I. Executive Summary
The Ministry of Electronics and Information Technology ("MeitY") has notified the Digital Personal Data Protection Rules, 2025 ("DPDP Rules") on November 13, 2025, thereby operationalising the Digital Personal Data Protection Act, 2023 ("DPDP Act"). The DPDP Rules lay down the procedural, technical and governance framework necessary for implementing India's new data protection regime and introduce detailed requirements relating to notice, consent, security safeguards, grievance redressal, data retention, children's data, processing outside India, and the functioning of the Data Protection Board of India ("DPBI").
The implementation of the DPDP Act and DPDP Rules is envisaged in a phased manner, beginning with the immediate enforcement of definitional and institutional provisions, registration obligations for Consent Managers from November 2026, and full operational compliance, including core fiduciary obligations, rights of Data Principals, adjudication, penalties and cross-border data processing, from May 2027.
While structurally consistent with the Draft Rules issued in January 2025, the notified DPDP Rules incorporate several incremental refinements. These include softened notice disclosures (from "itemised" to "specific"), mandatory one-year retention of personal and traffic data for defined State purposes, introduction of grievance redressal timelines, expanded exceptions for processing children's data, and calibrated security safeguard requirements based on the principle of ejusdem generis. The Rules also provide further clarity on the registration, governance and conflict-avoidance obligations of Consent Managers.
From a corporate and compliance standpoint, the DPDP Rules introduce both operational opportunities and regulatory challenges. Organisations must prepare for a significantly more structured data governance environment, including: (i) strengthened breach response protocols; (ii) stricter retention and erasure obligations; (iii) enhanced transparency and accountability measures; (iv) readiness for data protection impact assessments by Significant Data Fiduciaries; and (v) the prospect of future government restrictions on cross-border data transfers. At the same time, several areas remain ambiguous, particularly the timelines for legacy consent notices, scope and methodology of Data Protection Impact Assessments, and the regulatory treatment of data collected in the unorganised sector. These gaps underscore the need for further subordinate legislation and regulatory guidance.
Overall, the DPDP Rules mark a substantial step toward establishing a modern, technology-aligned data protection framework in India. Organisations should proactively evaluate their data lifecycle practices, contractual arrangements, security frameworks and cross-border transfer mechanisms to ensure readiness ahead of phased enforcement in 2026–2027.
II. Background & Introduction
The Ministry of Electronics and Information Technology had released the draft Digital Personal Data Protection Rules, 2025 (the "Draft DPDP Rules") on January 03, 2025, for public consultation, inviting feedback and comments from stakeholders. After considering that feedback, MeitY has now notified the Digital Personal Data Protection Rules, 2025 (the "DPDP Rules") on November 13, 2025.
The DPDP Rules operationalise the Digital Personal Data Protection Act, 2023 by prescribing the procedural, technical and governance mechanisms necessary for its implementation. They introduce detailed requirements relating to notice, consent, security safeguards, data retention, breach reporting, processing data of children and persons with disability and the functioning of the Data Protection Board of India.
A summary of the implementation timeline, the key changes from the Draft DPDP Rules previously released for public consultation, and the key provisions of the DPDP Rules is provided below.
III. Implementation Timeline
MeitY has envisaged a phased implementation of the DPDP Act and the DPDP Rules.
Following is an overview of the phase-wise implementation of the provisions of the DPDP Act and the DPDP Rules:
| Phase of Implementation | Relevant Provisions |
|---|---|
| Enforceable as on the date of notification of the relevant provisions of the DPDP Act[1] and the DPDP Rules (November 13, 2025) | Initial provisions such as the legal definitions and the framework for the DPBI are in force. The DPBI is established as a digital institution with the power to receive breach notifications, conduct inquiries and impose penalties. The provisions establishing the Appellate Tribunal, by way of amendment to Section 14(c) of the Telecom Regulatory Authority of India Act, 1997, are also effective, as are the provisions enabling the Central Government to make further rules to implement various aspects of the DPDP Act and the DPDP Rules. |
| Enforceable from one year after notification of the relevant provisions of the DPDP Act and the DPDP Rules (November 12, 2026) | The framework for the registration and obligations of Consent Managers becomes operational.[2] Consent Managers are entities that help individuals manage their data permissions through a transparent and interoperable platform. |
| Enforceable from one and a half years after notification of the relevant provisions of the DPDP Act and the DPDP Rules (May 12, 2027) | The majority of the core operational and compliance rules come into effect, including the provisions cited in footnotes 3 to 12 below. |
IV. Marginal changes between the Draft and the Notified Rules
While the overall architecture of the DPDP Rules remains similar to the Draft DPDP Rules, the final DPDP Rules incorporate certain incremental changes as follows:
- Data Fiduciary's notice requirements modified: The Draft DPDP Rules required an "itemised description" of the goods or services to be provided by the Data Fiduciary[13] in the notice issued to the Data Principal[14] for the processing of their personal data.[15] The DPDP Rules replace "itemised" with "specific",[16] reducing the granularity of disclosure required, while retaining the underlying requirement that the notice map each category of personal data to the purpose for which it is processed and to the goods or services that the processing enables.
