Introduction

India’s journey towards a comprehensive privacy framework has been a long one. Since the Supreme Court’s landmark judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India affirmed privacy as a fundamental right, there has been sustained public and regulatory pressure to introduce a prescriptive data protection law. It became clear that the existing patchwork of sectoral guidance and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, or the “SPDI Rules,” were inadequate. Successive drafts of a proposed law circulated for years; during the same period, global privacy standards evolved rapidly, and many Indian industries, particularly outsourcing and technology, began engaging with and adapting to international privacy requirements. Even as domestic policy discussions continued, businesses were already becoming more familiar with structured privacy compliance expectations.

The wait for the law formally ended in August 2023, when the Indian government enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”). However, the law could not take effect without its implementing rules, which remained conspicuously absent for over two years. These rules, the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), were finally published on 13 November 2025 and will be implemented in phases.

The DPDPA is a comprehensive statute that identifies the entities responsible for processing personal data, adopts consent as the primary legal basis (with a limited set of additional grounds), and imposes detailed compliance obligations on organisations. The DPDPA regulates digital personal data, introduces statutory accountability for data fiduciaries, and establishes an enforcement mechanism through the Data Protection Board of India (“DPB”). It imposes requirements including adequate security safeguards, clear and transparent notices and consent requests, mandatory breach reporting, defined processes for handling children’s data, and structured mechanisms to enable data principal rights. In practice, these requirements will alter how businesses operate: internal business processes will need restructuring, technical infrastructure will require upgrades, and many products and services will require significant redesign to support consent-based processing. The scale of change will demand significant investment in technology, governance, and sustained operational oversight.

This analysis is intended to guide business stakeholders through the key requirements, the preparatory steps that may be necessary, and the strategic considerations likely to shape compliance.

Timelines and Transition

The government has adopted a phased approach to implementing the DPDPA. The provisions establishing the DPB, which is the statutory authority responsible for regulatory oversight, adjudication, and enforcement of the DPDPA, are already in force. Its duties include investigating instances of non-compliance, issuing directions, and determining monetary penalties.

The DPDPA also introduces the concept of consent managers. The provisions relating to the registration of consent managers and their obligations will take effect 12 months from the notification of the DPDP Rules (November 2026). 

The broader compliance requirements for businesses, including obligations around consent, notices, data principal rights, security measures, and breach reporting, will become applicable 18 months from the publication of the Rules (i.e., May 2027). This sequencing reflects the government’s intention to ensure that enforcement infrastructure and the consent-management framework are established before organisations are expected to comply. In the absence of a functioning regulator and the mechanisms that allow individuals to exercise their rights, immediate implementation would have limited practical value.

During this transition period, the existing SPDI Rules will continue to govern personal data processing in India. These rules are considerably narrower in scope, apply primarily to the processing of sensitive personal data (such as financial and health information, biometric data, passwords, and sexual orientation), and impose less prescriptive obligations than the DPDPA.

Applicability and Exemptions

Applicability

The DPDPA applies to personal data processed in India in digital form, and to personal data collected in non-digital form that is subsequently digitised. It also applies to processing undertaken outside India that relates to the offering of goods or services to individuals in India.

Absolute Exclusions

Certain kinds of personal data processing activities are excluded from the scope of the law. A key example is processing publicly available data made available by the concerned individual or another person legally obliged to make such data publicly available. While seemingly straightforward, this exemption raises substantial operational questions: for instance, the extent to which social media content constitutes “public data”, whether mere presence at a televised event amounts to intentional disclosure, or whether data brokers can rely on public sources without offering corresponding opt-out mechanisms. Practically, businesses will have to reconcile this exemption with constitutional free speech principles and Indian jurisprudence on public interest. 

Other examples of exemptions include the processing of non-digital personal data and the processing of personal data by individuals in a personal or domestic capacity. State processing of personal data for public-interest purposes and processing for research and statistical purposes are also exempt from the law, provided that such processing complies with the specified data processing principles.

Partial Exclusions

The law also provides a set of partial exemptions from specific obligations, including consent requirements, the exercise of data principal rights, and certain duties imposed on data fiduciaries. 

