Rishikaa
Introduction
Nearly two years after the notification of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Ministry of Electronics and Information Technology (“MeitY”) has notified the Digital Personal Data Protection Rules, 2025.
The draft of these rules was published in January 2025 for public consultation. Following the consultation process, the final Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) were notified on November 13, 2025, marking India’s entry into a new era of structured data governance.
Along with the notification of the DPDP Rules, the MeitY also notified the establishment of the Data Protection Board of India (“DPB”) and set its membership at four. Further, the MeitY has also issued a notification for the phased implementation of the DPDP Act.
Enforcement details for the DPDP Act and the DPDP Rules:
| Enforcement Timeline | Provisions |
|---|---|
| 13 November 2025 | Establishment and functioning as well as powers of the DPB; the definitions |
| 13 November 2026 | Registration of Consent Managers and associated framework |
| 13 May 2027 | Overall implementation of the DPDP Act, grounds for processing personal data, and the provisions that impact a Data Fiduciary such as notice, consent, reasonable security safeguards, intimation of personal data breach, verifiable consent for children and persons with disabilities, obligations of Significant Data Fiduciary, rights of Data Principals, transfer of personal data outside India etc. |
Key Takeaways for Businesses:
- Review and update notices:
  - Issue notices to Data Principals, including for personal data for which consent was collected before the DPDP Act.
  - Ensure the notice includes an itemised description of the personal data, the specific purpose of collection, a specific description of the goods/services to be provided by such processing, and a communication link for exercising the right to withdraw consent and other rights, as well as for making a complaint to the DPB.
  - Present the notice clearly, in plain language, so that it is understandable independently of any other information.
  - Review cookie consent banners.
- Update consent mechanisms: enable Data Principals to give specific and informed consent for the processing of their personal data.
- Processing of children’s personal data:
  - Implement technical and organisational measures to secure verifiable parental consent before processing a child’s personal data.
  - Exercise due diligence to verify that the individual claiming to be the parent is an adult, by referring to reliable identity details already available with the entity, details provided by the individual, or a virtual token mapped to such details and verified by a DigiLocker service provider.
  - Exemptions from certain obligations apply only to specific entities and for specified purposes.
- Processing of personal data of persons with disabilities:
  - Obtain verifiable consent from the lawful guardian.
  - Ensure that the lawful guardian has been appointed by a court, a designated authority, or a local-level committee.
- Review security safeguards and technical and operational measures:
  - Adopt, at a minimum, data security measures such as encryption, obfuscation, masking, or the use of virtual tokens; control access; and keep appropriate logs, monitoring, and reviews in place to detect unauthorised access, investigate it, and remedy the situation so that it does not recur.
  - Retain logs and personal data for one year to aid in detecting and addressing unauthorised access, unless legal requirements dictate otherwise.
  - Implement appropriate technical and organisational measures to ensure compliance with these safeguards.
  - Review contracts with Data Processors to include provisions for these security safeguards.
- Personal data breach intimation:
  - Inform the affected Data Principals (through their user account or registered mode of communication) and the DPB without delay.
  - Provide a detailed account of the breach to the DPB within 72 hours, including, among other things, a report on the intimations given to affected Data Principals.
  - No risk threshold is specified.
- Publication of contact information:
  - Publish the contact details of the Data Protection Officer (“DPO”) or the responsible officer on the website or app.
  - Include these details in all responses to rights-related communications.
- Data Retention & Erasure:
  - E-commerce entities, online gaming intermediaries, and social media intermediaries that meet the specified threshold must retain personal data for the time and purposes specified in the DPDP Rules. Data must be erased once it is no longer needed, unless retention is legally required. Data Principals should be notified at least 48 hours prior to erasure.
  - Other entities are to determine when the specified purpose is no longer served. A one-year minimum retention period applies to all Data Fiduciaries.
- Significant Data Fiduciaries (“SDFs”):
  - Conduct an annual Data Protection Impact Assessment (DPIA) and audit.
  - Ensure that a report with significant observations on the DPIA and audit is furnished to the DPB.
  - Observe due diligence to verify that technical measures, including algorithmic software, are not likely to pose a risk to Data Principals’ rights.
  - Appoint an India-based DPO and an independent data auditor.
- Cross-Border Transfers:
  - Cross-border transfers are allowed, subject to requirements specified by the Central Government through a special or general order for making personal data available to a foreign State or to a person/entity/agency under its control.
  - Significant Data Fiduciaries must not transfer outside India the personal data specified by the Government on the basis of recommendations from a government-appointed committee.
- Rights of Data Principals: publish the following prominently on the website and/or app:
  - Details of the means to request the exercise of rights: access to information, correction, erasure, completion, grievance redressal, and nomination.
  - Particulars for identifying the user.
  - Manner of grievance redressal and timelines.
- Review Data Processor contracts:
  - Engage Data Processors under a valid contract.
  - Review contracts with vendors and Data Processors engaged by Data Fiduciaries for the processing of personal data.
  - Contractually ensure that the provisions of the DPDP Act and the DPDP Rules apply to such vendors and Data Processors.
  - Include indemnification clauses.
Our View
The DPDP Rules provide operational clarity to India’s data protection landscape, translating the DPDP Act’s principle-based structure into actionable standards. By setting out granular requirements, the DPDP Rules create a streamlined compliance pathway.
The phased implementation gives organisations a runway to focus on gap assessments, revisiting data retention timelines, strengthening vendor and processor contracts, redesigning consent UX, and taking stock of budgets, timelines, and risks, if not done already.
However, this clarity comes with operational concerns. According to news reports, implementing the DPDP Rules could increase companies’ IT and tech budgets by 10-30%, depending on the work required to redesign notice and consent mechanisms, report personal data breaches, renegotiate vendor agreements, etc. This continues to be a concern for small and medium-sized businesses and early-stage companies.
The requirement to retain personal data, associated traffic data and other processing logs for a period of one year was unexpected, given that it was not mentioned in the draft rules. This requirement not only deviates from the principle of data minimisation, but also increases costs for companies, which must now invest in infrastructure to retain personal data for one year, regardless of the size of the company or the nature of the personal data.
Despite the notification of the DPDP Rules, there is no clarity regarding the notification of SDFs, and whether such entities will also be given a similar runway to comply with the additional obligations once they are notified as SDFs.
Further, in June 2025, the Press Club of India, along with other news media organisations, contacted the MeitY to express their concerns about the DPDP Act’s gaps, which they believe infringe on freedom of speech and expression and impose burdensome obligations due to the unique nature of their work. Although the MeitY scheduled a meeting in July, the DPDP Rules do not address the issues raised by the news media organisations, thereby keeping journalistic activities within the scope of the DPDP Act.
Despite the notification of the 18-month timeline for operationalising most of the DPDP Rules, the Government is reportedly considering shortening this compliance timeline. This regulatory unpredictability creates unnecessary ambiguity, underlining the need for clarificatory guidance and a predictable enforcement structure.
Overall, the long-term success of the DPDP Act and the DPDP Rules will depend on continued regulatory clarity, industry readiness, and an enforcement approach that encourages compliance without constraining innovation.