
By Iliyan Gerov, Product Marketing Manager, Acronis
What changed in November 2025: DPDP rules go live
In November 2025, the Indian government formally enforced the Digital Personal Data Protection (DPDP) Rules, 2025, operationalizing the DPDP Act, 2023. This marked the transition from a principles-based law to an enforceable compliance regime.
Key developments businesses must be aware of:
- The DPDP Act is now enforceable, subject to phased compliance timelines.
- The Data Protection Board of India (DPBI) is operational, with adjudication and penalty powers.
- Consent, notice, grievance redressal, and breach reporting requirements are now procedurally defined.
- Clear timelines of up to 90 days are prescribed for responding to Data Principal requests.
- Children’s data obligations are clarified, including verifiable parental consent mechanisms.
- A mandatory one-year data retention period has been introduced.
- Cross-border data transfers clarified: The final DPDP Rules, 2025 confirm a blacklist-based approach (not data localization), allowing cross-border transfers by default while requiring businesses to maintain continuous, up-to-date data mapping to restrict transfers to any government-notified prohibited jurisdictions.
Obligations become mandatory 18 months after notification (November 2025). This is the active compliance window, not a future consideration.
What is personal data and why does it need protection?
In today’s digital world, personal data is more valuable than ever. It includes any information that can be used to identify an individual, such as names, phone numbers, email addresses, financial details and even online behavior patterns. Organizations routinely collect such data to deliver services, manage operations and fulfill customer requests.
However, with the rise of cyberthreats and data breaches, protecting personal data is crucial to prevent identity theft, financial fraud and unauthorized surveillance.
To answer the rising risks, governments worldwide are implementing stringent regulations to safeguard personal data. India’s Digital Personal Data Protection (DPDP) Act, 2023, is landmark legislation that aims to protect personal data and regulate its processing, including collection, storage, usage, sharing, disclosure, erasure, etc.
This article explains the DPDP Act’s requirements and outlines practical measures to help organizations protect personal data and maintain compliance.
Digital Personal Data Protection (DPDP) Act overview
The DPDP Act, 2023 (updated November 2025) establishes clear rules for businesses and organizations that handle personal data. It defines the roles and responsibilities of different entities, ensures Data Principals (individuals) have control over their data, and mandates compliance measures for Data Fiduciaries (entities determining the purpose and means of processing).
DPDP Act applicability
The DPDP Act applies to:
- Digital personal data collected within India.
- Personal data of Data Principals within India, processed outside of India if it relates to offering goods or services in India.
- The Rules reaffirm that offline data later digitized also falls within scope once processed digitally.
Data Principal and Data Fiduciary
There are three main entities when it comes to the DPDP Act:
- Data Principal: The individual whose personal data is being processed.
- Data Fiduciary: Any entity (business, government or individual) that determines why and how personal data is processed.
- Data Processor: Any person who processes personal data on behalf of a Data Fiduciary. (Data Processors inherit security and breach-reporting duties contractually, even though statutory liability remains with the Data Fiduciary.)
Note: Government organizations can be exempt from the DPDP Act regulatory requirements.
Main rights and duties of Data Principals
The DPDP Act grants individuals several rights, including:
- Right to Information and Access: Individuals can request details on how their data is being processed.
- Right to Correction and Erasure: Individuals can request corrections or deletion of their data.
- Right of Grievance Redressal: Individuals can file complaints if their data is mishandled. Such complaints are tied to concrete response times of up to 90 days.
- Right to Nominate: Individuals (principals) can nominate another person to exercise rights in the event of death or incapacity.
- Duty for Legitimate Grievance Redressal: Data principals must not register a false or frivolous complaint.
- Duty for Data Accuracy: Data principals must not furnish any false particulars or impersonate another person in specified cases.
The duties of Data Principals under the DPDP Act are:
- Not to impersonate another person.
- Not to suppress any material information.
- Furnish only such information as is verifiably authentic.
- Not to file false or frivolous grievances.
Violation of duties will be punishable with a penalty of up to ₹10,000.
Obligations of Data Fiduciaries and Data Processors
Entities handling personal data (data fiduciaries) and individuals handling personal data on behalf of such entities (data processors) must:
- Ensure lawful data processing with consent and legitimate use.
- Protect data against data breaches by taking reasonable security safeguards.
- Notify authorities (Data Protection Board of India) and affected individuals in case of data breaches.
- Store data only in locations that are not blacklisted/prohibited under the Act.
- Ensure compliance with data retention and deletion policies.
- Make reasonable efforts to ensure the accuracy and completeness of data.
- Address grievances within up to 90 days of receiving them.
- The Rules mandate that grievance redressal mechanisms and contact details be clearly published and accessible, including through digital interfaces.
Data Protection Board of India
The Data Protection Board (DPB) is the regulatory authority responsible for enforcing the DPDP Act. It is empowered to:
- Inquire into personal data breaches.
- Enforce compliance with the Act and Rules.
- Impose monetary penalties.
- Direct remedial or corrective measures.
The Board operates digitally and follows a quasi-judicial adjudication process.
DPDP Act penalties
The DPDP Act, 2023 (updated November 2025) introduces strict penalties for noncompliance. Organizations that fail to adhere to data protection requirements may face significant financial consequences.

Penalties are discretionary and proportional, based on breach severity, mitigation effort and cooperation.
