Digital Personal Data Protection Rules, 2025 Notified; Enforcement Timelines Announced
On November 13, 2025, the Ministry of Electronics and Information Technology, Government of India (‘MeitY’) notified the Digital Personal Data Protection Rules, 2025 (‘DPDP Rules’) under the Digital Personal Data Protection Act, 2023 (‘DPDP Act’).
This is one of a series of notifications issued by the Central Government (‘Government’), which also includes the staggered commencement dates of provisions of the DPDP Act and the DPDP Rules, and the establishment and constitution of the Data Protection Board of India (‘DPB’). Together these notifications mark the epochal and long-anticipated operationalization of India’s dedicated data protection regime.
The DPDP Act and the DPDP Rules set out the foundational requirements for India’s DPDP framework, including the legal bases for processing personal data, process and timeline for reporting personal data breaches, the consent manager framework, rights of data principals, mechanisms to obtain verifiable consent for processing children’s data, requirements relating to cross-border data transfers, data erasure timelines and the operational details in relation to the constitution, powers and functioning of the DPB.
I. Phased Enforcement of Data Protection Framework
- MeitY has adopted a phased enforcement model, bringing different sets of provisions into force at three distinct stages. The DPDP Act and the DPDP Rules follow the same approach, with their commencement aligned to these staggered timelines so that procedural and operational requirements become effective in a stepwise manner alongside the substantive obligations under the DPDP Act.
- Phase I – Effective November 13, 2025, the DPDP Act’s institutional provisions, primarily those establishing and empowering the DPB, conferring rulemaking powers on the Central Government and setting out the definitions, together with the corresponding procedural Rules, have come into force. Additionally, provisions amending the Telecom Regulatory Authority of India Act, 1997 to recognize the Telecom Disputes Settlement and Appellate Tribunal (‘TDSAT’) as the appellate authority under the DPDP Act, and provisions amending the Right to Information Act, 2005 to exempt personal information from the scope of Indian citizens’ right to information, have also been notified.
- Phase II – After one year, i.e., on November 13, 2026, provisions relating to registration of consent managers, and the DPB’s power to inquire into breaches of these registration requirements and impose penalties, will take effect.
- Phase III – The final phase, effective May 13, 2027, operationalizes the substantive framework of the data protection regime, including the notice and consent standards, obligations of data fiduciaries, processing of children’s data, data principal rights, exemptions and cross-border transfer requirements. Further, the DPB’s substantive powers and procedures for conducting inquiries and imposing penalties also come into force, along with the powers and appellate procedures of TDSAT and the Central Government’s authority to call for information from data fiduciaries and intermediaries.
The extended transition period of 18 months offers businesses valuable time to build operational capacity, update data governance practices and associated technological framework, and prepare for compliance with the DPDP Act’s substantive obligations.
Our previous update on the key highlights of the DPDP Act can be accessed here.
II. Key Highlights of DPDP Rules
- Notice: The DPDP Act requires a notice in prescribed form to accompany or precede a consent request. The DPDP Rules require the notice given by the data fiduciary (person who determines the purpose and means of processing of personal data) to the data principal (individuals to whom the personal data relates) to be clear, understandable and distinct from other information provided by such data fiduciary to enable the data principal to give specific and informed consent for processing of her personal data. Such notice should include:
- an itemized description of the personal data processed;
- the specified purpose or purposes of and specific description of the goods or services to be provided or uses to be enabled by, such processing; and
- the link for the website/app of the data fiduciary through which the data principal can withdraw her consent, exercise data principal rights and make a complaint to the DPB.
The DPDP Rules provide businesses greater clarity on the contents of the notice that would form the basis for data principals to provide consent for processing their personal data.
- Intimation of Personal Data Breach:
- Preliminary Intimation: The data fiduciary, upon becoming aware of the personal data breach, must provide a preliminary notification to the DPB without delay with a description of the breach, including its nature, extent, timing, location and potential impact. At the same time, affected data principals must also be notified without delay and to the best of the data fiduciary’s knowledge, through their user account or any other mode of communication opted for by the data principal, providing details of the nature and extent of the breach, the potential consequences for the data principal, the safety measures they should implement to protect their interests, and the business contact information of a person who can answer their queries.
- Updated Intimation: Thereafter, a more detailed intimation needs to be made to the DPB within 72 hours (or within such extended timeline as permitted by the DPB on a request made in writing) with updated information, including measures implemented or proposed to mitigate risk, findings of the investigation, remedial measures undertaken and intimations given to the affected data principals.
Needless to mention, this reporting requirement is in addition to the reporting obligations under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 notified under the Information Technology Act, 2000, which require reporting of cyber security incidents (including data breaches and data leaks) to CERT-In within six hours of knowledge, as well as other sectoral reporting requirements to the Securities and Exchange Board of India (‘SEBI’), Insurance Regulatory and Development Authority of India (‘IRDAI’) and Reserve Bank of India (‘RBI’), as applicable.
