For two decades, the closest thing India had to a data protection law was a patchwork built on the Information Technology Act, 2000 and the 2011 SPDI Rules. The DPDP Act represents a decisive break from that regime, and understanding the change clarifies why so much new work is required.
Organisations that built their data practices around the old SPDI Rules cannot simply assume those practices still suffice. The DPDP Act broadens the scope, adds rights, creates a regulator, and raises the stakes dramatically.
At the same time, some of the old foundations — particularly the emphasis on reasonable security practices — carry forward in spirit, so the transition is not starting from zero for organisations that took the SPDI regime seriously.
This guide compares the old and new regimes, explains what specifically changed, and sets out what the shift means for organisations adapting from the IT Act era to the DPDP Act.
The old regime: Section 43A and SPDI
Under the IT Act, Section 43A required body corporates handling 'sensitive personal data or information' to implement reasonable security practices, and to compensate individuals for negligence causing wrongful loss. The 2011 SPDI Rules fleshed this out.
The SPDI Rules focused on a narrow category of sensitive data — passwords, financial information, health, biometrics and a few others — and imposed requirements around consent, disclosure and security for that category.
It was a limited regime: narrow in scope, light on individual rights, and without a dedicated regulator. Enforcement in practice was sparse, which left both individuals and businesses with limited clarity.
The practical effect of this limited regime was that, for many organisations, data protection was treated as a minor compliance footnote. The DPDP Act ends that complacency by making personal data handling a board-level legal obligation.
| Aspect | IT Act Section 43A and SPDI Rules (old) | DPDP Act, 2023 (new) |
|---|---|---|
| Data covered | Only narrow 'sensitive personal data' | All digital personal data of identifiable individuals |
| Individual rights | Minimal, largely absent | Access, correction, erasure, grievance and nomination |
| Regulator | No dedicated data protection authority | Data Protection Board of India |
| Financial consequence | Compensation for negligence, rarely enforced | Public penalties up to Rs 250 crore |
| Security basis | Reasonable security practices (e.g. ISO 27001) | Reasonable security safeguards, detailed by 2025 Rules |
| Breach reporting | No specific personal-data breach regime | Two-tier notice to the Board within 72 hours |
| Status | Section 43A omitted by the DPDP Act | In force, with the 2025 Rules operationalising it |
Broader scope under the DPDP Act
The most fundamental change is scope. Where the SPDI Rules covered only sensitive personal data, the DPDP Act applies to all digital personal data about an identifiable individual, with no separate sensitive category.
This dramatically widens the net. Processing that fell outside the old regime because the data was not 'sensitive' is now squarely within the DPDP Act, so organisations must account for far more of their data than before.
The shift from a narrow, category-based law to a broad, comprehensive one is the single biggest conceptual change organisations must absorb. Reassessing your data against the broader definition is an early step in DPDP compliance.
The breadth of the new scope means the first task for most organisations is simply to re-survey their data against the wider definition. Information that was comfortably outside the old rules — ordinary contact details, behavioural data — now falls squarely within the law.
New rights for individuals
The old regime gave individuals little in the way of enforceable rights. The DPDP Act introduces a genuine rights framework: access to a summary of one's data and sharing, correction and erasure, grievance redressal, and the right to nominate.
These rights turn data protection from a largely security-focused obligation into a relationship in which individuals have real, exercisable control. Organisations must now build the operational machinery to honour these requests.
This is a substantive new burden that simply did not exist under Section 43A, and it requires workflows, not just policies.
Building the operational machinery for these rights is often the most unfamiliar work for organisations coming from the SPDI era, because the old regime asked for almost nothing comparable. Rights handling is a genuinely new capability, not an upgrade of an existing one.
A dedicated regulator
Perhaps the most significant institutional change is the creation of the Data Protection Board of India. The old regime had no specialised data protection authority; enforcement depended on general mechanisms and was rarely exercised.
The Board changes the enforcement calculus entirely. There is now a body whose job is to investigate breaches and complaints and to impose penalties, backed by an appellate tribunal — a far cry from the largely unenforced SPDI regime.
For organisations, this means the era of treating data protection as a low-enforcement-risk area is over.
The credible threat of enforcement is, in many ways, the change that most alters behaviour. Obligations that were technically present but rarely enforced under the old regime now sit behind an active regulator with real powers and large penalties.
Bigger, differently framed penalties
Section 43A centred on compensation to affected individuals for negligence, with no fixed ceiling but, in practice, limited enforcement. The DPDP Act replaces this with a system of public penalties up to ₹250 crore, payable to the State.
The shift from individual compensation to large public penalties, imposed by a dedicated regulator, transforms the financial risk. Non-compliance is now a matter of potentially enormous, enforceable fines rather than occasional, hard-to-obtain compensation claims.
The DPDP Act also omits Section 43A, removing the old compensation route and consolidating the consequences of poor data handling under the new penalty regime.
For finance and risk teams, this reframing is significant: data protection moves from a low-probability compensation risk to a quantifiable, potentially very large penalty exposure that belongs on the enterprise risk register.
What carries forward
Not everything changes. The old regime's emphasis on reasonable security practices — under which compliance with standards like ISO 27001 was treated favourably — carries forward in spirit into the DPDP Act's requirement for reasonable security safeguards.
Organisations that took the SPDI security obligations seriously, and built ISMS-style controls, therefore have a foundation to build on rather than starting fresh. Their existing security investments map usefully onto the new safeguards.
The continuity in security expectations is the main thread connecting the two regimes, even as almost everything around it expands.
Organisations should audit their existing security documentation with this continuity in mind. Much of the ISMS work done for SPDI or ISO purposes can be repurposed as evidence of the reasonable security safeguards the DPDP Act now requires.
Wider legal ripples
The DPDP Act's arrival also has effects beyond replacing the SPDI regime. For example, it amends the exemption under the Right to Information Act concerning personal information, reflecting how a comprehensive data protection law interacts with other statutes.
These ripples are a reminder that the DPDP Act is not an isolated addition but a foundational law that reshapes how personal data is treated across the legal system.
Organisations and advisers need to read the Act in this wider context, recognising that it interacts with, and in places overrides, earlier provisions.
These wider interactions are easy to overlook but matter in practice, especially for organisations that handle requests under other statutes. Reading the DPDP Act alongside related laws avoids surprises where its provisions reshape existing obligations.
Adapting from the old regime
For organisations moving from the IT Act era, the practical task is to recognise how much wider their obligations now are. Data that was out of scope is now in scope; rights that did not exist must now be honoured; and a real regulator now stands behind the law.
The sensible approach is to treat the DPDP Act as a fresh, comprehensive programme that nonetheless builds on any genuine security foundation you already have. Reuse what you can from the SPDI era, but do not assume old compliance equals new compliance.
Framed that way, the transition is demanding but logical: the same instinct to protect data, scaled up to a far broader, rights-based, enforceable regime.