Security + privacy regulations in India

The Digital Personal Data Protection Act 2023 is India's first comprehensive privacy law after years of draft bills and parliamentary debate. It establishes a Data Protection Board of India (DPBI) as the enforcement authority and introduces GDPR-like rights (access, correction, erasure, grievance redressal) for data principals. Structurally the DPDP is closer to GDPR than to US state laws. It applies extraterritorially to anyone processing digital personal data of individuals in India where processing is for offering goods or services. Penalties can reach INR 250 crore (approximately US$30M) per instance for significant non-compliance. Implementation is phased — the Act was enacted in August 2023 but operational rules and final timelines have been rolled out through 2024-2026. As of 2026, most provisions are in force or imminent. DPBI is operational and has begun enforcement. Layered on top: RBI Master Directions on Storage of Payment System Data require domestic storage of payment-related data for Indian payment operations. IRDAI has sectoral rules for insurance companies. CERT-In Directions (2022) require incident reporting within 6 hours for a defined category of cybersecurity incidents by covered entities.

Key laws + frameworks

DPDP Act 2023

India's first comprehensive privacy law. GDPR-adjacent with India-specific variations.

RBI Master Directions

Banking data residency + security requirements for Indian payment operations.

IT Act 2000 + 2011 Rules

Earlier electronic transactions + reasonable security practices regime; largely superseded by DPDP for privacy matters.

CERT-In directions

Incident reporting within 6 hours for covered entities + log retention for 180 days.

Telecommunications Act 2023

New telecom framework affecting OTT messaging + communication services.

Regulators
  • Data Protection Board of India (DPBI)
  • CERT-In (cybersecurity incidents)
  • RBI (banking)
  • IRDAI (insurance)

Breach notification

DPDP: to DPBI and affected data principals within prescribed timelines (final rules phased in). CERT-In: within 6 hours of awareness for covered incident categories.

Cross-border transfer

DPDP allows the Central Government to notify countries to which personal data may be transferred. List is still evolving as of 2026. For sensitive categories (children's data, health), additional rules apply.

Startup priority

Priority stack for India-facing SaaS: (1) DPDP-compliant Privacy Policy + consent flow + grievance-redressal mechanism; (2) Appoint a Data Protection Officer if required (significant data fiduciaries); (3) CERT-In incident-reporting plan; (4) RBI compliance only if handling Indian payment data.