Implications for businesses
- Hefty fines: Organizations handling large volumes of personal data must implement robust security measures to avoid penalties.
- Reputational damage: Data breaches and noncompliance can lead to loss of customer trust and business credibility.
- Regulatory scrutiny: The Data Protection Board of India has the authority to investigate and enforce compliance, increasing oversight on businesses handling personal data.
With these penalties in place, businesses must take proactive security measures to ensure compliance, prevent breaches and avoid financial and reputational risks.
Exemptions from the DPDP Act
Certain organizations and scenarios may be exempt from specific provisions of the DPDP Act, including:
- Government agencies for national security or law enforcement purposes.
- Certain small businesses based on processing volume and nature, e.g., personal data processed for any personal or domestic purpose and personal data that is made publicly available by the Data Principal to whom such personal data relates.
- Data processing for journalistic, research or archival purposes.
What DPDP Act means for managed service providers (MSPs)
Managed service providers (MSPs) play a crucial role in securing and managing IT environments for businesses of all sizes. The DPDP Act, 2023 (updated in November 2025) introduces new responsibilities for MSPs who typically act as Data Processors and, in some cases, co-fiduciaries depending on contractual control, as they handle personal data on behalf of their clients.
Key implications for MSPs
1. Increased compliance burden: MSPs must ensure their services align with DPDP Act requirements, including secure data handling, breach notification and compliance reporting.
2. Data storage and localization: MSPs serving Indian clients need to ensure personal data is not stored in restricted countries.
3. Incident response and breach management: Since MSPs often manage cybersecurity for their clients, they must have robust mechanisms for detecting, reporting and mitigating data breaches.
4. Data retention and deletion policies: MSPs must implement clear policies for data retention and deletion, ensuring compliance with client requirements and regulatory mandates, including the mandatory one-year data retention period.
5. Security as a service: With growing compliance demands, MSPs have an opportunity to offer managed security services, including data loss prevention (DLP), endpoint detection and response (EDR) and compliance monitoring.
How MSPs can stay compliant
To maintain compliance and enhance security, MSPs should:
- Implement advanced cybersecurity solutions such as EDR, XDR and DLP to protect personal data.
- Ensure data storage practices align with DPDP Act regulations.
- Use automated tools for breach detection and reporting.
- Offer cyber resilience services, including data backup, recovery and risk assessment.
- Maintain audit-ready logging and incident records.
- Support client breach notification workflows.
With these strategies, MSPs can not only comply with the DPDP Act, but also position themselves as trusted partners in the data protection and security space.
How Acronis can help you comply with the DPDP Act
Acronis provides a portfolio of natively integrated cybersecurity, data protection and management solutions, designed for MSPs (and by extension, businesses they serve) to help organizations meet key DPDP Act requirements. Here’s how:
1. Protecting personal data
Solution: Acronis EDR and XDR and Acronis Data Loss Prevention (DLP)
- How it helps:
  - The award-winning and AI-guided Acronis EDR and XDR protect against ransomware and advanced attacks, helping safeguard sensitive data across endpoints, cloud applications, email and identity environments. Furthermore, with Acronis EDR and XDR, partners and organizations can ensure that business continuity remains uninterrupted by rolling back attack changes or recovering as part of incident response.
  - Acronis DLP prevents unauthorized access and data exfiltration — with the fastest time to value in the market. Automatically create and fine-tune DLP policies per organization by observing user behavior.
2. Ensuring data authenticity
Solution: Acronis Backup with ML-based data validation
- How it helps: Ensures stored data remains untampered and authentic. Acronis’ machine learning-powered validation detects corruption or unauthorized changes in backup files, maintaining data integrity.
3. Informing the Data Protection Board and affected individuals in case of a breach
Solution: Acronis EDR and XDR
- How it helps: Automatically monitors and correlates events to provide real-time visibility into a prioritized list of security incidents — helping you focus on what’s most important. At the same time, our solution streamlines incident analysis with unparalleled AI-guided summaries and attack interpretations, empowering lower tier technicians to analyze with ease and speed. Finally, it provides automated reporting capabilities, enabling quick compliance with the DPDP Act’s breach notification requirements.
4. Ensuring data is not stored in restricted countries
Solution: Acronis global and India-based data centers
- How it helps: Acronis operates India-based data centers, ensuring organizations have a way to store personal data locally. While the DPDP Act doesn’t explicitly prohibit cross-border data transfers, it operates a list of blacklisted countries, and Acronis’ 53 other data centers worldwide can help ensure sovereignty and compliance across the globe.
5. Data retention and deletion compliance
Solution: Acronis Backup and Recovery
- How it helps: Enables businesses to set automated retention policies and ensure timely deletion of personal data, helping meet legal and compliance obligations.
6. Continuous monitoring and risk assessment
Solution: Acronis Remote Monitoring and Management (RMM)
- How it helps: Provides real-time, AI-based monitoring of IT systems, detects and mitigates vulnerabilities, streamlines processes via scripting and ensures proactive risk management to prevent potential compliance violations.
Conclusion and next steps
With the DPDP Rules now in force, compliance is no longer theoretical. Organizations and MSPs must treat 2026–2027 as the execution phase for consent, security, breach response and governance.
Acronis enables MSPs and businesses to operationalize DPDP compliance through integrated cybersecurity, data protection and management capabilities, reducing regulatory risk while strengthening trust.
About Acronis
A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.



