It’s October 2025, and the Indian digital ecosystem feels like it’s on the edge of its seat.
The passing of the much anticipated date of September 28, 2025, for the DPDP Rules, though initially a melody to ears, means the waiting continues as all eyes remain on the door for the final rules to arrive.
Why the wait?
India’s Digital Personal Data Protection (DPDP) Act, 2023, is already the law of the land but without teeth since it is still awaiting its enforcement. But, as any privacy professional will tell you, the real game begins when the rules arrive.
These yet to be released DPDP Rules are in fact the nuts and bolts of data privacy regime of India.
They will dictate how organisations collect consent, notify breaches, enable user rights, and meet compliance obligations. For now, everyone is left hanging, eager, anxious, and (let’s be honest) perhaps a little exasperated.
What is happening in the waiting room?
- Businesses are prepping but not finalising: They are mapping data, revising policies, and drafting compliance checklists that might need last minute edits, depending on what the rules actually say.
- SMEs and startups are crossing their fingers: Will the rules be a friend or foe to innovation? There’s hope, but also plenty of nail-biting.
- Privacy professionals are on high alert: It’s “privacy season,” and everyone’s inbox is flooded with “Are we ready?” emails.
- Time to implement : While the official notification dates are pending, the market consensus and regulatory signals strongly indicate a phased implementation. We expect a transition period of 12 to 18 months will be granted to allow organizations to achieve compliance, with specific provisions likely being rolled out based on the size, turnover, and existing data infrastructure of the respective Data Fiduciaries.
The Mindset: Suspense Meets Pragmatism
There’s a strange camaraderie in this limbo. Everyone from Big Tech to the neighbourhood shop collecting phone numbers for home delivery knows change is coming. Some are optimistic, some are wary, but all are keenly aware that the next notification (or Government press release) could mean a flurry of late night policy updates.
What should you do while you wait?
- Get your data house in order: Know what you collect and why.
- Educate your team: Make privacy part of the culture, not just a checkbox.
- Communicate with customers: Let them know you’re committed to their privacy, even as the rules evolve.
Final Word: The “waiting room” may feel endless, but it’s also a rare opportunity and a moment to reflect, prepare, and build trust before the compliance race truly begins.
It takes time.
It is not a flip of a switch but it is a process that requires:
- A new culture to be adopted company wide.
- The inculcation of new data habits across every team.
- Phased rollouts and consistent observation of policy-specific practices.
Don’t rush the process. Compliance is a journey of steady adoption.
So, grab another cup of chai, check your emails (again), and rest assured when the DPDP Rules finally drop, you’ll be ready to step out of the waiting room and into the new era of Indian data privacy.
Finally, it is a matter of few days !
This newsletter is an academic initiative brought to you by the Data Privacy Pro team of AMLEGALS. Subscribe – Stay updated, Stay compliant.