The Government of India has formally brought private limited companies under the ambit of the new Digital Personal Data Protection (DPDP) Act, 2023, marking a significant shift in the regulatory landscape for corporate data handling. Effective June 15, 2025, all private firms collecting or processing personal data—including customer, employee, or vendor information—must comply with the core obligations of the DPDP Act, such as lawful data processing, user consent, grievance redressal, and breach notification protocols. The Ministry of Electronics and Information Technology (MeitY) clarified that the move ensures uniform data protection standards across all business sizes and sectors.
Under the new framework, private companies are required to appoint a Data Protection Officer (DPO) if classified as a Significant Data Fiduciary (based on volume and sensitivity of data), and maintain updated privacy notices, purpose limitation disclosures, and user consent records. Further, any cross-border transfer of personal data must now meet specified adequacy conditions, and firms must implement reasonable security safeguards to prevent data breaches. Companies failing to comply may face penalties up to ₹250 crore, depending on the severity of the violation.
Legal and tech experts have urged private entities to review their current data management practices, assess data risks, and update internal policies accordingly. Smaller firms, though less exposed, must still comply with the basic requirements, such as data minimization, consent tracking, and user access rights, to avoid regulatory scrutiny. The government is expected to issue detailed operational rules and sector-specific compliance timelines soon. This inclusion underscores India’s broader commitment to enhancing digital trust and safeguarding personal information in the evolving business ecosystem.