They discuss how DPDP empowers data principals with greater control over their personal data while placing clear obligations on data fiduciaries from consent, retention and breach reporting to reasonable security safeguards. They also explain the Act’s phased rollout and the critical role of consent managers, technology integration and cross-functional governance.
Key takeaways
The DPDP Act and Rules empower individual data control and enforce accountability on all organizations, including companies based outside India.
Implementation unfolds in three phases: immediate activation of the Data Protection Board, consent-manager onboarding in one year, and full compliance within 18 months.
Organizations must maintain one-year tamper-proof logs and align data retention with purpose, keeping in mind additional requirements from RBI, SEBI, IRDAI and the Companies Act.
Penalties for non-compliance range up to INR 800 crore for violations such as breach reporting failures or inadequate security safeguards.
Prescribed safeguards like encryption and access controls require a culture shift and robust processes for compliance.
Boardroom scrutiny will increase as auditors certify DPDP compliance, making it a core business and governance priority.
DPDP Act and the Rules cannot be implemented in isolation. Organizations must align it with sectoral laws and build governance that ensures compliance not just on paper, but in practice.
Ritika Loganey Gupta
Partner - Tax & Regulatory Services, EY India
The Act is a game changer. With clear expectations around consent, retention and security safeguards, organizations need to rethink their data culture—not just their technology.
Lalit Kalra
Partner, Cybersecurity and National Leader-Data Privacy, EY India
Ritika Loganey Gupta
Hi all, we have gathered today as a part of the EY India Insights podcast. My name is Ritika Loganey Gupta and I am a Partner in the Tax and Policy Advisory Specialty services at EY India. We are going to talk about a regulatory development that has hit the Indian digital space: ‘The Digital Personal Data Protection Act’. This Act has been going through rounds over the last two years and it finally saw the light of day on 13 November 2025, when the rules were notified by the central government. I am joined by my colleague Lalit Kalra, who is a Partner at EY India. Hi, Lalit.
Lalit Kalra
Hi Ritika, it is a pleasure to be here. Hi everyone, my name is Lalit Kalra. I am a Partner in the EY Cybersecurity practice and I lead data privacy practice for India, which is the hot topic we are going to talk about today.
Ritika Loganey Gupta
What is the Digital Personal Data Protection Act? As we go along, we will refer to it as DPDP. What does it hold for companies and for individuals like you and me?
Lalit Kalra
This is one of the Acts we have been waiting for quite some time. DPDPA stands for Digital Personal Data Protection Act; it was released in 2023 and it took only nine days from the time it was drafted to getting it signed by the President — that was the fastest I have experienced in my career, but it took some time for the government to draft the Rules. In November 2025, the government released the Rules. The Act talks about digital aspects; it focuses on helping the data principal, or the individual, gain more control over their personal data, which is either collected in digital form by an organization or collected in hardcopy, such as signing a visitor register or filling out a form, and later digitized. The data law aims to protect and give rights to the individual.
Ritika Loganey Gupta
I think these individuals are called data principals.
Lalit Kalra
Absolutely, the Act introduces several new terms, which we will discuss. It talks about individual data and its applicability; more importantly, it is a game changer for organizations. The term for an individual is ‘data principal’, while for an organization it is ‘data fiduciary’, meaning the organization that defines the purpose and means of collecting and processing personal data.
I want to go a little more into personal data, but I will refrain from doing that. From an Indian perspective, the Act is applicable to any organization providing goods or services to people within the territory of India. It is also applicable to companies outside India that process personal data of people in India. The Act talks about applicability and giving individuals more control over personal data.
The definitions and everything are okay, but you have been doing this in the regulatory space for almost 20 years. What are you seeing in the market for this?
Ritika Loganey Gupta
You mentioned that the Act took more than two years to come into effect. The government realizes that companies are going to take time to implement the Act. Although it is a simple 10-page Act, companies are going to take some time. Interestingly, three time gaps or periods have been given for companies to adapt themselves to DPDP.
The first timeline starts immediately, which means that the Act is applicable and the government will form a Data Protection Board to oversee the implementation of the outcome. The second timeline is after one year—which is November of 2026—where identified companies must take the approval as consent managers. Consent managers will manage the consents that the companies will take from data principals.
The third timeline is after 18 months, when the Act will fully come into force and companies must establish systems and ensure that they are fully compliant with the Act. Lalit, you are in the technology space, what is the consent manager system and what technological changes will companies need to meet this requirement?
Lalit Kalra
It would not be wrong to say that consent manager is a new wonderkid on the block because none of the laws globally have this concept of consent manager. The consent manager acts as a bridge between the individual and the company. Under the Act, the consent manager will act as a data fiduciary. He must comply with all obligations required of an online organization. At the same time, he would only be responsible for consent.
