A closer look at the DPDP rules 2025

The Indian government has notified the Digital Personal Data Protection Rules, 2025 (DPDP Rules or Rules), marking a major step towards putting the Digital Personal Data Protection Act, 2023 (DPDP Act) into effect. Alongside the Rules, the government has also issued notifications to bring key provisions of the Act into force, and has set out phased implementation timelines over the next 18 months. Together, the DPDP Act and the Rules now describe what compliance will look like in practice – from notices and breach reporting, to children’s data, retention, cross-border transfers, and Significant Data Fiduciary (SDF) obligations. The final Rules are largely similar to the draft rules that were put out for consultation earlier this year, but with some changes and new obligations.

In this blog, we break down the Rules and their impact on businesses.

Breaking down the Rules

1. When will the Rules come into effect?

  • Provisions relating to the Data Protection Board (DPB) and certain procedural aspects take effect immediately on publication in the official gazette, i.e. today.
  • Obligations relating to consent managers, and powers of the DPB, start 12 months after publication.
  • Operational requirements – including notice, security safeguards, breach reporting, retention, children’s data, SDF obligations, international transfers, research exemption, and government information powers – kick in 18 months after publication, i.e., 13 May 2027.

This gives organisations a defined window to align governance, contracts, systems, and processes, though it is shorter than the two-year transition many stakeholders had hoped for.

2. How should businesses provide a notice for consent?

Businesses must provide clear, standalone notices to users about how their personal data will be handled (Rule 3). These notices must:

  • Include an itemised description of the personal data to be processed;
  • Provide the specified purpose or purpose(s) of processing;
  • Offer a specific description of the goods, services, or uses that the processing enables;
  • Be presented independently of other information, in clear and plain language; and
  • Include links or other clear means to withdraw consent, exercise rights, and complain to the DPB.

A small but important change from the draft is that the Rules now refer to “specified purpose(s)”, which suggests that some degree of purpose bundling (for the consent) may be permissible. While this may offer some limited practical relief, actual market practice will need to develop through implementation and Board guidance. 

3. Who are Consent Managers (CM)?

Consent Managers allow individuals to give, manage, review, and withdraw consent for processing personal data (Rule 4). To act as a consent manager, entities must:

  • Register with the DPB;
  • Be incorporated in India and meet minimum net-worth and governance requirements; and
  • Operate independently, avoiding conflicts of interest with data fiduciaries whose consents they manage.

Consent managers must adopt security safeguards, cannot read the content of personal data they handle, and must have processes for regular review and compliance. The final Rules mainly clarify when these obligations begin (12 months after notification); the core requirements are the same as in the draft.

4. How can government organisations process personal data?

Rule 5 and the Second Schedule set out how government bodies can process personal data when delivering subsidies, benefits, services, licences, or permits. Processing must be:

  • Lawful and necessary for the purpose;
  • Limited to what is needed; and
  • Supported by appropriate security safeguards and retention limits.

Government entities must also ensure data accuracy and inform individuals about how their data is being used.

5. What security safeguards should be adopted?

Data fiduciaries must, at the minimum:

  • Secure personal data using measures like encryption, obfuscation or masking, or virtual tokens;
  • Implement appropriate access controls and keep visibility on who accesses data;
  • Maintain access logs for at least one year;
  • Monitor and review logs regularly;
  • Put in place business continuity and recovery measures;
  • Flow down security obligations to data processors through contracts; and
  • Implement technical and organisational measures (Rule 6).

For many organisations, this will formalise practices they already follow, but they will still need to ensure that their logging, monitoring, and contractual arrangements match the minimum expectations in the Rules.

6. How should organisations report a data breach?

When a data fiduciary becomes “aware” of a personal data breach, it must:

  • Inform affected data principals “without delay”, with details such as a description of the breach, potential consequences, steps being taken, and what individuals can do to protect themselves; and
  • Notify the Data Protection Board in two stages:
      • A first intimation “without delay” describing the breach, its extent, timing, location, and likely impact; and
      • A detailed report within 72 hours (subject to extension by the Board), covering causes, impact, mitigation steps, remedial measures, and information about notifications to data principals (Rule 7).

There is no risk or harm threshold – all personal data breaches are treated the same, meaning all data breaches must be notified to both individuals and to the Board.

7. How long can you retain data?

The retention framework under Rule 8 has two layers.

(a) Specific rules for certain large platforms: Certain large fiduciaries (specifically e-commerce entities, online gaming intermediaries, and social media intermediaries above specified user thresholds) must erase personal data after three years of user inactivity, with a 48-hour pre-deletion notice, subject to exceptions for legal obligations or other grounds in the DPDP Act.

(b) New one-year minimum retention for all data fiduciaries: The Rules add a new requirement: all data fiduciaries must retain personal data, associated traffic data, and certain logs for at least one year for specified purposes (such as responding to lawful requests or supporting investigations), after which such data must be erased unless another law requires longer retention.

Entities outside the three specified classes will still need to determine when the specified purpose is no longer served and implement retention and deletion policies accordingly, while also respecting this one-year minimum data retention requirement.