The processing of personal data to (i) enforce legal rights and claims by courts and tribunals for investigating, preventing, and prosecuting offences, (ii) for the determination of the financial health of a person who has defaulted on a loan, and (iii) in connection with mergers and acquisitions, do not require compliance with such obligations. Indian businesses that process the personal data of non-resident Indian under contracts with foreign entities may also rely on similar carve-outs. 

Partial exemptions are also available for processing undertaken by notified State instrumentalities for specified public interest purposes, and for processing carried out for research, archiving, or statistical purposes. In these contexts, while obligations relating to consent, data principal rights, and certain data fiduciary responsibilities do not apply, the processing must still comply with prescribed standards. These include lawful and purpose-bound processing, data minimisation, reasonable efforts to maintain accuracy, retention only for as long as necessary, and the implementation of appropriate security safeguards. Where the processing relates to the provision of subsidies, benefits, services, certificates, licences, or permits under law, policy, or public funds, the entity must also issue an intimation to the data principal containing the entity’s contact details and a communication link through which rights may be exercised.

Actors and Actor Classifications

Definitions of Actors

The framework regulates three primary actors. A “data fiduciary” is any person who alone or together with others determines the purpose and means of processing personal data, broadly equivalent to the concept of a data controller in other jurisdictions. A “data processor” is any person who processes personal data on behalf of a data fiduciary. A “data principal” is the natural person to whom the personal data relates. 

The framework also permits the Indian Government to notify certain data fiduciaries as “significant data fiduciaries”. This designation may be based on the volume and sensitivity of personal data processed, the potential impact on data principal rights, and wider considerations such as public order, national security, and electoral integrity. Significant data fiduciaries will be subject to enhanced requirements, including data protection impact assessments, periodic audits, and the appointment of a data protection officer. The government has not yet specified the categories of entities likely to be designated, but businesses operating at scale, within regulated sectors, or handling particularly sensitive datasets should anticipate the possibility of being notified as significant data fiduciaries and prepare for the enhanced requirements that follow.

Supervision and enforcement are vested in the DPB. The DPB is intended to operate as an independent body responsible for investigating non-compliance, issuing directions, and determining monetary penalties. Its structure is designed to support consistent enforcement, although the government retains control over appointments, composition, and conditions of service.

Finally, the framework introduces “consent managers”, which are entities registered with the DPB that act on behalf of data principals to manage consent preferences. They must meet prescribed conditions, including residency requirements, independent certification, minimum net worth thresholds, and safeguards to prevent conflicts of interest with data fiduciaries. They are also required to maintain records, undergo regular audits, and cannot assign their statutory obligations. While consent managers do not replace the data fiduciary’s own responsibilities, they are expected to play a role in standardising consent governance and enabling interoperable consent management across sectors – as well as owe a “fiduciary duty” to data principals. The scope and enforceability of this duty remain undefined and are likely to be shaped by future rule-making or enforcement practices.

At present, data fiduciaries are not mandated to integrate with or rely on consent managers. The DPDPA also does not bar unregistered businesses from performing consent-management functions, raising questions about whether this is a deliberate policy choice, intended to allow market evolution, or a legislative lacuna that may later be closed. Enforcement will likely determine how open this ecosystem ultimately becomes, particularly for smaller or non-Indian service providers.

Actor Classification

The DPDPA does not impose direct statutory obligations on data processors; compliance responsibilities rest with data fiduciaries. Classification is determined through a functional assessment of actual processing activities, which means organisations cannot self-select their role. As a result, many are reassessing their product design, service architecture, and data flows to determine whether operating as a data fiduciary or limiting themselves to data processor functions better aligns with their strategic objectives.

While some may prefer a data processor status given the absence of direct statutory liability, this distinction offers limited practical relief. Data fiduciaries, particularly those that have greater bargaining power, will contractually transfer substantial obligations to processors, and these contractual requirements increasingly mirror statutory duties. Market practice since 2023 has shifted toward more detailed, prescriptive data processor terms, a trend unlikely to recede. A data processor classification, therefore, should not be viewed as a way to materially reduce compliance expectations.

It also remains unclear how the “significant data fiduciary” designation will be operationalised. The government has not indicated whether this status will attach to particular processing operations, specific datasets, or organisations as a whole.

