India's New Privacy Regime is Here but What Does it Mean in ANZ?
For many New Zealand and Australian organisations, privacy programmes have traditionally been built around the New Zealand Privacy Act, Australia's Privacy Act and Europe's GDPR.
India's Digital Personal Data Protection (DPDP) Act, enacted in 2023, is now moving into its implementation phase following the notification of the DPDP Rules in late 2025. The requirements come into force in stages with consent manager provisions commencing in November 2026 and the core operational obligations becoming enforceable from May 2027.
The significance of this legislation extends well beyond India's borders. Like the GDPR, the DPDP Act has an explicit extraterritorial reach. It applies not only to organisations established in India, but also to businesses anywhere in the world that process the digital personal data of individuals in India in connection with offering goods or services to them. For example, a software company with Indian subscribers, a university recruiting Indian students, a tourism operator marketing directly to Indian travellers, or a professional services firm providing digital services into the Indian market may all find themselves within scope. in light of the recent trade agreement between New Zealand and India more businesses are likely to be affected by the DPDP as trade links expand between the two countries.
While there are familiar concepts for organisations already operating under GDPR, assuming existing compliance programmes will automatically satisfy India's requirements is unwise. The DPDP framework places consent and transparency at the centre of its regulatory model which includes the introduction of centralised Consent Managers. Organisations are going to need to make changes to respond to requests from Consent Managers at a minimum.
Perhaps the most significant implication for organisations is that compliance cannot be addressed solely through updated privacy policies and statements. The legislation requires organisations to understand exactly what personal data they collect, where it originates, why it is processed, where it is stored, which third parties have access to it, how long it is retained and how individuals can exercise their statutory rights.
Boards and executive teams should also recognise that India's regime forms part of a much broader global trend. Regulators are increasingly expecting organisations to demonstrate active governance over personal information, supported by documented processes, technical safeguards and executive accountability. Privacy is evolving from a compliance exercise into a core business capability that underpins customer trust, cyber resilience and digital transformation.
The DPDP Act should not be viewed simply as another overseas privacy law. It reflects the emergence of one of the world's largest digital economies as a major privacy regulator and signals that organisations engaging with Indian consumers will be expected to meet increasingly sophisticated standards of data stewardship. For businesses seeking long-term growth in India, privacy compliance is rapidly becoming not just a legal obligation, but a prerequisite for market access, customer confidence and sustainable international expansion.