 2026: The Must-Haves Before May 2027

Updated: May 26, 2026


India's Digital Personal Data Protection Rules were notified on 13 November 2025. Substantive compliance becomes enforceable on 13 May 2027. Enterprises must encrypt personal data at rest and in transit, retain audit logs for one year, enable data principal rights, and report breaches to the Data Protection Board without delay, with a detailed report inside 72 hours. 

What does the DPDP Act actually require of an Indian enterprise? 

The DPDP Act, 2023 and the DPDP Rules, 2025, place enforceable obligations on every Data Fiduciary that processes the personal data of individuals in India. The obligations fall into five buckets: lawful basis and consent, data principal rights, reasonable security safeguards, breach notification, and additional duties for entities designated as Significant Data Fiduciaries. 

The Rules were notified on 13 November 2025. Provisions relating to the Data Protection Board took effect immediately. Consent-manager provisions take effect on 13 November 2026. The substantive compliance provisions take effect on 13 May 2027. That is the hard deadline boards should plan against. Soft enforcement, warnings and guidance are expected through 2026. 

The Schedule to the Act sets upper-limit penalties. Up to ₹250 crore for failure to implement reasonable security safeguards. Up to ₹200 crore for failure to notify a breach, processing without valid consent, or failure to protect children's data. These are ceilings, not flat amounts. The Data Protection Board applies the factors set out in Section 33 of the Act, including the nature and gravity of the breach, the duration, the type of personal data, and any mitigating action taken, before fixing the penalty. 

Who is a Significant Data Fiduciary, and how do you know if you are one? 

Section 10 of the Act allows the Central Government to designate any Data Fiduciary, or class of Fiduciaries, as a Significant Data Fiduciary based on six factors: volume of personal data, sensitivity of the data, risk to data principals, risk to sovereignty and integrity of India, risk to electoral democracy, and risk to public order. Any one factor is enough. 

The list has not yet been published. The categories widely expected to be designated include large social media platforms, fintech and payments, telecom and ISPs, e-commerce marketplaces, healthcare and health-tech, and large mobility platforms. Significant Data Fiduciaries must appoint a Data Protection Officer based in India, complete an annual Data Protection Impact Assessment, and undergo an annual independent data audit. 

The Rule 6 controls checklist: what reasonable security safeguards mean in practice 

Rule 6 is where the Act stops being abstract. It is the rule that maps directly to budget and architecture decisions. The Rules require Data Fiduciaries to deploy "appropriate technical and organisational measures" including encryption, access control, monitoring, and the ability to detect and reconstruct an incident. The table below translates the legal language into the control set a CISO can hand to a network and security team. 

| Rule 6 requirement | Control category | What enterprise teams must operationalise |
|---|---|---|
| Confidentiality of personal data | Encryption | AES-256 at rest, TLS 1.2 or higher in transit, key management with rotation. |
| Access limited to authorised persons | Identity and access | Centralised identity, role-based access, multi-factor authentication for all privileged and remote access, joiner-mover-leaver discipline. |
| Detection of unauthorised access | Network and endpoint visibility | Next-generation firewalls, network segmentation between systems holding personal data and the general estate, EDR on endpoints and servers, IDS / IPS at perimeter and core. |
| Logs to enable detection, investigation and prevention | Logging and SIEM | Continuous audit logs retained for at least one year, centralised log aggregation, correlation rules tuned to detect data exfiltration patterns. |
| Continuity of processing in the event of an incident | Resilience | Tested backups, immutable copies for ransomware resilience, documented recovery time and recovery point objectives. |
| Means to investigate and report a breach | Incident response | A documented IR playbook, 24x7 monitoring, breach reporting workflow to the Data Protection Board, communications templates for data principals. |
| Reasonable contractual safeguards with processors | Vendor management | DPA clauses with every processor, audit rights, breach pass-through obligations. |

A network estate that already runs Catalyst or Meraki switching, Catalyst SD-WAN or Meraki MX for WAN, Cisco Secure Access for SSE and SASE, Cisco Duo for MFA, and Cisco XDR for detection covers most of the technical surface of Rule 6. The work is closing the gaps between what is licensed, what is deployed, and what is tuned. 

The breach clock and the CERT-In overlap most CISOs miss 

Rule 7 sets a two-stage breach notification obligation. The Data Protection Board must be informed "without delay" with the nature, extent, timing and likely impact of the breach. Within 72 hours, or longer if the Board allows, the Data Fiduciary must file a detailed follow-up report covering the facts, causes, mitigations, individuals or entities responsible, steps to prevent recurrence, and a summary of notifications issued to affected data principals. 

Affected data principals must be notified in plain language. The notice must describe the breach, the data exposed, the protective steps a principal can take, and the Fiduciary's contact details. 

DPDP does not replace CERT-In. CERT-In's 2022 direction still requires reporting of specified cyber incidents within six hours of becoming aware of them, on an entirely separate channel. These are parallel obligations, not alternatives. The same incident may need to be filed twice, to two regulators, on two different clocks. CISOs should build a single internal trigger that fans out to both channels with the right level of detail to each. 

Two consequences for security operations follow. First, log fidelity matters. If a SIEM cannot reconstruct the path of an intruder, the Fiduciary cannot file a defensible 72-hour report. Second, the incident response playbook must include both the Board and the CERT-In notification workflow. 
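The "single internal trigger that fans out to both channels" described above, as an added example (not code from the original article or from Proactive Data Systems): one function turns the moment of awareness into a task per regulator channel with its own deadline and required field set, so the SOC can see which filing is due next and whether a draft report is still missing fields. The six-hour, "without delay" and 72-hour clocks and the Rule 7 field names come from the article; the CERT-In field list and the sample awareness time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Clocks as the article states them: CERT-In's 2022 direction (six hours from
# becoming aware) and Rule 7's detailed report (72 hours). The initial DPDP Board
# notice is "without delay", modelled here as due at the moment of awareness.
CERT_IN_WINDOW = timedelta(hours=6)
DPDP_DETAILED_WINDOW = timedelta(hours=72)

# Field sets Rule 7 lists for the two DPDP filings. CERT-In's own field list is
# not enumerated in the article, so a single placeholder field stands in for it.
DPDP_INITIAL_FIELDS = ("nature", "extent", "timing", "likely_impact")
DPDP_DETAILED_FIELDS = ("facts", "causes", "mitigations", "responsible_parties",
                        "recurrence_prevention", "principal_notification_summary")
CERT_IN_FIELDS = ("incident_details",)  # placeholder; see the CERT-In direction

# Constructed sample awareness time for the demo (assumption, not a real incident).
SAMPLE_AWARE_AT = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)

@dataclass(frozen=True)
class NotificationTask:
    channel: str           # cert_in | dpdp_board_initial | dpdp_board_detailed
    due_at: datetime
    required_fields: tuple

def fan_out(aware_at, personal_data_involved, cert_in_reportable):
    """One internal trigger that produces a task per regulator channel."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; the clocks are audited")
    tasks = []
    if cert_in_reportable:
        tasks.append(NotificationTask("cert_in", aware_at + CERT_IN_WINDOW, CERT_IN_FIELDS))
    if personal_data_involved:
        tasks.append(NotificationTask("dpdp_board_initial", aware_at, DPDP_INITIAL_FIELDS))
        tasks.append(NotificationTask("dpdp_board_detailed",
                                      aware_at + DPDP_DETAILED_WINDOW, DPDP_DETAILED_FIELDS))
    return sorted(tasks, key=lambda t: t.due_at)  # earliest deadline first

def missing_fields(task, report):
    """Fields the draft filing still lacks; a non-empty list blocks submission."""
    return [f for f in task.required_fields if not report.get(f)]

def overdue(tasks, now, filed):
    """Channels whose deadline has passed without a filing recorded in `filed`."""
    return [t.channel for t in tasks if t.channel not in filed and now > t.due_at]

def hours_after(aware_at, hours):
    return aware_at + timedelta(hours=hours)
```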

How DPDP layers on top of RBI, IRDAI and SEBI norms 

Sectoral regulators already impose data norms on their regulated entities. RBI has data localisation requirements for payment system data and outsourcing norms for financial entities. IRDAI has information and cybersecurity guidelines for insurers and intermediaries. SEBI has its CSCRF for capital-market entities. 

DPDP does not displace any of these. It layers on top. Where the two regimes touch the same control, for example, breach reporting timelines or encryption, the stricter requirement applies in practice. A bank that already runs to RBI norms does not get a free pass on DPDP, and a DPDP-compliant fintech does not automatically clear RBI outsourcing rules. CISOs in regulated sectors should map their controls against both regimes side by side. 

Data principal rights: what the user-facing workflows must do 

The Rules require Data Fiduciaries to publish on their website or app the contact details of a Data Protection Officer or designated person, a mechanism for data principals to exercise rights, and a grievance redressal mechanism with defined response timelines. The rights include access, correction, completion, erasure, nomination and grievance. 

These are workflow obligations, not paper obligations. The product, customer service, HR and marketing systems that hold personal data must each support these rights. Building the workflow once, in a single point of orchestration that calls each downstream system through APIs, is faster and cheaper than building it seven times. 

The Consent Manager framework: what kicks in on 13 November 2026 

The Consent Manager framework, governed by Rule 4 and the First Schedule, becomes effective on 13 November 2026. Consent Managers will be registered by the Data Protection Board and will give data principals a single interoperable interface to give, review and withdraw consent across multiple Data Fiduciaries. 

For enterprises, three actions are due this year. First, redesign consent capture so each purpose is recorded separately with a plain-language notice and a verifiable timestamp. Second, retain consent and notice artefacts as an audit trail the Board can inspect. Third, build the API surface that lets a registered Consent Manager pull and update a principal's consent state. The November 2026 milestone is closer than May 2027 and arrives first. 
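The three consent actions above (per-purpose capture with a notice and timestamp, a retained audit trail, and a surface a Consent Manager can pull and update) as one added example, not code from the original article or from any registered Consent Manager: an append-only ledger in which each purpose is its own record, current state is derived from the trail rather than overwritten, and an absent record means no consent. The record shape, the `source` field and the manager id are assumptions about how such an integration might look.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    """One append-only record: consent for a single purpose, given or withdrawn."""
    principal_id: str
    purpose: str           # one purpose per record, never a bundled "all purposes"
    action: str            # "given" or "withdrawn"
    notice_text: str       # the plain-language notice shown when consent was given
    recorded_at: datetime  # verifiable timestamp, always timezone-aware
    source: str            # "fiduciary_ui" or the id of a registered Consent Manager

class ConsentLedger:
    def __init__(self):
        self._events: list[ConsentEvent] = []  # never mutated, only appended to

    def record(self, principal_id, purpose, action, notice_text,
               source="fiduciary_ui", recorded_at=None):
        if action not in ("given", "withdrawn"):
            raise ValueError("action must be 'given' or 'withdrawn'")
        if action == "given" and not notice_text.strip():
            raise ValueError("consent must be captured against a notice")
        ts = recorded_at or datetime.now(timezone.utc)
        ev = ConsentEvent(principal_id, purpose, action, notice_text, ts, source)
        self._events.append(ev)
        return ev

    def current_state(self, principal_id) -> dict[str, bool]:
        """Latest action per purpose: the view a Consent Manager pulls."""
        mine = [e for e in self._events if e.principal_id == principal_id]
        state: dict[str, bool] = {}
        for ev in sorted(mine, key=lambda e: e.recorded_at):  # stable sort
            state[ev.purpose] = ev.action == "given"
        return state

    def may_process(self, principal_id, purpose) -> bool:
        """Processing check: no record means no consent, not implied consent."""
        return self.current_state(principal_id).get(purpose, False)

    def audit_trail(self, principal_id) -> list[ConsentEvent]:
        """The artefacts the Board can inspect, in the order they were recorded."""
        return [e for e in self._events if e.principal_id == principal_id]

    def apply_update(self, principal_id, manager_id, updates: dict[str, bool],
                     notice_text="", recorded_at=None):
        """A Consent Manager pushes per-purpose changes; each purpose gets its own event."""
        return [self.record(principal_id, p, "given" if g else "withdrawn",
                            notice_text, manager_id, recorded_at)
                for p, g in updates.items()]
```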

Children's data: a separate, stricter regime 

For personal data of anyone under 18, the Rules require verifiable parental consent before processing, and prohibit behavioural tracking and targeted advertising. Healthcare, education, edtech and any consumer platform with a meaningful under-18 user base must build a parental-consent workflow that meets the verifiability test, log the parental identity check, and exclude minors from any tracking-based personalisation. Penalties for failure here are capped at ₹200 crore. 

Cross-border transfer: the rule that quietly constrains cloud architecture 

Section 16 of the Act allows the Central Government to restrict the transfer of personal data to specified countries. The Rules require Significant Data Fiduciaries to ensure that specified categories of personal data are not transferred outside India. The detailed list has not been notified. 

The practical implication for IT is to know, today, which workloads hold what personal data and where those workloads run. Cloud architects should expect, at a minimum, that BFSI, healthcare and government-adjacent workloads will face localisation pressure. Hybrid architectures with regional data residency controls become the safer default. 

DPDP versus GDPR in one line 

DPDP is consent-led, lighter on lawful bases than GDPR, narrower in scope to digital personal data, with penalties expressed in absolute rupee ceilings rather than as a percentage of global turnover. Enterprises with GDPR programmes already have most of the controls; the work is the India-specific overlay, not a rebuild. 

The 2026 board-defensible checklist 

If a board asks the CISO what good looks like by 31 December 2026, this is the list. 

  1. Personal data inventory completed across structured and unstructured stores, with classification and ownership. 
  2. Encryption at rest and in transit verified, not just licensed. 
  3. MFA on every privileged account and every remote-access route, no exceptions. 
  4. Network segmentation between personal-data systems and the general estate, with documented east-west controls. 
  5. SIEM in production with one-year log retention and correlation rules tuned to data-exfiltration patterns. 
  6. EDR on all endpoints and servers, with response runbooks tested. 
  7. Incident response playbook updated to include both the DPDP Board and CERT-In notification workflows. 
  8. DPO or designated grievance officer named, published, and reachable. 
  9. Data principal rights workflow live, with response SLAs defined. 
  10. Consent capture redesigned for the Consent Manager framework, ready for the 13 November 2026 milestone. 
  11. Children's-data workflow with verifiable parental consent, where applicable. 
  12. Processor contracts updated with DPA clauses and audit rights. 

What to watch in 2026 

Two open questions will shape the next twelve months. First, which classes MeitY designates as Significant Data Fiduciaries under Section 10, with fintech, telecom, large e-commerce and major social platforms most exposed. Second, whether the Central Government notifies the list of countries restricted under Section 16 and the categories of personal data that must stay onshore. Both decisions will move CISO budgets. A live watch on MeitY notifications is a small but useful 2026 governance habit. 

How Proactive Data Systems helps 

Proactive Data Systems is a Preferred Partner under the Cisco 360 Partner Program across Networking, Security, Collaboration, Cloud & AI, and Services. The Cisco stack already maps to most of Rule 6. The work that bridges licence to compliance (segmentation design, MFA rollout discipline, SIEM tuning, breach playbook engineering) is what our practice has done for Indian BFSI, manufacturing and ITeS enterprises for over three decades. 

Book a DPDP Readiness Assessment. Ninety minutes. Your network and identity baseline mapped against Rule 6. A remediation plan in your hands within ten working days. Write to [email protected]

Frequently Asked Questions

The DPDP Rules were notified on 13 November 2025. Provisions relating to the Data Protection Board took effect immediately. Consent-manager provisions take effect on 13 November 2026. Substantive compliance obligations take effect on 13 May 2027.
Up to ₹250 crore for failure to implement reasonable security safeguards. Up to ₹200 crore for failure to notify a breach, processing without valid consent, or failure to protect children's data. These are ceilings. The Data Protection Board applies the factors in Section 33 of the Act before fixing the amount.
Both apply in parallel. CERT-In's 2022 direction requires reporting of specified cyber incidents within six hours. DPDP requires notification to the Data Protection Board without delay, with a detailed report inside 72 hours. The same incident may have to be filed with both regulators, on different timelines, through different channels.
Every Data Fiduciary. The Board must be informed without delay, with a detailed report inside 72 hours. Affected data principals must be notified in plain language.
A Data Fiduciary or class of Fiduciaries that the Central Government designates under Section 10 based on data volume, sensitivity, risk to data principals, risk to India's sovereignty, risk to electoral democracy or risk to public order. Any one factor is enough. SDFs must appoint a DPO, complete annual DPIAs and undergo annual independent audits.
Yes. Rule 6 requires reasonable security safeguards, including encryption of personal data at rest and in transit.
Audit logs must be retained for at least one year to support detection, investigation and prevention of unauthorised access.
Yes, subject to any restrictions the Central Government may notify under Section 16. Significant Data Fiduciaries must ensure that specified categories of personal data are not transferred outside India.
No. DPDP layers on top. Where the two regimes touch the same control, the stricter requirement applies in practice.
