The DPDP Act: what your business must do
India's Digital Personal Data Protection Act is now in force — if you hold personal data, you have new duties around consent, rights, and breach reporting.
The DPDP Act, 2023, with Rules notified in 2025, requires businesses (Data Fiduciaries) to obtain valid consent, honour data-principal rights, secure data, and report breaches.
Compliance is phased through 2026–2027, so now is the time to assess and prepare.
- ₹22 crore average data-breach cost in India (2025) — the highest in the world.
- 263 days average time to identify and contain a breach in India.
Why It Matters Now
What the data shows
The evidence is hard to ignore.
Why this matters for your business
India's Digital Personal Data Protection Act, 2023, with its Rules notified in 2025, has moved data protection from good practice to legal obligation. If your business collects or handles personal data — customers, employees, users — you are a Data Fiduciary with defined duties: obtain valid, informed consent; provide clear notices; honour individuals' rights (access, correction, erasure, grievance, and nomination); secure the data you hold; and report breaches to the Data Protection Board of India.
Enforcement is phased through 2026–2027, which makes now the sensible time to prepare rather than scramble later. Practical readiness means mapping what personal data you hold and why, fixing how you capture and record consent, building processes to handle data-principal requests, tightening security and retention, and establishing breach-response procedures. Penalties for non-compliance can be significant. Breeur helps you assess your gaps against the Act and implement the controls — consent management, rights handling, security, and breach processes — so you're ready ahead of the deadlines and treating compliance as an opportunity to earn trust rather than a last-minute risk.
The DPDP Act has moved data protection in India from good practice to legal obligation, so understanding what it requires — and preparing now — is simply part of running a responsible business. The Digital Personal Data Protection Act, 2023, with its Rules notified in 2025, means that if your business collects or handles personal data of customers, employees, or users, you are a Data Fiduciary with defined duties: obtain valid, informed consent; provide clear notices about what you collect and why; honour individuals' rights to access, correction, erasure, grievance redressal, and nomination; secure the data you hold; and report breaches to the Data Protection Board of India.
Enforcement is phased through 2026 and 2027, which makes now the sensible time to prepare rather than scramble later, and penalties for non-compliance can be significant. Practical readiness means mapping what personal data you hold and why, fixing how you capture and record consent, building processes to handle data-principal requests, tightening security and retention, and establishing breach-response procedures.
The mistake is assuming the Act only applies to large tech companies, or waiting until enforcement bites to begin. Start by understanding your data — what you collect, where it lives, who can access it, and why — because that map underpins everything else. When you engage a partner, look for one who assesses your gaps against the Act and implements the controls — consent management, rights handling, security, and breach processes — rather than offering a generic policy template.
Approached this way, DPDP compliance becomes an opportunity to earn trust and put your data house in order ahead of the deadlines, rather than a last-minute legal risk — and, handled well, it signals to customers that you take their privacy seriously, which is increasingly a competitive advantage in its own right.
The Benefits
- Valid consent: Collect and manage consent as the Act requires.
- Honour rights: Enable access, correction, erasure, and grievance.
- Secure & report: Protect data and report breaches to the Board.
How Breeur helps
Breeur helps you assess DPDP gaps and implement the controls — consent, rights handling, security, and breach processes — ahead of the compliance deadlines.
Frequently Asked
Questions, answered.
What is the DPDP Act?
India's Digital Personal Data Protection Act, 2023 — with Rules notified in 2025 — governing how businesses collect, use, and protect personal data.
What must my business do?
Obtain valid consent, provide clear notices, honour data-principal rights (access, correction, erasure, grievance, nomination), secure data, and report breaches.
When does it take effect?
Enforcement is phased through 2026–2027, so businesses should assess and prepare now. Breeur helps you get ready.
How do I get started with Digital Security for my business?
The best first step is a short, no-obligation conversation. Share your goal and current setup, and Breeur will map a practical, high-return path — often beginning with a small, focused pilot before any larger commitment, so you invest based on proof. You can reach the team at info@breeur.com or through the contact page.
Sources
Figures are drawn from the third-party sources cited above and were cross-checked against them. They reflect industry-wide research and estimates — not guarantees of specific outcomes — and some are indicative industry figures rather than exact measurements.