Skip to main content

Q1 - When should organizations start complying with DPDPA?

Answer
  • Compliance is required from the date notified by the Central Government for each provision of the Act and Rules.
  • The law will not apply retroactively, but once the rules come into force, organizations must already be prepared — there is no “grace period” for negligence.
Example

If the government notifies that breach reporting rules start from 28th September 2025, then:

  • A bank suffering a cyberattack on 29th September 2025 must notify the Board within 72 hours.
  • If it fails, penalties can apply, even if the bank argues it “needed more time” to build reporting systems.

In short, businesses should start preparing now, because once commencement is notified, compliance becomes legally binding.