The government is preparing to release the final rules of the Digital Personal Data Protection (DPDP) Act, 2023, with notification expected imminently. The Act, passed in 2023, is widely seen as a turning point in India’s digital governance framework, balancing individual privacy rights with the demands of a growing digital economy.
Draft rules were circulated in January 2025, followed by consultations across industry and civil society. The Ministry of Electronics and Information Technology (MeitY) has now confirmed the framework is ready. With privacy recognized as a fundamental right by the Supreme Court in the landmark Puttaswamy vs. Union of India judgment of 2017, the DPDP Act represents the most comprehensive legislative response to date.
At its core, the law establishes rules for collecting, processing, and safeguarding personal data, while also defining obligations for businesses and rights for citizens. Penalties for non-compliance can extend up to ₹200 crore.
Ahead of the final notification, CiOL spoke with Malcolm Gomes, COO at IDfy, to understand the practical challenges businesses may face.
With the DPDP Act rules expected soon, what are the key areas where Indian businesses are most likely to face compliance challenges, particularly in balancing consent management and operational efficiency?
The DPDP Act challenges businesses to move beyond long, static privacy policies and towards contextual, purpose-driven privacy notices that truly enable informed consent, along with putting the right safeguards on the handling of customers’ personal data inside and outside the enterprise.
While there will be compliance challenges, from our work with several early movers we believe there is substantial value beyond just compliance — in the form of smaller, more accurate data footprints, leaner and cleaner data models, tighter third-party controls, and higher-quality personalization.
In terms of the challenges expected, having a ringside view, we believe the key ones could span (but are not limited to):
● Building privacy and consent into customer interactions, for both new and existing customers, while managing consent fatigue
● Understanding where personal data resides and ensuring the right safeguards
● Ensuring tight control with third parties over the flow and usage of customers’ personal data
● Setting up a multi-skilled organisation and ensuring trust and privacy are front and centre on the agenda
For example, while one challenge is managing consent fatigue, the real solution isn’t more pop-ups; it’s smarter design: tying consent to the customer lifecycle, asking for it at the right moment, with clarity and relevance. At Privy by IDfy we are partnering with several ‘early mover’ enterprises and working through these challenges, powering privacy and data governance for some of India’s largest organizations and setting the foundation for scalable privacy transformation.
How do you see the DPDP framework aligning or diverging from global data privacy standards like GDPR and CCPA, especially in terms of cross-border data flows and enterprise obligations?
The DPDP Act shares global principles like purpose limitation, notice, and accountability, but it is deeply rooted in India’s reality. We have to solve for Bharat: 22 languages, inclusion across digital and assisted journeys, and consent flows that work for every demographic. Unlike GDPR or CCPA, DPDP explicitly places the burden of proof on the data fiduciary, making immutable consent artifacts and auditable trails a must.
In addition, DPDP necessitates collecting consent in 22 regional languages, managing granular purpose-specific consents, supporting assisted digital journeys, maintaining end-to-end auditability, and ensuring compliance across every third-party interaction, all while building systems that are scalable, accountable, and user-trust-first.
Hence to drive end-to-end trust and privacy, simply copy-pasting Western playbooks won’t work. What’s needed is a fundamental re-think of privacy architecture, built for India. Early movers are already leveraging Privy by IDfy to embed this re-think into their trust and privacy transformations.
India’s digital ecosystem is dominated by startups and SMEs with varying maturity in data governance. What practical approaches can smaller enterprises adopt to ensure compliance without stifling innovation?
For all organizations, large or small, we don’t believe DPDPA compliance has to come at the cost of innovation. In fact, we believe the value of embedding Trust and Privacy at scale is far more substantial, enabling smaller, more accurate data footprints, leaner and cleaner data models, tighter third-party oversight, and more meaningful, high-quality personalization.
Even for startups and SMEs, ensuring Trust and Privacy and driving compliance doesn’t need to impact innovation; it’s about building on the right foundations. We see three practical ‘minimum viable privacy’ (MVP) pillars to anchor this journey:
● Consent Lifecycle Management – Capture, storage, and revocation via a Consent Governance Platform so teams don’t need to reinvent the wheel.
● Personal Data Governance – Start small but strong: classify data, minimise collection, and link everything back to defined purposes.
● Continuous Compliance & Risk Management – Automate Principal Rights management, retention, and audit logs so compliance isn’t a one-off project but an ongoing capability.
This lightweight but structured approach ensures smaller enterprises can meet DPDP expectations while staying agile.
● To support exactly this need, we recently launched Priview in partnership with DSCI, helping organisations benchmark their readiness and build out compliant privacy notices.
● We also continue to enable the ecosystem with roundtables and workshops that transcend industries, inviting key stakeholders to share perspectives across dimensions from policy to implementation.
● And we’re proud to be recognised among the top six consent management systems in India through MeitY’s Code for Consent Challenge, a validation of the path we’re shaping for the ecosystem.
Consent management is central to DPDP. What are the emerging industry best practices for consent capture, storage, and revocation, and what gaps still exist in current corporate implementations?
Compliance with the DPDP Act cannot be reduced to a checklist exercise; it needs to be architected as a future-proof operating model. That means thinking not just about today’s consent screens, but about the downstream implications of every data flow: how information is shared, repurposed, and eventually retired.
The real challenge for Indian enterprises will be to design systems that are stress-tested for Bharat: 22 languages, accessibility for children and persons with disabilities, and cultural nuances of trust. At the heart of it all lies demonstrability: being able to showcase, with evidence, that consent was informed, purpose-limited, and honoured throughout its lifecycle.
This is why our approach at Privy goes beyond tooling — it’s about enabling enterprises to build privacy programs that can withstand regulatory scrutiny, scale with business growth, and adapt as new use cases of data emerge.
Closing the loop, i.e., revoking consent or deleting data for non-mandatory purposes, is the other leg that needs to be managed. This requires robust data discovery to know where personal data resides and the right controls in place to enforce consent decisions, ensuring that data usage aligns with stated purposes and unlocking the true value of compliance and trust.
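A minimal model of the consent lifecycle discussed above and in the earlier answers (purpose-specific capture with notice version and language, revocation as a new event rather than an edit, and a hash-chained trail the data fiduciary can recompute as evidence), added here as an illustration; it is not code from IDfy or Privy, and the event fields, the data-principal identifier and the purpose names are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # pseudo-hash chained in front of the first event

@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)  # append-only; never edited in place

    def _append(self, event: dict) -> dict:
        # Each record commits to the previous hash, so editing an earlier event breaks verify().
        prev = self.events[-1]["hash"] if self.events else GENESIS
        body = {**event, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        record = {**body, "hash": digest}
        self.events.append(record)
        return record

    def grant(self, principal: str, purpose: str, notice_version: str, language: str, ts: str) -> dict:
        # Capture: which notice, in which language, the data principal accepted for this purpose.
        return self._append({"ts": ts, "principal": principal, "purpose": purpose, "action": "grant",
                             "notice_version": notice_version, "language": language})

    def revoke(self, principal: str, purpose: str, ts: str) -> dict:
        # Revocation is a new event, not an edit of the original grant.
        return self._append({"ts": ts, "principal": principal, "purpose": purpose, "action": "revoke"})

    def evidence(self, principal: str, purpose: str):
        # The latest event for (principal, purpose) is the artifact justifying the current state.
        for ev in reversed(self.events):
            if ev["principal"] == principal and ev["purpose"] == purpose:
                return ev
        return None

    def is_permitted(self, principal: str, purpose: str) -> bool:
        # Purpose limitation: consent for one purpose never authorises another; no event, no consent.
        ev = self.evidence(principal, purpose)
        return ev is not None and ev["action"] == "grant"

    def verify(self) -> bool:
        # Recompute every hash and link so the fiduciary can show the trail is intact.
        prev = GENESIS
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if ev["prev"] != prev or ev["hash"] != expected:
                return False
            prev = ev["hash"]
        return True
```

A processing path should call `is_permitted` for its specific purpose before touching personal data, and `evidence` is what gets produced when asked to demonstrate that consent was informed and honoured.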
From a policy perspective, which aspects of the DPDP Act and its rules could have the most impact on sectors like fintech, healthtech, and e-commerce, and what are the potential unintended consequences for digital businesses?
The impact will be felt most immediately in BFSI and allied sectors where trust, security, and compliance are mission-critical. But it won’t stop there: every B2C business, whether digital-native or digital-enabled, will need to rethink how data is collected, processed, and governed in light of DPDP’s obligations.
In the case of digital-native businesses, for example: healthtech will face the highest bar — safeguarding sensitive data while ensuring accessibility. E-commerce will need to rethink profiling, tracking, and retention practices that were once taken for granted. Online media and entertainment will need to be transparent about the implicit data collected and what it is used for.
There is of course an ‘imagined’ unintended risk that compliance requirements could open up an additional avenue of scrutiny and slow down product cycles. But the smarter view is that this shift drives value beyond just compliance and forces enterprises to have smaller, more accurate data footprints; build leaner, cleaner data models; have tighter third-party controls; and higher-quality personalization. These second-order benefits strengthen trust, which is the real currency in a digital economy.
How should organizations prepare for enforcement and audit under the DPDP Act, and what role should open standards and interoperable technologies play in building scalable, future-proof data privacy practices in India?
While the rules will provide the timelines for full compliance, the first 90 days after rule notification are critical — they set the tone for long-term compliance. Enterprises should use this window to lock in the fundamentals: build authoritative personal data inventories, codify the consent lifecycle across customer journeys, and set up continuous compliance monitoring with audit-ready evidence. Those who get this foundation right will find scaling privacy far easier as obligations tighten over time.
From our work with early movers, the idea is to build an ‘island of excellence’ for Trust and Privacy within the organisation within 90 days, e.g., a set of key journeys or a business unit. This can be scaled rapidly to cover the full organisation and ensure full compliance within the stipulated deadlines, along with the requisite change management.
While technology choices matter, the focus should be on creating systems and processes that can adapt and scale. Early movers using Privy by IDfy are already leveraging this approach, turning DPDP compliance from a regulatory obligation into a strategic advantage and a platform for building stronger trust with customers.
The way I see it, the DPDP Act is not just about compliance. It’s about earning trust. Organisations that invest in consent lifecycle, personal data governance, and continuous compliance will not only de-risk themselves but also unlock second-order benefits: tighter partner and risk control; smaller, accurate data footprints; higher-quality models for better personalisation; and a stronger bond of trust with their customer base.