The Ministry of Electronics and Information Technology (MeitY) is likely to formally categorize “Significant Data Fiduciaries” in 2026, after the announcement of the Digital Personal Data Protection (DPDP) Rules in late 2025. Companies with a substantial number of users (usually between 5 and over 20 million) in areas like e-commerce, social media, and online gaming will have to participate in a “race to readiness.” These companies are now bound by law to perform Data Protection Impact Assessments (DPIAs) on an annual basis, have a Data Protection Officer (DPO) residing in India, and undergo periodic audits. The Data Protection Board of India (DPBI) has the power to temporarily halt data processing operations or levy heavy fines for non-compliance.
