AI Governance for Indian Businesses: DPDP Act, IT Act, and What SMEs Need to Do Now
Indian businesses using AI face obligations under the DPDP Act 2023 and IT Act — without the complexity of a comprehensive AI-specific law. Here is the practical starting point for Indian SMEs.
Key Takeaways
India's Digital Personal Data Protection Act 2023 applies to the processing of digital personal data within India, and to processing outside India where it is connected with offering goods or services to individuals in India. It applies regardless of the size of the business or whether the business is incorporated in India, although the Central Government may exempt notified classes of data fiduciaries, including startups, from some provisions.
Consent under the DPDP Act must be free, specific, informed, unconditional, and unambiguous. Bundled consents — one checkbox covering multiple AI use purposes — are unlikely to satisfy the specificity requirement.
The DPDP Act requires every Data Fiduciary to publish the contact details of a Data Protection Officer, where one is required, or of another person who can answer individuals' questions about how their personal data is processed. Appointing a DPO is mandatory only for Significant Data Fiduciaries notified by the Central Government; the DPO must be based in India and answerable to the board or equivalent governing body.
Indian businesses using AI in financial services must comply with RBI model risk management guidance and Fair Practices Code requirements for credit decision explanations, regardless of DPDP Act obligations.
The IT Act 2000 and its rules impose data security and cybersecurity obligations on Indian businesses today, including on AI systems that process sensitive personal data as defined under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the SPDI Rules). These obligations remain in force until the DPDP Act's repeal of Section 43A of the IT Act takes effect.
The most immediate practical steps: audit what AI tools you use, identify which process personal data of Indian individuals, review what consent or lawful basis exists, and update your privacy notice to cover AI use.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for guidance on your specific situation."
The Indian AI governance landscape for businesses
India does not have a dedicated AI Act. The primary legal frameworks relevant to businesses using AI are: the Digital Personal Data Protection Act 2023 (DPDP Act) for personal data processing, the Information Technology Act 2000 and its rules for data security and cybersecurity, and sector-specific regulations from RBI (banking), SEBI (securities), and IRDAI (insurance) for businesses in regulated financial sectors.
The DPDP Act is the most significant new obligation. The DPDP Rules 2025 were notified on 13 November 2025, with substantive compliance obligations taking effect from 13 May 2027. Organisations processing personal data of Indian individuals — including through AI systems — need to be building compliance infrastructure now.
DPDP Act: your core obligation
If your AI tools process digital personal data of individuals in India (customer data, employee data, user accounts, and any paper records you digitise), the DPDP Act applies. Core obligations: process personal data only with the individual's consent or under one of the Act's "certain legitimate uses"; give a notice describing what data you collect and for what purposes before or at the time consent is sought; limit use to the stated purposes; implement reasonable security safeguards; and respond to access, correction and erasure requests from individuals.
The consent requirement is particularly significant for AI. General terms-of-service acceptance does not cover using personal data in AI systems for purposes individuals would not reasonably expect, such as model training or profiling. Each AI use purpose that was not disclosed at the time of collection requires either fresh, specific consent or must fit one of the Act's legitimate uses (for example, data the individual volunteered for a specified purpose, or processing for employment-related purposes). Because consent can be withdrawn as easily as it was given, you also need a way to stop the AI processing that depended on it.
IT Act obligations
The SPDI Rules 2011, made under Section 43A of the IT Act, apply to body corporates in India that collect or handle sensitive personal data or information, which includes passwords, financial details, health information, sexual orientation, medical records and biometric data. AI systems processing SPDI must: collect it with consent and for a lawful purpose connected with the business; use it only for the stated purpose; maintain reasonable security practices; and allow individuals to review their SPDI, correct it, and withdraw consent. These obligations are enforceable now and will remain so until the DPDP Act's repeal of Section 43A takes effect.
Sector-specific obligations
Financial services businesses: RBI's model risk management guidance applies to models, including AI models, used in credit, underwriting, and fraud detection, and the Fair Practices Code requires lenders to communicate the reasons for rejecting a loan application, which includes decisions driven or assisted by AI. SEBI's algorithmic trading framework applies to AI used in securities trading. IRDAI guidance covers AI in insurance underwriting and claims handling. These sector rules apply in addition to, not instead of, the DPDP Act and IT Act.
Practical starting point for Indian SMEs
Map your AI tools: list every AI tool you use commercially that touches personal data of Indian individuals, including AI features built into third-party software, and record what data each one receives and where it is processed.
Assess lawful basis: for each AI use, identify whether specific consent exists or whether one of the DPDP Act's legitimate uses applies, and record the answer.
Update your privacy notice: ensure it discloses that AI is used, what data the AI processes, and for what purposes, and that individuals can withdraw consent and raise grievances.
Name a contact point: publish the contact details of your Data Protection Officer, if you are a Significant Data Fiduciary required to appoint one, or otherwise of a person who can answer individuals' questions about processing.
Plan for individual rights: build processes to respond to access, correction, and erasure requests, including requests that concern data used in AI-assisted decisions, and to act on consent withdrawal by stopping the dependent processing.