So, as an individual, the model we envisage works like this: consider a small organization that collects personal data but does not have the skill and manpower to manage and comply with the consent requirements of the Act. This is where the consent manager comes into the picture. It is a third party. The company onboards the consent manager, who manages the consent through its own platform, which is interoperable across different companies. Instead of visiting Company A’s website, the individual first accesses the consent manager’s platform. From there, the data is shared with the company and vice versa. For withdrawal of consent, the individual goes through the consent manager. As a user, I am pretty happy because I have to find one consent manager, who is omnipresent, to give my consent.
Ritika Loganey Gupta
The consent manager will ensure that the consent is moved across all companies that need your consent, right?
Lalit Kalra
Yes, whenever I request removal, instead of me running around, the consent manager will do the job for me. This is just one aspect of the Act. Similarly, there are other elements to discuss, including large volumes of data that must be identified and retained. The consent manager must retain data, the organization will also retain data, and both must comply with multiple other laws.
For a consent manager or a company, how will retention work? Do you have any idea?
Ritika Loganey Gupta
Retention has been discussed in two parts. One, retention logs have to be maintained for a period of one year—that is an important part. They have taken a cue from the Department of Telecom regulations, which also require companies to maintain logs used for internet and connectivity.
Lalit, regarding retention, what are some of the technological changes needed? Because retention is a mandatory requirement under the Act. Companies will also need to work around keeping the logs, which should be tamper-free logs, right?
Lalit Kalra
Absolutely. More than the logs, retention is one of the key requirements across data privacy laws in the world. Globally, organizations should retain data until the purpose is fulfilled. Once the purpose is met, the organization should delete the data.
Globally, companies are hungry for data and they want to retain as much as possible. Many of my clients—and many of yours—retain data perpetually. This will be a challenge for organizations because, with DPDPA coming in, they will have to define what data needs to be retained and for how long. That is the first part.
Once they identify how long they can retain data, the next step is deletion of data. Some data will be in archives, some will be in backup and so on and so forth. Systems and organizations do not communicate with each other—this will be a huge challenge. I was wrong to say 18 months is long enough; considering the technology changes that the retention would require, they will take 18 months. Specifically, about logs, this is interesting because CERT-In requires retention for 180 days. CERT-In, the Computer Emergency Response Team of India, mandates retaining logs for 180 days. Similarly, RBI also gives a different timeline.
Ritika Loganey Gupta
That is an excellent point—you noted that different laws in the country prescribe different timeframes for maintaining logs. For example, under the Companies Act, data is supposed to be maintained for eight years. SEBI has its own requirements and the insurance regulatory authorities have their own requirements. This is another important part—how DPDP overlaps with these other laws. It is important for a company to devise a policy compliant with DPDPA, as well as other applicable laws.
Lalit Kalra
That brings me to my question: How does an organization do that? A legal counsel or a DPO, who is already doing that, would essentially ask, ‘why am I doing this?’
Ritika Loganey Gupta
Absolutely, this law is important because it cannot be just done in isolation. You do not need to have the general counsel or the IT head looking at it; you need to have people coming from compliance, income tax and governance because entities will need to comply with multiple laws in the country. They need to ensure that DPDP is complied with while other laws are also complied with. I think that is going to be a very important cornerstone on which the privacy policy is going to be based.
Lalit Kalra
Yes. I had a very interesting conversation with a client of mine. He said, ‘What if I do not do it?’ What do I tell him?
Ritika Loganey Gupta
That is an important point—what happens if you do not follow the law? In India, every law has some penalties ascribed to it.
Lalit Kalra
You need to have the stick.
Ritika Loganey Gupta
You need to have the stick. Penalties under this law are huge; they can range from INR 250 crore to nearly INR 800 crore—a huge amount for a company to be non-compliant with the Act. If you do not report any data breach, there is a penalty ascribed to it.
One of the important words that they have used in the law is that you need to have a reasonable security safeguard.
Lalit Kalra
That is my forte.
Ritika Loganey Gupta
That is your forte, right? There is an INR 250 crore penalty if a company does not maintain reasonable security safeguards.
Lalit Kalra
Yes, I read about that and it was a scary one.
Ritika Loganey Gupta
That is a scary one. Absolutely.
Lalit Kalra
This carries the maximum amount of penalty among other penalties. However, they have made it easier; whenever you look at GDPR or CCPA, they leave it a little open-ended. Organizations decide which controls they should implement. DPDPA has done a great job by giving minimum controls. It clearly defines what constitutes a reasonable security safeguard. They have talked about encryption, which essentially means that you need to encrypt data wherever possible. They have talked about access, which is to ensure that unauthorized access is controlled. They have talked about backup and business continuity. They have also talked about ‘how do you identify a breach?’ They have talked about key systems and key baseline controls that an organization should be implementing, and they have mentioned those in the Act.
