DPDP Compliance for AI Systems
India's data law now has teeth — and it's looking at your algorithms.
The DPDP Rules 2025 turned the DPDP Act 2023 into an operational compliance regime. If you process personal data at scale in India, the clock to 13 May 2027 has started.
Under the DPDP Rules 2025, every Significant Data Fiduciary must run an annual DPIA and independent data audit, prove its algorithmic software does not harm data principals, and report key findings to the Data Protection Board of India.
The Compliance Timeline
- 2023: DPDP Act receives assent. The Digital Personal Data Protection Act, 2023 becomes law, awaiting operational rules.
- 13 November 2025: DPDP Rules 2025 notified. MeitY notifies the DPDP Rules 2025, operationalising the Act, including Rule 13 for Significant Data Fiduciaries.
- 13 May 2027: Rule 13 fully enforceable. Heightened SDF obligations (annual DPIA, independent audit, and algorithmic accountability) become fully enforceable.
Key Obligations Under the Rules
- Annual DPIA + Independent Audit: Significant Data Fiduciaries must complete a Data Protection Impact Assessment and an independent data audit every 12 months.
- Algorithmic Accountability: You must verify that algorithmic software processing personal data (scoring, fraud detection, recommendations) does not pose a risk to data-principal rights.
- Board Reporting: Key findings from the DPIA and audit must be reported to the Data Protection Board of India.
- Breach Response & Logging: Maintain logs and technical measures; intimate the Board without delay, and with full detail within 72 hours of a breach.
- Data Retention & Erasure: Large e-commerce, social media, and gaming platforms must erase inactive-account data on schedule and notify users 48 hours prior.
- Cross-Border Transfer Limits: Personal data identified by the Government must not be transferred outside India, with related traffic-data restrictions.
DPDP Readiness Checklist
- Map every system that hosts, processes, or shares personal data
- Determine whether you are (or will be) a Significant Data Fiduciary
- Run a Data Protection Impact Assessment (DPIA)
- Bias-test and document your AI/algorithmic decision systems
- Verify consent, notice, and data-principal rights workflows
- Confirm breach-response logging and 72-hour intimation readiness
- Check data-retention timelines and erasure automation
- Assemble Board-reportable audit documentation
Frequently Asked Questions
India's Digital Personal Data Protection Act 2023 is the country's data-protection law. The DPDP Rules 2025, notified on 13 November 2025, provide the operational framework — including specific obligations for Significant Data Fiduciaries under Rule 13.
An organization notified by the Government based on the volume and sensitivity of personal data it processes and the risk it poses. Large banks, fintechs, telecoms, e-commerce, health-tech, social media, and gaming platforms are prime candidates.
The Rules were notified on 13 November 2025, and the heightened SDF obligations under Rule 13 become fully enforceable on 13 May 2027. The annual DPIA + audit cadence runs from the date you are notified as an SDF.
Rule 13 requires you to verify that algorithmic software processing personal data does not harm data principals. In practice that means bias/fairness testing, transparency documentation, and traceable model lineage for recommendation systems, scoring models, and AI decision engines.
Start with a DPDP-Ready AI Audit: map your data flows and models, run the DPIA and algorithmic risk assessment, close the gaps against Rule 13, and assemble Board-reportable documentation — ideally well before the 2027 deadline.
Get audit-ready before the deadline
Our DPDP-Ready AI Audit maps your AI and data systems to Rule 13 and hands you Board-reportable documentation in 3–5 weeks.