Grounds of Processing

Consent and Legitimate Uses

Consent is the primary legal basis available to process personal data. In its absence, the law recognises a narrow set of “legitimate uses” that permit processing without seeking consent. These cover situations in which a data principal voluntarily provides personal data to a data fiduciary, as well as scenarios in which processing is necessary for defined public-interest and exigency-based functions. Examples include the performance of State functions or delivery of State benefits (subject to prescribed safeguards), compliance with court orders, responses to medical emergencies, the provision of healthcare during epidemics or public health threats, and activities undertaken during disasters or breakdowns of public order. Limited employment-related processing is also included within this category.

This is consistent with the conceptual origins of the DPDPA, which emphasised user autonomy and transparency in private sector data ecosystems. However, the narrow set of non-consent grounds creates practical challenges. Several grounds commonly relied upon in global data protection frameworks, such as processing for compliance with legal obligations, journalistic necessity, contractual necessity, or legitimate interests, are not contemplated under the DPDPA. 

Expected Market Practice

The DPDPA’s approach to legal bases stands in contrast with most global data protection regimes, which recognise legal bases such as compliance with legal obligations, performance of a contract, and legitimate interests. These grounds are widely relied on by organisations to support core operational activities, inter-corporate data transfers, service delivery, and risk management functions. Their absence from the framework significantly heightens the reliance on consent for routine processing activities that, in other jurisdictions, would be managed under alternative bases.  Businesses that had anticipated a broader suite of legal bases under the Rules will need to reassess their assumptions, rethink the popular global “catch-all” architectures, and instead build India-specific processing justifications that align with consent or one of the narrowly framed legitimate uses.

There is also a structural gap between the limited set of statutory grounds and the range of processing activities that businesses routinely undertake. Functions such as analytics, fraud monitoring, service optimisation, internal governance, and B2B service delivery may not always fit neatly within the available legal bases. As a result, organisations will need to evaluate how these activities can be supported under the existing framework through more granular consent models, revised data flows, or adjustments to product design. Over time, further clarity may emerge through regulatory guidance, industry standards, or sector-specific practices.

Consent, Notices, and Translations

Under the DPDPA, any processing based on consent must meet a far more rigorous threshold than most businesses in India (and even many global organisations) are accustomed to. Consent must be freely given, specific, informed, unambiguous, unconditional, and expressed through a clear affirmative act that reflects an unambiguous indication of the data principal’s intent. It must also remain capable of being withdrawn at any time. A valid request for consent must be preceded by a notice made available not only in English but also across all 22 constitutionally recognised Indian languages. This is a non-trivial operational requirement and, in practice, moves the regime closer to an explicit consent model, something that most global business frameworks rarely rely upon because of how complex it is to scale consistently across products and geographies.

Consent notices must accompany consent requests. The obligations on notice design and content are also detailed and prescriptive. A notice must be self-contained and understandable on its own, without requiring the data principal to refer to any other information provided by the organisation. It must present, in clear and plain language, the information necessary to enable specific and informed consent. At a minimum, this includes an itemised description of the personal data proposed to be collected, the specific purposes for which each item will be processed, and an itemised description of the goods or services to be provided or the uses to be enabled by that processing. This requires a level of granularity that may not exist in current consent flows and will necessitate more careful structuring of onboarding journeys and user-facing disclosures.

A notice must also include the contact details of the data protection officer or another authorised representative who can respond to communications from data principals. It must provide a communication link to the organisation’s website or app and describe the means through which the data principal may withdraw consent, exercise rights, or submit complaints to the DPB.

Data fiduciaries must also make their points of contact for privacy matters clearly and consistently accessible. They are required to prominently publish on their website or app the business contact information of their data protection officer or of another authorised individual. This information must also be included in every response sent to a data principal in connection with the exercise of statutory rights.

The cumulative effect of these obligations is to shift organisations away from broad, bundled, or generic consent models. Consent notices must now be precise, self-contained, and capable of supporting clear acceptance models without reliance on additional documents or context. Businesses that operate with global templates may need to adapt their processes to reflect these standards and build India-specific consent and notice architectures that satisfy the heightened requirements of clarity, specificity, and user comprehension.

Managing Pre-Law Personal Data and Ongoing Processing Activities

For organisations that have historically relied on consent under the pre-DPDPA framework, which will be the case for the vast majority of businesses in India, transition obligations focus less on reseeking consent and more on transparency. While processing legacy data collected with pre-DPDPA consent does not require fresh consent, data fiduciaries must use the new, multi-language consent notices as soon as reasonably practicable. These notices reference data principal rights, and as a result, businesses should anticipate and operationalise for higher deletion and withdrawal requests in respect of historic data, alongside the need to map where such personal data sits across their systems.

