The Digital Personal Data Protection Act (DPDP Act) 2023 establishes a legal framework for processing digital personal data, reinforcing privacy as a fundamental right. Supplemented by DPDP Rules 2025, it shifts the focus from compliance to strategic opportunity, emphasising governance, consent integrity, and robust security frameworks. As data volumes surge and AI adoption accelerates, DPDP compliance is key to building trust and ensuring organisational readiness for a privacy-first future.
Decoding DPDP Act 2023 and DPDP Rules 2025 for boards
18 December 2025
Join KPMG in India at the webinar on the Digital Personal Data Protection (DPDP) Act 2023 and the DPDP Rules 2025
DPDP - Webinars & Webcasts
The 18-month countdown begins: DPDP Rules 2025 action plan
Watch the webinar to understand how to turn compliance into advantage and build a credible privacy foundation
Driving growth with DPDP trends
- Digital Personal Data Protection Act 2025
- DPDPA Rules are foundational for Digital India
- Digital Personal Data Protection Act (DPDPA) - Obligations to opportunities
- DPDP pushes automakers towards 'privacy-by-design' architecture
- The risk navigator: Forensic and legal strategy
- Akhilesh Tuteja
- Atul Gupta
- Nitin Shah
While the large corporations in India may be ready for the new DPDP rules, the ecosystem of partners, vendors, suppliers, etc. may not be ready - this is one of the significant holes in the entire readiness for our country. Smaller organisations have a lower level of understanding to start with, and also sometimes implementation of DPDP rules.
It's not the notice, it's not the consent, it's not about getting your system right, it's about getting your ecosystem right. Because larger organisations will take several months just to educate their ecosystem partners what it is, why it is important, even before they start to put the first process in.
DPDPA rules build on the pragmatic approach adopted while publishing the Act, which is evident from the additional considerations for significant data fiduciaries and prioritising identified industry segments. These rules will enable addressing the wider issue that the citizens and consumers face today of mass data proliferation across digital channels and the need for adequate protection around digital data. Having a data protection board shall lead to stronger enforcement and will go a long way in addressing the vision as part of Digital India and Viksit Bharat.
Nitin Shah
Partner, DT-Cyber Strategy and Govn
KPMG in India
The Digital Personal Data Protection Act empowers India Inc to put customers at the heart of digital transformation. By giving individuals greater control over what data is processed, why it’s processed, and how outcomes are delivered, organisations can build trust as the foundation for innovation and growth.
One of the things India has been proud of is the speed, the ability to innovate and drive outcomes using digital technologies. One of the key challenges around this digital revolution is how do we protect personal data. The DPDPA Rules are foundational for us to become Digital India and continue the journey of acceleration on how we bring digital into our everyday life.
The ongoing wave of digital transformation has exposed new gaps in security structures, intensifying the complexities of data protection and regulatory adherence. At the CIO Meet, we explored how enterprises must gear up for India's DPDPA rollout.
Though compliance has been a familiar theme, its strategies are constantly redefined by evolving technology. Modern data protection demands an advanced, nuanced approach shaped by innovation and digital evolution. This shift encourages businesses to expand their perspective, moving from strict regulatory adherence to uncovering broader advantages.
“DPDPA introduces a structured approach to personal data protection. It represents more than fulfilling requirements - it is about reshaping how we manage, store, and process sensitive information. Navigating this complex terrain requires robust controls that integrate behavioral insights. This balance not only safeguards key assets but also strengthens trust across stakeholder groups. To manage this challenging environment, organisations should establish strong controls while considering human behavior. This is key to protecting assets and maintaining trust among stakeholders.”
Jeffry Jacob
Partner and National Sector Leader - Automotive, Industry Group Leader - Chemicals
KPMG in India
Corporate risk isn’t what it used to be. With DPDP Rules 2025 coming in and Gen AI changing the game, forensic and regulatory readiness is not just about reactive investigations anymore; it’s about showing resilience in response, building stronger redressal forums/ethics committees, and conducting periodic sanctity reviews, with the most effective use of technology. Legal and forensic strategies must work hand-in-glove to help organisations stay ahead of emerging threats and be compliant with regulatory requirements.