Data Privacy Law Firm in India for Global Compliance

In a data-driven world, privacy is your license to operate. AMLEGALS is a leading Data Privacy Law Firm in India advising global and Indian businesses on GDPR, the Digital Personal Data Protection Act, 2023 (DPDPA), CCPA/CPRA, and cross‑border data transfer frameworks. We turn complex privacy regulations into practical, business-aligned strategy so you can scale confidently, reduce risk, and build trust.

Our global data privacy services

Your data privacy partner across India and beyond

AMLEGALS serves clients across India and globally, with strong on-ground capability in Ahmedabad, Mumbai, Pune, Bengaluru, and Kolkata, and cross‑border matters spanning the EU/UK, US, APAC and the Middle East. Whether you are a startup, scale-up, or multinational, our Data Privacy Law Firm in India aligns compliance with commercial realities.

Led by a globally recognized Data Privacy Lawyer in India

Our practice is led by Mr. Anandaday Misshra, Founder and Managing Partner, widely recognized as a leading Data Privacy Lawyer in India. He advises on complex, multi-jurisdictional privacy, cross‑border transfers, and regulatory strategy, and contributes regularly to thought leadership on DPDPA, GDPR and AI governance. Under his guidance, AMLEGALS delivers outcome-focused, defensible compliance programs trusted by global and Indian enterprises.

Why AMLEGALS

  • Business-first privacy: Compliance that enables growth, not just checklists.
  • Sector depth: Technology, SaaS, IT/ITES, fintech, e‑commerce, manufacturing, healthcare.
  • End-to-end capability: Advisory, implementation, training, audits, and incident response.
  • Integrated contracts: Seamless alignment of privacy with commercial contracting and vendor governance.

FAQs

1. When do the DPDPA 2023 and DPDP Rules 2025 come into force?

The Rules follow a phased commencement. Provisions relating to the Data Protection Board came into effect immediately upon notification. The obligations governing Consent Managers commence 12 months after notification, and the primary business compliance obligations become enforceable after 18 months.

2. What are the major obligations under the DPDP Rules 2025?

The Rules operationalise the Act by setting out requirements for clear consent notices, security safeguards, breach reporting, retention and deletion processes, rights management, children’s data protection, duties of Data Fiduciaries and Significant Data Fiduciaries, and procedures relating to the Data Protection Board.

3. Who can be designated as a Significant Data Fiduciary (SDF)?

The Central Government may classify an organisation as an SDF based on the volume and sensitivity of data processed, risks to individuals’ rights, use of emerging technologies, potential impact on national interests, and any other factor considered relevant.

4. What must organisations do when a personal data breach occurs?

A Data Fiduciary must notify affected individuals without delay, providing details of the breach, possible consequences and mitigation steps. The Data Protection Board must receive an initial intimation immediately and a detailed report within 72 hours, unless extended. Every personal data breach triggers reporting; there is no materiality threshold.

5. What are the consent requirements under the DPDP Act and Rules?

Consent must be free, informed, specific and unambiguous. Consent notices must be standalone documents written in plain language and must describe the personal data collected, purposes of processing, associated benefits, rights, withdrawal processes and grievance redressal mechanisms. Consent Managers will provide interoperable digital platforms for managing consent.

6. How does the DPDP framework regulate children’s personal data?

Processing children’s personal data requires verifiable parental or guardian consent. Entities must use appropriate age-assurance mechanisms. Practices such as tracking, behavioural monitoring and targeted advertising directed at children are restricted where harmful, with narrow exemptions for beneficial purposes like health or education.

7. What rights do individuals (Data Principals) have?

Data Principals are entitled to information about how their data is processed, access to their data, correction and updating of inaccurate information, erasure when appropriate, grievance redressal, and the right to nominate a representative in case of death or incapacity. All rights requests and grievances must be resolved within 90 days.

8. What are the obligations regarding data retention and deletion?

Data Fiduciaries must retain personal data, related traffic data and logs for at least one year or longer if required by law. Once the purpose is fulfilled, data must be erased unless legally required to be retained. Certain large platforms must delete data after three years of continuous user inactivity and must provide advance notice before doing so.

9. Can personal data be transferred outside India under the DPDP framework?

Cross-border transfers are permitted unless specifically restricted or prohibited by the Central Government. Significant Data Fiduciaries may face additional localisation or retention obligations. Organisations should map their data flows and ensure their contracts support compliance with any future restrictions.

10. What practical steps should organisations take to comply with the DPDP Act and Rules?

Organisations should establish governance structures, conduct data mapping, update consent and notice mechanisms, strengthen security controls, build breach response processes, prepare data retention schedules, review vendor contracts, and plan for SDF obligations where relevant.

Disclaimer & Confirmation

As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, the user acknowledges the following:

  • there have been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
  • the user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request, and any information obtained or materials downloaded from this website is completely at the user's own volition, and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • we are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.

However, the user is advised to confirm the veracity of the same from independent and expert sources.