Children’s Data 

The DPDPA places strict limits on the processing of children’s personal data. Data fiduciaries may not process such data in a manner likely to cause any detrimental effect on a child’s well-being, including tracking, behavioural monitoring, or targeted advertising. These prohibitions apply by default, although the government may create limited exemptions for defined classes of entities or specific purposes. Narrow exemptions apply for certain classes of data fiduciaries, such as clinical establishments, healthcare professionals, educational institutions, childcare providers, and transport providers, as well as specific purposes that include child safety, the provision of subsidies or benefits, child-specific email accounts, real-time location tracking for ensuring safety, and preventing access to harmful content. These exemptions are tightly framed and apply only to the extent necessary for the stated purpose.

Processing the personal data of anyone under 18 requires verifiable parental consent. The law does not prescribe a single verification mechanism. Instead, a data fiduciary may rely on reliable identity and age information already available to it, identity and age details voluntarily provided by the parent, or a virtual token mapped to such information, issued by authorised entities such as digital locker service providers. This flexibility, while helpful, leaves open practical questions around how businesses should design age-gating and onboarding flows, to what extent they must confirm the identity of the parent, and what evidentiary standards will be deemed sufficient. The government may exempt certain data fiduciaries from restrictions if their processing of children’s data is verifiably safe. 

Age-gating and parental verification mechanisms must be robust enough to meet the “verifiable consent” standard while remaining workable in a digital environment. As the DPDP Rules leave room for interpretation, organisations will need to adopt conservative approaches, build clear records of verification steps, and monitor how market practice and regulatory expectations evolve as the law matures.

Security Safeguards and Technical and Organisational Measures 

The law sets out a detailed and prescriptive baseline for security safeguards. A data fiduciary must protect personal data in its possession or under its control, including any processing carried out by its processors, by implementing reasonable security safeguards to prevent a personal data breach. These safeguards must, at a minimum, include appropriate data security measures such as encryption, obfuscation, masking, or the use of virtual tokens, access controls over systems and infrastructure, logging, monitoring, and review mechanisms that provide visibility into access to personal data for the detection and investigation of unauthorised activity, and continuity measures such as data backups to ensure that processing can continue if the confidentiality, integrity, or availability of personal data is compromised.

In addition, organisations must retain logs and personal data, and ensure that their data processors retain such information, for at least one year to enable investigation, remediation, and continued processing following a compromise, unless a longer retention period is required under another law. Security obligations must also be reflected in contracts with processors, ensuring that processors adopt safeguards consistent with those required of fiduciaries. Beyond these minimum standards, data fiduciaries must put in place broader technical and organisational measures to ensure the effective observance of security requirements across their operations.

Data Retention 

Data retention obligations under the law are purpose-bound and time-limited. For most organisations, the law eschews fixed retention periods in favour of a purpose-limitation principle: retain data only as long as necessary to fulfil the original collection purpose or until consent is withdrawn. This principles-based framework places the burden squarely on businesses to justify continued retention. In addition, all data fiduciaries must retain personal data, associated traffic data, and processing logs for at least 1 year from the date of processing, to ensure compliance with lawful government requests. Once this 1 -year period concludes, data may be deleted unless another law or a government notification requires continued retention.

Certain categories of data fiduciaries, such as social media intermediaries, online gaming entities, and e-commerce platforms, are subject to fixed retention periods. At the point of expiry, organisations must give data principals at least 48 hours’ advance notice. If the data principal does not access their account or otherwise engage with the service during that window, the data must be erased upon the end of the retention period. These rules require businesses to integrate deletion triggers, archival processes, and user notification systems into a coherent data lifecycle governance programme.

Taken together, these provisions mean that organisations will need to treat retention as an operational requirement with defined technical outcomes. Retention periods must be recorded clearly, mapped to specific datasets, and enforced through systems that can trigger deletion when required. This places a practical burden on organisations, particularly when legacy infrastructure does not support automated deletion or user notification. Organisations will need to review how their systems identify when a purpose is fulfilled, how retention clocks are calculated, and how deletion may be operationalised across backups, archives, and replicated environments. An added layer of complexity is India’s patchwork of sector-specific retention mandates. Tax laws, corporate compliance obligations, labour laws, and litigation considerations provide for varying retention periods. While the DPDPA does not override these requirements, businesses may also consider coherent data retention policies that guide internal teams and reconcile purpose limitation with retention obligations. 

