India’s DPDP Act is a UK compliance issue

India’s Digital Personal Data Protection Act, notified in November 2025, has moved into implementation, with different parts of the rules coming into force on different dates. For organisations with operations, suppliers, teams or customers connected to India, this has become a practical compliance issue.

For UK organisations, this is not simply a question of what Indian law requires. It is also about whether your business is sharing personal data with Indian vendors, giving Indian support teams access to UK systems, or operating through an Indian branch or group company. In those cases, UK GDPR transfer rules can still apply, even where data is only being accessed rather than physically sent. The ICO’s guidance uses exactly this kind of India outsourcing example to explain when a restricted transfer may arise.

Why this matters to UK businesses

A lot of UK businesses have a real India data footprint, even if they do not think of themselves that way.

You may rely on India for customer support, software development, payroll, HR administration, compliance operations or other outsourced services. You may have an Indian subsidiary, branch office or regional team. You may also be serving customers, recruits or contractors in India directly.

That creates a dual compliance challenge.

On the UK side, you need to understand whether personal data is being transferred or made accessible overseas, and whether the right safeguards are in place. On the India side, you need to understand whether the DPDP framework applies to the way personal data is collected, processed, retained and managed in or in connection with India. 

India’s privacy regime is now entering practice

The significance of the DPDP Rules is that they operationalise the Act. The Indian government said in its November 2025 announcement that the Rules marked the full operationalisation of the DPDP Act, 2023. The Rules also set out phased commencement, with some provisions taking effect immediately, some after one year, and others after eighteen months.

That means organisations should not treat compliance as something to think about later. Even where deadlines are staggered, the direction of travel is clear. Businesses need to map their data, review contracts, understand processing roles, and prepare their internal governance now. 

The common UK scenarios where risk appears

This is relevant if your organisation:

  • uses Indian vendors or sub-processors
  • allows Indian teams to access UK-hosted systems
  • employs staff in India or handles applicant data there
  • has an Indian branch, subsidiary or parent company
  • sells services into India and processes personal data linked to that activity

In all of these cases, the assumption that GDPR compliance alone is enough can leave gaps. UK businesses may still need to assess transfer mechanisms and governance under UK law, while also understanding how India’s own framework applies to local operations and data handling.

India’s Digital Personal Data Protection Act: New guide

To help organisations make sense of the change, VinciWorks has published a new guide to India’s Digital Personal Data Protection Act. It breaks down the Act and what it means for global organisations handling personal data, explains the shift to a consent-led, rights-based framework, outlines key obligations, and provides practical steps to prepare for phased enforcement through to 2027.

The guide covers:

  • Clear overview of the DPDP Act and its scope for Indian and global organisations
  • Core principles including consent, transparency, data minimisation and accountability
  • Practical compliance requirements for consent, rights handling and breach response
  • Key timelines and phased implementation through to May 2027
  • Guidance on cross-border transfers, retention and vendor management
  • Step-by-step actions businesses should take now to prepare
