<h2>Executive Summary</h2><ul><li><p>DPDP shifts India from a narrow IT-rules regime to a <strong>full privacy law with clearer duties</strong> and stronger rights</p></li><li><p><strong>Consent is now central</strong>; legitimate-use grounds are limited and tightly framed</p></li><li><p>Organisations must <strong>refresh notices, contracts, retention and security</strong> while preparing for individual rights</p></li><li><p>Cross-border transfers remain broadly open, with blacklisted countries and SDF mandates as key exceptions</p></li><li><p><strong>Breach reporting requirements</strong> are strict and time-bound</p></li><li><p>M&A, outsourcing and group structures must factor <strong>DPDP into design, diligence and integration</strong></p></li><li><p>An <strong>18-month runway</strong> exists, but leaders need early data mapping, policy refresh and governance clarity</p></li></ul><p>Regulation is rapidly turning data stewardship into a marker of organisational credibility, and for Corporate India, the Digital Personal Data Protection (DPDP) Act represents a decisive shift. At a recent combined session of the India CXO Forums held virtually, experts from Trilegal outlined how the newly-implemented law recasts consent, accountability, cross-border flows and breach management, setting a far more exacting baseline for digital operations. The discussion unpacked what DPDP means for customer journeys, employee data, vendor ecosystems and enterprise risk, and examined how leaders must recalibrate governance, technology and culture as India moves from a loose, notice-based framework to a rights-driven, enforcement-ready regime.</p> <h2>A New Phase in India’s Data Governance Journey</h2><p>DPDP marks a decisive shift in how India regulates personal data. Earlier rules focused on sensitive data, basic consent and minimal levels of security. The new framework is wider, more structured and anchored in the Supreme Court’s recognition of privacy as a fundamental right. 
It reflects years of consultation, industry feedback and global benchmarking. For businesses, the implications go far beyond compliance. DPDP formalises expectations around transparency, user agency and responsible data use. It will shape digital product design, vendor choices, internal controls and governance. Organisations that treat DPDP as an operating discipline rather than a legal hurdle are likely to gain trust and show greater resilience in the long run.</p> <h2>From IT Rules to an Omnibus Privacy Law</h2><p>India’s earlier privacy regime was narrow and incremental. DPDP replaces it with a unified law that applies to most digital personal data, regardless of its apparent ‘sensitivity’. This creates a clearer baseline, with uniform duties for collection, use, sharing and retention. The change is particularly meaningful for entities that relied on generic privacy policies and broad consent. DPDP demands specificity of purpose, clarity in communication and demonstrable responsibility in how data is handled. While the structure is familiar to organisations operating under the European GDPR (General Data Protection Regulation), there are material departures, including India’s preference for consent over broader ‘legitimate interest’ claims and a more flexible stance on cross-border transfers. The compliance burden rises, but so does predictability. </p> <h2>Scope, Definitions and the New Cast of Actors</h2><p>DPDP applies to personal data that is processed digitally in India or processed overseas by firms offering goods or services to individuals in this country. Truly offline records remain outside its scope unless they are later digitised. Anonymised data is similarly exempt, but the bar for anonymity is high. The Act introduces a clear vocabulary:</p><ul><li><p>A data fiduciary determines the purpose and means of processing. </p></li><li><p>A data processor acts solely under instruction, without independent decision-making. 
</p></li><li><p>The most heavily-regulated category – Significant Data Fiduciaries – are to be identified by government notification and subject to audits, impact assessments, DPO appointment and potential localisation. </p></li></ul><p>Organisations will need to examine their own role in each data flow, as classification as a Data Fiduciary (DF) or a Data Processor (DP) determines liability and contractual obligations.</p> <h2>Consent, Legitimate Uses and Individual Rights</h2><p>Consent has become the core legal basis for data storage and processing. Such consent must be specific, itemised and as easy to withdraw as it is to provide. Existing users do not need to reconfirm consent, but they must receive DPDP-compliant notices with a clear option to opt out. New users must expressly opt in before processing starts. Carve-outs on the basis of legitimate-use grounds (such as for employment, legal compliance, emergencies and investigations) exist, but these are narrow. Routine analytics, cross-selling and internal reuse of data will almost always require explicit consent. Individuals will gain new rights to information, correction, erasure and grievance redress, and organisations must respond within defined timelines. Much of this will demand operational (re)design: structured request workflows, internal coordination, escalation paths and record keeping. Crucially, employee data, historically managed through informal practices, must now be treated with the same rigour as customer data.</p><h2>Cross-Border Transfers, Localisation and Security</h2><p>DPDP permits cross-border transfers except to blacklisted countries, a list yet to be notified. This is more permissive than many global regimes and should reduce friction for firms using global cloud or analytics services. Significant Data Fiduciaries may, however, face localisation requirements for notified classes of data. Sector-specific rules, such as those from RBI, remain unchanged. 
Security obligations will require organisations to implement reasonable safeguards, including encryption, access controls, monitoring and structured vendor oversight. Logs must be retained for one year, which may require system changes. The breach reporting requirements are strict: an initial alert to affected users and the Data Protection Board must be issued without delay, followed by a detailed report within 72 hours. These timelines will demand rehearsed incident-response routines and coordination across legal, IT and communications teams.</p> <h2>Retention, Special Categories and the Role of the State</h2><p>DPDP reinforces the principle of data minimisation by requiring organisations to delete data once it is no longer needed. Some categories, such as large e-Commerce platforms, will face specific retention timelines, and others may be notified later. Retention schedules will need to be codified, automated and monitored. Children’s data will attract additional safeguards, including verifiable parental consent and restrictions on targeted advertising or behavioural profiling. The threshold for compliance is high and requires thoughtful UX design. Government authorities remain within the scope of the Act but have broader exemptions relating to national security, law enforcement and public order. The interpretation of these terms will shape industry expectations and judicial oversight in the first year of implementation.</p> <h2>Transactions, Outsourcing and Group Structures</h2><p>DPDP introduces a new layer into M&A, outsourcing and intra-group operations, influencing how deals are structured and valued:</p><ul><li><p><strong>Transactions:</strong> Due diligence will need to examine whether the target’s consents, notices, breach history, vendor contracts and data flows meet DPDP standards. Inadequate consent may reduce the utility of acquired data sets and alter deal value. 
</p></li><li><p><strong>Outsourcing contracts:</strong> These must clearly define DF/DP roles, permitted uses and security safeguards. Generic global templates will no longer suffice. </p></li><li><p><strong>Intra-group data flows</strong>: These must now be justified through consent or legitimate-use provisions, and retention policies must apply consistently across entities. </p></li><li><p><strong>Post-merger integration:</strong> May require harmonising consent frameworks, deleting non-compliant data and redesigning customer journeys.</p> </li></ul><h2>A Leadership Roadmap for the Next 18 Months</h2><p>The current transition period offers leaders time to build a structured response rather than a last-minute retrofit. Five practical steps will matter most:</p><p>1. <strong>Map all data flows</strong> and identify where personal data enters, moves and exits</p><p>2. <strong>Run a DPDP gap assessment</strong> across notices, consent, security, contracts and rights management</p><p>3. <strong>Redesign user journeys and HR processes</strong> to ensure clarity, specificity and documentation</p><p>4. <strong>Review and renegotiate vendor contracts</strong>, establishing role clarity and breach obligations</p><p>5. <strong>Operationalise retention and breach response</strong>, with automated deletion and clear on-call protocols</p> <p>The companies that are likely to benefit from DPDP are those that treat compliance as a foundation for trust, transparency and disciplined data use. The law raises the threshold for accountability but also provides a consistent rulebook in a landscape where expectations of privacy are rising sharply.</p>
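<p>Step 5 of the roadmap, together with the earlier points on consent withdrawal and one-year log retention, is the part an engineering team has to turn into a running job. The sweep below is an added illustration of what a codified retention schedule looks like in code; it is not from the article, the forum session or Trilegal. The purposes, the day counts in <code>RETENTION_DAYS</code>, the <code>Record</code> layout, the <code>legal_hold</code> flag and the sample records are all assumptions for the example. Only two rules are taken from the text: personal data goes once its purpose is served or consent is withdrawn, and logs are kept for one year.</p>

```python
"""Retention sweep with consent-withdrawal handling.

Added illustration, not code from the article or from Trilegal. The purposes,
the day counts in RETENTION_DAYS, the Record layout and the sample data are
assumptions; the one-year log retention and the delete-when-no-longer-needed
rule are the only points taken from the text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention schedule: days to keep personal data after its stated
# purpose is fulfilled. Illustrative values, not figures from the Act or Rules.
RETENTION_DAYS = {
    "order_fulfilment": 90,
    "marketing": 0,          # nothing to keep once the purpose ends
    "payroll": 8 * 365,      # assumed long retention for HR/payroll records
}
LOG_RETENTION_DAYS = 365     # one-year log retention, as stated in the article

UTC = timezone.utc


@dataclass
class Record:
    record_id: str
    principal_id: str
    purpose: str
    consent_given_at: datetime
    consent_withdrawn_at: Optional[datetime] = None
    purpose_completed_at: Optional[datetime] = None
    legal_hold: bool = False  # litigation or regulator request blocks deletion


def decide(rec: Record, now: datetime) -> tuple[str, str]:
    """Classify one record as 'delete', 'retain' or 'review', with the reason."""
    if rec.legal_hold:
        return "retain", "legal hold overrides the schedule"
    # Withdrawal ends the legal basis regardless of any schedule.
    if rec.consent_withdrawn_at is not None and rec.consent_withdrawn_at <= now:
        return "delete", "consent withdrawn"
    days = RETENTION_DAYS.get(rec.purpose)
    if days is None:
        # A purpose with no schedule is a governance gap, not an automatic keep.
        return "review", f"no retention schedule for purpose {rec.purpose!r}"
    if rec.purpose_completed_at is None:
        return "retain", "purpose still active"
    expiry = rec.purpose_completed_at + timedelta(days=days)
    if now >= expiry:
        return "delete", f"purpose served and {days}-day retention elapsed"
    return "retain", f"within retention window until {expiry.date()}"


def sweep(records, now):
    """Return the ids due for deletion and an audit trail of every decision."""
    to_delete, audit = [], []
    for rec in records:
        action, reason = decide(rec, now)
        audit.append({"at": now.isoformat(), "record": rec.record_id,
                      "principal": rec.principal_id, "action": action, "reason": reason})
        if action == "delete":
            to_delete.append(rec.record_id)
    return to_delete, audit


def prune_audit(audit, now):
    """Keep the audit trail for one year: deletion evidence runs on its own clock."""
    cutoff = now - timedelta(days=LOG_RETENTION_DAYS)
    return [e for e in audit if datetime.fromisoformat(e["at"]) >= cutoff]


# Constructed sample data for a dry run (not real records).
NOW = datetime(2026, 1, 15, tzinfo=UTC)
SAMPLE = [
    Record("r1", "p1", "order_fulfilment", datetime(2025, 6, 1, tzinfo=UTC),
           purpose_completed_at=datetime(2025, 9, 1, tzinfo=UTC)),       # 90 days elapsed
    Record("r2", "p2", "marketing", datetime(2025, 12, 1, tzinfo=UTC),
           consent_withdrawn_at=datetime(2026, 1, 10, tzinfo=UTC)),      # withdrawn
    Record("r3", "p3", "payroll", datetime(2020, 1, 1, tzinfo=UTC),
           purpose_completed_at=datetime(2025, 12, 31, tzinfo=UTC)),     # still inside window
    Record("r4", "p4", "order_fulfilment", datetime(2025, 8, 1, tzinfo=UTC),
           purpose_completed_at=datetime(2025, 9, 1, tzinfo=UTC), legal_hold=True),
    Record("r5", "p5", "fraud_model_training", datetime(2025, 5, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    ids, trail = sweep(SAMPLE, NOW)
    for entry in trail:
        print(entry["record"], entry["action"], "-", entry["reason"])
    print("delete:", ids)
```

<p>Two design points carry over to a real implementation. Consent withdrawal is checked before the schedule, so a withdrawn record is deleted even if its purpose has no entry in the table; and an unknown purpose is routed to review rather than silently retained, which is how the sweep surfaces data flows that the mapping exercise in step 1 missed. The audit trail is pruned on the one-year log clock, separately from the personal data it documents.</p>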