The Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025, ushering in a new era of enforceable digital privacy. This marks the full operationalization of the Digital Personal Data Protection Act, 2023 (DPDP Act), passed by Parliament in August 2023. Together, the Act and the Rules form a clear and citizen-centred framework for the responsible use of digital personal data, placing equal weight on individual rights and lawful data processing. With the notification of the Rules, India now has a practical and innovation-friendly system for data protection. It is easy to understand, encourages compliance and strengthens trust in the country’s growing digital ecosystem, and it spells out what organisations must do when they collect or use such data.
SO WHAT DOES IT MEAN FOR ENTERPRISES OPERATING IN INDIA?
According to Sanket Atal, SVP, Engineering and Country Head, OpenText India, the DPDP Rules represent one of the most consequential shifts in India’s data governance framework. “Beyond the headline requirements, the rules formalize three critical obligations for enterprises - verifiable consent, demonstrable accountability, and real-time breach visibility. These expectations move organisations from passive data collection to active data stewardship. The impact will be felt most by organisations with large and complex data estates.”
Diwakar Dayal, Managing Director & Area Vice President – India & SAARC, SentinelOne, believes that the mandate will accelerate India’s shift from reactive security to continuous monitoring and AI-driven response. It will also spotlight the gap between companies that have modernized their SOC and those that are still reliant on legacy tools. “The regime will push India Inc toward stronger cyber hygiene, real-time security operations, and accountable governance. The organisations that modernize early will not just meet compliance — they will gain long-term resilience and trust in an increasingly AI-driven digital economy,” he says.
At the same time, Diwakar says that enterprises must know what data they have, where it resides, its sensitivity, and who accesses it. Without this, reporting obligations become chaotic and inconsistent. “Moreover, fragmented systems make breach identification slow and inconsistent. India Inc must consolidate visibility across endpoint, cloud, identity, and network, supported by AI-driven correlation so that incidents are validated quickly and accurately.”

Sanjay Agrawal, Head Presales and CTO, India and SAARC, Hitachi Vantara, also feels that the DPDP Rules will bring clarity and urgency to breach reporting by defining personal data breaches broadly and requiring timely intimation to the Board and affected users. “Many digitally mature enterprises have already strengthened monitoring and incident response systems. Others are still building unified visibility across data environments, which is essential for timely and accurate breach determination,” he says.
However, Sanjay points out that the key challenge is that many organisations still operate with fragmented legacy environments and inconsistent recovery readiness. Protection-first modernization will solve this problem quickly and reliably.
“The new DPDP rules mark a pivotal moment for India’s digital ecosystem, setting a clear and long-awaited benchmark for how organizations must handle personal data,” agrees Huzefa Motiwala, Senior Director, Technical Solutions, India and SAARC, Palo Alto Networks. “And with any legislation of this kind, it’s important to remember: the goal isn’t to instantly solve every data challenge — it’s to establish a baseline that everyone must meet, so the ecosystem moves forward together.”
CHALLENGES & CONCERNS
There are challenges organizations can face in aligning with the new DPDP rules. Sanket from OpenText points out that today, many Indian enterprises still operate with legacy applications sitting alongside multi-cloud deployments, making it difficult to track how personal data is collected, shared, stored and deleted. Many, particularly SMEs and small businesses, continue to use legacy systems and operate in fragmented IT environments.
“The DPDP Rules now require organisations to maintain accurate data maps, establish consent-verification workflows, standardize retention schedules and ensure that any cross-border movement of personal data aligns with the ‘blacklist-based’ transfer regime. This is where the real challenge begins. Compliance cannot be limited to a documentation exercise anymore. It has to become part of how work happens every day rather than something documented after the fact,” says Sanket.

