DPDP Rules Are Live: What Indian Businesses Must Do Now

The blueprint finally has a manual
When the Digital Personal Data Protection Act passed in 2023, no one was quite sure how it would operate day to day. In November 2025 that changed: the DPDP Rules came into force, turning the Act’s principles into concrete obligations.
If the Act was the blueprint, the Rules are the user manual — and the stakes are serious, with non-compliance carrying penalties up to ₹250 crore per incident.
What the Rules actually require
- Clear, plain-language consent. Tell people exactly what data you collect, why, and how long you keep it — in language a non-expert understands.
- Purpose limitation and retention. Collect only what you need; delete it when the purpose ends.
- Breach notification. Report breaches to the Data Protection Board and affected individuals.
- Employee responsibility. Staff must understand their data-protection duties — because most breaches begin with human error or a phished credential.
A compliant privacy policy means little if an employee hands over the keys to a convincing phishing email.
Why this is a training problem, not just a legal one
Regulators increasingly expect demonstrable awareness programmes, not just paperwork. The fastest path from "compliant on paper" to "breached in practice" is an untrained workforce:
- Phished credentials remain the leading cause of data exposure.
- A single mishandled data request can become a reportable incident.
- "We had a policy" is not a defence if staff were never trained on it.
A practical starting checklist
- Map what personal data you hold and why.
- Rewrite consent notices in plain language.
- Stand up a breach-response and notification process — and rehearse it.
- Roll out role-based data-protection and phishing-awareness training, with records you can show a regulator.
The bottom line
DPDP compliance is now operational reality, not a future concern. Technical controls matter, but the Rules put your people at the centre — and a documented, continuous awareness programme is among the most cost-effective compliance investments you can make.