

DPDP Act Rules Notified: A 90-Day Compliance Sprint for Indian Corporates

November 24, 2025

The notification of the Digital Personal Data Protection Rules brings the legislative architecture into operational territory. For most corporates, this is the moment the work shifts from policy reading to programme delivery, and the firms that began the preparation in earnest twelve months ago are about to find the runway noticeably easier than those who treated the statute as an abstract obligation.

Our advisory experience over the last quarter has surfaced a recurring sequence that we believe holds up well as a ninety-day sprint. The first thirty days should be dedicated to a candid internal data inventory. This should be a clean audit, not a refresh of the existing register: where the data sits, who has access to it, what historical retention practices remain in place, and which vendor sub-processing flows are presently undocumented. The honesty of this inventory dictates the quality of everything that follows.

Days thirty to sixty should be spent re-architecting notice and consent. The Rules are clear in their preference for plain language, granular purposes, and unbundled consents. Layered disclosures buried in terms of service will not survive scrutiny, and the firms that have been operating under the comfort of pre-DPDP drafting habits will need to retire those habits. We are advising clients to re-draft consumer-facing notices alongside their internal HR and employee-data flows, since the regulator is likely to view the two as a single posture of seriousness.

Days sixty to ninety should focus on grievance redressal and breach readiness. The Act contemplates a named officer, defined turnaround windows, and an auditable trail. We advise clients to treat the grievance pipeline with the same rigour the audit committee applies to a SEBI complaints register, with version control, time stamps, and committee-level review at a regular cadence.

Two areas frequently underestimated are vendor governance and cross-border transfer protocols. Standard data-processing addenda drafted under the prior regime will need to be retired in favour of DPDP-aligned templates, with sharper allocation of liability and clearer breach-notification mechanics. Cross-border flows in particular benefit from being addressed early, since renegotiation with offshore processors typically requires more lead time than companies anticipate.

Compliance with the DPDP regime is not a single-quarter project. It is a programme that will be refined across several reporting cycles. But the next ninety days are the window in which the foundation is set. The companies that use that window well will treat regulator engagement as a strength rather than an exposure.

Oakbridge Law
Corporate & Commercial Law Chambers, Bengaluru