• Tsaaro got CERT-IN Emplanelled | MeitY has published the DPDP Rules, 2025.

    Official PDF

    Get a DPDPA Compliance Plan



Research Team (Tsaaro)

DPDP Rules 2025 Explained: Full Overview and Practical Summary

The Government of India notified the Digital Personal Data Protection Rules, 2025, on 13th November 2025, marking a significant step in bringing the Digital Personal Data Protection Act, 2023, into full effect. The rules, following an extensive period of public consultation, now set out the procedures and operational obligations that organisations must follow when collecting, processing, storing, sharing, or reporting incidents involving personal data in India. They clarify the roles and responsibilities of data fiduciaries and consent managers, establish timelines for responding to data breaches, and specify how notices, consent requests, and withdrawal mechanisms must be structured. 

Introduction 

India’s data protection landscape has entered a pivotal phase with the issuance of the Digital Personal Data Protection Rules, 2025, on 13th November 2025. This landmark development advances the Digital Personal Data Protection Act 2023 from a legislative framework to an operational reality, profoundly altering the way organisations across various sectors manage, process, secure, and govern personal data within India’s rapidly growing digital economy. The rules embody the culmination of comprehensive stakeholder consultations, with 6,915 contributions moulding the final framework and establishing a consent-driven, rights-based architecture that positions India among global privacy leaders while addressing distinctive domestic priorities.  

The DPDP Act and its associated regulations represent India’s inaugural comprehensive data protection framework, delineating explicit standards for data fiduciaries (entities responsible for collecting and processing personal data), data processors (entities that handle data on behalf of fiduciaries), consent managers (registered intermediaries facilitating consent management), and significant data fiduciaries (large-scale or high-risk processors). Together, they establish a comprehensive set of regulations that encompass procedures for informing individuals and obtaining their consent, safeguarding data, reporting intrusions, managing data retention periods, transferring data across borders, protecting children’s information, and ensuring robust enforcement by the Data Protection Board of India. 

Why These Rules Matter to Businesses and Individuals 

For enterprises functioning within India’s digital landscape, including e-commerce platforms, fintech firms, healthcare providers, IT service providers, and social media intermediaries, the DPDP Rules 2025 serve both as a strategic necessity and a key differentiator in maintaining competitive advantage. Organisations that incorporate privacy-by-design principles, transparent data governance, and comprehensive security architectures will realise substantial benefits: increased consumer trust, strengthened brand reputation, diminished regulatory risk, alignment with international standards (supporting global collaborations), and enhanced operational resilience against data breaches and security incidents. The financial implications are significant. Under the Schedule to the Act, the Data Protection Board of India may impose penalties of up to ₹250 crore for failure to take reasonable security safeguards to prevent a personal data breach, up to ₹200 crore for failure to notify a breach to the Board or to affected Data Principals or for breach of the obligations relating to children’s data, and up to ₹150 crore for a Significant Data Fiduciary’s breach of its additional obligations. These penalties are not solely punitive; they are intended to encourage proactive compliance and foster a culture of accountability across India’s digital economy. From a marketing standpoint, the regulations profoundly redefine approaches to customer engagement.

The compulsory consent framework obliges organisations to reconfigure digital interactions, converting data collection from a passive, frequently opaque process into an active engagement with users. Organisations are now required to demonstrate the exchange of value by explicitly delineating the data collected, the necessity of such data, and the benefits or services that rely on this processing. This transparency obligation, initially regarded as a limitation, presents progressive organisations with an opportunity to cultivate stronger customer relationships based on trust, autonomy, and responsibility. For Data Principals, as the Act terms them, the Rules establish enforceable rights and accessible mechanisms for data governance. Individuals now have the ability to access summaries of their personal data, rectify inaccuracies, request deletion once the purposes have been fulfilled, withdraw consent with ease, and lodge complaints with the Data Protection Board in cases of rights violations. The regulations stipulate that organisations must respond to such requests within 30 days and furnish written explanations should the requests be unfulfilled. This empowerment signifies a paradigm shift: individuals are no longer passive subjects of data collection but active participants in data governance, with legal recourse available when their rights are infringed.

Notice and Consent 

The DPDP Rules establish firmer standards for notice and consent than the Draft Rules, which allowed consent notices to be integrated within broader documents. A Data Fiduciary must provide a notice to the Data Principal before or at the time of requesting consent (Rule 3). The notice must be clear and transparent, and it must be presented independently of any other information rather than bundled with terms of service or other contractual text. It should be written in simple language that an average person can understand and should allow the Data Principal to make an informed choice.

The notice must set out, in an itemised manner, the categories of personal data collected, the specific purposes for which the data will be processed and the goods, services or functions that rely on such processing (Rule 3(b)). It must also include a particular communication link for accessing the Data Fiduciary’s website or mobile application, along with a straightforward explanation of how the Data Principal can withdraw consent, submit grievances, exercise their rights under the Act and file complaints with the Data Protection Board of India (Rule 3(c)). 

Under the DPDP Rules 2025, the notice must follow the prescribed content requirements, be available in the languages the Act provides for (Section 5 of the Act gives the Data Principal the option to access the notice in English or in any language specified in the Eighth Schedule to the Constitution), include layered and accessible versions where necessary, and be provided in a form suitable for individuals with disabilities (Rule 3 and the Act’s provisions on notice and language). These requirements are intended to promote transparency, accessibility and accountability while personal data is being processed.

Consent for Minors and Persons with Disabilities 

For a child’s data to be processed, the Data Fiduciary must obtain verifiable parental consent and exercise due diligence to verify that the individual identifying themselves as the parent is an adult and identifiable (Rule 10 – Verifiable consent for processing the personal data of a child). Verification may rely on reliable identity and age information already available with the data fiduciary, voluntarily provided by the parent, or a virtual token mapped to such details issued by an authorised entity (Rule 10(1)). 

For persons with disabilities, consent provided by a guardian must be verified to ensure that the guardian is legally recognised. Verification may be based on court appointments, authorisation by a competent authority, or recognition under applicable guardianship laws, and the data fiduciary must observe due diligence in such verifications (Rule 10 and the Fourth Schedule for related classes and exemptions). 

The Rules require Data Fiduciaries to maintain documentation supporting the verification process and to use secure methods that are proportionate to the level of risk associated with the processing activity (Rule 10 and obligations under security safeguards in Rule 6). They also prohibit behavioural monitoring, targeted advertising, and profiling children in applicable contexts, reflecting the Act’s focus on safety and responsible data handling (Fourth Schedule and related rules). 

These requirements ensure that the personal data of children and persons with disabilities is processed only with lawful, authenticated consent and that additional protections are in place to prevent misuse within digital environments. 

Consent Manager 

A registered Consent Manager is responsible for enabling Data Principals to grant, manage and withdraw consent across Data Fiduciaries without gaining access to the underlying personal data (Rule 4 and First Schedule Part B). They must maintain consent logs for at least seven years (First Schedule, Part B, item on record retention), employ robust security measures, ensure independent operation and undergo regular audits as prescribed in the Rules. Consent Managers must also follow the interoperability and technical standards notified by the Board/Government to ensure that consent flows function consistently across platforms (Rule 4 and First Schedule). 

Under the First Schedule (Part A), applications may be submitted only by Indian companies that demonstrate strong technical, operational and financial capability. Applicants must have a minimum net worth of ₹2 crore and must provide extensive disclosures regarding promoters, directors, key managerial personnel and significant shareholders (First Schedule, Part A). They are also required to show that their governance structure supports integrity, transparency and operations free from conflicts of interest. The registration authority (the Board) may request additional information during evaluation and is empowered to suspend or cancel registration in cases of non-compliance, inaccurate disclosures, governance failures or security breaches, after giving an opportunity to be heard (Rule 4(2)–(6)). Consent Managers and Data Fiduciaries must also put in place clear and verifiable processes for Data Principals to exercise their rights. This includes specifying authentication methods, providing accessible dashboards and ensuring timely resolution of grievances (First Schedule Part B). 

Data Retention and Deletion 

The DPDP Rules 2025 set defined retention periods for certain classes of Data Fiduciaries specified in the Third Schedule (rule 8(1) / Third Schedule). For example, e-commerce entities and social media intermediaries with not less than two crore registered Indian users, and online gaming intermediaries with not less than fifty lakh registered users, must retain specified personal data for three years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercised her rights, or from the commencement of the Rules, whichever is later (Third Schedule). 

At least forty-eight hours before completion of the applicable retention period, the Data Fiduciary must inform the Data Principal that such personal data will be erased unless the Data Principal logs into her user account or otherwise initiates contact for the specified purpose or exercises her rights (Rule 8-Time period for specified purpose to be deemed as no longer being served). This requirement promotes transparency, ensures that retention is purpose-driven, and affords users direct control over whether their data is stored. 

Without prejudice to the above, a Data Fiduciary must retain, in respect of any processing undertaken by it or on its behalf by a Data Processor, such personal data, associated traffic data and other logs of the processing for a minimum period of one year for the purposes specified in the Seventh Schedule, after which the Data Fiduciary shall cause such personal data and logs to be erased, unless further retention is required for compliance with any other law (Rule 8(3)). This one-year log/traffic data retention is a general obligation and is not limited only to government bodies or instrumentalities (Rule 8(3)). 

The Rules also require Data Fiduciaries to ensure that deletion requests are authenticated, to document erasure actions and to retain deletion logs for verification. Retention beyond the prescribed period is permitted only when strictly necessary and lawful, reinforcing the principles of purpose limitation, data minimisation and accountable processing (Rule 8 and related provisions).
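The retention scheme above has three moving parts that are easy to get wrong in practice: the three-year clock runs from the later of the last engagement and the commencement of the Rules, the 48-hour notice must go out before erasure (and only once), and any re-engagement resets the clock. The following is an added worked example, not code from the article or from any regulator; it assumes the commencement date of 13 November 2025 given in the article, treats the Third Schedule period as three calendar years, and uses an in-memory `Account` record and a `sweep` function of my own naming to show how a retention job would classify records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constants taken from the article's reading of Rule 8 and the Third Schedule.
RULES_COMMENCEMENT = datetime(2025, 11, 13, tzinfo=timezone.utc)  # assumption: notification date
RETENTION_YEARS = 3          # Third Schedule classes: three years
NOTICE_LEAD = timedelta(hours=48)   # Rule 8: at least 48 hours' notice before erasure
LOG_RETENTION_YEARS = 1      # Rule 8(3): logs and traffic data kept for one year


def utc(y: int, m: int, d: int, h: int = 0, mi: int = 0) -> datetime:
    """Helper to build timezone-aware UTC timestamps."""
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


def add_years(dt: datetime, years: int) -> datetime:
    """Calendar-year arithmetic; 29 February rolls back to 28 February in a non-leap target year."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


@dataclass
class Account:
    principal_id: str
    last_engagement: datetime          # last login, service use or rights exercise
    notice_sent_at: Optional[datetime] = None  # when the 48-hour warning was delivered


def clock_start(acct: Account) -> datetime:
    """The retention clock starts at the later of last engagement and commencement of the Rules."""
    return max(acct.last_engagement, RULES_COMMENCEMENT)


def erasure_due(acct: Account) -> datetime:
    return add_years(clock_start(acct), RETENTION_YEARS)


def notice_due(acct: Account) -> datetime:
    return erasure_due(acct) - NOTICE_LEAD


def record_engagement(acct: Account, at: datetime) -> Account:
    """Any fresh engagement restarts the clock and voids a previously sent warning."""
    acct.last_engagement = at
    acct.notice_sent_at = None
    return acct


def retention_action(acct: Account, now: datetime) -> str:
    """Classify a record as 'erase', 'notify' (warning still to be sent) or 'retain'."""
    if now >= erasure_due(acct):
        return "erase"
    if now >= notice_due(acct) and acct.notice_sent_at is None:
        return "notify"
    return "retain"


def log_erasure_due(event_time: datetime) -> datetime:
    """Rule 8(3): processing logs and traffic data are held for one year from the event."""
    return add_years(event_time, LOG_RETENTION_YEARS)


def sweep(accounts: list, now: datetime) -> dict:
    """One pass of the retention job; marks the warning as sent so it is not repeated."""
    actions = {"erase": [], "notify": [], "retain": []}
    for acct in accounts:
        action = retention_action(acct, now)
        if action == "notify":
            acct.notice_sent_at = now
        actions[action].append(acct.principal_id)
    return actions
```

In a real deployment the "erase" branch would also cover copies held by Data Processors, and the "notify" branch would be idempotent across job restarts by persisting `notice_sent_at` rather than keeping it in memory.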

Minimum Security (Encryption, Logging, Breach Notifications)

According to Rule 6 of the DPDP Rules, Data Fiduciaries must put in place reasonable technical and organisational safeguards that are appropriate to the volume and sensitivity of the personal data they handle. The most important requirements are:

  • Encryption of personal data at rest and in transit, together with obfuscation, masking and tokenisation (virtual tokens mapped to the data), so that a compromised store or channel does not expose usable personal data.

  • Access controls, such as role-based access and multi-factor authentication, so that only authorised individuals can reach personal data and the systems that process it.

  • Continuous monitoring, detailed logging of processing activity, and retention of those logs for one year so that they are available to regulators and to breach investigations.

  • Documented breach-response procedures, including prompt intimation of affected Data Principals and the Data Protection Board and a detailed report to the Board within 72 hours of becoming aware of the breach.

  • Periodic security testing, such as penetration tests and audits, with timely remediation of the weaknesses found.

  • Contracts with Data Processors that impose the same safeguards and require prompt notification of any breach.

  • Backup and business-continuity arrangements that preserve the confidentiality, integrity and availability of personal data in the event of an attack or other disruption.
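The first two items in this list, tokenisation with masking and role-restricted access to the underlying value, are the controls most often implemented in application code. The example below is added here and is not from the article; it assumes a vault that holds the token-to-value mapping (which would itself be encrypted at rest, a step not shown), a keyed blind index so that the same value always maps to the same token without storing plaintext in the index, and a small set of roles (`kyc_officer`, `dpo`) that I have named for illustration and that are permitted to detokenise. Masked forms are what ordinary support screens and logs should display.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Roles allowed to recover the original value; everyone else sees only tokens or masks.
# These role names are assumptions for the example.
DETOKENIZE_ROLES = frozenset({"kyc_officer", "dpo"})


@dataclass
class TokenVault:
    """Maps personal data values to random tokens that carry no information about the value."""
    index_key: bytes                                   # HMAC key for the blind index; keep in a KMS/HSM in practice
    _by_token: dict = field(default_factory=dict)      # token -> plaintext (this store must be encrypted at rest)
    _by_index: dict = field(default_factory=dict)      # blind index -> token

    def _index(self, value: str) -> str:
        # Keyed hash: lets us find an existing token for a value without storing the value in the index.
        return hmac.new(self.index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the existing token for this value, or mint a new random one."""
        idx = self._index(value)
        if idx in self._by_index:
            return self._by_index[idx]
        token = "tok_" + secrets.token_urlsafe(16)    # random, not derived from the value
        self._by_token[token] = value
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Recover the original value; enforced by role so most code paths never see it."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenise personal data")
        return self._by_token[token]   # KeyError for unknown tokens


def mask_phone(phone: str) -> str:
    """Show only the last four digits, e.g. for support screens or log lines."""
    return "*" * (len(phone) - 4) + phone[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, sep, domain = email.partition("@")
    if not sep:
        raise ValueError("not an e-mail address")
    return local[:1] + "***@" + domain


def store_customer_record(vault: TokenVault, phone: str, email: str) -> dict:
    """What the application database would hold: tokens for the raw values, masks for display."""
    return {
        "phone_token": vault.tokenize(phone),
        "phone_masked": mask_phone(phone),
        "email_token": vault.tokenize(email),
        "email_masked": mask_email(email),
    }
```

The point of the blind index is that a dump of `_by_index` reveals neither the values nor anything an attacker without `index_key` can search; the point of the random token is that a dump of the application database reveals only opaque identifiers plus the deliberately reduced masked forms.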

Security Safeguards 

The data-retention framework has also been sharpened. The Draft Rules proposed various approaches for inactive accounts, whereas the final Rules require mandatory erasure after three years for the classes in the Third Schedule, unless the user re-engages, along with 48 hours’ advance notice prior to erasure (Rule 8 and the Third Schedule). Data Fiduciaries are expected to implement technical and organisational safeguards proportionate to the sensitivity and volume of data processed. These safeguards include encryption, obfuscation, masking, the use of virtual tokens mapped to personal data, access controls that restrict access to authorised personnel only, and other reasonable security measures (Rule 6: Reasonable Security Safeguards).

Data Fiduciaries must maintain continuous monitoring systems along with detailed logging and review mechanisms to identify, investigate and prevent security incidents. They are also required to maintain resilient backup arrangements and business continuity processes so that the confidentiality, integrity and availability of personal data are restored without undue delay after an incident. Security logs and related records must be retained for at least one year to support breach investigations and regulatory inquiries (Rule 6(1)(e)).

The Rules further require Data Fiduciaries to conduct periodic testing, audits and assessments of their security infrastructure and to document the results as part of ongoing compliance. Contracts with Data Processors must contain mandatory security requirements, including incident reporting timelines, technical safeguards and minimum compliance standards set by the Board/Government (Rule 6 and First Schedule Part B). Data fiduciaries must also ensure that processors follow the same level of protection and are subject to oversight and verification. These obligations create a disciplined security environment in which risks are mitigated through preventive controls, regular validation, and clear accountability across the data processing chain. 

Data Breach 

Incident reporting has been significantly tightened. Under the Draft Rules, organisations were required to make prompt reports; the final Rules require immediate communication with affected individuals. On becoming aware of any personal data breach, the Data Fiduciary must, to the best of its knowledge and without delay, intimate each affected Data Principal in a concise, clear and plain manner through her user account or any registered mode of communication (Rule 7 – Intimation of personal data breach). The intimation must describe the nature, extent, timing and likely consequences of the breach, the measures implemented or to be implemented to mitigate the risk, the steps the Data Principal can take to protect herself, and the contact details of a person authorised to respond to her queries.

Simultaneously, the Data Fiduciary must intimate the Board without delay with an initial description and then provide a detailed report within seventy-two hours of awareness (or within such longer period as the Board may allow on written request), containing updated facts, circumstances and reasons leading to the breach, mitigation measures, findings about the cause/person responsible (if any), remedial steps to prevent recurrence and a report regarding notifications sent to affected Data Principals (Rule 7(2)). The Rules also require preservation of evidence, cooperation with Board investigations and support from data processors during the response. 

These obligations promote timely disclosure, effective containment and transparent handling of personal data breaches. 

Data Protection Board of India 

The DPDP Act requires the establishment of the Data Protection Board of India, which is responsible for adjudicating complaints, issuing directions, imposing penalties and ensuring overall compliance with the Act and the DPDP Rules 2025. The Rules outline the Board’s composition and appointment process, including Search-cum-Selection Committees for recommending the Chairperson and Members (the Rules dealing with Board constitution and appointment). The committees’ constitution and the criteria for appointment are provided in the Rules. The Rules that govern the Board’s appointment and functioning (including rule-making on meetings, quorum, digital functioning and inquiry timelines) are among those provisions that are in force as notified. 

The Board may enquire into personal data breaches, act on complaints made by Data Principals and issue binding directions after providing an opportunity to be heard. It has powers akin to a civil tribunal for the purposes of the Act, and inquiries are to be completed within six months unless extended for reasons recorded in writing (Rules concerning Board powers and inquiry timelines). Appeals from Board orders lie before the Appellate Tribunal, which is intended to operate digitally (Act and Rules on Appellate Tribunal). The Central Government may require Data Fiduciaries or intermediaries to furnish information for purposes specified in the Seventh Schedule and may restrict disclosure of such requests where national security or sovereignty considerations arise (Rule 23). 

Cross-border Transfer 

Cross-border data transfers follow a defined mechanism under Section 16 of the DPDP Act and Rule 15 of the DPDP Rules, 2025. Any personal data processed by a Data Fiduciary may be transferred outside the territory of India subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.  

The approach adopted is not a “black-list” mechanism but rather a discretionary framework, in which the Central Government retains the authority to specify requirements on a case-by-case or general basis for cross-border transfers. This approach maintains national discretion over geopolitical or security-related considerations while ensuring that transfers are subject to Government oversight and specified conditions.

Phased Enforcement 

One of the most visible changes lies in implementation timelines. While the Draft Rules offered only a general indication of a phased rollout, the DPDP Rules introduce a defined schedule: Rules 1, 2 and 17–21 come into force on notification; registration for Consent Managers (Rule 4) begins after one year; and the remaining provisions (Rules 3, 5–16, 22 and 23) come into force after eighteen months from notification. The notification date is 13th November 2025 (Rule 1 — Commencement). 

Phase I (Immediate effect) 

Rules 1, 2 and 17–21 came into force on 13th November 2025. Stakeholders must now familiarise themselves with the scope and terminology of the Act and the Rules so that compliance planning can begin without delay; the Rules that provide for the Board’s constitution and core procedural elements are among those in force as of that date. 

Phase II (Within one year)
Rule 4 (registration and obligations of Consent Managers) comes into force one year after publication — i.e., 13th November 2026. Entities seeking to function as Consent Managers should prepare to apply and meet the First Schedule requirements within this timeframe (Rule 4 and First Schedule Part A). 

Phase III (Within eighteen months)
Rules 3, 5–16, 22 and 23 come into force eighteen months after publication, i.e., 13th May 2027. This phase activates the bulk of compliance obligations (including notices to Data Principals, breach reporting, consent standards, retention and deletion rules, security safeguards, rights of Data Principals, cross-border transfer conditions and provisions related to the Appellate Tribunal). Organisations must treat 13th May 2027 as the target date for full operational compliance under these Rules. The staggered enforcement timeline provides Data Fiduciaries, Data Processors, government bodies and other regulated entities with lead time to strengthen operational preparedness. Organisations can use this period to train personnel, revise internal privacy policies, implement role-based access controls, enhance breach response systems, and align all processing activities with the provisions of the DPDP Act (2023) and the DPDP Rules (2025). The intention is to ensure a smooth, accountable and well-supported transition to the new data protection regime once all provisions are fully effective.

Consent and Data Collection Operational Requirements 

Notice Standards for Data Fiduciaries 

The DPDP Rules 2025 elevate consent from a mere checkbox exercise to a substantive and transparent communication process. Rule 3 requires that each Data Fiduciary provide a clear, transparent and accessible privacy notice, written in plain language that an average person can understand without legal or technical knowledge. This is a significant change from past practice, where consent was often buried in long terms of service or mixed in with other contractual text. The notice must be organised to facilitate informed decision-making by including detailed, itemised descriptions rather than ambiguous generalisations. Specifically, it must set out:

(i) the categories of personal data being collected (such as demographic information, contact details, financial data, health records, biometric identifiers, etc.),  

(ii) the particular purposes for which each category will be processed, and  

(iii) the goods, services, or functions that rely on such processing.  

This detailed disclosure requirement guarantees that data principals clearly comprehend the specific data being collected and the purpose behind its collection, allowing them to evaluate whether the value exchange services received in return for shared data are appropriate. 

Furthermore, the notice must include explicit instructions for the exercise of data principal rights. This encompasses procedures for withdrawing consent (with the same ease as providing consent), mechanisms for submitting grievances to the data fiduciary’s grievance redressal system, methods for accessing, rectifying, or deleting personal data, and information on lodging complaints with the Data Protection Board should grievances remain unresolved. The notice must also incorporate direct communication channels, such as dedicated URLs, email addresses, or in-app interfaces, to enable prompt access to these rights-exercise mechanisms. From a language accessibility standpoint, the Rules mandate that notices be provided in the languages outlined in the Eighth Schedule of the Constitution (the 22 official languages), thereby enabling linguistic minorities to access privacy communications in their preferred language. For individuals with disabilities, notices must be delivered in accessible formats, such as screen-reader-compatible text, audio versions, or simplified visual representations, to eliminate barriers that have historically prevented disabled persons from providing meaningful consent. 

Verifying and Withdrawing Consent 

The DPDP Rules set forth stringent criteria for the validity of consent, underscoring that consent must be free, specific, informed, unconditional and unambiguous, demonstrated through a clear affirmative action. “Free” signifies that consent must be given without coercion or deceptive practices; “specific” necessitates purpose limitation, meaning consent for one purpose does not authorise processing for unrelated purposes; “informed” demands clear disclosure as described above; “unconditional” prohibits making services contingent upon consent for non-essential processing; and “unambiguous” requires explicit action rather than pre-ticked boxes or implied consent. Critically, the Rules stipulate that the mechanism for withdrawing consent must be as accessible and simple as the process for granting it. Organisations must avoid imposing barriers, such as mandatory phone calls, physical correspondence, or intricate menu navigation, to withdraw consent that was obtained via a straightforward online click. This principle of “consent symmetry” guarantees that individuals maintain effective control over their data throughout the processing lifecycle, not solely at the point of initial collection. Data Fiduciaries are required to maintain detailed consent logs that record when consent was obtained, the purposes for which it was given, the notice presented at the time, any changes to consent over time, and each withdrawal. These logs serve several purposes: allowing Data Principals to examine their consent history, supporting regulatory audits by the Data Protection Board, and furnishing evidence of lawful processing in the event of complaints or investigations.
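Two of the properties just described translate directly into code: “specific” means a processing check must be keyed by purpose, so consent for order fulfilment never authorises marketing, and the consent log must be an append-only record that an auditor can verify was not rewritten after the fact. The register below is an added example of my own, not code from the article or from any Consent Manager; it assumes consent events are identified by a principal ID, a purpose string and the notice version shown, and it chains each event to the previous one with a SHA-256 hash so that a later edit to any entry is detectable. Withdrawal takes the same call shape as grant, which is the “consent symmetry” point in code.

```python
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first event in the log


class ConsentRegister:
    """Purpose-specific consent state backed by a hash-chained, append-only event log."""

    def __init__(self) -> None:
        self._events: list = []      # append-only; never edited in place
        self._active: dict = {}      # (principal_id, purpose) -> True/False

    def _append(self, **fields) -> None:
        # Each event commits to the hash of the one before it.
        prev = self._events[-1]["hash"] if self._events else GENESIS
        body = dict(fields, prev=prev)
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()
        self._events.append(dict(body, hash=digest))

    def grant(self, principal_id: str, purposes: list, notice_version: str, at: str) -> None:
        """Record an affirmative grant for each listed purpose against the notice shown."""
        for purpose in purposes:
            self._active[(principal_id, purpose)] = True
            self._append(event="grant", principal=principal_id, purpose=purpose,
                         notice=notice_version, at=at)

    def withdraw(self, principal_id: str, purposes: list, at: str) -> None:
        """Same shape as grant(): withdrawing must be no harder than granting."""
        for purpose in purposes:
            self._active[(principal_id, purpose)] = False
            self._append(event="withdraw", principal=principal_id, purpose=purpose,
                         notice=None, at=at)

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """Purpose limitation: only an active grant for this exact purpose permits processing."""
        return self._active.get((principal_id, purpose), False)

    def history(self, principal_id: str) -> list:
        """What a Data Principal or auditor would see for one person."""
        return [e for e in self._events if e["principal"] == principal_id]

    def verify_chain(self) -> bool:
        """Recompute every hash; any edited, inserted or deleted event breaks the chain."""
        prev = GENESIS
        for event in self._events:
            body = {k: v for k, v in event.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()
            if digest != event["hash"]:
                return False
            prev = event["hash"]
        return True


def consent_summary(register: ConsentRegister, principal_id: str) -> dict:
    """Current purpose-by-purpose position for a principal, derived from the log."""
    summary = {}
    for event in register.history(principal_id):
        summary[event["purpose"]] = (event["event"] == "grant")
    return summary
```

The hash chain makes tampering detectable, not impossible; to make it tamper-resistant the latest hash would be anchored somewhere the fiduciary cannot rewrite, such as a write-once log or a periodically signed checkpoint.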

Children’s Data and Special Categories 

The DPDP framework gives children’s data heightened protection, recognising that data collected about a person while young exposes them to exploitation, manipulation and long-term harm. Rule 10 requires a Data Fiduciary to obtain verifiable consent from the parent before processing any of a child’s personal data. “Verifiable” means that Data Fiduciaries must apply age-verification methods to determine whether the user is a child and parent-authentication methods to confirm that the person giving consent is the child’s parent or lawful guardian. Depending on the level of risk and the sensitivity of the data, verification may rely on one or more of the following:

(i) reliable information about the person’s identity and age that the data fiduciary already has (like from past verified transactions),  

(ii) documentation that the person voluntarily provides (like government-issued ID cards, birth certificates, or school records), or  

(iii) virtual tokens issued by authorised entities that link to verified identity credentials without giving away personal information.  

The Rules require Data Fiduciaries to exercise due diligence in verification and to use methods proportionate to the risk of the processing. Higher-risk activities, such as collecting health data or tracking location, call for more thorough authentication than lower-risk activities, such as opening an email account for school communication. Beyond the consent requirement, the Act places strict limits on how children’s data can be used. Data Fiduciaries are not permitted to undertake:

(i) behavioural monitoring (keeping track of children’s online activities, app usage, or browsing patterns that aren’t necessary for providing a service),  

(ii) targeted advertising (using profiling or behavioural data to send personalised commercial messages to children), and  

(iii) certain types of profiling (making automated decisions about children’s traits, preferences, or future behaviours).  

These prohibitions rest on children’s limited ability to weigh the long-term privacy consequences of their choices and their susceptibility to misleading marketing. For persons with disabilities, the Rules provide that consent given by a lawful guardian must be verified against court appointments, authorisations from competent authorities, or recognition under applicable guardianship legislation. This safeguard ensures that data about vulnerable people is processed only with genuine, legally valid permission from those acting in their best interests.

The Data Protection Board of India – Role & Functions 

Digital Governance and Enforcement Powers 

The Data Protection Board of India serves as the fundamental institutional pillar of India’s personal data protection framework, operating as an independent adjudicatory authority headquartered in the National Capital Region. The Board represents the government’s idea of digital governance, using technology to handle tasks like filing complaints, submitting evidence, conducting enquiries, and sharing decisions, all in line with the goals of modernising Digital India. The Board consists of a Chairperson and Members appointed through Search-cum-Selection Committees that utilise merit-based evaluation criteria. This appointment process, as described in the Rules, highlights the need for independence, technical knowledge in law, information technology, and data protection, as well as proven integrity, which are essential for effectively enforcing advanced regulatory standards.  

Core Institutional Functions:  

  • Adjudication of Rights-Based Complaints: The Board considers and resolves grievances submitted by data principals alleging violations, including denial of access rights, refusal to rectify inaccuracies, failure to honour erasure requests, or obstruction of consent withdrawal. Proceedings adhere to the principles of natural justice, providing parties with the opportunity to present evidence and arguments prior to the issuance of reasoned orders. Enquiries must be concluded within six months, unless documented justification for an extension is provided, to ensure prompt resolution and prevent procedural delays. 

  • Breach Investigation and Response: Upon notification of personal data breaches, the Board may issue directives for immediate containment or mitigation actions, undertake forensic investigations to identify root causes and contributing factors, evaluate the sufficiency of security safeguards established by data fiduciaries, establish accountability for negligence or misconduct, and impose proportionate penalties commensurate with the severity of the violation and its impact on affected individuals.

  • Penalty Imposition and Graduated Sanctions: The Board holds significant authority to impose financial penalties, structured as follows: up to ₹250 crore for failure to implement adequate security measures leading to a breach; up to ₹200 crore for breach notification failures or violations of children’s data protections; up to ₹150 crore for Significant Data Fiduciary non-compliance with enhanced obligations; and up to ₹50 crore for other statutory infractions. Penalty amounts turn on the severity and duration of the violation, the harm caused to data principals, the speed and effectiveness of remediation, the organisation’s compliance history, and any aggravating or mitigating factors. This graduated framework encourages voluntary adherence while reserving stringent sanctions for particularly serious violations.

  • Directive Authority and Voluntary Undertakings: The Board may issue binding instructions mandating specific corrective measures, such as ceasing unlawful processing, implementing enhanced security protocols, or correcting non-compliant practices. Furthermore, the Board may accept voluntary undertakings in which data fiduciaries commit to documented remediation plans, with formal proceedings being suspended contingent upon the diligent execution of such plans. This compliance pathway optimises the use of regulatory resources while promoting proactive corrective actions.  

  • Standard-Setting and Interpretive Guidance: Although the primary authority for rule-making rests with the Central Government, the Board is authorised to establish technical standards, issue guidance documents, and publish interpretive clarifications that elucidate statutory and regulatory provisions. Such guidance fosters uniform industry standards, minimises compliance ambiguity, and delineates operational expectations for data fiduciaries across various sectors.  

  • Consent Manager Oversight: The Board oversees the registration, supervision, and enforcement framework for Consent Managers, ensuring compliance with eligibility criteria, operational standards, independence requirements, and security obligations. The Board may suspend or revoke registrations due to non-compliance, governance deficiencies, or conflicts of interest, in accordance with established due process. 

The Board operates with powers analogous to civil courts under the Code of Civil Procedure, 1908, including the authority to summon and compel attendance of witnesses; require production and discovery of documents; examine witnesses under oath; issue commissions for evidence collection; and exercise ancillary powers necessary for effective inquiry. Appeals from Board determinations lie before the Telecom Disputes Settlement and Appellate Tribunal within 60 days, with further appellate recourse to the Supreme Court of India.

Updating notices, appointing DPOs, and audits 

Immediate Actions: Begin now and complete by May 2027.  

  • Privacy Notices: Review and revise all privacy policies according to Rule 3: standalone, plain language, itemised, and accessible. Conduct user testing; provide multilingual translations and accessible formats. Deploy updates across all customer touchpoints. 

  • DPO Appointment: Recruit or engage a qualified Data Protection Officer possessing legal expertise, technical competence, independence, and India-based status. 

  • Audits: Schedule Data Protection Impact Assessments and independent audits within 12 months of SDF designation; establish annual audit cycles. 

  • Board Reporting: Present compliance roadmaps to governance bodies; integrate privacy metrics into quarterly reports tracking compliance progress, breach incidents, rights requests, and regulatory developments.

Steps to Take to Become Ready for Compliance 

Checklists for organisations:

Governance and Accountability:

☐ Establish board-level privacy oversight with C-suite accountability

☐ Create cross-functional Data Protection Working Groups

☐ Appoint an India-based DPO (for SDFs)

☐ Integrate privacy into enterprise risk management

☐ Allocate adequate budget to compliance

Data Management:

☐ Map data flows end to end

☐ Maintain Records of Processing Activities

☐ Classify data by sensitivity

☐ Identify high-risk processing activities

☐ Document retention justifications

Notice and Consent:
☐ Redesign privacy notices in plain language
☐ Make notices stand-alone communications
☐ Give itemised disclosures
☐ Use granular, purpose-specific consent
☐ Make it easy to withdraw consent
☐ Keep detailed consent logs
☐ Translate notices into the languages that are needed

Security and Breach Response:
☐ Do security gap assessments
☐ Use encryption, access controls, and MFA
☐ Set up systems for continuous monitoring
☐ Keep tested backups and disaster recovery
☐ Write down how to respond to a breach
☐ Do breach simulation exercises
☐ Keep security logs for at least a year

Vendor and Third-Party:
☐ Review all data processing contracts
☐ Amend contracts to include DPDP-compliant clauses
☐ Review cross-border data transfers
☐ Set up vendor risk management systems
☐ Monitor vendor compliance continuously

Frequently Asked Questions 

When do the DPDP Rules 2025 become fully effective? 

The rules follow a phased implementation timeline. Core provisions establishing the Data Protection Board came into effect immediately on 13th November 2025. Consent Manager registration provisions become effective on 13th November 2026 (one year post-notification). The majority of substantive compliance obligations, including notice and consent standards, security safeguards, breach notification requirements, data retention and erasure rules, and data principal rights, become effective on 13th May 2027 (eighteen months post-notification). Organisations must achieve full compliance by the May 2027 deadline; no grace period or phased enforcement is contemplated after that date.

Who qualifies as a Significant Data Fiduciary? 

The Central Government will notify specific entities or classes as Significant Data Fiduciaries based on factors including volume and sensitivity of personal data processed, risks to individual rights, potential impact on national security or public order, and operational scale. While official notifications are pending, organisations processing large volumes of personal data (tens of millions of users), handling sensitive data categories at scale (health, financial, or biometric), or operating high-risk processing activities (extensive profiling, automated decision-making, and children’s services) should prepare for SDF designation. SDFs face additional obligations, including appointing India-based Data Protection Officers, conducting Data Protection Impact Assessments annually, and engaging independent data auditors. 

What are the penalties for non-compliance? 

The Data Protection Board may impose penalties up to ₹250 crore for failure to implement reasonable security safeguards resulting in a breach. Penalties up to ₹200 crore apply for failure to notify breaches or violations of children’s data protections. Significant Data Fiduciary non-compliance with additional obligations can attract penalties up to ₹150 crore. Other violations may result in penalties up to ₹50 crore. When determining penalty amounts, the Board considers violation severity, harm to data principals, remedial actions taken, and mitigating circumstances. Beyond financial penalties, the Board may issue directions ceasing unlawful processing, require data deletion, or in severe cases, recommend blocking access to non-compliant platforms. 

How should organisations respond to government data requests? 

Rule 23 empowers the Central Government to require data fiduciaries to furnish personal data for purposes including national security, law enforcement, public order, and delivering government services. Organisations should establish clear internal protocols for receiving and evaluating government requests, verify that requests are issued by authorised officials under proper legal authority, provide only the specifically requested data (avoiding over-compliance), maintain detailed logs of government data disclosures for accountability, and consult legal counsel when requests appear overly broad, legally questionable, or in conflict with obligations under foreign data protection laws. The Government may restrict disclosure of requests where national security or investigation integrity requires confidentiality.

What exemptions exist for government data processing? 

Section 17 of the DPDP Act allows the Central Government to exempt its instrumentalities from Act provisions on grounds including national security, sovereignty, public order, and related considerations. These broad exemptions enable government agencies to process personal data without consent, maintain less stringent security standards, or avoid notice requirements in certain contexts. While necessary for legitimate government functions, these exemptions have raised concerns about potential surveillance overreach and lack of judicial oversight. Organisations should understand that when processing data for government purposes or responding to government directions, different standards may apply compared to commercial processing. 

How long should organisations keep personal data? 

Retention periods depend on processing purposes, legal requirements, and entity classification. For e-commerce platforms, social media intermediaries with at least 2 crore users, and online gaming intermediaries with at least 50 lakh users: three years from last user interaction or rules commencement, whichever is later. For all data fiduciaries: at minimum, traffic data and processing logs must be retained for one year. Beyond these specified periods, retention is permitted only when necessary for compliance with other laws or contractual obligations. Organisations must implement automated erasure mechanisms, provide 48-hour advance deletion notices to users, and document retention justifications. 
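As an added illustration (not code from the page or from Tsaaro), the following Python sketch turns the retention figures stated above into a schedule that an automated erasure mechanism could act on: it classifies a fiduciary against the user thresholds given on the page, computes the erasure date as three years from the later of the last user interaction and the rules’ commencement date (13 November 2025), derives the 48-hour advance notice date, extends the deadline when another law or contract requires longer retention, and computes one-year retention for logs. The class names, the `utc` helper, the `legal_hold_until` field and the treatment of e-commerce platforms as covered without a user threshold (the page states none) are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

# Notification date of the DPDP Rules, 2025, as stated on the page.
RULES_COMMENCEMENT = datetime(2025, 11, 13, tzinfo=timezone.utc)
NOTICE_LEAD = timedelta(hours=48)   # advance notice before scheduled erasure
PLATFORM_RETENTION_YEARS = 3        # Third Schedule period cited on the page
LOG_RETENTION_YEARS = 1             # traffic data and processing logs


class FiduciaryClass(Enum):         # class names are assumptions for this example
    ECOMMERCE = "e-commerce platform"
    SOCIAL_MEDIA = "social media intermediary"
    ONLINE_GAMING = "online gaming intermediary"
    OTHER = "other data fiduciary"


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Helper (assumption) to build timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def add_years(moment: datetime, years: int) -> datetime:
    """Add calendar years; 29 February clamps to 28 February in a non-leap target year."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


def is_time_limited(kind: FiduciaryClass, user_count: int) -> bool:
    """Does the fixed three-year period apply? Thresholds are the ones given on the page."""
    if kind is FiduciaryClass.ECOMMERCE:
        return True                      # assumption: the page gives no user threshold here
    if kind is FiduciaryClass.SOCIAL_MEDIA:
        return user_count >= 20_000_000  # 2 crore users
    if kind is FiduciaryClass.ONLINE_GAMING:
        return user_count >= 5_000_000   # 50 lakh users
    return False


@dataclass(frozen=True)
class RetentionSchedule:
    time_limited: bool
    erasure_due: Optional[datetime]
    notice_due: Optional[datetime]
    basis: str                           # the documented justification for the period


def retention_schedule(kind: FiduciaryClass, user_count: int, last_interaction: datetime,
                       legal_hold_until: Optional[datetime] = None) -> RetentionSchedule:
    """Compute when the 48-hour notice and the erasure itself fall due for one user record."""
    if not is_time_limited(kind, user_count):
        return RetentionSchedule(False, None, None,
                                 "no fixed period: retain only while the purpose is served")
    start = max(last_interaction, RULES_COMMENCEMENT)   # whichever is later
    due = add_years(start, PLATFORM_RETENTION_YEARS)
    basis = "three years from the later of last interaction and rules commencement"
    if legal_hold_until is not None and legal_hold_until > due:
        due = legal_hold_until            # longer retention only where another law/contract requires it
        basis = "extended: retention required by another law or contract (record the justification)"
    return RetentionSchedule(True, due, due - NOTICE_LEAD, basis)


def log_retention_until(log_time: datetime) -> datetime:
    """Earliest date a traffic-data or processing-log entry may be discarded."""
    return add_years(log_time, LOG_RETENTION_YEARS)


def pending_actions(schedule: RetentionSchedule, now: datetime) -> List[str]:
    """What an erasure job should do at `now`: send the 48-hour notice first, then erase."""
    if not schedule.time_limited:
        return []
    if now >= schedule.erasure_due:
        return ["erase"]
    if now >= schedule.notice_due:
        return ["send_erasure_notice"]
    return []


if __name__ == "__main__":
    # Constructed sample: a social media intermediary with 2.5 crore users whose user last
    # interacted before the rules commenced, so the three-year clock starts on 13 Nov 2025.
    s = retention_schedule(FiduciaryClass.SOCIAL_MEDIA, 25_000_000, utc(2024, 1, 1))
    print(s.basis, s.notice_due.date(), s.erasure_due.date())
    print(pending_actions(s, utc(2028, 11, 12)))
```

The schedule carries its `basis` string so the retention justification is recorded alongside the date, which is the documentation the paragraph asks for; a production job would persist that string with the record and emit an audit log entry when the notice is sent and when erasure runs.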

What rights do data principals possess? 

Data principals have rights to access summaries of their personal data and processing activities, including identities of data processors and other fiduciaries with whom data was shared; correct inaccurate or incomplete personal data; erase personal data when processing purposes are fulfilled (subject to legal retention requirements); withdraw consent at any time with equal ease as granting consent; nominate another individual to exercise rights on their behalf in case of death or incapacity; file grievances with data fiduciaries’ redressal mechanisms; and file complaints with the Data Protection Board if grievances remain unresolved or rights are violated. Organisations must respond to rights requests within 30 days, providing written explanations if requests cannot be honoured. 

Conclusion 

The Digital Personal Data Protection Rules, 2025 represent a major realignment of how organisations in India are expected to manage and protect personal data. These rules create a mandatory compliance structure that touches every stage of the data lifecycle, beginning with the issuance of clear and accessible notices (Rule 3), continuing through consent management and verifiable parental and guardian consent workflows (Rule 10 and First Schedule), data retention planning and 48-hour pre-deletion notices (Rule 8 and Third Schedule), security safeguards (Rule 6), grievance handling timelines, and breach reporting obligations to Data Principals and the Board (Rule 7). By adopting the Rules early, organisations signal that they are committed to fairness, reliability, and responsible data handling. This commitment not only boosts customer confidence but also enhances the organisation’s reputation, thereby reducing long-term exposure to security incidents, disputes, and regulatory interventions. Once all phased provisions come into force, regulators will expect organisations to demonstrate readiness through clear documentation, well-defined accountability structures, and evidence that privacy measures have been embedded in business operations.

Call to Action for Consultation or Privacy Audit 

Companies need to start working towards compliance right away. The May 2027 deadline is only eighteen months away, and the required changes take time to make. Acting early gives you time to uncover gaps, put your plan into action, get ahead of the competition, and avoid costly last-minute spending.

Get Assistance from Professionals: Tsaaro Consulting provides a full range of compliance services, including developing privacy strategies, DPO-as-a-Service, compliance audits, security assessments, and training programmes.

  • Set up a privacy check: conduct rigorous reviews to detect gaps in data governance, create compliance baselines, and define explicit processes for addressing concerns.

  • Plan out your strategy roadmaps: make detailed implementation plans with clear goals, ownership of each workstream, resource allocation, and success criteria.

  • Invest in technology that makes things easier: adopt tools for compliance dashboards, breach detection, encryption, data discovery, and consent management.

The DPDP Rules 2025 signify that India has fully moved to comprehensive, enforceable data protection. Companies that approach compliance strategically are becoming leaders in India’s booming digital economy. Visit www.tsaaro.com to get started on your compliance journey with expert assistance tailored to your organisation’s needs.

Important FAQs on the Updated DPDP Rules 

  1. What is the purpose of the updated DPDP Rules?

The rules clarify how the Digital Personal Data Protection Act will work in practice. They set out duties for organisations and give clearer rights to individuals.

  2. What counts as personal data under these rules?

Under the DPDP Rules, 2025, personal data is defined as any data about an individual who is identifiable by or in relation to such data. This includes any information that can be used, directly or indirectly, to identify a person, such as their name, address, contact information, or other unique identifiers.

  3. Have consent requirements changed?

Yes. Consent must be free, specific, informed, unambiguous, and given by a clear affirmative action after a plain-language notice. For children and certain vulnerable persons the Rules require verifiable consent and technical/organisational measures to verify guardians. Withdrawal must be as easy as giving consent.

  4. Is notice to data principals now more detailed?

Yes. The Rules require plain-language notices and an itemised description of the personal data and the specific purpose(s), plus communication links for exercising rights.

  5. Are children’s data protections stronger now?

Yes. The Rules require verifiable parental consent for anyone under 18, with limited exemptions for essential services (healthcare, education, safety). They also list the processes for verifying a parent, such as reliable identity details, a virtual token, or Digital Locker.

  6. What new duties do data fiduciaries have?

The Rules require reasonable security safeguards such as encryption, masking, access controls, logs, backups, accuracy, and deletion when data is no longer needed.

  7. What has changed for significant data fiduciaries?

Significant Data Fiduciaries must appoint a Data Protection Officer, conduct periodic Data Protection Impact Assessments and audits, implement enhanced safeguards for high-risk or algorithmic processing, and comply with any government-notified restrictions requiring certain categories of personal data to remain within India.

  8. What rights do individuals have under the updated rules?

Individuals can now request access to their data, ask for corrections, request deletion, and seek grievance redressal.

  9. Is grievance redressal now time bound?

Yes. Organisations must have a grievance redressal system and respond within a period not exceeding 90 days under that system.

  10. Are data retention duties more defined?

Yes. Certain classes in the Third Schedule have fixed periods, e.g., three years for some large platforms. Logs and processing records must be retained for at least one year, and Data Principals must be notified 48 hours before scheduled erasure under the time-limit rules.

  11. Do the rules say anything new about cross-border transfers?

Yes. Data can be transferred abroad except to countries restricted by the government. The rules focus more on allowed transfers than on strict blocks.

  12. Have security requirements become stricter?

Yes. Data Fiduciaries must implement reasonable security safeguards, including encryption, access controls, logging, backups and one-year log retention, and must also intimate personal data breaches to affected individuals and the Board without delay and submit detailed breach information within the prescribed 72-hour timeframe.

  13. Are there penalties for non-compliance?

Yes. The rules are linked with high monetary penalties under the Act. Penalties depend on the seriousness of the breach.

  14. What is expected from data processors now?

Data Processors must process personal data only on documented instructions from the Data Fiduciary, implement the required technical and organisational security safeguards, and comply with contractual provisions mandating protection of the data they handle.

  15. How do these changes affect ordinary users?

Individuals gain clearer rights to access, correction, erasure and grievance redressal, benefit from stricter security obligations on organisations, and receive stronger transparency and accountability in how their personal data is processed.

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
