

For over a decade, Indian businesses handled personal data under one thin provision: Section 43A of the IT Act 2000, fleshed out by the SPDI Rules 2011. If you kept "reasonable security practices" and worried only about sensitive personal data, you were broadly covered. Comparing DPDP vs IT Act shows just how much that world has changed.
The DPDP Act, 2023 replaces that old regime entirely, and Section 43A is repealed on 13 May 2027. That means every compliance program built on SPDI Rules has an expiry date, and the replacement demands far more.
No cost. No obligation. Get your compliance gap report.
How the old IT Act regime stacks up against the DPDP Act on every dimension that matters.
| Dimension | IT Act 2000 / SPDI Rules 2011 | DPDP Act 2023 |
|---|---|---|
| Core approach | Section 43A "reasonable security practices" | Consent-first, rights-based framework |
| Data covered | Sensitive personal data only | All digital personal data |
| Remedy for individuals | Compensation-based claims | Enforceable rights: access, correction, erasure, grievance |
| Regulator | None dedicated, weak enforcement | Data Protection Board of India (DPBI), active since Nov 2025 |
| Penalties | Compensation, rarely enforced | Up to ₹250 Cr per violation |
| Breach reporting | No practical mandate | Every breach: users notified + Board report within 72 hours |
| Status | Repealed 13 May 2027 | Fully operational since 14 November 2025 |
The Section 43A world had three big weaknesses that made data protection an afterthought for most Indian businesses:
DPDP flips every one of those weaknesses:
If your privacy program was built for SPDI Rules, it covers a fraction of what DPDP demands. The new law adds working consent records, plain-language notices in English plus 22 Indian languages, user rights workflows, 72-hour breach reporting for every breach, vendor data protection agreements, and deletion schedules. None of that existed under Section 43A.
And the clock is specific: Section 43A disappears on 13 May 2027, consent rules become mandatory on 13 November 2026, and DPDP penalties have been live since November 2025. See the full rollout on our DPDP timeline page, and what each date means on the DPDP compliance deadline page.
Consent rules become mandatory on 13 November 2026 and Section 43A is repealed with full enforcement on 13 May 2027. Upgrading takes 2-6 months, so the window to switch is now.
The IT Act comparison is one angle. Our main guide covers the full new law: deadlines, obligations, roles, rights, penalties, and the compliance journey.
Learn Everything About DPDP ComplianceThe DPDP Act, 2023 replaces the old regime entirely. Section 43A and the SPDI framework built on it are repealed on 13 May 2027, the same day full DPDP enforcement begins.
The old regime was compensation-based, sensitive-data-only, and weakly enforced. DPDP is consent-first and rights-based, covers all digital personal data, has a dedicated regulator, and carries penalties up to ₹250 crore per violation.
No. SPDI compliance covered basic security for sensitive data only. DPDP adds consent systems, multi-language notices, user rights handling, 72-hour breach reporting for every breach, and vendor contracts. You need an upgrade, not a certificate from the past.
On 13 May 2027, alongside full DPDP enforcement. DPDP penalties, however, have already been legally live since November 2025, so the risk did not wait for the repeal.
One free audit shows exactly where your SPDI-era compliance falls short of the DPDP Act, and the fastest path to close the gap.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.