India is on the brink of implementing one of its most consequential digital regulations – the Digital Personal Data Protection Act, 2023 (DPDPA), and its accompanying rules. As the country inches closer to operationalizing this framework, there is a growing sense of urgency across the tech ecosystem. The era of soft compliance is over. Data has emerged not only as a currency for innovation but also as a growing liability, and the new regime reflects the government’s sharpened focus on accountability, transparency, and regulatory control.

At its core, the DPDPA is a principles-based legislation. The draft rules currently under consultation provide a closer view of what real-world compliance will demand—particularly in areas such as consent, retention, data erasure, and breach notification. This is where the criticality of data governance truly comes into focus—not just as a question of digital infrastructure, but as a matter of strategic economic and legal consequence.

Data compliance vs practicality

The draft rules should adopt a more risk-based and proportionate approach to age verification and parental consent. As it stands, the requirement for verifiable consent—regardless of a data principal’s self-declared age—could impose disproportionate burdens on data fiduciaries, often compelling them to collect excessive data and implement rigid mechanisms that may violate the principle of data minimisation. International standards such as the EU GDPR and the US COPPA offer a more balanced path by allowing entities to make “reasonable efforts” to verify age and parental consent, depending on the nature of the service and the risk involved. The DPDP Rules should follow suit by clarifying that stricter age assurance measures apply only where high-risk processing of children’s data is involved, while permitting flexibility for low-risk use cases. This not only prevents unnecessary operational hurdles for businesses but also aligns better with both child protection goals and practical feasibility.

What’s more, the DPDP Act does not currently recognise “legitimate interest” as a legal basis for processing data, something other jurisdictions such as the EU do. This could make routine business activities such as internal audits, AI model training, and even due diligence for M&A transactions unnecessarily difficult.

Breach reporting framework

One of the more stringent aspects of the draft rules is the breach notification framework. Data fiduciaries are required to notify both the Data Protection Board and the affected data principals of every personal data breach, irrespective of the perceived level of risk or harm. While a more extended window of 72 hours (or longer, at the Board’s discretion) has been proposed for submitting a detailed report to the Board, the timeline for notifying affected data principals is notably tighter, requiring disclosure “without delay.” A preliminary breach report containing the essential initial details must also be submitted to the Board without delay. Given the varying levels of detail expected in these “without delay” notifications to the Board and to data principals, the timeline and its practical implications are open to differing interpretations.

This structure, though well-intentioned, raises concerns about desensitising both users and regulators. In practice, most breaches require internal triage: identifying the breach, scoping its impact, and initiating remediation. Reporting too early, without adequate clarity on what actually happened, could expose companies to unnecessary reputational and legal risk. Worse, it could distract from mitigating the actual harm.

A more pragmatic approach would introduce a severity threshold distinguishing minor from major breaches and recalibrate the reporting timelines accordingly, so that compliance is meaningful rather than mechanical disclosure.

MSMEs and the risk of overregulation

Another critical concern is the asymmetry of impact. While large corporations may struggle with scale, it is smaller businesses that will feel the heat of non-compliance most acutely. The framework as it stands does not adequately differentiate obligations by the size, scale, or risk profile of the data fiduciary.

As seen in other sectors, overly burdensome compliance can stifle MSME growth. Risk-based regulation, where the extent of compliance is proportionate to the sensitivity and volume of data processed, needs to be institutionalised.

Governance beyond compliance

What the DPDP regime ultimately signals is the institutionalisation of data governance in India. The legislation is not just about data protection; it is about shaping the way organisations think about trust, risk, and accountability. This is not merely a legal challenge, it is an organisational transformation. Policymakers must continue to listen to industry, to civil society, and to consumers, so that implementation is guided by dialogue rather than dictate.

India has a unique opportunity to set the gold standard in digital governance—not just by protecting personal data, but by enabling the responsible unlocking of its economic value. But to achieve this, the DPDP Rules must evolve: from ambiguity to clarity, and from theory to real-world feasibility.

Six key areas to make the DPDP law more effective:

  • Adopt a risk-based approach to age verification and parental consent, aligned with global best practices, and avoid one-size-fits-all mandates that lead to over-collection of data and create compliance burdens.
  • Add “legitimate interest” as a basis for data processing, especially for due diligence in M&A and investment activities and for internal operations.
  • Introduce a severity-based breach reporting system and reconcile the reporting timelines to avoid false alarms and regulatory fatigue.
  • Clarify the language requirements for user notices, especially for backend or automated services.
  • Differentiate compliance obligations for MSMEs so that ease of doing business is not compromised.
  • Encourage industry-led self-regulation under the oversight of the Data Protection Board.

Disclaimer

Views expressed above are the author’s own.