Driven by excellence, focused on strategies for the longer term.

This is the crux of who we are. It is an articulation of precision in purpose, from the Firm’s beginnings to where we are today. Our collective eye is unerringly trained on tomorrow.

Deep sectoral expertise across services and industries.

Our insistence on strategic advisory exacts an in-depth understanding of and involvement with our clients’ businesses and industries. We engage not just individual businesses, but also contribute to the country’s legal and regulatory frameworks.

Personal commitment supported by experience and grit.

We commit early. We pull together internally for greater support. Every effort is sincere, every individual deeply dedicated to their task, their role, to the Firm.

Our undertakings for long-term impact are an organic extension of our purpose.

They are to employ our deep knowledge of the law beyond the business, the transaction, the deal. To use the opportunities and skills we possess, to reflect on the culture we’re creating. Individually and collectively, these are our efforts to help shape the thinking of our future generations, and arm them with strategies for true, sustainable growth.

Knowledge-sharing is intrinsic to equity and inclusivity.

This is a repository of thought leadership, deep insights and strong viewpoints, legal and other news and events and how they impact the industry and our clients.

Relevance is critical to growth. It necessitates a firm that is dynamic and responsive.

Amplifying intrinsic talent, sharpening skills, expanding knowledge, is vital to leading. It defines every aspect of how our firm functions and transacts. This is how we create new benchmarks and set industry standards.

  • Connect
Nov 14, 2025

India’s Digital Personal Data Protection Act: Phased Rollout and Key Compliance Milestones

The Government has formally operationalized India’s new data protection framework through a series of notifications dated November 13, 2025.

These include: (i) staggered commencement dates of provisions of the Digital Personal Data Protection Act, 2023 (‘DPDP Act’) and the Digital Personal Data Protection Rules, 2025 (‘DPDP Rules’); (ii) the Notification of the DPDP Rules; and (iii) the establishment of the Data Protection Board of India (‘DPB’) and its constitution.

Together, these notifications will result in phased implementation of the DPDP Act and DPDP Rules over a period of next 18 months i.e., May 12, 2027.

DPDP Rules Notified

The Government has notified the DPDP Rules, following the publication of the draft version of these rules in January 2025, and the subsequent public consultation process. While the overall structure and the framework contemplated in the draft version of these rules has been retained, the published DPDP Rules introduce clarifications and additions on certain procedural, technical and compliance aspects.

 Staggered Implementation of DPDP Act and DPDP Rules

The Government of India has adopted a phased implementation model under Section 1(2) of the DPDP Act, bringing the provisions into force in three distinct stages.

The DPDP Rules mirror this structure, with their commencement dates aligned to the respective staggered timelines under the DPDP Act to ensure that procedural and operational requirements become effective in a stepwise manner, as summarized below:

Sr. No. Timeline for Enforcement DPDP Act DPDP Rules
1. With immediate effect (November 13, 2025)

 

 Sections 1(2), 2, 18-26, 35, 38-43, and 44(1) & (3).

These cover:

i.    Definitions;

ii.    institutional provisions relating to the setting up of the DPB;

iii.  protection of actions taken by the Government or DPB under this law in good faith;

iv.   overriding effect of DPDP Act in case of a conflict;

v.    bar on civil court jurisdiction of proceedings under the DPDP Act; and

vi.   Government’s rule-making powers.

 Rule 1, 2 and 17-21.

These provisions establish:

i.    Procedural framework for implementation of the DPDP Act, namely the staggered commencement dates for the various rules;

ii.   definitions; and

iii.  the rules governing the constitution, functioning and operations of the DPB.
2. After one year of Notification

(November 12, 2026)

 

 Sections 6(9) and 27(1)(d)

These provisions relate to:

i.    registration requirements for consent managers; and

ii.   DPB’s jurisdiction over breach of conditions of registration by consent managers.

 Rule 4

This relates to registration and obligations of consent manager.

 

 
3. After eighteen months of Notification (May 12, 2027)

 

 

 Sections 3 – 5, 6(1) – (8) & (10), 7-17, 27 (except 27(1)(d)), 28-34, 36-37, and 44(2).

This will bring into force all remaining aspects, including:

i.    Notice and consent requirements;

ii.   legitimate uses;

iii.  general and additional obligations of data fiduciaries;

iv.   processing of children’s data;

v.    data principal rights, duties, exemptions;

vi.   cross-border transfer restrictions;

vii.  information-seeking powers of the Central Government;

viii.  blocking powers; and

ix.    power & functions of the DPB.

 Rule 3, 5-16, 22 and 23

These provisions contain all remaining substantive and operational requirements under the DPDP Rules, including:

i.    The manner in which notice should be provided to data principals;

ii.   reasonable security safeguards to be complied by data fiduciaries;

iii.  personal data breach-notification requirements;

iv.   data-retention and erasure timelines;

v.    verifiable parental consent;

vi.   exemptions relating to processing of children’s data;

vii.  obligations of significant data fiduciaries;

viii.  cross-border personal data transfer requirements;

ix.   provisions for exercise of data principal rights;

x.    filing of appeal before the Appellate Tribunal, and

xi.       Central Government’s power to call for information from data fiduciaries and intermediaries.

Data Protection Board of India Established

The Government has also issued a Notification establishing the DPB as the statutory enforcement body under the DPDP Act, with its head office located in the National Capital Region.

The DPB is designed to function as a digital-first authority regulating processing of personal data and is empowered to receive breach notifications, conduct inquiries, issue directions, accept voluntary undertakings and impose monetary penalties for non-compliance. A further Notification confirms that the DPB will comprise four members at inception. Appointments to these positions are expected to follow the statutory selection process laid out under the DPDP Rules.

Way Forward

The Government has taken into account the fact that transitioning to DPDP Act and DPDP Rules will require time and has laid down an 18 month roadmap leading up to the substantive implementation of the DPDP Act and the DPDP Rules. Companies should use this time to align their policies, systems and contracts to ensure compliance with the statutory obligations.

TAGS

SHARE

Subscribe

DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.

RELATED READING

Client alert

India’s Digital Personal Data Protection Act: Phased Rollout and Key Compliance Milestones
Nov 14, 2025 | Data Privacy & Protection
Client alert

Employment Law Update (Karnataka) | Paid Menstrual Leave
Nov 13, 2025 | Employment Labour & Benefits
Client alert

Delhi High Court Upholds Validity of Provident Fund Law Provisions on International Workers
Nov 12, 2025 | Employment Labour & Benefits