DPDP Data Fiduciary Obligations India: 2025 Checklist

In short: the DPDP data fiduciary obligations that founders in India must meet are now law. The Digital Personal Data Protection Rules, 2025, were officially notified in November 2025, and full substantive compliance kicks in by May 2027. This checklist tells you exactly what to prepare for and when.

Key points

  • The DPDP Act, 2023 received Presidential assent on 11 August 2023 and is being rolled out in three phases, with all substantive compliance obligations effective from 13 May 2027.
  • The DPDP Rules, 2025 were officially notified on 13 November 2025 (Gazette published 14 November 2025, notification G.S.R. 846(E)) and impose detailed obligations on every organisation processing personal data of individuals in India.
  • Consent must be free, specific, informed, unconditional, and unambiguous — “legitimate interest” is not a lawful basis under this framework.
  • The law covers not just Indian companies but any foreign business processing digital personal data outside India when connected to offering goods or services to individuals in India.
  • Until core operational provisions fully take effect in May 2027, the existing IT Act and its Privacy Rules continue to govern data privacy in India.
  • India’s Supreme Court recognised privacy as a fundamental right under Article 21 of the Constitution in the landmark 2017 Puttaswamy judgment, providing the constitutional bedrock for this legislation.

Why DPDP data fiduciary obligations in India matter to your business

India now has its first comprehensive law governing the collection, processing, storage, and transfer of digital personal data. If your startup or SME collects any customer data digitally — or scans and digitises paper records — the DPDP Act applies to you.

The constitutional grounding is solid. The Supreme Court’s nine-judge bench in the Puttaswamy case held that privacy is a fundamental right under Article 21. Parliament has since translated that right into enforceable statutory obligations through the DPDP Act, 2023, and the DPDP Rules, 2025.

Founders who wait until the May 2027 deadline to start preparing will find the compliance window uncomfortably short. The time to build systems is now.

What data does the DPDP Act actually cover?

The Act applies only to digital personal data. This includes data that is collected in digital form from the outset, and data that begins as paper records but is later converted into a digital format.

It does not apply to personal data that remains in non-digitised form throughout its lifecycle. If you maintain purely paper-based records and never scan or upload them, those records fall outside the DPDP Act for now — though that is an unusual situation for most modern businesses.

Does it apply to you if you are based abroad?

Yes, if the relevant condition is met. The Act has extraterritorial reach: any foreign company processing digital personal data outside India, where that processing is connected to offering goods or services to individuals in India, is covered.

If your SaaS product is built overseas but sells to Indian users, you have DPDP obligations. Structure your compliance programme accordingly from day one.

The three-phase implementation timeline you need to know

Implementation is being rolled out in three distinct phases. Missing a phase deadline is a compliance failure — even if the final deadline feels far away.

| Phase | Date | What comes into force |
| --- | --- | --- |
| Phase I | 13–14 November 2025 | Data Protection Board established; specified sections of the Act and Rules 1, 2, and 17–21 in force immediately. |
| Phase II | 13 November 2026 | Consent manager provisions become effective (Rule 4 of the DPDP Rules). |
| Phase III | 13 May 2027 | All substantive compliance obligations, including Rules 3, 5–16, 22, and 23, become fully enforceable. |

The Rules text itself confirms this phased commencement. Use the period between now and May 2027 to build your consent infrastructure, update your privacy notices, and train your team — not as a reason to delay.

Consent: the only lawful basis that counts

This is the most significant structural shift for Indian businesses. Unlike the European GDPR framework, the DPDP Act does not recognise “legitimate interest” as a lawful basis for processing personal data.

Consent under the DPDP framework must be all of the following: free, specific, informed, unconditional, and unambiguous. If any one of these elements is absent, the consent is not valid.

The Act also mandates strict protocols for consent withdrawal. A data principal (the individual whose data you process) must be able to withdraw consent as easily as they gave it. Your systems must be built to honour that withdrawal promptly.

What must your consent notice contain?

