India has entered a defining phase in its data privacy journey. With the notification of the Digital Personal Data Protection Rules, 2025 (DPDP Rules), the country now has a fully actionable framework that operationalises the Digital Personal Data Protection Act, 2023 (DPDP Act). Together, the Act and the Rules establish India’s first comprehensive digital privacy regime—one that places citizens at the centre while enabling responsible innovation across the digital economy.
Notified by the Ministry of Electronics and Information Technology (MeitY) in November 2025, the Rules were developed through an extensive public consultation process. Over 6,900 inputs were received from startups, industry bodies, civil society groups, government departments, and individual citizens across seven cities. The result is a practical, phased, and innovation-friendly framework that balances regulatory rigour with operational flexibility.
Why the DPDP Rules Matter
The DPDP Act of 2023 laid out the broad principles of data protection—consent, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability. It is the Rules, however, that provide the operational detail organisations need to actually comply. From how notices must be drafted and served, to how breaches must be reported, how consent must be obtained, and how children’s data must be safeguarded—the Rules translate high-level obligations into concrete, enforceable requirements. For businesses, this means the era of ambiguity is over. The DPDP Rules provide clear timelines, defined responsibilities, and specific standards that every Data Fiduciary—any entity that determines the purpose and means of processing personal data—must meet.
Key Provisions at a Glance
- Consent and Notice Requirements: Consent remains the cornerstone of India’s data protection framework. Data Fiduciaries must obtain clear, specific, and informed consent from individuals before collecting or processing their personal data. Every consent notice must be written in plain, accessible language and must clearly state what data is being collected, why it is being collected, and how it will be used.
The Rules also introduce itemised notices, meaning organisations can no longer hide behind vague privacy policies. Each purpose of data processing must be individually disclosed, giving individuals genuine visibility and control over their data.
- The Consent Manager Framework: A distinctive feature of the DPDP regime is the introduction of Consent Managers—registered intermediaries that serve as a bridge between individuals and organisations for managing consent. These entities must be incorporated in India, maintain a minimum net worth, demonstrate technical and operational capacity, and comply with strict governance and transparency requirements.
Consent Managers are required to maintain consent records for a minimum of seven years, provide user-facing dashboards for consent management, and remain free from conflicts of interest. They cannot sub-contract their core functions. This framework creates a new consent orchestration layer that will influence product design, user experience, and backend data management across the ecosystem.
- Security Safeguards and Breach Notification: Every Data Fiduciary is required to implement reasonable security safeguards, including encryption, access controls, logging, monitoring, breach response protocols, and audit trails. These are not aspirational guidelines—they are enforceable standards.
In the event of a personal data breach, organisations must notify both affected individuals and the Data Protection Board within 72 hours. Notifications must include details of the breach’s nature, its potential impact, and the mitigation steps being taken. This places a premium on organisational readiness and incident response capability.
- Data Retention and Erasure: The Rules introduce a structured approach to data retention. All Data Fiduciaries must retain personal data and associated logs for a minimum of one year. Beyond that, data must be erased once the purpose for which it was collected has been fulfilled, unless another law requires longer retention. For large digital platforms—specifically e-commerce entities, online gaming intermediaries, and social media intermediaries above prescribed user thresholds—a three-year inactivity-based deletion rule applies. If a user has not engaged with the platform for three years, their personal data must be erased, with a 48-hour pre-deletion notice sent to the user.
- Protection of Children’s Data: The Rules impose heightened protections for data belonging to children (individuals under 18). Processing such data requires verifiable parental or guardian consent. Data Fiduciaries are prohibited from using children’s data for profiling, behavioural tracking, or any purpose that could be detrimental to a child’s welfare. Reliable age verification mechanisms must also be in place. Similar protections extend to persons with disabilities who have lawful guardians.
- Rights of Individuals: The framework empowers individuals with strong, actionable rights over their personal data. Data Principals (individuals) can request access to their data, seek corrections or updates, request the erasure of data that is no longer needed, and nominate a representative to exercise these rights on their behalf. Organisations must provide clear, accessible channels for exercising these rights and must resolve grievances within a reasonable timeframe.
- Obligations of Significant Data Fiduciaries (SDFs): Organisations classified as Significant Data Fiduciaries face elevated compliance obligations. These include conducting annual Data Protection Impact Assessments (DPIAs), undergoing independent audits, performing algorithmic fairness assessments to ensure their systems do not infringe on user rights, and appointing a dedicated Data Protection Officer (DPO). SDFs may also face restrictions on transferring certain categories of personal data outside India, based on recommendations from a government-appointed committee.
- Cross-Border Data Transfers: India has adopted a pragmatic “blacklist” approach to cross-border data transfers. Personal data may be transferred outside India by default, unless the Central Government specifically restricts transfers to a particular country or entity. This approach offers significantly greater operational flexibility compared to the adequacy-based frameworks seen in other jurisdictions, reducing contractual and assessment burdens for businesses operating across borders. However, organisations must maintain up-to-date data flow mappings and be prepared to comply swiftly should new restrictions be notified.
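The inactivity-based erasure rule in the Data Retention and Erasure item above (three years without engagement, a notice at least 48 hours before deletion, erasure blocked where another law requires longer retention) is the kind of obligation that ends up as a scheduled job. The following is an added illustration written for this article, not code from the Rules or from any Consent Manager or platform; the `UserRecord` fields, the `classify`/`run_sweep` functions, the modelling of three years as 3 × 365 days, and the sample users are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Timelines as described in the article. Modelling "three years" as 3 * 365 days
# is an assumption of this example; the Rules do not prescribe a day count.
INACTIVITY_LIMIT = timedelta(days=3 * 365)   # three years without engagement
PRE_DELETION_NOTICE = timedelta(hours=48)    # notice must precede erasure by 48 hours
MIN_LOG_RETENTION = timedelta(days=365)      # logs kept for at least one year


@dataclass
class UserRecord:
    user_id: str
    last_activity: datetime                     # last engagement with the platform
    notice_sent_at: Optional[datetime] = None   # when the pre-deletion notice went out
    legal_hold: bool = False                    # another law requires longer retention


def classify(record: UserRecord, now: datetime, platform_in_scope: bool = True) -> str:
    """Decide what a retention sweep should do with one user record.

    Returns one of:
      'out_of_scope'     - entity is not a platform above the user thresholds
      'hold'             - erasure blocked because another law requires retention
      'active'           - user engaged recently enough; nothing to do
      'send_notice'      - erasure date is within 48 hours (or past) and no notice sent
      'awaiting_notice'  - notice sent, but 48 hours / three years not yet elapsed
      'erase'            - both the inactivity limit and the notice period have passed
    """
    if not platform_in_scope:
        return "out_of_scope"
    if record.legal_hold:
        return "hold"

    # A notice sent before the user's latest activity is stale: the user re-engaged,
    # so the three-year clock restarted and a fresh notice would be needed later.
    notice = record.notice_sent_at
    if notice is not None and notice < record.last_activity:
        notice = None

    erase_at = record.last_activity + INACTIVITY_LIMIT
    if notice is None:
        # Notice has to go out at least 48 hours before the erasure date.
        return "active" if now < erase_at - PRE_DELETION_NOTICE else "send_notice"
    earliest_erase = max(erase_at, notice + PRE_DELETION_NOTICE)
    return "erase" if now >= earliest_erase else "awaiting_notice"


def log_retain_until(erased_at: datetime) -> datetime:
    """Earliest date the erasure audit log may itself be purged (one-year minimum,
    measured here from the erasure event; an assumption of this example)."""
    return erased_at + MIN_LOG_RETENTION


def run_sweep(records: List[UserRecord], now: datetime,
              platform_in_scope: bool = True) -> Dict[str, List[str]]:
    """Group user ids by the action due so notices and erasures can be batched."""
    actions: Dict[str, List[str]] = {}
    for rec in records:
        actions.setdefault(classify(rec, now, platform_in_scope), []).append(rec.user_id)
    return actions


def demo_sweep(platform_in_scope: bool = True) -> Dict[str, List[str]]:
    """Run the sweep over constructed sample records (not real users)."""
    utc = timezone.utc
    now = datetime(2026, 1, 1, tzinfo=utc)
    sample = [
        UserRecord("u1", datetime(2025, 6, 1, tzinfo=utc)),                      # recent
        UserRecord("u2", datetime(2022, 12, 1, tzinfo=utc)),                     # 3y+ idle, no notice
        UserRecord("u3", datetime(2022, 12, 1, tzinfo=utc),
                   notice_sent_at=datetime(2025, 12, 31, 12, tzinfo=utc)),       # notice 12h ago
        UserRecord("u4", datetime(2022, 12, 1, tzinfo=utc),
                   notice_sent_at=datetime(2025, 12, 29, tzinfo=utc)),           # notice 3 days ago
        UserRecord("u5", datetime(2022, 12, 1, tzinfo=utc), legal_hold=True),    # retention required
        UserRecord("u6", datetime(2025, 12, 20, tzinfo=utc),
                   notice_sent_at=datetime(2025, 12, 10, tzinfo=utc)),           # re-engaged after notice
    ]
    return run_sweep(sample, now, platform_in_scope)


if __name__ == "__main__":
    for action, ids in demo_sweep().items():
        print(f"{action:16s} {ids}")
```

The stale-notice check matters in practice: a user who logs in after receiving the warning must drop back to "active" rather than being erased on the old schedule, and the `legal_hold` flag is where a tax, KYC or other statutory retention requirement overrides the three-year rule.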
The Data Protection Board of India
The Rules establish the Data Protection Board of India as a fully digital, four-member body. Citizens can file complaints online and track their cases through a dedicated portal and mobile application. The Board operates as a “born digital” office, designed for speed, transparency, and accessibility. Appeals against the Board’s decisions are heard by the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Phased Implementation Timeline
Recognising the scale of change required, the DPDP Rules introduce an 18-month phased compliance schedule:
- Immediate: Provisions relating to the Data Protection Board, and procedural and administrative aspects
- 12 months: Consent Manager registration and related requirements; powers of the Data Protection Board
- 18 months: Full compliance: consent, notice, data principal rights, grievance redressal, security safeguards, breach notification, retention and erasure obligations, and all remaining provisions
Penalties and Enforcement
Non-compliance carries substantial financial consequences. Penalties under the DPDP Act range from approximately USD 6 million to USD 30 million, depending on the nature and severity of the violation. This creates a strong incentive for organisations to invest in compliance infrastructure now, rather than risk enforcement action later.
Who Must Comply?
The DPDP Act has extraterritorial reach. Compliance is required from any organisation that has a presence in India and processes personal data, as well as any organisation outside India that processes personal data in connection with offering goods or services to individuals located in India. This means domestic companies, foreign fintech apps with Indian users, and multinational corporations with Indian operations all fall within scope.
What Organisations Should Do Now
With the clock ticking on phased enforcement deadlines, businesses should take concrete steps immediately:
- Conduct a comprehensive data audit to map all personal data collection, processing, and storage activities.
- Review and update privacy notices and consent mechanisms to meet the new itemised notice standards.
- Evaluate existing security controls against the mandated safeguards—encryption, access controls, logging, monitoring, and breach response protocols.
- Establish or strengthen incident response plans to meet the 72-hour breach notification requirement.
- Assess whether the organisation is likely to be classified as a Significant Data Fiduciary and prepare for enhanced obligations accordingly.
- Update vendor and processor contracts to incorporate DPDP-specific obligations, including data processing agreements with breach reporting timelines and data erasure provisions.
- Plan for Consent Manager integration—decide whether to build around or integrate with registered Consent Manager platforms.
- Implement data retention and erasure policies aligned with the new timelines.
- Align DPDP compliance with existing frameworks such as ISO 27001 and SOC 2 to avoid duplication and create an integrated governance structure.
Looking Ahead
The DPDP Rules, 2025 represent a landmark moment for data governance in India. They move the conversation from principle to practice, from aspiration to accountability. For organisations, the message is clear: data protection is no longer a future concern—it is an operational imperative that demands immediate attention, cross-functional coordination, and sustained investment.
For individuals, the framework promises greater transparency, stronger rights, and meaningful control over personal data in an increasingly digital world.
As enforcement timelines approach and the Data Protection Board becomes fully operational, the organisations that move early and decisively will be best positioned—not only to comply, but to build the kind of digital trust that drives long-term growth.