From the perspective of a person or an organization who does not have a lot of insight into where to start, this provides a clear starting point and roadmap for implementing reasonable security safeguards.
Ritika Loganey Gupta
You brought up this interesting point about understanding what all this is about. In today’s digital age, everybody is hungry for data. The more security somebody will enable, the more hacks will happen, because every day, we are reading about hacks happening. But with this kind of a provision, which MeitY (Ministry of Electronics and Information Technology) has come out with, if you have reasonable security safeguards, you stand a chance of defending yourself if there is a data breach.
Lalit Kalra
In today's world, it is not a matter of whether you will be hacked; it is a matter of whether you have already been hacked or do not know you have already been hacked.
Ritika Loganey Gupta
Absolutely.
Lalit Kalra
Companies are aware that attacks will happen; there are companies where the attacks may not happen, but it is a volatile environment and MeitY understands that. This also goes for penalties—the organization has to show intent and showcase that we have done what we could.
If breaches happen, they can report them within 72 hours, as the Act mandates. There is no need for a CISO or a DPO to lose sleep over it.
Ritika Loganey Gupta
Absolutely correct.
Lalit Kalra
Organizations will experience breaches, but organizations have about 72 hours to give a detailed report to the Data Protection Board. The interesting part is they also have to report to the data principal whenever an incident happens, like: ‘What has happened?’ ‘What are the organizations doing?’ ‘What are the measures that they have implemented?’ But this is just one part of it, Ritika. If I am the CEO of an organization, should I be worried, or is there a method to this madness?
Ritika Loganey Gupta
In all the conversations that I have had so far, everybody is thinking that there is an 18-month period, I still have time, let somebody take the first step, but we do not have time for that. What we need to do before the 18-month period is over is first do a gap assessment: check the data you have, who has access to that data, what the data touchpoints in your organization are, and which departments are getting impacted. Then map it up with the requirements under the Act; that will throw up exactly the kind of effort required for you to be compliant in the first part. After that, move on to technology.
Lalit Kalra
Yes, just to add to what you said, once an organization does a gap assessment, that is where the actual journey starts, because privacy for an organization is to comply with DPDPA. It is not a matter of the drafted policies or the best technology available with you, but it is the mindset that has to change. How are you embedding the culture of privacy within the organization? That is the most important aspect; the privacy team should be working towards building a culture of privacy within the organization. At the same time, technology plays a key role. How do I identify data? This is where data discovery tools come into the picture. For organizations dealing with huge amounts of data, it is practically impossible to manage the data principal requests, keeping track of changes, impact on privacy and so on. Manually, it is not possible. There are a lot of privacy program management tools which help you take consent, manage consent, withdraw consent, identify grievances and keep track of retention: which data do I need to retain, delete and so on.
Like I said earlier, these security technologies play a key role because there is a huge penalty on breach of reasonable security safeguards. An organization must look at it from all angles. We used to call it PPT earlier, which was essentially people, process, technology. All three need to be handled to ensure that compliance is maintained with the DPDPA.
Ritika Loganey Gupta
Once that is done, it is equally important that you continue to maintain it, because it is not the end of the story. This is going to be there for a long time to come. It is going to impact a company's brand because if you are able to provide the trust to the data principal—whether it is a vendor, a customer, or an employee—people will start trusting your brand and that is what is going to impact the businesses in the country.
Lalit Kalra
It is no longer a compliance activity; this is going to become a business enabler for an organization—how they handle data and what level of trust an individual has in the organization.
Ritika Loganey Gupta
Interestingly, from a boardroom perspective, the auditors are supposed to certify that a company has complied with all the laws. This is part of the CARO report (Companies (Auditor’s Report) Order) that goes in the audit, because the auditors are going to ask you the question, “Have you complied with DPDPA?” If there are going to be any breaches, or any non-compliance, it will be mentioned in the financial statements as well. At the end of it, data principals, data fiduciaries—everything is fine, but when it reaches the boardroom, that is when it reaches the highest level.
Lalit Kalra
That is an interesting point, Ritika. It is no longer a compliance activity, but something that the board would be interested in. The organizations would get 18 months to comply with the Act. There are different obligations—from managing consent to having a record of inventory of personal data and putting reasonable security safeguards. I think we have had an interesting discussion and people would love it. Thank you for your time and thank you everyone for tuning in. Keep listening to EY India Insights podcast for more such conversations. Thank you.