Implementation of India’s Data Protection Framework: Key DPDP Rules Outlined

November 14, 2025: The operational framework for India’s data privacy legislation has formally been established by the Ministry of Electronics and Information Technology (MeitY) through the notification of the Digital Personal Data Protection (DPDP) Rules, 2025. This notification was issued after the Digital Personal Data Protection Act, 2023, was passed by Parliament. The rules were framed following a public consultation process, where objections and suggestions from stakeholders were considered and incorporated.

Phased Implementation Schedule

The implementation of the DPDP Act is being carried out in a staggered manner to allow companies sufficient time for compliance.

  • Certain foundational rules, including those pertaining to general duties and grievance redressal, were put into effect immediately.
  • A period of one year has been provided for the registration and governance of Consent Managers (Rule 4). Consent Managers are to be registered by the newly constituted Data Protection Board (DPB) and will be held accountable for managing user consent.
  • The remaining, more detailed operational requirements, such as those concerning notice formats, security measures, and data retention norms, will be applied after an 18-month transition window. Full compliance by large tech firms is expected by May 2027.

Key Obligations and Protections

Specific and rigorous obligations have been laid down for entities that collect and process personal data, known as Data Fiduciaries.

  • Privacy Notices: Clear and standalone privacy notices must be issued by Data Fiduciaries. In these notices, the itemised personal data collected and the specific purposes of processing must be detailed in plain language. Communication links for the withdrawal of consent and the exercise of user rights must also be provided.
  • Data Principal Rights: Mechanisms for filing requests, grievance redressal, and authentication must be published by every Data Fiduciary. Responses to these requests must be given within a reasonable period, not exceeding 90 days.
  • Children’s Data: Verifiable parental consent is required for processing the personal data of a child (under 18). Technical and organisational measures must be adopted by fiduciaries to ensure consent is obtained from an identifiable adult parent or guardian.
  • Security and Breaches: Strong security safeguards, such as encryption and controlled access, must be maintained. In the event of a data breach, the newly notified Data Protection Board must be informed within 72 hours, and the affected users must also be notified without delay.
  • Significant Data Fiduciaries (SDFs): Entities classified as SDFs are subjected to deeper scrutiny. They are required to undertake annual Data Protection Impact Assessments and audits. Restrictions on the cross-border flow of certain personal data must also be complied with, as specified by the government.

The Data Protection Board

A four-member Data Protection Board (DPB) has been established under the Act. The DPB’s structure, powers, and functioning have been detailed in the rules. The Board will operate as a digital office, and it is empowered to hold inquiries and impose penalties in case of data breaches or non-compliance. Appeals against the Board’s orders can be filed digitally before the Appellate Tribunal.

With these rules, India’s regulated data governance ecosystem is now entering a structured implementation phase, where stronger protections are guaranteed for users, and clearer responsibilities are set for organisations.
