The Digital Personal Data Protection Rules, 2025 were notified in the Gazette on 13 November 2025 (G.S.R. 846(E)). Some provisions are already in force, while the core compliance obligations commence over the next 12 to 18 months: Rules 1, 2 and 17–21 apply from publication; Rule 4 (registration of Consent Managers) commences one year after publication (13 November 2026); Rules 3, 5–16, 22 and 23 commence 18 months after publication (13 May 2027).

Who is affected the most?

Data Fiduciaries and Data Processors: All entities that determine purposes/means of processing and their processors must comply with notice, security, breach, retention, children/guardian consent, rights and cross‑border rules.

Significant Data Fiduciaries (SDFs): When notified, SDFs face annual DPIA and audit duties, algorithmic risk diligence, and potential data transfer restrictions for Government-specified categories.

Consent Managers: A new registered intermediary layer with registration conditions and ongoing obligations, becoming operational one year from notification.

Sector cohorts with explicit timelines for “purpose deemed served”: Large e‑commerce (≥ 2 crore users), online gaming intermediaries (≥ 50 lakh users), and social media intermediaries (≥ 2 crore users).

What has changed/been clarified vis‑à‑vis the Act’s framework?

Mandatory notice content and consent UX: Notices must be standalone, in clear language, itemise personal data collected, specify purposes and the goods/services enabled, and provide an easy withdrawal path and a link to complain to the Board.

Breach intimation mechanics and timelines: Notify each affected Data Principal and the Board without delay; then, within 72 hours, file an update with the Board containing the specified particulars (cause, scope, mitigation, remedial steps, findings).

Baseline security and minimum retention: Reasonable security safeguards are codified: encryption, obfuscation, masking or virtual tokens for personal data; access control; logging and monitoring to detect, investigate and remediate unauthorised processing; backups so that processing can continue if data is compromised; and security obligations in processor contracts. Logs and personal data needed for breach detection and remediation must be retained for one year. Separately, a minimum one‑year retention of personal data, associated traffic data and processing logs is required for the specific public‑interest purposes in the Seventh Schedule, after which erasure must follow unless a law requires longer retention.

Time-to-erasure and 48‑hour pre‑notice: For the large platforms listed above, if the Data Principal neither engages for the specified purpose nor exercises any right for three years, the purpose is treated as no longer served and the data must be erased; a notice must be sent to the Data Principal at least 48 hours before erasure.

Children and persons with disability (PWD): “Verifiable consent” of a parent (child) or lawful guardian (PWD) is detailed, including acceptable identity/age checks and reliance on authorised entities/Digital Locker tokens.

Rights enablement and grievance timelines: Channels to exercise rights must be published; grievance redress must respond within a reasonable period not exceeding 90 days; Data Principals may nominate individuals to exercise rights; publish DPO/business contact in every rights response.

Cross‑border transfers: Permitted, subject to any requirements that the Central Government may later specify by order for transfers to a foreign State or entities under its control.

Government access/assessments and confidentiality: The Government may call for information for specified purposes and can direct confidentiality of such requests where disclosure may prejudice sovereignty or security.

Digital Board and appeals: The Board functions as a digital office; inquiries should complete within six months (extendable by three months at a time); appeals to the Appellate Tribunal are digital and fee‑linked to TRAI Act appeals, payable via UPI or other authorised systems.

Immediate actions for DPOs, founders and senior management

Stand up a DPDP programme with dates: Map the commencement schedule. The Board and appeal rules (17–21) already apply, so align internal procedures and staffing now; plan Consent Manager integrations for 13 Nov 2026; achieve full operational compliance with Rules 3, 5–16, 22 and 23 by 13 May 2027.

Data inventory, flows and retention: Catalogue personal data, purposes, processors, storage locations and transfers. Implement the one‑year minimum retention of the logs and personal data needed for breach detection and remediation under Rule 6(e), and of the data required for the Seventh Schedule purposes; define erasure procedures for when those periods end, unless a longer legal retention applies. If you are a large e‑commerce entity, online gaming intermediary or social media intermediary (thresholds above), configure “purpose deemed served” at three years of inactivity, send the pre‑erasure notice at least 48 hours before erasure, and carve out the data the Data Principal needs for account access and virtual tokens.
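The retention step above is usually implemented as a scheduled lifecycle job, and the awkward cases are the edges: a rights request that resets the inactivity clock, a notice that goes out late (which must push erasure out rather than shorten the 48‑hour window), and engagement after the notice that cancels erasure. The following is an added example, not code from the article's authors or from any regulator. The three‑year and 48‑hour figures and the 13 May 2027 commencement date come from the article; the PrincipalRecord structure, the seven‑day notice lead, the carve‑out categories and the assumption that the inactivity clock cannot start before the rule is in force are this example's own assumptions.

```python
"""Lifecycle decision logic for the "purpose deemed served" rule.

Added example, not the article's or any regulator's code. Assumptions are
marked inline; the three-year and 48-hour figures come from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
DAY = timedelta(days=1)
HOUR = timedelta(hours=1)

PURPOSE_SERVED_AFTER = 3 * 365 * DAY     # three years of no engagement or rights exercise
MIN_PRE_ERASURE_NOTICE = 48 * HOUR       # notice must precede erasure by at least 48 hours
NOTICE_LEAD = 7 * DAY                    # assumption: send the notice a week early, not at the 48 h limit
RULE_COMMENCEMENT = datetime(2027, 5, 13, tzinfo=UTC)  # Rules 3, 5-16, 22, 23 commence 18 months after 13 Nov 2025
# Assumption: categories the principal needs to log back in or use their tokens survive erasure.
RETAINED_FOR_ACCESS = frozenset({"account_credentials", "virtual_tokens"})


@dataclass
class PrincipalRecord:
    """Hypothetical per-principal lifecycle record (not a structure the Rules define)."""
    principal_id: str
    last_engaged: datetime                      # last use of the service for the specified purpose
    last_rights_exercise: Optional[datetime] = None
    notice_sent_at: Optional[datetime] = None   # when the pre-erasure notice went out, if it did
    data_categories: set = field(default_factory=set)


def last_activity(rec: PrincipalRecord) -> datetime:
    """Either engagement or exercise of a right keeps the purpose alive."""
    stamps = [rec.last_engaged]
    if rec.last_rights_exercise is not None:
        stamps.append(rec.last_rights_exercise)
    return max(stamps)


def purpose_served_at(rec: PrincipalRecord) -> datetime:
    """Assumption: the inactivity clock cannot start before the rule is in force."""
    return max(last_activity(rec), RULE_COMMENCEMENT) + PURPOSE_SERVED_AFTER


def record_activity(rec: PrincipalRecord, when: datetime, rights: bool = False) -> None:
    """Engagement (or a rights request) after a notice cancels the pending erasure."""
    if rights:
        rec.last_rights_exercise = when
    else:
        rec.last_engaged = when
    rec.notice_sent_at = None


def decide(rec: PrincipalRecord, now: datetime) -> tuple[str, frozenset]:
    """Return (action, categories_to_erase) for one scheduled lifecycle run."""
    served = purpose_served_at(rec)
    if now < served - NOTICE_LEAD:
        return "active", frozenset()
    if rec.notice_sent_at is None:
        return "send_notice", frozenset()
    # Erase only once the purpose is served AND the 48 h notice window has elapsed;
    # a notice sent late pushes erasure out instead of shortening the window.
    earliest_erasure = max(served, rec.notice_sent_at + MIN_PRE_ERASURE_NOTICE)
    if now < earliest_erasure:
        return "awaiting_window", frozenset()
    return "erase", frozenset(rec.data_categories) - RETAINED_FOR_ACCESS


if __name__ == "__main__":
    # Constructed sample: a principal last seen before the rule commenced.
    rec = PrincipalRecord("p1", RULE_COMMENCEMENT - 500 * DAY,
                          data_categories={"orders", "account_credentials", "virtual_tokens"})
    served = purpose_served_at(rec)
    print("purpose served at", served.date())
    print(decide(rec, served - NOTICE_LEAD))          # ('send_notice', frozenset())
    rec.notice_sent_at = served - 24 * HOUR           # notice went out late
    print(decide(rec, served))                        # ('awaiting_window', frozenset())
    print(decide(rec, served + 24 * HOUR))            # ('erase', frozenset({'orders'}))
```

Run the job daily; `decide` is idempotent for a given `now`, so a missed run simply lands in the next state. The late‑notice branch is the one worth keeping: if the notice is sent inside the last 48 hours, erasure waits until the full window has elapsed.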

Redesign notices and consent: Rewrite notices to meet Rule 3’s format and content; include a specific URL/app link for consent withdrawal, rights, and complaints to the Board; ensure withdrawal is as easy as giving consent. Prepare to interface with registered Consent Managers; their registration/obligations and Board‑published assurance frameworks come into effect after one year.

Breach readiness: Update incident response to meet Rule 7: templates for Data Principal notices and Board intimations “without delay” and the 72‑hour update with required particulars; establish logging, monitoring and investigation workflows to support those submissions.

Security controls and contracts: Implement encryption/obfuscation/masking/virtual tokens for personal data; strengthen access controls; maintain and review logs; ensure backups for continuity; embed security safeguard obligations into processor contracts per Rule 6(f).

Children and PWD processing: Build verifiable parent consent flows and adult/guardian verification using reliable identity/age details or authorised tokens/Digital Locker; set diligence to verify lawful guardianship for PWDs per applicable laws and authorities.

Rights handling, DPO presence and grievances: Publish DPO/business contact information; set up and publish rights request channels; configure nomination of individuals; ensure grievance redress resolves within a period not exceeding 90 days and is supported by technical/organisational measures.

SDF preparedness: If likely to be notified as SDF, schedule annual DPIA and audit; arrange to file significant observations to the Board; assess algorithmic/technical measures to ensure they pose no risk to Data Principal rights; prepare for possible in‑India processing/flow restrictions for categories that may be specified by Government on committee recommendations.

Risks to manage now

Regulatory enforcement: The Board can conduct digital inquiries (target six months) and issue directions; failure to meet the notice, breach, security, retention and rights timelines is readily evidenced from the very records the Rules require you to keep.

Operational disruption: The one‑year logging/retention duties and three‑year “purpose served” timelines require changes to data lifecycle tooling and storage planning.

Vendor exposure: Inadequate processor contracts or controls will be your liability; Rule 6 explicitly pushes safeguards into processor agreements.

Children/PWD flows: Weak verification can invalidate consent and trigger violations; build auditable checks per Rules 10 and 11.

Things to watch‑out for

Cross‑border specifics: Await Government orders specifying requirements (and any destination/state limitations) for overseas transfers under Rule 15.

SDF designation and data‑flow restrictions: Criteria and categories subject to in‑India processing/traffic‑data restrictions will follow committee recommendations; monitor notifications under Rule 13(4).

Consent Manager standards: The Board will publish certification standards/assurance frameworks and application particulars; plan for interoperability once Rule 4 commences in Nov 2026.

Conclusion

Treat the next 18 months as a build window. Lock in notice and consent designs, incident response, security and logging, children/PWD verification, retention/erasure, rights handling and vendor contracts now. Then phase in Consent Manager interoperability and be SDF‑ready where relevant. The Rules remove ambiguity and leadership now must remove latency.

Please reach out to us at rohit.lalwani@amlegals.com in case of any query.