- Verifiable Consent for Processing Personal Data of Children or Person with Disabilities: The data fiduciary is required to:
- In Case of a Child – (a) adopt appropriate technical and organizational measures to ensure that verifiable parental consent is obtained; and (b) observe due diligence to verify that the individual identifying herself as the parent is an adult who is identifiable, if required, in connection with compliance with applicable law by using either: (x) existing data of such parent available with the data fiduciary; or (y) details voluntarily provided by the individual or through a virtual token mapped to such details issued by an authorized entity.
Such authorized entity may either be: (a) an entity empowered by law or by the Government with issuance of details of identity and age or token mapped to such details; or (b) a person permitted by the entity empowered under (a) above, and includes a digital locker service provider notified by the Central Government under the relevant rules under the Information Technology Act, 2000.
- In Case of a Person with Disability Who has a Lawful Guardian – observe due diligence while obtaining verifiable consent to verify that the individual identifying herself as the lawful guardian of a person with disability has been so appointed by the Court or competent authority under the applicable guardianship law.
The DPDP Rules segregate the requirements relating to children and persons with disabilities into two separate rules. Also, while the clarifications introduced in the illustrations provided under the DPDP Rules seem to address instances where a child or a parent proactively identifies themselves (as a child or a parent, respectively) for the purpose of triggering the verifiable consent mechanism, they do not appear to envisage requirements for data fiduciaries in scenarios where the child and parent do not so identify themselves.
- Cross-Border Transfers: The DPDP Act allows free transferability of personal data to any country or territory outside India, except to countries specifically restricted by the Government through a notification. However, the DPDP Rules introduce new restrictions on the outward transfer of personal data.
- SDFs: In the context of significant data fiduciaries (‘SDF(s)’), the Government, based on recommendations of a committee it constitutes, may specify certain personal data sets and the traffic data pertaining to its flow that cannot be transferred outside India. In other words, SDFs may be subject to data localization requirements for certain types of their customer / user data.
- All data fiduciaries: Further, the Government may also prescribe requirements (by way of a general or special order) for disclosure of certain personal data by data fiduciaries to any foreign State or a person / entity under the control of or any agency of such a foreign State.
The draft version of the DPDP Rules released by the Government for public consultation contemplated this restriction on disclosure of personal data to foreign governments or law enforcement agencies only where the cross-border transfer of personal data was connected to the offering of goods or services to data principals in India. However, since this condition has been removed in the notified DPDP Rules, the restriction would apply to all cross-border transfers of personal data, regardless of context.
In the context of the above requirement, multinational organizations may need to analyze the operational impact of these localization requirements (when prescribed) and their ability to comply with foreign laws that mandate a foreign Government’s access to data handled by such entities in respect of their Indian operations.
- Additional Obligations of SDFs: Once a year, SDFs must conduct Data Protection Impact Assessments and comprehensive audits to ensure compliance with the DPDP Act. SDFs also need to ensure that technical measures, including algorithmic software, adopted by them for hosting, upload, modification, transmission, storage or sharing of personal data do not pose a risk to data principal rights.
The DPDP Rules therefore require SDFs to assess the technical measures they adopt, which may include security tools, access controls, databases, configurations, etc., to ensure that they do not pose a risk to data principal rights.
- Deemed End of Specified Purpose & Erasure Timelines: The DPDP Act imposes an obligation to erase personal data when the data principal withdraws consent or when the specified purpose is deemed to no longer be served, i.e., the data principal neither approaches such data fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing, unless such retention is required for the data fiduciary to comply with its legal obligations.
The DPDP Rules now prescribe two types of data retention requirements:
- Universal minimum retention: All data fiduciaries must retain personal data, associated traffic data and processing logs for at least one year from the date of processing for the following purposes – (a) for the Government to use such personal data in the interest of the sovereignty and integrity of India, or the security of the State; (b) for the Government to use for performance of any State function or fulfillment of any legal obligation; and (c) for MeitY to carry out assessments for the notification of SDFs. After this one-year period expires, such personal data would need to be erased by the data fiduciary unless it is required to be retained for a longer period for compliance with applicable law.
- Retention period applicable to specified classes of data fiduciaries: E-commerce entities with more than 20 million registered Indian users, online gaming intermediaries with more than five million registered Indian users and social media intermediaries with more than 20 million registered Indian users must erase personal data after 3 years from their last engagement with the data principal or from these DPDP Rules coming into effect, whichever is later, unless such personal data is required for the data principal to access her user account or any virtual token issued to redeem money, goods or services. Before erasing personal data, the data fiduciary must notify the data principal at least 48 hours in advance and offer an opportunity to re-engage with the data fiduciary to prevent such erasure.
Depending on the class of data fiduciary, businesses would need to update their data retention schedules, deletion workflows, and account-reengagement mechanisms, and verify that any retention beyond the prescribed periods is supported by grounds permissible as per the DPDP Act.
- Exemptions:
- Exemption from requirements relating to children’s data: Certain classes of data fiduciaries (such as clinical and mental health establishments, healthcare professionals, allied healthcare professionals, educational institutions, individual childcare providers and transportation service providers engaged by such persons) and certain prescribed purposes (such as creation of a user account, determination of real-time location and observing due-diligence requirements relating to children) have been exempted from specific provisions such as verifiable parental consent and the restriction on behavioral monitoring, as long as the processing of personal data is limited to activities like healthcare, education and ensuring safety that are necessary for the well-being and safety of the child.
