The Indian AI governance landscape for businesses
India does not have a dedicated AI Act. The primary legal frameworks relevant to businesses using AI are: the Digital Personal Data Protection Act 2023 (DPDP Act) for personal data processing, the Information Technology Act 2000 and its rules for data security and cybersecurity, and sector-specific regulations from RBI (banking), SEBI (securities), and IRDAI (insurance) for businesses in regulated financial sectors.
The DPDP Act is the most significant new obligation. The DPDP Rules 2025 were notified on 13 November 2025, with substantive compliance obligations taking effect from 13 May 2027. Organisations processing personal data of Indian individuals — including through AI systems — need to be building compliance infrastructure now.
DPDP Act: your core obligation
If your AI tools process personal data of individuals in India — customer data, employee data, user accounts — the DPDP Act applies. Core obligations: obtain specific, informed consent before collecting personal data for each purpose (including AI training or profiling); tell individuals what data you collect and for what purposes; limit use to the stated purposes; implement reasonable security safeguards; and respond to access and correction requests from individuals.
The consent requirement is particularly significant for AI. You cannot rely on general terms of service consent to cover use of personal data in AI systems for purposes individuals would not reasonably expect. Each AI use purpose that was not disclosed at the time of data collection requires either new consent or must fall within the DPDP Act's limited lawful use exceptions.
IT Act obligations
The IT Act's Sensitive Personal Data and Information (SPDI) Rules 2011 apply to Indian companies processing sensitive personal data — including biometric data, health information, financial data, and other categories. AI systems processing SPDI must: collect with consent; use only for the stated purpose; maintain reasonable security practices; and allow individuals to review, amend, and withdraw consent for their SPDI. These obligations exist now and are enforceable regardless of DPDP Act implementation status.
Sector-specific obligations
Financial services businesses: RBI's model risk management guidance applies to AI used in credit, underwriting, and fraud detection. The Fair Practices Code requires specific reasons for credit rejections — including AI-driven ones. SEBI's algorithmic trading framework applies to AI in securities. IRDAI guidance covers AI in insurance underwriting and claims.
Practical starting point for Indian SMEs
Map your AI tools: list every AI tool you use commercially that touches personal data of Indian individuals.
Assess lawful basis: for each AI use, identify whether adequate consent exists or whether a DPDP Act lawful use exception applies.
Update privacy notice: ensure your privacy notice discloses AI use, what data the AI processes, and for what purposes.
Register your DPO: once the Data Protection Board is operational, your Data Protection Officer must be registered.
Plan for individual rights: build processes to respond to access, correction, and erasure requests from individuals — including access to data used in AI-assisted decisions.