Some of these businesses also lack, or have only limited, talent, forensic capability and breach readiness. Duplicated and scattered data, access to security data by third-party vendors, and a growing operational burden from compliance costs and training requirements are serious concerns.
Ajay Yadav, Head – IT & Security, SBL, opines that Indian enterprises are progressing, but overall preparedness for the 72-hour reporting window is mixed. “Larger organisations with established SOC and IR capabilities are closer to compliance, having already introduced structured escalation matrices, breach-impact assessment frameworks, and automated alerting. However, many mid-sized businesses still face challenges in correlating incidents across hybrid environments and validating breaches quickly enough. The real test lies not just in detecting incidents but in producing a defensible, well-documented report within the mandated timeline.”
Reiterating the same concern, Adv (Dr.) Prashant Mali, Practicing Lawyer, Bombay High Court, says that most Indian enterprises are currently underprepared for the stringent 72-hour breach reporting requirement under the DPDP Rules. “The mandate requires not just incident detection within this tight window, but also impact assessment, root cause analysis, and formal notification to both the Data Protection Board and affected users, a level of operational maturity that many organizations lack.”

He further adds, “The most pressing challenge lies in the regulatory ambiguity, with final notifications on classifications of significant data fiduciaries, exemptions for research and legitimate uses, and cross-border transfer mechanisms still pending, due to which organizations face uncertainty in scoping their compliance investments. Additionally, the interoperability between DPDP and existing frameworks like the IT Act 2000, sectoral regulations (RBI, SEBI, IRDAI guidelines), and emerging standards like the Digital India Act creates a fragmented compliance landscape that demands careful legal interpretation and adaptive governance structures.”
According to Manish Alshi, Senior Director, Channels & Alliances, India & South Asia, Check Point Software Technologies, it is known within the industry that determining breach scope, impact, and root cause often takes longer than three days, especially in complex hybrid environments, and SMEs may struggle most. “Check Point’s India threat data reinforces why readiness is urgent: Indian organisations are already facing 3,237 attacks per week over the last 6 months, well above the global average, with attackers increasingly using AI to scale phishing, impersonation, and data theft. In that environment, meeting a 72-hour clock requires more than policy—it demands pre-built incident playbooks, automated detection, and coordinated response,” says Manish. “The DPDP effectively moves India closer to a ‘cyber-resilience by default’ expectation, where organisations must detect faster, assess impact quickly, and communicate transparently. Several DPDP compliance guides now recommend organisations establish DPDP-aligned breach response playbooks, tighter logging, and vendor contracts that support rapid notification.”

Huzefa from Palo Alto Networks further clarifies that, with many organizations still operating with fragmented logs, siloed systems, and manual escalation processes, industry estimates suggest that when companies finally modernize, the transition could drive a 10–30% increase in tech and compliance spending - from automated detection and continuous monitoring to structured audits and repeatable response workflows. “The challenge ahead is not just technical; it’s operational and legal too — and meeting the DPDP’s requirements with confidence will demand tighter alignment across teams and more modernized systems.”
Anil Nama, CIO, CtrlS Datacenters, however, presents another scenario. He says that Indian organisations face a steep learning curve, with the average cost of a data breach in India reaching an all-time high of INR 220 million in 2025, marking a 13% increase from the previous year. Further, research on the Cybersecurity Readiness Index shows that only 7% of organisations in India have achieved a "Mature" level of cybersecurity readiness, with around 81% expecting a significant cyber disruption within the next 12 to 24 months.
“This reveals a troubling disconnect between regulatory expectations and operational reality. The challenge is compounded by the dual reporting requirements, as companies also have to report cybersecurity incidents to CERT-In within six hours, alongside the DPDP Board notification within 72 hours,” he says. “The 72-hour breach reporting requirement under the DPDP Rules demands immediate organizational readiness, yet what qualifies as a "material breach" remains loosely defined, potentially leading to over-reporting or inconsistent enforcement across sectors.”
Says Narendra Sen, Founder & CEO, RackBank, “Many organisations continue to rely on legacy systems and fragmented data stores that were never designed with ‘privacy by design’ principles in mind, making retrofitting complex and resource-intensive. Cultural maturity is another hurdle - organisations must shift from viewing privacy as an annual audit item to embedding continuous compliance across procurement, product design, vendor onboarding, and daily operations. Vendor risk adds a further layer of complexity, with enterprises now responsible for ensuring third-party partners uphold equivalent standards of data protection. Meanwhile, the industry still awaits further clarity on aspects such as significant-fiduciary thresholds and cross-border transfer rules.”
ON THE BRIGHTER SIDE
The Rules introduce an eighteen-month period for phased compliance. This gives organisations enough time to adjust their systems and adopt responsible data practices. With staged implementation, breach reporting timelines, and a dedicated regulatory board, the Rules demand swift compliance. This means that enterprises and OEMs must now assess readiness and realign offerings to meet the new obligations.