While these exemptions ease compliance for essential service providers, they apply only when processing is strictly limited to child-welfare functions, requiring careful segregation of exempt and non-exempt activities.
- Exemption from certain provisions of the DPDP Act: Exemptions from the provisions of the DPDP Act for research, archiving and statistical purposes are available subject to the implementation of appropriate technical and organizational measures to ensure effective observance of standards including lawful processing; data minimization; data accuracy, completeness and consistency; restricting retention until fulfilment of the purpose; implementation of reasonable security safeguards to prevent personal data breaches; accountability of data fiduciaries for processing in accordance with these standards, etc.
While this eases compliance for entities engaged in genuine research and statistical activities, the DPDP Rules provide no clarity on whether activities such as AI model training qualify as “research,” leaving uncertainty for industry stakeholders who were seeking to rely on this exemption.
- Call for Information: Data fiduciaries or intermediaries may be called upon by the Government to furnish information for purposes including national security, legal compliance or assessment of their status as an SDF. Further, the competent authorities are required to specify the timeline for furnishing such information. Where disclosure of the request might affect the sovereignty and integrity of India or the security of India, the competent authorities may restrict data fiduciaries from disclosing such requests for information to the affected data principal or any other person without prior permission.
Businesses must be prepared for Government information requests by maintaining strong data-handling and escalation processes and ensuring their contracts with vendors and customers clearly allocate responsibilities, require timely cooperation, and address confidentiality restrictions on disclosing such requests.
- Mechanism to Exercise Data Principal Rights: Data fiduciaries must prominently publish on their website and/or app the details of the mechanism through which data principals may exercise their rights, and any particular information, such as the username or other identifiers including file number, customer identification number, email address or mobile number, that may be required to establish their identity. The data fiduciary must also provide clear and reasonable timelines for responding to grievances, subject to an outer timeline of 90 days, which has been newly introduced in the DPDP Rules.
While the 90-day outer timeline brings clarity, it may pose operational challenges for businesses that receive high volumes of grievances or require cross-functional coordination, necessitating stronger internal processes and resource planning to ensure timely responses.
- Reasonable Security Safeguards: Data fiduciaries must implement reasonable security safeguards to protect personal data they process directly or through data processors. At a minimum, this includes: (i) using techniques such as encryption, masking or tokenisation; (ii) enforcing access controls; (iii) maintaining logs and monitoring for unauthorised access; (iv) ensuring backup and continuity measures; (v) retaining logs and relevant data for one year to support detection, investigation and remediation of breaches; (vi) incorporating security obligations into contracts with data processors; and (vii) adopting appropriate technical and organisational measures to ensure effective implementation of these safeguards.
The notable change from the requirements proposed under the draft version of the DPDP Rules is the shift from “including” to “such as” in clauses listing examples of security safeguards (e.g., encryption, obfuscation, masking, backups). This change clarifies that the listed safeguards are illustrative examples, not an exhaustive or prescriptive list. This change provides greater flexibility for data fiduciaries by allowing them to tailor security measures based on their activities, technology stack and risk profile, rather than treating the listed safeguards as mandatory in all circumstances.
- Consent Manager: Similar to the framework issued by the RBI applicable to account aggregators to operate their consent management platform for financial data, the DPDP Rules prescribe the requirements for registration as a consent manager and their obligations.
- Key conditions: The conditions for registration as a consent manager include incorporation of a company in India, minimum net worth requirements, adequacy of capital, earning capacity, independent certification regarding the conformity of its platform to data protection standards as may be published by the DPB, etc.
- Key obligations: The obligations of consent managers include providing an interoperable platform to enable data principals to give and manage consents, being data-blind, restrictions on subcontracting or assigning their obligations, maintaining records and logs of consents for at least seven years, conducting audits, ensuring that no conflict of interest arises from any interest held by their directors and senior management in any of the data fiduciaries, disclosure of shareholdings in excess of two percent, and obtaining approval from the DPB for a change of control.
Currently, there appears to be no guidance on the operational aspects of the consent manager framework, such as the division of liability between consent managers and data fiduciaries, permitted commercial models, interoperability standards and other implementation-related matters on which industry stakeholders had sought clarity during the consultation.
III. Way Forward
With the notification of the DPDP Rules and the enforcement timeline for the DPDP Act now firmly established, the period for preparatory deliberation has concluded and the time for concrete compliance action has begun. Organisations must proceed on the basis of the framework currently in force and initiate the necessary steps to ensure readiness. This includes instituting data governance mechanisms, undertaking comprehensive data-mapping and gap-assessment exercises, updating notices and consent processes, reviewing contractual arrangements with data processors, enhancing security safeguards, establishing clear protocols for breach reporting and the exercise of data-principal rights, and undertaking technological enhancements to ensure compliance with the DPDP Act and the DPDP Rules. Timely and diligent implementation will be critical to achieving compliance with the substantive obligations that come into effect by May 2027.