DPDP vs IT Act

What changed from the IT Act 2000 and SPDI Rules 2011, and why your old compliance expires on 13 May 2027
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

DPDP vs IT Act: India's Data Rules Just Got a Complete Rewrite

For over a decade, Indian businesses handled personal data under one thin provision: Section 43A of the IT Act 2000, fleshed out by the SPDI Rules 2011. If you kept "reasonable security practices" and worried only about sensitive personal data, you were broadly covered. Comparing DPDP vs IT Act shows just how much that world has changed.

The DPDP Act, 2023 replaces that old regime entirely, and Section 43A is repealed on 13 May 2027. That means every compliance program built on SPDI Rules has an expiry date, and the replacement demands far more.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

SPDI Rules vs DPDP: The Side-by-Side Comparison

How the old IT Act regime stacks up against the DPDP Act on every dimension that matters.

DimensionIT Act 2000 / SPDI Rules 2011DPDP Act 2023
Core approachSection 43A "reasonable security practices"Consent-first, rights-based framework
Data coveredSensitive personal data onlyAll digital personal data
Remedy for individualsCompensation-based claimsEnforceable rights: access, correction, erasure, grievance
RegulatorNone dedicated, weak enforcementData Protection Board of India (DPBI), active since Nov 2025
PenaltiesCompensation, rarely enforcedUp to ₹250 Cr per violation
Breach reportingNo practical mandateEvery breach: users notified + Board report within 72 hours
StatusRepealed 13 May 2027Fully operational since 14 November 2025

The Old Regime: Why It Was Easy to Ignore

The Section 43A world had three big weaknesses that made data protection an afterthought for most Indian businesses:

  • Compensation-based: individuals had to prove loss and claim damages, so most never did
  • Weak enforcement: no dedicated regulator meant almost no real consequences
  • Sensitive-data-only focus: ordinary personal data like names, emails, and phone numbers largely escaped the rules

The New Regime: Why It Cannot Be Ignored

DPDP flips every one of those weaknesses:

  • Consent-first: clear, affirmative, revocable consent before collecting personal data
  • Rights-based: access, correction, erasure, and grievance redressal individuals can actually use
  • Dedicated regulator: the DPBI, a digital-office Board with a complaints portal, live since November 2025
  • Real penalties: up to ₹250 crore per violation, covering all digital personal data

Why Your Old IT Act Compliance Is Not Enough Anymore

If your privacy program was built for SPDI Rules, it covers a fraction of what DPDP demands. The new law adds working consent records, plain-language notices in English plus 22 Indian languages, user rights workflows, 72-hour breach reporting for every breach, vendor data protection agreements, and deletion schedules. None of that existed under Section 43A.

And the clock is specific: Section 43A disappears on 13 May 2027, consent rules become mandatory on 13 November 2026, and DPDP penalties have been live since November 2025. See the full rollout on our DPDP timeline page, and what each date means on the DPDP compliance deadline page.

Your SPDI Compliance Has an Expiry Date

Consent rules become mandatory on 13 November 2026 and Section 43A is repealed with full enforcement on 13 May 2027. Upgrading takes 2-6 months, so the window to switch is now.

Want the Complete DPDP Picture?

The IT Act comparison is one angle. Our main guide covers the full new law: deadlines, obligations, roles, rights, penalties, and the compliance journey.

Learn Everything About DPDP Compliance

DPDP vs IT Act: Frequently Asked Questions

What replaces Section 43A and the SPDI Rules?

The DPDP Act, 2023 replaces the old regime entirely. Section 43A and the SPDI framework built on it are repealed on 13 May 2027, the same day full DPDP enforcement begins.

Built for Section 43A? Time to Rebuild for DPDP.

One free audit shows exactly where your SPDI-era compliance falls short of the DPDP Act, and the fastest path to close the gap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.