8. How should data fiduciaries obtain parental consent for children’s data?

Under Rule 10, the core structure for processing children’s data is: data fiduciaries must adopt appropriate technical and organisational measures to ensure that parental consent is obtained before processing any personal data of a child. In addition, fiduciaries must conduct due diligence to confirm that the individual identifying themselves as the parent or lawful guardian is in fact an adult. The Rules outline three pathways for this verification: using reliable information the fiduciary already holds, relying on identity or age details voluntarily provided by the parent, or using a token or credential issued by the government or an authorised entity on its behalf.

9. What exemptions apply to children’s data, and what has changed?

The Rules exempt only specific classes of entities and tightly defined purposes from the requirement to obtain parental consent and the restriction on tracking, monitoring, and targeted advertising (Fourth Schedule). These apply mainly to clinical and healthcare establishments, allied health professionals, educational institutions, and certain childcare and caregiving settings, and only when processing is for the listed purposes (such as delivering health services, education, or essential caregiving functions). Notably, two new permitted purposes have been added: (i) determining a child’s real-time location for specified child-focused services, and (ii) tracking and monitoring where this is necessary to ensure that a service or advertisement is not likely to have a detrimental effect on the child’s well-being, potentially recognising that some personalisation is allowed to keep children safe online. These are narrow, purpose-specific carve-outs rather than a broad relaxation: entities must still check both that they fall within an exempt class and that a particular processing activity fits one of the enumerated purposes.

10. What are the obligations for Significant Data Fiduciaries (SDF)?

Per Rule 13, SDFs must:

  • Conduct a Data Protection Impact Assessment (DPIA) and an audit every 12 months;
  • Submit a report to the Board capturing significant observations from the DPIA and audit;
  • Verify that technical measures, including algorithmic software used to host, display, upload, modify, publish, transmit, store, update, or share personal data, do not pose likely risks to data principals’ rights; and
  • Comply with any Government directions that certain categories of personal data and associated traffic data must not be transferred outside India, based on the recommendations of a Committee.

The Rules still do not spell out a detailed process for SDF designation beyond the factors mentioned in the Act, nor do they clarify precisely how “verification” of technical measures, including algorithmic software, should be carried out.

11. Can data be transferred outside India?

Data fiduciaries may transfer personal data outside India, but must comply with any conditions the Central Government may impose by general or special order – particularly around making such data available to foreign States or their agencies after transfer (Rule 15). This is largely unchanged from the draft. As noted above, for SDFs (Rule 13), the Government can, based on recommendations from a government appointed committee, specify categories of personal data and related traffic data that must not be transferred outside India. This leaves room for future transfer restrictions and conditions linked to foreign-government access, even though the DPDP Act itself took a more permissive default stance. The rules also provide broad details of the constitution of the committee, which will include officials from the IT Ministry and other ministries/departments.

12. How should data principals exercise their rights?

Rule 14 requires data fiduciaries and consent managers to publish clear and accessible information on how data principals can exercise their rights. This includes:

  • Procedures for submitting requests;
  • Identification or verification requirements (for example, use of customer IDs or account numbers); and
  • Details of grievance redressal mechanisms and timelines.

Data principals must be able to access, correct, and erase their personal data, and nominate another person to exercise their rights in case of death or incapacity. The final Rules stay close to the draft on this.

13. What about the Data Protection Board (DPB)?

Rules 17-21 cover the structure and functioning of the DPB:

  • The Central Government will set up search and selection committees for the Chairperson and Members, made up of senior officials and domain experts.
  • Appointees are expected to have expertise in areas like law, data governance, technology, or regulation.
  • The Board will function as a “digital office”, using techno-legal measures for electronic filings, hearings, and communications.

The main change from the draft is that these provisions now come into effect immediately, providing a clearer signal on when the Board can be operationalised.

14. What is the process for appeal?

Under Rule 22, appeals against DPB orders continue to lie to the Appellate Tribunal, which will also operate as a digital office. Aggrieved parties can file appeals electronically, with fees payable through digital channels (with possible waivers in appropriate cases); and expect procedures guided by principles of natural justice, with the tribunal having flexibility to manage its own process and powers to summon and examine individuals. This structure is carried forward from the draft Rules with minor drafting refinements.

15. What are the government’s powers to call for ‘information’?

Rule 23 preserves the government’s broad powers to call for information from data fiduciaries and intermediaries, as outlined in the Seventh Schedule. Authorised officers can require entities to furnish information for specified purposes, including national security and other public-interest grounds. The government may also direct that an entity must not disclose that it has furnished information, where such disclosure could prejudice interests like sovereignty and security.

16. Are there other exemptions (for research, archiving and statistics)?

Under Rule 16, the research exemption focuses on processing that is “necessary for research, archiving or statistical purposes” and that complies with the safeguards in the Second Schedule. Key safeguards include ensuring that processing is lawful and not used to make decisions about specific individuals, and implementing governance and security measures appropriate to the research context.

The path ahead

The notified DPDP Rules, 2025 convert the DPDP Act’s broad principles into operational requirements. In most areas, they confirm the direction set by the draft Rules, with a few important additions – particularly clear implementation timelines and a new one-year retention floor for all data fiduciaries along with some potential flexibility around linking of specified purpose with consent.

Businesses now need to move from “issue-spotting” to implementation: mapping data flows, updating notices and contracts, planning for breach reporting and retention, re-examining children’s data handling, and assessing the risk of being classified as an SDF. They should also closely track future government orders on cross-border transfers and SDF notifications, along with any guidance/enforcement by the Data Protection Board, which will shape how the Rules are applied in practice.