Cross-Border Transfers and Localisation

Cross-border data transfers are permitted except for restricted territories notified by the Indian government. However, if another law provides for a higher degree of protection or restriction on transfers, that law prevails. This provision ensures that existing sectoral localisation restrictions, such as those applicable to payments, financial services, or telecommunications, remain in force, limiting the DPDPA’s seemingly liberalising effect in practice.

Transfers to foreign regulators or companies under foreign regulatory control require compliance with additional requirements that the Indian government may prescribe. The contours of these requirements remain undefined, creating uncertainty for businesses subject to extraterritorial regulatory oversight or involved in cross-border regulatory investigations. The DPDPA does not provide principles to govern these restrictions, and market consensus is that they will evolve based on geopolitical considerations rather than legal ones. 

The localisation position, however, is stricter for significant data fiduciaries. The government may require that specified categories of personal data, once identified by a designated committee, be processed only on the condition that such data, along with associated traffic data, remain within India. This creates a potential localisation regime by executive action, with no current clarity on which data categories may be captured or the timeline for notification.

Personal Data Breach Reporting

The breach reporting structure creates two distinct notification stages. When a personal data breach is detected, the data fiduciary must issue a preliminary notification to affected data principals through their registered communication channel or user account. At the same time, the DPB must also receive a preliminary notification without undue delay. These early notifications are intended to convey that an incident has occurred and that personal data may have been affected, even if the full scope and impact are not yet known.

A more comprehensive notification to the DPB must follow within seventy-two hours. This second notification must include details on the nature of the breach, the categories of personal data involved, the number of affected individuals, containment measures, and the steps taken or proposed for remediation. Only one notification is required for data principals, and this occurs at the preliminary stage. The law anticipates that investigations will continue during this period, and the comprehensive notice is intended to reflect a more accurate assessment based on early forensic findings.

These obligations operate alongside the existing CERT-In Directions issued under the Information Technology Act, 2000. CERT-In prescribes its own categories of reportable incidents, formats, and timelines. In many cases, the same event will trigger obligations under both regimes. Organisations will therefore need incident response processes that coordinate the requirements of the two systems, ensure consistency of information, and avoid delays caused by parallel reporting tracks.

Given these timelines, organisations must prioritise forensic readiness. This includes maintaining logs that provide visibility into access to personal data, preserving system artefacts that may be relevant to investigations, and ensuring that incident response teams can quickly identify whether personal data has been compromised. The ability to distinguish between a general security incident and a personal data breach is central to meeting statutory obligations. Clear internal escalation pathways, well-defined breach identification criteria, and pre-approved content templates will be important for issuing preliminary notices promptly.

Over time, guidance from the DPB and industry practice will likely clarify expectations on the level of detail required at each stage.

Significant Data Fiduciaries – The Expectations

The law also empowers the Indian Government to impose additional obligations on data fiduciaries or significant data fiduciaries. These obligations shall be applied based on an assessment of relevant factors, such as the volume and sensitivity of personal data processed, the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State, and public order. Moreover, significant data fiduciaries are also subject to additional obligations, which include appointing a data protection officer located in India. 

Additionally, significant data fiduciaries must conduct DPIAs and audits annually, and submit reports to the DPB, verify that technical measures, including any algorithmic software deployed in relation to the processing of personal data, are not likely to pose a risk to the rights of data principals, and localise certain personal data in India, based on recommendations from a designated government-appointed committee.

Data Principal Rights and Duties

Data principal rights are designed to give individuals structured access, control, and recourse over their personal data. Where consent forms the basis for processing, individuals may obtain a summary of the personal data held, the associated processing activities, and the identities and categories of data fiduciaries with whom their data has been shared, along with any further disclosures notified by the government. They may also request correction or erasure of their personal data. All data principals, regardless of the ground of processing, must have access to a clear grievance-redressal mechanism and may nominate another individual to act on their behalf in the event of death or incapacity. 

