REGULATORY UPDATES·DPO · Legal · Compliance

DPDP Regulatory Updates

A curated feed of regulatory developments under India's DPDP Act 2023 — Board actions, sectoral circulars from RBI, SEBI, IRDAI, and MeitY guidance. Updated as developments occur.

These updates are curated by the CreativeCyber DPO practice team. They are informational only and do not constitute legal advice. DPOs should verify primary sources before acting.
April 2026RulesHigh Impact

DPDP Rules 2025 — Final Notification

The Digital Personal Data Protection Rules 2025 were formally notified, prescribing obligations for Significant Data Fiduciaries including KMP-level DPO requirements, Annual Data Audit mandates, and Data Localisation provisions.

March 2026RBIHigh Impact

RBI Master Direction on IT Governance — Revised Data Protection Annex

The Reserve Bank of India released a revised IT Governance Master Direction with an expanded Data Protection annex, requiring banks and NBFCs to align data processing inventories with DPDP Act obligations and submit a compliance attestation to RBI by Q3 2026.

November 2025MeitYHigh Impact

Data Protection Board — Constitution and Appointment

The Data Protection Board of India was formally constituted with appointment of the Chairperson and Members. The Board has initiated its operational framework including complaint submission procedures and inquiry processes.

February 2026SEBIMedium Impact

SEBI Circular on Data Governance for Market Intermediaries

SEBI issued a circular requiring stock brokers, depositories, and mutual funds to document lawful bases for processing investor personal data and to establish a Data Principal grievance mechanism compliant with DPDP Act 2023.

January 2026MeitYMedium Impact

MeitY Draft Guidance on Consent Manager Framework

MeitY published draft guidance on the Consent Manager ecosystem, outlining how registered Consent Managers will act as intermediaries enabling Data Principals to give, review, and withdraw consent across multiple platforms.

December 2025IRDAIMedium Impact

IRDAI Data Protection Guidelines for Insurers

IRDAI issued data protection guidelines requiring insurance companies to classify policyholder data by sensitivity, implement data minimisation for underwriting analytics, and appoint a Data Protection Focal Point for DPDP compliance.

October 2025RulesLow Impact

Draft DPDP Rules 2025 — Public Consultation Closed

Public consultation on the Draft Digital Personal Data Protection Rules 2025 closed, with MeitY receiving over 500 submissions from industry, civil society, and regulators. Final rules expected Q1 2026.

Upcoming Horizon Items

Regulatory developments to watch over the next 6 months

Q2 2026
SDF Designation — First Notification
MeitY expected to issue the first schedule of Significant Data Fiduciary designations. Organisations meeting the data volume and sensitivity thresholds will be formally notified.
Q2 2026
Data Protection Board — First Enforcement Decisions
The Board is expected to process its first batch of complaints and may issue penalty orders. Initial enforcement focus is expected on consent notice violations and breach notification failures.
Q3 2026
Consent Manager Registration Window
MeitY expected to open registration for Consent Manager entities. Data Fiduciaries should assess whether they need to integrate with registered Consent Managers.
Q3 2026
Cross-Border Data Transfer Negative List
The Central Government is expected to notify the list of countries to which personal data transfers are restricted. Until this list is published, transfers are generally permissible with contractual safeguards.
Q4 2026
First SDF Annual Data Audit Cycle
Designated SDFs will be required to complete their first Annual Data Audit. DPOs should ensure Data Auditor engagement is initiated now — auditor capacity is limited.
Q4 2026
RBI DPDP Compliance Attestation Deadline
RBI's Q3 2026 deadline for bank and NBFC compliance attestations is expected to trigger significant regulatory scrutiny of DPDP programme maturity across the BFSI sector.
Need help building your DPDP horizon scanning programme? CreativeCyber's DPO advisory practice helps regulated enterprises track, triage, and respond to regulatory developments.
Talk to our team →
Share this article
LinkedInXFacebookWhatsApp