Digital Personal Data Protection (DPDP) Rules 2025 Notified

Written by Melissa Cyrill. Reading time: 10 minutes.

The DPDP Rules 2025 establish a rights-based, consent-driven, security-focused approach to personal data protection, one that aligns India more closely with global privacy norms. Organizations must move quickly to assess compliance gaps, redesign their data architecture, retrain teams, and adopt privacy-by-design as a default practice. Early movers will benefit from reduced risk, better user trust, and alignment with international standards.


India has officially entered a new era of digital governance with the notification of the Digital Personal Data Protection (DPDP) Rules 2025, bringing into effect India’s first full-fledged digital privacy law. The move operationalizes the Digital Personal Data Protection Act, 2023, and introduces a comprehensive, consent-led, rights-based framework governing how organizations collect, process, store, and protect personal data.

Issued on November 14, 2025, the Rules provide the operational backbone for the Act – introducing phased obligations over the next 12–18 months, giving businesses a transition window, while mandating immediate changes for high-impact areas such as breach notifications and the establishment of India’s new Data Protection Board.

India’s DPDP in the global data protection landscape

India’s DPDP Act and Rules arrive in a world where major economies are rapidly tightening data protection norms and rethinking governance frameworks in response to platform dominance, cross-border data flows, and the accelerating adoption of artificial intelligence.

  • European Union – GDPR as the benchmark: The EU’s General Data Protection Regulation (GDPR) has set the global standard for comprehensive data protection – anchored in strong data subject rights, explicit consent requirements, data breach notification, and significant penalties. Many multinational companies have already built GDPR-aligned architectures for consent, data minimization, and cross-border transfers. India’s DPDP framework, while tailored to domestic realities, adopts a similar rights-based and accountability-driven approach, making it easier for GDPR-ready firms to extend their compliance programs to the Indian market.
  • China – PIPL and strict data sovereignty: China’s Personal Information Protection Law (PIPL) combines elements of data protection and data sovereignty, imposing strict conditions on cross-border transfers, heightened duties for “important” and “large-scale” processors, and tough penalties for violations. Like PIPL, India’s DPDP regime layers additional obligations on Data Fiduciaries and introduces concepts such as significant fiduciaries, localization requirements for specified categories of data, and detailed security and breach response obligations.
  • Other emerging regimes and AI-driven pressure: Jurisdictions across Asia, the Middle East, and the Americas are updating or introducing privacy laws, often borrowing from GDPR while adding local specificities – particularly around state access, data localization, and sectoral rules (finance, health, telecoms). At the same time, the rapid adoption of AI and machine learning in advertising, customer analytics, credit scoring, HR, and healthcare has intensified scrutiny of how training data is collected, labelled, shared, and retained. Regulators are increasingly focused on:

    • lawful bases for large-scale data processing and profiling;
    • transparency around automated decision-making; and
    • guardrails to prevent misuse or discrimination arising from AI models.

Against this backdrop, the DPDP Act and Rules position India as a major digital economy with its own robust privacy architecture – one that is broadly compatible with global norms but calibrated for domestic priorities such as inclusion, innovation, and state capacity.

For multinational companies, this means privacy and AI governance can no longer be treated as a purely EU- or US-centric issue: India now sits alongside the EU’s GDPR and China’s PIPL as a jurisdiction where data protection and AI-related risks must be addressed at the board and group-compliance level.

Key constructs under India’s DPDP framework

The DPDP Rules govern how fiduciaries collect, process, secure, transfer, retain, and erase personal data, with additional safeguards for children and persons with disabilities.

  • Data Principal: The individual whose personal data is collected or processed.
  • Data Fiduciary: Any organization, company, or individual that determines the purpose and means of processing personal data. This includes government entities, private platforms, and digital service providers.

Key provisions of the DPDP Rules 2025

Mandatory security safeguards for all Data Fiduciaries

Fiduciaries must implement strong, “reasonable” security controls to prevent breaches, including:

  • Encryption, masking, obfuscation, or tokenization
  • Strict access controls
  • Continuous logging and monitoring
  • One-year log retention
  • Verified backup and continuity systems
  • Mandatory security clauses in processor contracts

In case of a breach:

  • Affected users must be informed immediately.
  • The Data Protection Board must be notified within 72 hours.

Strict parental consent for processing children’s data

  • Mandatory verifiable parental consent for all data of children under 18.
  • Verification must rely on reliable identity documents or Digital Locker-verified credentials.
  • Exemptions apply for healthcare, safety, and education-related processing.

Verifiable consent for data of persons with disabilities

  • Data Fiduciaries must verify that anyone giving consent as a lawful guardian of a person with disability is legally appointed under Indian law.
  • Verification may involve confirming appointment by a court, designated authority, or local-level committee.
  • These rules apply to individuals who cannot make legally binding decisions due to long-term physical, mental, intellectual, or sensory impairments, or conditions such as autism, cerebral palsy, or severe multiple disabilities.
  • The aim is to ensure that the personal data of vulnerable individuals is processed only with consent from an authorized and verified guardian.

Transparent consent and notice requirements

Every entity collecting personal data must:

  • Provide clear, plain-language notices explaining what data is collected and why.
  • Display purposes prominently and avoid ambiguous language.
  • Offer a dedicated link for withdrawal of consent.
  • Publish contact details of an authorized person for any queries.

This ensures users understand their rights before sharing data and can exit the relationship just as easily.

Data localization with conditional cross-border transfers

  • Certain categories of data must be stored in India (to be notified).
  • Transfers outside India are permitted but subject to government-prescribed conditions.

Additional obligations for Significant Data Fiduciaries

Significant Data Fiduciaries (SDFs) – a category designated by the government based on the volume and sensitivity of data processed, as well as potential risks – are subject to enhanced compliance responsibilities under the DPDP Rules 2025.

  • Annual Data Protection Impact Assessment (DPIA) and Audit: Every SDF must conduct a comprehensive DPIA and an independent data protection audit at least once every 12 months. These assessments are intended to evaluate whether the organization is effectively meeting its obligations under the DPDP Act and Rules.
  • Mandatory reporting to the Data Protection Board: The independent professional conducting the DPIA and audit must submit a report to the Data Protection Board, highlighting key findings and any significant observations.
  • Due diligence for technical and algorithmic systems: SDFs must ensure that any technical systems they deploy, including algorithmic tools used for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating, or sharing personal data, do not create risks to the rights of Data Principals. This places explicit accountability on organizations using AI-driven or automated data-processing technologies.
  • Restrictions on transfers of specified personal data: SDFs must comply with additional localization requirements for certain categories of personal data that the central government may identify. Such data, along with its related traffic data, must not be transferred outside India. These classifications will be based on recommendations from a government-constituted committee.
  • Committee oversight: The committee advising on such data categories will include officials from the Ministry of Electronics and IT and may include representatives from other ministries or central government departments.

Data retention and mandatory erasure

The DPDP Rules introduce clear and strict data minimization obligations.

  • Personal data cannot be stored beyond one year of user inactivity (unless legally required).
  • Users must receive 48 hours' advance notice before their data is erased due to inactivity.

This pushes companies to clean up legacy systems, realign retention calendars, and prevent uncontrolled data accumulation.

Illustrative scenarios provided in the DPDP Rules 2025:

Example 1:

When a user purchases an e-book on a digital platform, the platform may complete the delivery and fulfil the stated purpose of processing. However, the Rules require that the platform retain the relevant personal data – such as order details, payment information, and system logs – for at least one year from the date of the transaction, even if the user subsequently deletes their account. This ensures traceability and accountability for past processing activities.

Example 2:

In situations where a company uses a cloud service provider to store or process customer records, the company remains responsible as the Data Fiduciary. It must ensure that its Data Processor also retains the customer data and associated logs for a minimum of one year before erasure, unless a longer retention period is mandated under another applicable law. This obligation reinforces the fiduciary’s responsibility to oversee processor compliance throughout the data lifecycle.

Consent managers

A new regulated category – Consent Managers – is introduced to assist users in managing permissions across digital platforms.

  • Individuals or organizations may apply for registration with the Data Protection Board.
  • They act as intermediaries enabling users to grant, withdraw, track, or review consent across different services. Simply put, they can manage user permissions and rights (e.g., data access, correction, deletion).
  • Consent Managers must follow strict obligations relating to security, record-keeping, user authentication, and grievance management.

This is expected to reduce friction and streamline user control over personal data.

Obligations during data breaches

Organizations must follow a strict, two-tier notification process when a personal data breach occurs. Once a Data Fiduciary becomes aware of a breach, it must immediately notify each affected individual in a concise, clear, and plain manner, using the individual’s registered communication channel or user account.

This communication must include:

  • A description of the breach, including its nature, extent, and the timing of the incident.
  • The likely consequences that may affect the individual.
  • The mitigation measures already implemented or underway by the Data Fiduciary.
  • Recommended safety steps the individual may take to protect their interests.
  • Business contact details of an authorized person who can respond to any user queries.

Simultaneously, the Data Fiduciary must notify the Data Protection Board. This involves:

  • An initial intimation without delay, outlining the nature, extent, timing, location, and likely impact of the breach.
  • A detailed follow-up report within 72 hours (or a longer period, if formally permitted), containing:
    • Updated and comprehensive information about the breach;
    • The broader facts, circumstances, and reasons that led to the incident;
    • Mitigation measures implemented or proposed;
    • Any findings regarding the individual or entity responsible for the breach;
    • Steps taken to prevent future occurrences; and
    • A confirmation report summarizing notifications issued to affected Data Principals.

Experts caution that the requirement to assess and disclose “likely impact” during an ongoing incident may significantly increase operational burden, especially for SMEs.

Implementation timeline: Staggered roadmap

Immediate (effective now)

  • Establishment and appointment of Chairperson and members of the Data Protection Board.
  • Select provisions of the Act relating to definitions, powers, and enforcement.

12 months

  • Registration and functioning rules for Consent Managers.
  • Specific provisions such as Section 6(9) and Section 27(1)(d).

18 months

  • Core compliance requirements for businesses and government departments, including:
    • Consent notices
    • Purpose limitation
    • Data processing restrictions
    • Children’s data requirements
    • Data retention and erasure workflows
    • Security safeguards
    • System-level operational changes

For large technology companies, the full force of obligations may extend into 2027, particularly regarding DPO disclosures and the operationalization of the Consent Manager ecosystem.

Penalties for non-compliance

Penalties under the Act can go up to INR 2.5 billion (US$28 million) per breach, depending on severity and type of violation. The system is graded to protect MSMEs.

Key penalty triggers include:

  • Failure to protect personal data
  • Breach notification delays
  • Violation of children’s data requirements
  • Non-compliance with erasure and retention rules
  • Failure to register as a Consent Manager when required

The Data Protection Board will oversee inquiries and impose penalties.

Industry impact: Marketing, AI, and MSMEs face major shifts

Impact on targeted advertising

Experts note that:

  • Large-scale personalized campaigns will require explicit, purpose-specific consent.
  • Over 70 percent of MSMEs that rely on targeted ads on platforms like Google, Amazon, and WhatsApp will need to overhaul practices.
  • Companies must re-engineer AI-driven marketing pipelines to embed consent and purpose limitation.

Impact on operational workflows

Firms must:

  • Build or upgrade consent architecture.
  • Map data flows across all touchpoints (cookies, CRM, WhatsApp, ad-tech).
  • Re-draft vendor contracts.
  • Train teams in privacy-by-design approaches.

Burden on SMEs

SMEs may struggle due to:

  • Limited internal compliance teams
  • Lack of existing cyber maturity
  • Cost of audits, legal work, and technical integrations

Preparing for DPDP compliance: What companies should do now

The introduction of the DPDP Rules represents a fundamental reset in India’s approach to data governance.

Companies must now shift from broad data collection to purpose-specific, consent-driven processing and redesign digital journeys to embed user rights, consent withdrawal, and transparency.

They will also need to implement strong cybersecurity measures and breach readiness frameworks, while mapping end-to-end data flows across systems, touchpoints, and third-party partners.

Further, businesses must revisit contracts with cloud providers, ad-tech partners, outsourcing firms, and analytics vendors, and prepare for heightened scrutiny around children’s data and sensitive personal information.

Organizations will also be required to re-architect retention and erasure systems to ensure automatic deletion for inactive users.

Experts note that the 18-month compliance timeline is particularly tight, especially for SMEs with limited cyber maturity and legacy workflows.

Key actions for businesses and digital platforms

Begin enterprise-wide data mapping

Identify:

  • All data touchpoints
  • Categories of personal data
  • High-risk data flows
  • Locations of storage and third-party processors

Refresh consent architecture

  • Redesign consent messages using clear, plain language.
  • Implement simple opt-in/opt-out mechanisms.
  • Build withdrawal links into apps, websites, and communications.

Reconfigure children’s data workflows

  • Integrate parental identity verification mechanisms.
  • Evaluate if exemptions apply (health, safety, education).

Strengthen cybersecurity controls

  • Review encryption, tokenization, access control, log retention.
  • Establish breach response playbooks aligned with 72-hour reporting.

Update vendor and intermediary contracts

  • Insert DPDP-specific clauses.
  • Reassess ad-tech, analytics, and cloud partners.

Prepare for data erasure obligations

  • Build automated deletion workflows.
  • Create notification triggers for 48-hour advance alerts.
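Added example (not code from the article or from the Rules text) showing how the retention rule described above and the deletion workflow listed here fit together: a sweep that applies the one-year inactivity limit, sends the 48-hour advance notice before erasing, treats a legal-hold flag as the "unless legally required" exception, and cancels a pending erasure when the user becomes active again. The record fields, the 365-day reading of "one year" and the sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Periods taken from the DPDP Rules summary: erase after one year of
# inactivity unless retention is legally required, and notify the user
# at least 48 hours before erasure. Reading "one year" as 365 days is
# an assumption made for this example.
INACTIVITY_LIMIT = timedelta(days=365)
NOTICE_LEAD = timedelta(hours=48)


@dataclass
class UserRecord:                       # assumed schema, not from the Rules
    user_id: str
    last_activity: datetime
    legal_hold: bool = False            # retention mandated by another law
    notice_sent_at: Optional[datetime] = None


def decide(rec: UserRecord, now: datetime) -> str:
    """Return 'retain', 'notify' or 'erase' for one record at time `now`."""
    if rec.legal_hold:
        return "retain"                 # the "unless legally required" carve-out
    # Any activity after a notice went out cancels the pending erasure.
    if rec.notice_sent_at and rec.last_activity > rec.notice_sent_at:
        rec.notice_sent_at = None
    erasure_due = rec.last_activity + INACTIVITY_LIMIT
    if now < erasure_due - NOTICE_LEAD:
        return "retain"                 # not yet inside the notice window
    if rec.notice_sent_at is None:
        return "notify"                 # notice must precede erasure, even if overdue
    if now >= erasure_due and now >= rec.notice_sent_at + NOTICE_LEAD:
        return "erase"
    return "retain"                     # notice sent, 48-hour window still running


def run_sweep(records: List[UserRecord], now: datetime) -> Dict[str, str]:
    """Apply decide() to every record, stamp notices, return the action per user."""
    plan = {}
    for rec in records:
        action = decide(rec, now)
        if action == "notify":
            rec.notice_sent_at = now    # persist so the next sweep can erase
        plan[rec.user_id] = action
    return plan


def demo_plan() -> Dict[str, str]:
    """Constructed sample users covering each branch of the rule."""
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    d = timedelta(days=1)
    users = [
        UserRecord("active", now - 10 * d),
        UserRecord("due_soon", now - 364 * d),                       # inside notice window
        UserRecord("overdue_no_notice", now - 370 * d),
        UserRecord("notified_3d", now - 370 * d, notice_sent_at=now - 3 * d),
        UserRecord("notified_1d", now - 370 * d, notice_sent_at=now - 1 * d),
        UserRecord("on_hold", now - 370 * d, legal_hold=True, notice_sent_at=now - 3 * d),
        UserRecord("returned", now - 5 * d, notice_sent_at=now - 10 * d),
    ]
    return run_sweep(users, now)


if __name__ == "__main__":
    for user, action in demo_plan().items():
        print(f"{user:20s} -> {action}")
```

Run the sweep on a schedule; a user who is notified today is erased only by a later run once both the one-year limit and the 48-hour lead have passed.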

Budget for compliance costs

Legal, advisory, IT system upgrades, audits, and training must be planned, particularly for MSMEs.

Start internal training and awareness

Privacy compliance will cut across marketing, HR, IT, operations, and customer service functions.

What it takes to become a registered ‘Consent Manager’

To operate as a Consent Manager under the DPDP Rules 2025, an applicant must meet a rigorous set of criteria designed to ensure reliability, neutrality, and technical robustness. Only Indian-incorporated companies are eligible, and they must demonstrate strong technical, operational, and financial capacity, including a minimum INR 20 million (US$225,767) net worth. The applicant’s governance standards must be sound, with directors and senior management possessing a credible track record of integrity.

The company’s constitutional documents must explicitly embed its DPDP obligations, and any amendments to these commitments require prior approval from the Data Protection Board. Applicants must also show that their proposed operations serve the interests of Data Principals. Crucially, an independent certification is required to confirm that the Consent Manager’s interoperable platform meets the Board’s prescribed data protection standards and that appropriate technical and organizational controls are in place to uphold these obligations.

What are the obligations of a Consent Manager?

Consent Managers operate as trusted intermediaries that help individuals give, manage, review, and withdraw consent for the processing of their personal data across multiple Data Fiduciaries. Under the DPDP Rules 2025, they must meet a stringent set of operational, security, and governance requirements:

  • Enable secure consent flows: Consent Managers must allow users to give consent directly to a Data Fiduciary or route consent through another onboarded entity, without themselves reading or accessing the underlying personal data.
  • Maintain detailed consent records: They must keep comprehensive logs of all consents granted, denied, or withdrawn; notices linked to consent requests; and when data is shared with transferee Data Fiduciaries. These records must be accessible to users, exportable in machine-readable format, and stored for at least seven years unless a longer period is agreed or required by law.
  • Provide a dedicated user interface: A website or mobile app must serve as the primary platform through which users access Consent Manager services.
  • Ensure confidentiality and security: Consent Managers must implement strong safeguards to prevent personal data breaches and must not subcontract any of their statutory obligations.
  • Act as fiduciaries to users: They must operate solely in the interests of Data Principals and avoid any conflicts of interest with Data Fiduciaries, including ensuring that their leadership, promoters, and key personnel do not hold conflicting financial or managerial positions.
  • Maintain transparency: They must publicly disclose information about their promoters, directors, senior management, and major shareholders, along with any disclosures required by the Data Protection Board.
  • Undergo periodic audits: Consent Managers must maintain robust audit mechanisms to demonstrate ongoing compliance with DPDP obligations, technical and organizational safeguards, and the conditions of their registration.
  • Restrictions on ownership changes: Any transfer of control, such as through sale or merger, requires prior approval from the Data Protection Board.

These obligations ensure that Consent Managers remain neutral, secure, transparent, and fully accountable while facilitating user control over personal data across India’s digital ecosystem.

Conclusion

The notification of the DPDP Rules 2025 marks another transformational moment in India’s digital governance architecture. While the staggered compliance timeline offers breathing space, industry experts agree that 12–18 months will pass quickly, particularly for companies without mature privacy and cyber infrastructure.

The scale of change required is significant: organizations must now move from broad-based data exploitation models to a consent-driven, accountability-oriented regime that aligns with global privacy norms.

Businesses that act early by mapping data, redesigning consent, and strengthening internal governance will be better positioned to navigate India’s evolving digital economy and maintain customer trust.

(US$1 = INR 88.58)

About Us

India Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Delhi, Mumbai, and Bengaluru in India. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China, Hong Kong SAR, Vietnam, Indonesia, Singapore, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.

For support with establishing a business in India or for assistance in analyzing and entering markets, please contact the firm at india@dezshira.com or visit our website at www.dezshira.com.