Data fiduciaries must publish the manner in which these rights can be exercised and are required to resolve grievances within a defined period that cannot exceed ninety days. The law also places duties on data principals, including to not file frivolous grievances, not provide false information, and not impersonate others when exercising their rights. Breach of these duties may attract financial penalties, signalling that individuals are expected to engage with the rights framework responsibly.

The Government’s Power to Call for Information

The DPDPA grants the Indian Government the authority to request information from the DPB, data fiduciaries, or intermediaries. The DPDP Rules specify the purposes for which such information may be sought, and empower the government to specify deadlines for its submission. The government may also direct data fiduciaries or intermediaries to withhold disclosures regarding such requests to data principals and other persons, in the interest of sovereignty and integrity of India or security of the State. 

Enforcement and Penalties

Enforcement is anchored to the DPB, which functions as a digital-first adjudicatory authority. Proceedings may be initiated through complaints from data principals, references from the central or state governments, directions issued by courts, or on the DPB’s own motion where a potential violation is evident. Once a matter is brought to its attention, the DPB assesses whether an inquiry is warranted and conducts proceedings in accordance with the principles of natural justice. It is vested with civil court powers, including the ability to summon information, issue interim orders, seek assistance from law enforcement agencies, and direct parties to mediation or other alternate dispute resolution mechanisms. Decisions of the DPB may be appealed to the Telecom Disputes Settlement and Appellate Tribunal within sixty days, with a further right of appeal to the Supreme Court.

The law also provides for voluntary undertakings. A data fiduciary may commit to specific remedial actions or compliance improvements, and once the DPB accepts such an undertaking, no further proceedings may be initiated on the same matter. This offers a structured alternative to adversarial enforcement and may emerge as a preferred mechanism for resolving process-level non-compliance that does not result in significant losses.

Financial penalties are substantial. The statute contemplates maximum penalties of up to INR 2,500,000,000 (~USD 28.1million) for failures such as implementing inadequate security safeguards, non-reporting of breaches, or non-compliance with obligations relating to children’s data or data principal rights. The Indian Government also retains the power to direct intermediaries to block access to information that enables a non-compliant data fiduciary to offer goods or services in India. Penalty thresholds may be doubled by notification, giving the government significant power to respond to evolving risk patterns.

A structural limitation of the enforcement model is the absence of a private right to compensation. Individuals cannot seek damages for harm arising from non-compliance, which may weaken incentives to pursue complaints unless an incident disrupts service access or creates identifiable detriment. In practice, this may result in a higher proportion of complaints concerning operational dissatisfaction rather than substantive privacy harms, and sustained enforcement may rely more heavily on government references, supervisory monitoring, and DPB-initiated inquiries. Over time, the DPB’s approach to screening complaints, interpreting “harm” in the context of penalties, and using voluntary undertakings will shape how actively the system is used and how reliably it deters non-compliance.

Next Steps – Domestic Businesses

Domestic businesses will need to approach compliance as an operational programme rather than a policy exercise. The first step is to map all personal data processing activities, identify the legal basis for each, and isolate activities that rely heavily on consent. Consent flows, notices, and rights-handling mechanisms will require early redesign, particularly where current interfaces do not support granular disclosures or the ninety-day grievance-redressal window. Businesses should also evaluate whether any of their processing activities, scale, or datasets could expose them to designation as a significant data fiducia, and plan for the additional obligations that may follow. Security safeguards, log retention, and breach-response processes should be reviewed for forensic readiness and alignment with CERT-In requirements. Finally, retention schedules and deletion workflows must be technically enforceable and auditable.

Next Steps – Global Businesses

For global businesses, compliance will require reconciling India’s consent-centred model with more diverse legal bases available under other regimes. Organisations will need to develop India-specific consent and notice architecture, adjust data flow maps to account for sector-specific localisation requirements, and evaluate whether any of their Indian operations could qualify as significant data fiduciaries. Cross-border transfers should be assessed on a jurisdiction-by-jurisdiction basis, with particular attention to existing data-residency mandates in regulated sectors and the possibility of new restricted territories. Multijurisdictional incident-response programmes must also be aligned so that personal data breaches can be notified to the DPB and CERT-In within the required timelines without creating inconsistency with obligations under the GDPR, CCPA, or other regimes. Global data processors should expect more prescriptive contractual requirements from Indian customers, especially where those customers seek to mirror statutory obligations.