“The DPDP Rules have a phased implementation window, with some aspects taking up to 18 months to become fully effective,” says Dr. Makarand Sawant, Director & CTO, SEAFB. “This phased approach provides companies a crucial runway to build the necessary capabilities, realign their data practices, and re-engineer their systems to meet the new obligations before the final enforcement deadline.”
He further says that implementing solutions to achieve speed and automation, including data governance and discovery, will be necessary. Robust breach-response processes will be required, with proper user notification, identity and consent management. “The phased implementation over the next 12-18 months provides time for these adjustments,” Dr. Sawant assures.
Agrees Dipesh Kaura, Country Director, India and SAARC, Securonix, “The key aspect of the new DPDP rules is the phased rollout, giving organizations breathing time to comply. Organizations at the very outset have to build or upgrade their infrastructure, identify all personal data, map data flows, classify and document them, update consent notices and privacy policies, and ensure they are DPDP-compliant.”
He further says that the appointment of a Data Protection Officer is mandatory, along with establishing relevant internal processes for audits and reporting to the Board. “Data retention and deletion policies with data retention schedules have to be implemented, followed by the activation of data access controls and erasure rights. Implementing the new processes is technical and should have all necessary safeguards in place,” cautions Dipesh.
Heng Lee, Head of Government Affairs and Public Policy for Asia Pacific, Kaspersky, too contends that the phased implementation will buy time for organizations to level up their response capabilities. “A key focus however remains in empowering people and partners across the region through targeted training and technical enablement, equipping them with the knowledge to navigate shifting regulatory demands and maintain alignment with industry standards. However, ensuring consistent compliance across diverse partner networks and varying enterprise maturity levels remains a challenge, requiring phased adoption, deeper enablement, and standardized frameworks.”
With its extensive global expertise, Kaspersky advises organizations to strengthen governance models, adopt intelligence-led platforms, and continuously evolve compliance practices to remain resilient and forward-looking in the face of new regulatory requirements.
Says Dr. Harsha E Thennarasu, Chief IT & Cyber Security Advisor, HKIT Security Solutions, “Even if Indian enterprises are partially getting prepared for this regulation, the real challenge lies in identifying & classifying personal and non-personal data. Another major challenge for enterprises is to identify the appropriate skill set for the CISO and DPO positions. These positions would need to have the expertise to avoid facing huge penalties. Training all categories of workforces in the organization is also a major challenge. There must be an AI-based monitoring mechanism built to filter communications in block, allow & monitor modes.”
Dr. Karnnika A Seth, Cyberlaw expert & Founder, Seth Associates, believes that banks, telcos, and major platforms generally have SOC capability, SIEM logging, and breach playbooks adaptable to a 72-hour reporting timeline. Technical readiness is high, and so are legal compliance mechanisms.
“However, mid-size entities are not robust enough in maintaining one-year retention logs, consent-linked deletion and grievance redressal practices. Smaller firms not only lack evidence and record-keeping practices but also currently lack reviews of their vendor contracts for data protection compliance. They need to build their incident response teams and mechanisms aligned with breach reporting requirements,” she says.
“Achieving the 72-hour deadline necessitates not only technology but also organized governance,” agrees Piyush Somani, Promoter, Managing Director and Chairman, ESDS Software Solution. “This includes established workflows, interdepartmental collaboration, and refined communication templates. Currently, intent is strong, but achieving operational readiness will require targeted investment. Organizations that prioritize establishing robust governance, enhancing observability, and practicing breach-response simulations will be optimally equipped to comply easily with the developing regulatory landscape,” he concludes.
IN CONCLUSION
The notification of the DPDP Rules 2025 marks a significant step in making India’s personal data protection framework fully enforceable. By outlining clear responsibilities for organizations and granting individuals defined rights over their data, the Rules aim to strengthen trust across the country’s digital landscape. As the digital economy expands, this regime enhances India’s appeal for data-driven enterprises while reinforcing its commitment to safeguarding citizen privacy.