The Governance Risk & Compliance Hub - Data Protection and Cybersecurity Specialists Logo.
Contact us

India’s DPDP Act Delay: What It Means for Data Protection Compliance

India’s Digital Personal Data Protection (DPDP) Act 2023 is still waiting for enforcement, leaving businesses in legal limbo. Explore why the delay matters for compliance, cross-border data transfers, and global trust—and how companies can prepare now.

Unlocking the Delayed Rollout: Why India’s DPDP Act Matters for Global Data Protection

Let’s talk data, and not the kind you leave lying around. India’s Digital Personal Data Protection (DPDP) Act 2023 was hailed as a pivotal leap for privacy. But guess what? Two years post-enactment, we’re still waiting on the official “go-live”. This isn’t just a local hiccup, it reverberates through international business, compliance, and trust dynamics.

 

Why is the DPDP delay a big deal?

1. Legal limbo for organisations

Without formal activation, businesses lack clarity on how to comply. They’re in limbo: uncertain which standards to adopt or when they’ll be enforceable.

2. Missed trust-building opportunity

For a market as dynamic as India’s, a strong data protection framework builds consumer and partner confidence. Delays undermine that.

3. Global compliance headache

International companies often frame data protection strategies around global standards. Uncertainty in India complicates GDPR alignment, cross-border data transfers, and overall risk planning.

 

What’s holding India’s DPDP back?


The DPDP Act was gazetted, indicated assent—but crucially, it hasn’t been officially notified for enforcement. Draft implementation rules surfaced in January 2025, hinting at movement—but still no green light. This gap between legislation and implementation creates a vacuum many wish wasn’t so expansive.

 

Why We Should Care (Beyond India’s Borders)

Entrenched commercial impact

Multinational firms operating in India may need to juggle conflicting data compliance regimes or wait to update policies until enforcement clarity emerges.

Data transfers in flux

GDPR and other frameworks require clear legal bases for data moves. Without live regulation in India, companies tread carefully—or err on the side of limitation.

Momentum matters

When data laws lag, it sends a subtle signal: “Privacy can wait.” That’s a dangerous precedent in a world where digital trust must be earned daily.

 

What’s Next—and How You Can Prepare

Stay agile

Watch for government notifications, these typically come via Gazette or regulatory updates.

Audit your data flows

Take stock of what personal data you hold, how it’s processed, and whether your current practices align with anticipated DPDP norms.

Build frameworks now

You don’t need enforcement to start. Draft frameworks, train staff, and prepare contracts with DPDP in mind, especially if you plan to expand or interact with Indian markets.

India’s DPDP Act will eventually roll out. When it does, it may not be a splashing world tour, but it’ll matter. Preparation is your best projection. By staying alert, aligning practices early, and building operational flexibility, organisations can turn a legislative delay into a competitive advantage.

FAQs:

1. What is India’s DPDP Act 2023?

The Digital Personal Data Protection (DPDP) Act 2023 is India’s first comprehensive data privacy law. It sets rules on how personal data should be collected, processed, stored, and transferred, aiming to strengthen privacy rights and accountability.

2. Has the DPDP Act been enforced yet?

No. Although the Act received presidential assent in 2023, it has not yet been officially notified for enforcement. Draft rules were released in early 2025, but businesses are still waiting for a clear timeline.

3. Why is the delay in DPDP enforcement important?

The delay creates uncertainty for businesses operating in India or handling Indian data. Without clear rules, companies struggle to prepare compliance frameworks, risking future penalties or misalignment with global standards like GDPR.

4. How should businesses prepare for the DPDP Act?

Organisations should begin auditing their data flows, updating privacy policies, training staff, and aligning contracts with anticipated requirements. Preparing early can reduce compliance costs and build trust with customers.

5. Will the DPDP Act align with GDPR?

The DPDP Act shares principles with GDPR such as; consent, data minimization, and accountability—but is designed with India’s context in mind. Multinationals should expect similarities, but not a complete overlap.

If you would like to learn more about how GRC Hub can support your Data Protection and Cybersecurity programme with our specialist GRC, GDPR and Cybersecurity support services, please contact us at hello@grc-hub.co.uk or by phone on 0113 532 7830.

The Governance Risk & Compliance Hub - Data Protection and Cybersecurity Specialists Logo.

Governance Risk & Compliance Hub LIMITED

Facebook Youtube Linkedin