Quick Answer
Yes. As of 2026, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, commonly known as the SPDI Rules, remain technically in force. The DPDP Act 2023 does not explicitly repeal them. SPDI is expected to be effectively superseded once all DPDP Act provisions are notified and the Draft DPDP Rules are finalised, but until that transition is complete both regimes co-exist.
What the SPDI Rules cover
The SPDI Rules were issued under Section 43A of the Information Technology Act, 2000. They require any body corporate that collects, receives, possesses, stores, deals with, or handles "sensitive personal data or information" (SPDI) to implement reasonable security practices and procedures. SPDI is narrowly defined and includes passwords, financial information such as card and bank account details, physical and mental health condition, sexual orientation, medical records, and biometric information.
Key SPDI obligations include:
- Publishing a privacy policy on the website that handles SPDI
- Obtaining written consent before collection of SPDI, with the option to withdraw consent
- Permitting data principals to review and correct their information
- Restricting disclosure to third parties without prior consent, with limited exceptions
- Implementing reasonable security practices, with ISO/IEC 27001 cited as a recognised standard
Where DPDP and SPDI overlap and differ
| Dimension | SPDI Rules, 2011 | DPDP Act, 2023 |
|---|---|---|
| Statutory basis | IT Act Section 43A | Standalone DPDP Act |
| Data scope | Sensitive personal data only | All digital personal data |
| Regulator | None; civil compensation via adjudicating officer | Data Protection Board of India |
| Penalty model | Compensation to affected individuals | Administrative penalties up to schedule ceilings |
| Cross-border transfer | Permitted if same level of protection is ensured and necessary | Permitted unless country is restricted by government notification |
| Data Principal rights | Review and correction | Access, correction, erasure, grievance, nominee |
| Breach notification | Implicit via reasonable security practices | Express duty to notify the Data Protection Board and affected Data Principals |
Current status in 2026
The DPDP Act was published in the Gazette in August 2023, but its provisions take effect on dates notified by the Central Government. The MeitY-issued Draft DPDP Rules went out for public consultation, and rolling notifications are bringing different sections of the Act into force. Until the entire DPDP regime is operational and Section 44(3) repeal-and-savings effects are clear, SPDI remains the binding text under IT Act Section 43A. Practitioners therefore treat both as live and design controls to the higher standard.
Practical compliance approach
- Align to DPDP today. Build consent capture, notices in multiple Indian languages, rights workflows, retention automation, and breach notification playbooks against the DPDP Act now.
- Retain SPDI controls. Keep your ISO/IEC 27001 certification, written consent for SPDI, and published privacy policy because Section 43A liability has not gone away.
- Map both regimes. Maintain a control matrix showing which control satisfies which obligation. When DPDP fully replaces SPDI, the matrix becomes the basis for retiring duplicative controls.
- Watch the notifications. Track MeitY notifications and the final DPDP Rules. The repeal or amendment of Section 43A and SPDI will be a defined moment, not a gradual fade.
Common pitfalls
Some Indian organisations have already removed SPDI-style consent forms and ISO 27001 references in favour of DPDP-only language. This is premature. Until SPDI is formally retired, dropping its specific consent and security artefacts can leave gaps that an adjudicating officer can still act on under Section 43A. Equally, building only to SPDI and ignoring DPDP leaves you unprepared for Data Protection Board scrutiny.
How Opsio helps
Opsio's India compliance team builds a single control set that satisfies both SPDI and DPDP obligations, supported by ISO/IEC 27001 alignment and SOC 2 compliance for Indian IT vendors where customer contracts demand it. Through our cybersecurity services we operate SOC, MDR, and VAPT functions that map to both the SPDI "reasonable security practices" standard and DPDP Section 8 safeguard obligations.
Frequently Asked Questions
Has IT Act Section 43A been repealed?
Not as of 2026. The DPDP Act includes a savings and consequential amendments clause, and Section 43A is widely expected to be modified or repealed in step with full DPDP rollout. Track the official notifications for the actual effective date.
Do I still need a privacy policy under the SPDI Rules?
Yes. The SPDI Rules require a published privacy policy covering the type of information collected, purpose, disclosure practices, and security practices. The DPDP Act adds further notice requirements but does not eliminate the SPDI obligation while SPDI remains in force.
Does ISO 27001 satisfy the "reasonable security practices" requirement?
Yes. The SPDI Rules expressly recognise ISO/IEC 27001 as a reasonable security standard. It is a defensible baseline and aligns naturally with DPDP Section 8 expectations.
What happens to consents collected under SPDI when DPDP takes full effect?
The Central Government is expected to clarify transition arrangements through the DPDP Rules and supporting notifications. Conservative practice is to refresh notices and re-anchor lawful basis under the DPDP framework as it comes into force, particularly for high-volume consumer platforms.
Which regulator enforces SPDI today?
SPDI Rules do not have a dedicated regulator. Affected individuals can seek compensation before the Adjudicating Officer designated under the IT Act. Once the Data Protection Board is fully operational under the DPDP Act, enforcement of personal data obligations will shift to the Board for matters within DPDP scope.
Written By

Country Manager, Sweden
Johan leads Opsio's Sweden operations, driving AI adoption, DevOps transformation, security strategy, and cloud solutioning for Nordic enterprises. With 12+ years in enterprise cloud infrastructure, he has delivered 200+ projects across AWS, Azure, and GCP — specialising in Well-Architected reviews, landing zone design, and multi-cloud strategy.
Editorial standards: This article was written by cloud practitioners and peer-reviewed by our engineering team. Content is reviewed quarterly for technical accuracy and relevance to Indian compliance requirements including DPDPA, CERT-In directives, and RBI guidelines. Opsio maintains editorial independence.