The DPDP Act Is Now Operational Law — Your Business Has Until May 2027. Here Is What That Really Means.

This is Edition #1 of The Tamvada Brief — a fortnightly note from Sirish Tamvada on Indian commercial law, written for founders, business owners, and the senior leaders who run real businesses.

We are publishing this first edition because the Digital Personal Data Protection Act, 2023 has moved from “passed but pending” to operational law. The DPDP Rules were notified on 14 January 2025. Most of the substantive provisions have commenced. And the regulatory grace period — the window in which the DPDP Board is expected to take an educative rather than punitive posture — ends in approximately May 2027.

If your business handles personal data of any kind from Indian residents — and almost every business does — the next thirteen months are when DPDP compliance must be built. Not started, built.

What the Act actually does

The DPDP Act creates a single, comprehensive privacy framework for the processing of digital personal data in India. It replaces the patchwork that existed previously under the Information Technology Act, 2000 and the SPDI Rules, 2011.

The five principles that anchor the Act:

  1. Lawful purpose — every processing activity must have a defined lawful purpose
  2. Consent — most processing requires the data principal’s free, specific, informed, unconditional, unambiguous consent
  3. Notice — clear, accessible, and translated where necessary
  4. Purpose limitation — data collected for one purpose cannot be repurposed without fresh consent
  5. Data minimisation — collect only what you need

These principles get operationalised through:

  • Consent managers (Section 6) — a registered intermediary class
  • Data Principal rights (Chapter III) — access, correction, erasure, grievance redressal, nomination
  • Significant Data Fiduciary designation (Section 10) — additional obligations including DPIA and audit
  • Data Protection Board of India (Sections 18–29) — the enforcement authority

What changes for your business

Three operational changes for almost every business:

Consent architecture. The implicit-consent models that worked under the SPDI Rules do not work under DPDP. Affirmative, specific, granular consent — captured at the moment of collection, with the ability to withdraw — must be built into every customer touchpoint.
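As an added illustration, not taken from the newsletter or from the firm's toolkit, the following Python sketch shows what "affirmative, specific, granular consent with the ability to withdraw" looks like once it is engineering rather than policy: each consent record is bound to a single purpose and a named set of data categories, withdrawal is per purpose, and every processing decision is checked against the live ledger so that a purpose the principal never agreed to, a category the purpose does not need, or a withdrawn consent is refused. The purpose names, data categories and notice versions are constructed sample values.

```python
"""Purpose-bound consent ledger (added example; assumptions are noted inline)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass
class ConsentRecord:
    """One consent for exactly one purpose, captured against a specific notice."""
    principal_id: str
    purpose: str                     # a single, specific purpose, never a bundle
    data_categories: FrozenSet[str]  # only the categories that purpose needs
    notice_version: str              # the notice shown at the moment of collection
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def is_active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Append-only store of purpose-scoped consents with per-purpose withdrawal."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, principal_id: str, purpose: str,
                       data_categories: Iterable[str], notice_version: str,
                       now: Optional[datetime] = None) -> ConsentRecord:
        # Consent is captured per purpose; a blank or catch-all purpose is rejected
        # so bundled "agree to everything" consent cannot be recorded at all.
        if not purpose or not purpose.strip():
            raise ValueError("purpose must be specific and non-empty")
        categories = frozenset(data_categories)
        if not categories:
            raise ValueError("data categories must be named (data minimisation)")
        rec = ConsentRecord(principal_id, purpose.strip(), categories, notice_version,
                            now or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, principal_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """Withdraw consent for one purpose only; returns False if nothing was active."""
        changed = False
        for rec in self._records:
            if (rec.principal_id == principal_id and rec.purpose == purpose
                    and rec.is_active()):
                rec.withdrawn_at = now or datetime.now(timezone.utc)
                changed = True
        return changed

    def may_process(self, principal_id: str, purpose: str, data_category: str) -> bool:
        """The gate every processing step calls before touching personal data.

        Refuses when the purpose was never consented to (purpose limitation),
        when the category is outside that consent (data minimisation), or when
        the consent has been withdrawn.
        """
        return any(
            rec.principal_id == principal_id
            and rec.purpose == purpose
            and data_category in rec.data_categories
            and rec.is_active()
            for rec in self._records
        )

    def active_purposes(self, principal_id: str) -> Set[str]:
        """What a principal could be shown in a 'manage my consents' screen."""
        return {r.purpose for r in self._records
                if r.principal_id == principal_id and r.is_active()}


if __name__ == "__main__":
    # Constructed walk-through: one customer, two separately captured purposes.
    ledger = ConsentLedger()
    ledger.record_consent("cust-001", "order-fulfilment",
                          {"name", "address", "phone"}, "notice-v3")
    ledger.record_consent("cust-001", "marketing", {"email"}, "notice-v3")
    print(ledger.may_process("cust-001", "order-fulfilment", "address"))  # True
    print(ledger.may_process("cust-001", "marketing", "phone"))           # False
    ledger.withdraw("cust-001", "marketing")
    print(ledger.active_purposes("cust-001"))                             # {'order-fulfilment'}
```

The point of the shape is that consent lives next to the data, keyed by purpose, and the application asks the ledger at the point of use. Re-purposing data for a new purpose, or a vendor feed that pulls categories the purpose never covered, fails the `may_process` gate instead of silently succeeding.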

Vendor pass-through. Every Data Processor relationship (your CRM, your payroll provider, your analytics platform) must now be governed by a written contract that imposes DPDP obligations on the processor. Most vendor agreements today do not.

Breach notification. Section 8(6) of the Act requires the Data Fiduciary to notify the Data Protection Board and affected Data Principals of a personal data breach in such form and manner as prescribed. The Rules give specific timelines and channels. Operationally, this means a breach-response playbook that knows what to do in the first 24 hours.

What the penalties look like

Section 33 read with the Schedule prescribes financial penalties for various contraventions. The headline numbers:

  • Failure to take reasonable security safeguards — up to Rs 250 crore
  • Failure to notify the Board or affected principals of a personal data breach — up to Rs 200 crore
  • Failure of additional obligations for children’s data — up to Rs 200 crore
  • Failure of obligations of Significant Data Fiduciaries — up to Rs 150 crore
  • Other non-compliance — up to Rs 50 crore

These are upper limits. The Board has discretion under Section 33(2) to consider the nature and gravity of the breach in fixing the penalty. But that discretion is calibrated against a top end that is, by Indian regulatory standards, very high.

The senior advocate’s take

Three things I tell every founder client about DPDP:

  1. Compliance is an architecture exercise, not a policy exercise. A 20-page privacy policy that you posted in 2018 will not get you through DPDP. The Act demands engineering — consent capture, data inventories, processor agreements, breach response — that lives in your product and your operations, not in a Word document.

  2. The grace period is not a holiday. May 2027 is the operative ceiling, not a finish line. The Board is expected to test enforcement in defined areas — significant data fiduciaries, children’s data, breach notification — well before then. Compliance failures discovered in 2027 will be measured against what was reasonable from 2025 onward.

  3. Start with data flows, not policy. Map every place personal data enters, transforms, and leaves your business. Most founders cannot do this for their own company. The map is the compliance project’s starting point.

What to do this quarter

  1. Conduct a data inventory — what personal data you collect, where it is stored, who it is shared with
  2. Audit your consent capture points — is your consent unbundled, specific, withdrawable?
  3. Re-paper vendor processor agreements — DPDP-compliant data processing addenda
  4. Build the breach-response playbook — Day 0 to Day 30, with named owners
  5. Designate a contact for DPDP grievances and publish the contact on your website

The pairing

If this resonates and you want the working playbook, the DPDP Compliance Toolkit (₹1,499) gives you the templates — consent architecture, processor agreement, breach playbook, DPIA template — that the firm uses in its own client work.

To engage with the DPDP Act itself, the full Act PDF is in the Knowledge Centre Downloads.

What is in Edition #2

Edition #2 of The Tamvada Brief — Inside Due Diligence: What Indian VCs Actually Check Before They Wire the Cheque — publishes on 23 May 2026. It covers the operating layer of a Series A/B diligence — the legal items that get red-flagged, the questions every founder should be able to answer in 90 seconds, and the patterns that quietly kill deals.

Subscribe on LinkedIn — The Tamvada Brief — to receive it as soon as it publishes.

Disclaimer

This newsletter is informational and educational. It does not constitute legal advice. The Tamvada Brief is a fortnightly publication of Tamvada & Associates, Advocates and Solicitors, Bangalore. For matters specific to your business, please consult counsel.

— Sirish Tamvada, Managing Partner, Tamvada & Associates


Sources cited in this edition

Primary statute (source: indiacode.nic.in):
– Digital Personal Data Protection Act, 2023 — Act No. 22 of 2023

Subordinate legislation:
– DPDP Rules, 2025 (notified 14 January 2025) — MeitY portal

Regulator portal:
– Ministry of Electronics and Information Technology — meity.gov.in
– Data Protection Board of India (once operational, separate portal)

Originally published 9 April 2026 · Archived on-site 15 May 2026 (planned).