Industry must invest in consent, embed data protection, say experts on DPDP Act

New Delhi [India], November 16 : The industry must now prioritise investments in consent, embedding data protection as a core element of digital operations rather than treating it as an expense, said experts in reaction to the government's notification of the Digital Personal Data Protection Act, a move seen as a decisive shift toward a "Trust Economy."

According to industry executives and legal experts, the law signals the end of unchecked bulk collection of personal data and ushers in an era where precision, accountability and user rights are central to every digital interaction.

They noted that for citizens, the framework introduces a transformed digital realityone where individuals gain the power to correct, erase and meaningfully control their personal information.

"The Digital Personal Data Protection Act notification of today marks the definitive pivot towards a Trust Economy where bulk personally identifiable information (PII) collection will be replaced by a mandate for precision and accountability at every digital exchange. Certainly, the industry must now invest in consent, making data protection a foundation for commerce and not a cost to it," said Santosh Singh, Senior Vice President, IT at DS Group.

On November 14, the Centre notified the Digital Personal Data Protection (DPDP) Rules, 2025, marking the full operationalisation of the DPDP Act, 2023. The Ministry of Electronics and IT stated that the Act and Rules create a simple, citizen-focused and innovation-friendly framework for the responsible use of digital personal data.

Enacted by Parliament on August 11, 2023, the DPDP Act establishes a comprehensive framework for protecting digital personal data, setting out the obligations of entities handling such data (Data Fiduciaries) and the rights and duties of individuals (Data Principals).

Talish Ray, Advocate and Managing Partner at TRS Law Offices, called the rules a significant step toward regulating India's digital landscape, noting that they "aim to protect individual privacy while promoting business growth."

She stated the rules introduce structured consent mechanisms, define the role of data fiduciaries, and enforce security and breach notification obligations, a notable advance for a country where millions are entering the digital economy every month.

However, Ray also flagged several weaknesses, including an over-reliance on consent, a narrow set of individual rights, and broad government exemptions for national security and public order.

"While the DPDP Rules 2025 represent progress, they fall short of protecting individual privacy and promoting digital rights. India must ensure that its digitally empowered society doesn't come at the cost of individual freedom and autonomy," she added.

In its official release, the government has stated that the rules seek to strike a careful balance between protecting citizens' privacy and promoting innovation and growth.

Nikhil Narendran, Partner - TMT (Technology, Media and Telecommunications), Trilegal, welcomed the clarity brought by the notification, saying, "India Inc. now has an 18-month runway to gear up for full compliance. For most organisations, it will be necessary to start with data mapping, redesigns of consent and notice flows, and training programs to ensure compliance, with the help of lawyers, technologists, and privacy professionals."

The DPDP Rules provide an 18-month phased compliance timeline, allowing organisations time for a smooth transition.

They also require Data Fiduciaries to issue standalone, clear and simple consent notices that transparently explain the specific purpose for which personal data is being collected and used. Consent Managers, entities that help individuals manage their permissions, must be Indian companies.

Disclaimer: This post has been auto-published from an agency feed without any modifications to the text and has not been reviewed by an editor