BIPI

India DPDPA Enforcement 2025: Data Protection Board, Consent Management and Breach Notification Requirements

Compliance

India's Digital Personal Data Protection Act is moving from legislation to enforcement in 2025. The Data Protection Board has started operations, consent management frameworks are being audited, and breach notification windows are tighter than most teams expect. Here is what the compliance deadline actually requires.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 7, 2025 · 10 min read

#dpdpa #india #data-protection #compliance #privacy

The Digital Personal Data Protection Act 2023 received presidential assent in August 2023. By the second half of 2025, the Data Protection Board of India has moved from formation to active enforcement. Notices have gone out to data fiduciaries across sectors including fintech, healthtech, and e-commerce. The era of treating DPDPA compliance as a future obligation is over.

For Indian companies processing personal data, and for global companies processing data of individuals in India, the operational requirements are more demanding than many compliance teams anticipated when they read the act's text. Consent management is not a checkbox: it requires purpose-specific, granular, revocable consent backed by audit logs. Breach notification is not the 72-hour GDPR window either. The draft DPDP Rules require notice to affected data principals and an initial intimation to the Board "without delay", with a detailed report to the Board inside 72 hours, and they set no materiality threshold below which a breach goes unreported.

Key numbers:

  • ₹250 crore (approximately USD 30M): the maximum penalty per instance under the DPDPA. This cap applies to failure to take reasonable security safeguards against a personal data breach, and it applies to any data fiduciary, not only significant ones.
  • 6 hours: the CERT-In cyber-incident reporting window (directions of April 2022), which runs in parallel with the DPDPA and is the first clock most breach responses will start.
  • 72 hours: the draft DPDP Rules' deadline for the detailed breach report to the Board after becoming aware of a breach. The initial intimation to the Board and the notice to each affected data principal are due "without delay".

DPDPA consent is not GDPR consent with an Indian flag. Purpose limitation, granularity, and revocability requirements are stricter in several respects.

The Data Protection Board — structure and powers

The Data Protection Board of India is an adjudicatory body, not a regulator in the GDPR sense. It receives complaints from data principals, inquires into them, and imposes penalties. It does not issue binding guidance or codes of practice the way the ICO or CNIL do. This means less regulatory clarity and more enforcement risk: an organization cannot validate its interpretation of the act against published guidance before the Board tests it in an inquiry.

The Board can conduct inquiries suo motu — on its own initiative — for cases of significant public interest. It can require data fiduciaries to produce records, audit reports, and technical documentation. A Board inquiry is adversarial; treat it like litigation, not a compliance review.

Consent management — what the act actually requires

DPDPA consent must be free, specific, informed, unconditional, and unambiguous, given with a clear affirmative action. Each of those words has operational implications. Specific means one consent per purpose; bundled consents that cover multiple data uses in a single accept are non-compliant. Unconditional means you cannot make access to the service contingent on consent to processing that the service does not need. The act also requires that withdrawing consent be as easy as giving it, so you must provide a withdrawal mechanism that is no harder to use than the grant mechanism, and processing under the withdrawn consent must stop within a reasonable time.

  • Maintain a consent receipt for every data principal with purpose, timestamp, and version of the privacy notice at the time of consent.
  • Log every consent event — grant, withdraw, modification — to an immutable audit trail.
  • Map each data processing activity to a specific consent record or legitimate use ground.
  • Re-obtain consent when the purpose changes or when the privacy notice is materially updated.
  • Ensure the consent withdrawal UX is no more than two clicks and does not require account deletion.

Significant data fiduciaries — additional obligations

The Central Government may notify any data fiduciary or class of data fiduciaries as a Significant Data Fiduciary, based on factors including the volume and sensitivity of data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of India, security of the State, and public order. Significant Data Fiduciaries face additional obligations: appointment of a Data Protection Officer based in India, appointment of an independent data auditor, periodic Data Protection Impact Assessments and audits, and, under the draft rules, verification that algorithmic software used for processing does not pose a risk to data principals' rights.

The DPO must be based in India, must be the point of contact for grievance redressal, and must be responsible to the Board of Directors or similar governing body. Many organizations have appointed DPOs for GDPR purposes, often outside India or in a consultancy arrangement; those roles frequently do not meet the DPDPA residency and reporting-line requirements.

Breach notification — timeline and content

The draft DPDP Rules do not set a materiality threshold: every personal data breach must be notified, and the act does not carve out a "sensitive" category with its own clock. Each affected data principal must be notified "without delay", individually, not through a generic public notice. The Board must receive an initial intimation "without delay" and a detailed report within 72 hours of the fiduciary becoming aware of the breach (the Board may allow longer on written request). Separately, the CERT-In directions of April 2022 require reporting of cyber incidents within 6 hours of noticing them, so a breach involving a system compromise typically starts that clock first.

Under the draft rules, the notice to data principals must cover: the nature, extent, timing and location of the breach; the likely consequences for the principal; measures implemented or proposed to mitigate risk; safety measures the principal can take; and business contact details of a person able to respond on the fiduciary's behalf. The report to the Board adds the facts and circumstances of the breach, findings about who caused it, remedial measures taken, and a record of the notices sent to principals. Incident response runbooks must be updated to produce a DPDPA-compliant notification as a workflow output, not an afterthought.

Cross-border data transfer requirements

The DPDPA takes a negative-list approach: personal data may be transferred to any country or territory except those the Central Government restricts by notification. As of mid-2025 no restricted list had been published, and the draft rules add that transfers are subject to any conditions the government specifies about making data available to a foreign state. The act also preserves stricter sector-specific rules, so existing localisation requirements (such as those imposed by financial regulators) continue to apply. Until the list and conditions are finalized, organizations transferring data internationally should document the transfer basis and the jurisdictions involved. This is a significant operational uncertainty for companies using US-based cloud providers for Indian personal data.

Closing

DPDPA enforcement in 2025 is real and accelerating. The penalties are large enough to be material for mid-size companies. The consent management requirements are technically demanding and require product changes, not just policy updates. Organizations that treated the act's passage as a long-lead item now have a narrow window to complete remediation before the Board's next enforcement cycle.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.