Digital Personal Data Protection Rules, 2025: Everything Businesses Need to Know

India’s shift from fragmented privacy practices to a structured data protection regime is now underway. The Digital Personal Data Protection Act, 2023 (“DPDP Act”) set the foundation. With the notification of the Digital Personal Data Protection Rules, 2025 (“DPDP Rules 2025”) in November 2025, the operational contours of this framework are now clear. The Rules come into force in phases, and organisations have a maximum window of 18 months to realign their systems.

Together, the Act and Rules create enforceable obligations for those who handle personal data, recognise the rights of individuals, and introduce the Data Protection Board of India as the central enforcement authority.

This note explains the DPDP Rules 2025 from the perspective of business leadership, compliance teams, counsel and CIOs who must prepare their institutions for the coming regulatory cycle.

1. Scope and Applicability

The Act and Rules apply to:

  • Processing of digital personal data within India; and

  • Processing carried out outside India when it relates to offering goods or services to, or profiling of, individuals located in India.

Key definitions

  • Data Principal: the individual to whom the data relates, including parents or guardians in the case of children or certain persons with disabilities.

  • Data Fiduciary: an entity that decides why and how personal data will be processed.

  • Data Processor: an entity that processes data on behalf of a Data Fiduciary.

  • Significant Data Fiduciary (SDF): a classification notified by the Government, based on factors such as volume, sensitivity, risks to individuals, and national interest.

Practical view: Any entity—domestic or foreign—that engages with individuals in India must assume that the DPDP framework applies to its digital operations.

2. Effective Date and Phased Roll-Out

The Rules take effect in three stages:

  1. Immediately (November 2025):
    Definitions, institutional provisions relating to the Data Protection Board and procedural aspects.

  2. After 12 months:
    Obligations governing Consent Managers (Rule 4).

  3. After 18 months:
    The full set of business obligations, including notices, consent, security safeguards, breach reporting, retention, rights management, children’s data, SDF obligations, exemptions and cross-border transfer conditions.

Business impact: Organisations effectively have a maximum of 18 months, from the date of notification, to become DPDP-ready. Complex organisations should begin without delay.

3. Guiding Principles

The DPDP framework must be read in line with the Act’s principles:

  • Fair and transparent processing

  • Clear and lawful purposes

  • Limiting data to what is necessary

  • Maintaining accuracy

  • Storing data only as long as required

  • Implementing reasonable security safeguards

  • Demonstrating accountability through evidence

These principles are the touchstone against which compliance will be judged.

4. Consent, Notices and Consent Managers

4.1. Consent Notices

A valid consent notice must:

  • Stand alone and not be buried in lengthy terms;

  • Be written in plain, comprehensible language;

  • Describe the categories of data collected;

  • State each purpose of processing;

  • Explain the goods, services or benefits linked to such processing;

  • Specify that consent is voluntary and can be withdrawn;

  • Describe how to withdraw consent;

  • Provide details of rights, grievances and escalation.

No forced consent: Non-essential processing cannot be bundled with essential services.

4.2. Consent Managers

The Rules make Consent Managers a regulated layer in India’s privacy ecosystem.

  • They must be incorporated in India and registered with the Data Protection Board.

  • They must provide an interoperable platform for giving, managing and withdrawing consent.

  • They must operate independently and cannot use personal data for their own purposes.

  • They must maintain strong security and governance.

Implication: Organisations, particularly those dealing with large consumer bases, should anticipate integration with one or more Consent Managers and plan contractual and technical arrangements accordingly.

5. Security Safeguards and Breach Management

5.1. Security Safeguards

Every Data Fiduciary must implement safeguards proportionate to the nature and volume of data processed. This includes:

  • Encryption, masking, tokenisation or similar measures;

  • Access controls and role-based permissions;

  • Logging of access and processing for at least one year;

  • Ongoing monitoring and testing;

  • Business continuity and disaster recovery arrangements;

  • Ensuring Data Processors adopt equivalent safeguards.

Failure to follow these standards attracts some of the highest penalties under the Act.

5.2. Data Breach Notification

Once a personal data breach comes to notice:

To affected individuals:
A Data Fiduciary must inform Data Principals “without delay”, giving details of the incident, the type of data involved, potential risks, remedial steps, and any steps the individual may take.

To the Data Protection Board:
The Rules require:

  1. An initial intimation without delay, and

  2. A detailed report within 72 hours, unless extended.

The detailed report must include the root cause, scope, containment measures, and communication undertaken. The Rules do not introduce a “materiality” threshold—any breach triggers reporting.

Expectation: Organisations should maintain a tested incident response plan aligned to these timelines.

6. Data Retention, Deletion and Inactivity

6.1. One-Year Minimum Retention

Data Fiduciaries must retain personal data, associated traffic data and logs for at least one year, subject to other laws that may require longer retention. After the purpose is achieved, data should be erased unless a statutory obligation applies.

6.2. Three-Year Inactivity Rule for Large Platforms

Specific categories of large platforms (such as major e-commerce or social media intermediaries meeting user thresholds) must:

  • delete personal data after three years of continuous inactivity, and

  • give advance notice to the Data Principal before deletion.

6.3. Erasure on Request

A Data Principal may seek erasure when the purpose of processing is complete or when consent has been withdrawn and no other legal basis remains.

Operational needs:
Organisations should map their retention obligations, create clear schedules, and implement automated deletion or anonymisation with audit trails.
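As an added illustration (not part of the original note), the following Python sketch encodes the retention decisions described in sections 6.1 to 6.3 as a single policy function with an audit trail. Day counts, field names and the sample records are assumptions for the example; the note gives only the periods in years.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Periods as the note states them, expressed in days (assumed calendar days).
MIN_RETENTION = timedelta(days=365)          # at least one year (section 6.1)
INACTIVITY_LIMIT = timedelta(days=3 * 365)   # three years of inactivity (section 6.2)

@dataclass
class Record:
    record_id: str
    collected_on: date
    last_activity: date
    purpose_complete: bool = False   # purpose of processing achieved
    consent_withdrawn: bool = False
    other_legal_basis: bool = False  # another lawful basis still applies
    statutory_hold: bool = False     # another law requires longer retention
    large_platform: bool = False     # fiduciary meets the large-platform threshold

def decide(rec: Record, today: date) -> tuple[str, str]:
    """Return (action, reason); action is retain, erase or notify_then_erase."""
    if rec.statutory_hold:
        return "retain", "statutory retention obligation applies"
    if today - rec.collected_on < MIN_RETENTION:
        return "retain", "one-year minimum retention not yet met"
    if rec.purpose_complete or (rec.consent_withdrawn and not rec.other_legal_basis):
        return "erase", "purpose achieved or consent withdrawn with no other basis"
    if rec.large_platform and today - rec.last_activity >= INACTIVITY_LIMIT:
        # Advance notice to the Data Principal precedes deletion.
        return "notify_then_erase", "three years of continuous inactivity"
    return "retain", "active and within purpose"

def plan_retention(records: list[Record], today: date) -> list[dict]:
    """Evaluate every record and emit one audit-trail entry per decision."""
    trail = []
    for rec in records:
        action, reason = decide(rec, today)
        trail.append({"record_id": rec.record_id, "evaluated_on": today.isoformat(),
                      "action": action, "reason": reason})
    return trail

if __name__ == "__main__":
    # Constructed sample records, not real data.
    sample = [
        Record("r1", date(2025, 1, 1), date(2025, 6, 1), purpose_complete=True),
        Record("r2", date(2026, 3, 1), date(2026, 3, 1), purpose_complete=True),
        Record("r3", date(2022, 1, 1), date(2023, 1, 1), large_platform=True),
        Record("r4", date(2020, 1, 1), date(2020, 1, 1), purpose_complete=True, statutory_hold=True),
    ]
    for entry in plan_retention(sample, date(2026, 6, 1)):
        print(entry)
```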

7. Children’s Data and Persons with Disabilities

7.1. Children

Processing a child’s personal data requires:

  • verifiable parental or guardian consent; and

  • appropriate age-assurance mechanisms, which may include identity verification or government-notified instruments.

The Act restricts tracking, behavioural monitoring and targeted advertising directed at children if it may harm their well-being, with limited exceptions for beneficial purposes such as health or education.

Organisations dealing with children must carefully review product design and avoid profiling or advertising practices that may undermine these protections.

7.2. Persons with Disabilities and Nomination

Where a person with a disability is unable to exercise their rights even with assistance, their lawful guardian may act on their behalf. The Rules also permit Data Principals to nominate a representative who can exercise their rights in the event of death or incapacity.

8. Rights and Response Timelines

The DPDP framework recognises the following rights:

  • To be informed about the processing of personal data

  • To access a summary or copy of personal data

  • To correct or update inaccurate or outdated data

  • To request erasure in appropriate circumstances

  • To raise grievances

  • To nominate another person

All rights requests and grievances must be resolved within 90 days.

Organisations should implement a centralised rights management process, supported by trained personnel and internal deadlines shorter than the statutory period.

9. Significant Data Fiduciaries

Entities notified as SDFs must comply with enhanced controls, including:

  • Appointment of a senior, India-based Data Protection Officer;

  • Conduct of Data Protection Impact Assessments for high-risk processing and new technologies;

  • Independent annual audits;

  • Algorithmic risk assessments;

  • Regular reporting to the Data Protection Board;

  • Compliance with any notified localisation or retention requirements.

Enterprises that are data-heavy or operate in sensitive domains should prepare for possible SDF designation.

10. Cross-Border Transfers

Cross-border transfers are permitted unless restricted or prohibited by the Central Government. For SDFs, the Government may specify categories of data or traffic data that must be retained or processed within India.

Organisations that rely on international service providers or group companies should:

  • map their data flows;

  • maintain contractual clauses that allow compliance with future restrictions;

  • ensure regulators can access required information.

11. Data Protection Board and Enforcement

The Data Protection Board functions predominantly through a digital office, with electronic filings, hearings and orders. It may issue directions, require remedial steps and impose penalties.

Penalty exposure includes:

  • up to ₹250 crore for failures relating to security safeguards;

  • up to ₹200 crore for breach notification failures or violations concerning children’s data;

  • up to ₹50 crore for other contraventions.

Appeals lie before the designated Appellate Tribunal.

12. A Practical Roadmap for Organisations

Phase 1: Governance and Assessment

  • Map data flows and processing activities;

  • Review consent, notices and existing policies;

  • Establish a DPDP implementation lead and cross-functional governance structure.

Phase 2: Notices, Consent and Rights

  • Update notices and consent wording;

  • Build or revise consent mechanisms;

  • Implement rights request workflows and publish clear procedures.

Phase 3: Security, Breach and Retention

  • Upgrade organisational and technical safeguards;

  • Prepare and test breach response processes;

  • Create retention schedules and automate deletion or anonymisation.

Phase 4: Vendors and Cross-Border

  • Review and renegotiate vendor contracts;

  • Insert DPDP-specific clauses on security, sub-processing, audits and breach reporting;

  • Map cross-border transfers and anticipate localisation requirements.

Phase 5: Children, Special Regimes and SDF Preparation

  • Deploy parental consent and age-verification mechanisms if required;

  • Pilot DPIAs and annual audits for likely SDFs;

  • Document algorithmic risk assessments.

13. Conclusion

The DPDP Rules 2025, notified in November 2025 with enforcement extending through an 18-month calendar, represent a decisive shift in India’s privacy landscape. Compliance under this regime is not a one-time exercise but an ongoing governance responsibility. Organisations that start early, strengthen internal structures, and align their systems to the Act and Rules will mitigate risk and build trust in a data-dependent economy.

Get In Touch

AMLEGALS supports organisations across sectors in developing end-to-end DPDP readiness: assessment, governance, implementation and breach response. You can reach us at dataprivacy@amlegals.com or call our board line at 91-8448548549.