Under Rule 3 of the DPDP Rules (which comes into force in Phase III), consent requests must be accompanied or preceded by a standalone notice in clear, plain language. That notice must set out the specific data being collected and the purpose for which it is being processed.

Buried clauses in a general terms-and-conditions page will not satisfy this requirement. The notice must stand alone and be genuinely understandable to an ordinary person.

Legitimate use: what is permitted without consent?

The DPDP Act recognises certain processing activities that can proceed on grounds other than consent — typically described as “legitimate uses” in the statute. However, these are narrowly drawn categories. The fact sheet confirms that “legitimate interest” as a broad, open-ended basis is expressly rejected.

Founders should map every data processing activity against the specific lawful bases the Act provides. Anything that does not fit a recognised category requires valid consent. For a practical breakdown of lawful bases and when each applies, consult the Law for You guides at The Courtroom, which cover core legal concepts in plain language for non-lawyers.

What the transitional period means in practice

Until May 2027, the IT Act and its Privacy Rules remain the operative privacy law in India. This is not a reason to ignore the DPDP framework — it is a reason to run a parallel compliance track.

Your current obligations under the IT Act continue. Your future obligations under the DPDP Act must be built simultaneously. Businesses that treat these as sequential tasks rather than parallel ones will face a compliance crunch in 2027.

Your founder checklist: DPDP data fiduciary obligations in India

Use this checklist to assess where you stand:

  • Map your data: Identify every category of digital personal data your organisation collects, processes, or stores, including data that was originally in paper form and has since been digitised.
  • Check territorial scope: If you serve Indian users from abroad, confirm your compliance programme covers DPDP obligations, not just those of your home jurisdiction.
  • Audit your consent mechanisms: Verify that every consent request meets the free, specific, informed, unconditional, and unambiguous standard. Remove pre-ticked boxes, bundled consents, and vague purpose descriptions immediately.
  • Draft standalone consent notices: Prepare clear, plain-language notices that precede or accompany every consent request, specifying the exact data and purpose. Do this before Phase III, not after.
  • Build a consent withdrawal pathway: Ensure your product or service allows users to withdraw consent as easily as they provided it, and that withdrawal is acted upon promptly.
  • Understand the Phase II consent manager requirement: By November 2026, consent manager provisions come into force under Rule 4. Begin reviewing how consent managers may interact with your data flows.
  • Continue IT Act compliance: Do not allow current obligations under the IT Act and Privacy Rules to lapse while preparing for the DPDP transition.
  • Appoint a legal adviser: The DPDP Rules are detailed and technically complex. Engage a qualified advocate with data privacy experience well before the May 2027 deadline.

Frequently asked questions

When do DPDP data fiduciary obligations in India become fully enforceable?

The substantive compliance obligations under the DPDP Act and Rules — including consent notice requirements and most operational duties — come into force eighteen months after the Rules were notified, which means 13 May 2027. However, some provisions and the Data Protection Board were already activated in November 2025, and consent manager rules take effect in November 2026. Businesses should treat all three phases as live deadlines rather than waiting for the final one.

Can a business rely on legitimate interest instead of consent under the DPDP Act?

No. The DPDP Act expressly rejects “legitimate interest” as an open-ended lawful basis for processing — this is one of the most significant differences from frameworks like the European GDPR. Almost all processing requires consent that is free, specific, informed, unconditional, and unambiguous, with limited narrow exceptions for specific categories of legitimate use defined in the statute itself. If your compliance programme was designed around a legitimate-interest model, it needs to be rebuilt.

Does the DPDP Act apply to my company if I am incorporated outside India but sell to Indian customers?

Yes. The Act has extraterritorial applicability. If you process digital personal data outside India in connection with offering goods or services to individuals in India, your company is subject to DPDP obligations. Being incorporated abroad does not exempt you. You should review your data processing activities, appoint appropriate contacts, and align your practices with the DPDP framework before May 2027.

This article is for general information only and is not legal advice. Laws change; verify against the primary sources cited and consult a qualified advocate for your situation.