India’s digital privacy regime entered a new phase with the notification of the Digital Personal Data Protection (DPDP) Rules, 2025. The Rules are the operational framework that gives effect to the country’s first comprehensive data protection law.
Experts have weighed in on several important aspects of the 2025 Rules, highlighting both the opportunities and challenges posed by the new data protection law.
A recent trend Prachi Shrivastava, Founder, Lawfinity Solutions and Vakil Vetted, has noticed is early-stage startups allocating 15-20% of their legal budgets specifically to DPDPA readiness.
“This is mostly toward privacy policy architecture, consent management frameworks, and data processing agreements with vendors. For growth-stage companies targeting enterprise clients, that figure jumps to 25-30% because compliance has become a deal-breaker in sales cycles. Hospitals, BFSI institutions, and multinational buyers now audit data governance before onboarding. If your contracts and technical controls aren’t DPDPA-compliant, you don’t make it past procurement,” she said.
Ankit Sahni, Partner, Ajay Sahni & Associates, outlined Rules 17 to 21, which are operational and lay the procedural groundwork for the constitution and functioning of the Data Protection Board.
“We therefore await the formal appointment and notification of the Board to complete the institutional framework. This phased timeline provides fiduciaries with a structured runway to re-engineer their consent, purpose limitation, security and grievance redressal mechanisms while maintaining continuity of service,” he said.
For legal practitioners such as Sahni, the rules provide a “materially clearer compliance grid” that balances lawful processing with principled limitations and offers industry adequate temporal flexibility to operationalise security-by-design and accountability-centric practices.
Akshat Agrawal, Founder & Counsel, AASA Chambers, pointed out that certain provisions in the law might require clarification, including Rule 20 (Functioning of Board as digital office) and Rule 19(6), which allows the Chairperson to take necessary action in case of an emergency situation.
“For instance, Rule 20 mentions ‘techno-legal measures’, which may need to be clarified to indicate the exact measures that may be desirable for the Rule to see any practical reality. Similarly, the emergency powers under Rule 19(6) ought to be clarified as regards their scope to avoid arbitrariness, particularly in defining what constitutes an ‘emergency situation’ warranting unilateral action by the Chairperson and establishing clear review mechanisms for such decisions,” he said.
Advocate Yash Vardhan Singh from Sarvaank Associates underlined the rise in compliance costs owing to the “sharply expanding” regulatory obligations across data protection, AI governance, ESG, cybersecurity and sector-specific rules.
“Companies now face more disclosures, tighter reporting timelines and significantly higher fines for lapses. Meeting these expectations requires stronger internal controls, specialised compliance talent and new monitoring and documentation technologies, all of which are driving legal and compliance spend upward across the board,” Singh said.
Arun Prabhu, Partner & Co-Head, Digital +, TMT, Cyril Amarchand Mangaldas, said that the limited refinements made, such as a mandatory one-year data retention obligation, the allocation of responsibility for potential cross-border transfer restrictions to an inter-ministerial committee, and clarifications on positions relating to persons with disabilities, have been broadly helpful.
However, he added, “It was widely hoped that the final rules would include clarity on the manner of recording consent and data processing agreements (including through a template notice, and DPA), but this has not occurred.”
According to Mitakshara Goyal, Co-founder, Svarniti Law Offices, the real test would be enforcement of these laws and whether the regulatory authorities could hold the tech giants and Indian entities to these standards.
“With MeitY notifying the DPDP Rules, India finally has an operational, first-of-its-kind data protection law. The rules lay out duties on notice, consent, children’s data and data-retention limits, especially for large platforms but the real test now is enforcement capacity and whether regulators can actually hold Bigtech and Indian companies to these standards”, she said.
She further added, “By prescribing requirements on consent, children’s data and strict erasure timelines for e-commerce, gaming and social-media platforms, the government has sent a strong signal that misuse of personal data is no longer a cost-free business model in India”.
Hardeep Sachdeva, Senior Partner, AZB & Partners, emphasised that the obligations provided under the DPDP Act and the DPDP Rules will result in incremental compliance costs.
“Given the breadth of obligations introduced under the DPDP Act and the new DPDP Rules, they will require a step-change in how enterprises collect, store, process and protect digital personal data. This will naturally translate into incremental compliance costs. For digital-first and data-heavy companies, technology budgets alone could rise by approx. 10% to 15% depending on scale, while legal and process-governance spends will also increase,” he said.