- New data retention and erasure timelines: A notable development in the DPDP Rules is a new obligation on all Data Fiduciaries to retain personal data, associated traffic data and other logs of personal data processed by them (or by their Data Processors) for a minimum period of one year, even after the purpose specified in the Third Schedule of the DPDP Rules has been served. Personal data retained under Rule 8(3) may be used only by the State or its instrumentalities, and only for the purposes specified in the Seventh Schedule: (i) national security and the sovereignty and integrity of India; (ii) the performance of any function, or disclosure of any information, required to fulfil an obligation under any law in force in India; and (iii) assessments for notifying a Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary.[17] Because the retained data and logs remain personal data in the Data Fiduciary's possession, they stay within the Rule 6 security safeguards for as long as they are held.
- Timeline for grievance redressal of the Data Principal: The Draft DPDP Rules were silent on timelines for responding to grievances of Data Principals.[18] The DPDP Rules address this by requiring every grievance raised by a Data Principal to be resolved within a reasonable period not exceeding ninety days.[19]
- Additional exceptions to obligations relating to children's data: The provisions governing children's personal data have been refined. While Part B of the Fourth Schedule of the Draft DPDP Rules identified limited purposes for which monitoring or tracking could be permitted, the DPDP Rules expand this list to also allow:
  - processing necessary for determining a child's real-time location;[20] and
  - monitoring or tracking to restrict access to harmful services or advertisements that may adversely affect a child's well-being.[21]
- Greater flexibility in security safeguard requirements: Rule 6(a) and Rule 6(d) of the Draft DPDP Rules defined the security safeguards to be implemented by a Data Fiduciary through a prescriptive list of technical measures introduced by the word "including". The DPDP Rules, in Rule 6(a) and Rule 6(d), replace "including" with "such as", so that the enumerated measures are read as illustrative of the kind of safeguard expected (the principle of ejusdem generis) rather than as a closed checklist. In practice, the listed measures (encryption, obfuscation, masking, virtual tokens, access controls, logging and monitoring) remain the benchmark against which the reasonableness of a Data Fiduciary's safeguards is likely to be judged; a Data Fiduciary that omits one of them should be able to point to an equivalent measure of the same kind.
V. Synopsis of Key Provisions Under the DPDP Act and DPDP Rules
Following are the key provisions covered under the DPDP Rules:
1. Notice for collecting personal data of the Data Principal
The cornerstone of the DPDP Act remains the requirement that a Data Fiduciary give a clear notice to the Data Principal before collecting her personal data. Rule 3 of the DPDP Rules mandates that the notice given by the Data Fiduciary must:
- be capable of being understood by the Data Principal independently of any other information;[22]
- be in clear and plain language, with the details necessary for the Data Principal to give informed consent;[23] and
- include a communication link to the Data Fiduciary's website or app, together with information on how the Data Principal may withdraw consent, exercise her statutory rights, or make a complaint to the DPBI.
2. Registration and governance of Consent Managers
The DPDP Act requires that a Consent Manager[24] be registered with the DPBI. Rule 4 of the DPDP Rules establishes a formal registration process for Consent Managers and sets out the obligations that govern their functioning.
Part A of the First Schedule of the DPDP Rules sets out the conditions for registration of a Consent Manager with the DPBI, including that the Consent Manager must be a company incorporated in India; must have sufficient technical, operational and financial capacity to fulfil its obligations; must have a net worth of not less than INR two crores, etc.
Part B of the First Schedule of the DPDP Rules sets out the obligations of a Consent Manager. The Consent Manager must: (i) provide a platform (a website, an app, or both) that enables Data Principals to give, manage, review and withdraw consent for the processing of their personal data by Data Fiduciaries; (ii) operate in such a manner that it is technologically incapable of viewing the contents of the personal data exchanged through its platform, which is a design constraint: any personal data passing through the platform must be unreadable by the Consent Manager (for example, encrypted end to end between the Data Principal and the Data Fiduciary); (iii) act in a fiduciary capacity towards the Data Principal; (iv) take reasonable security safeguards to prevent personal data breaches; and (v) avoid any conflict of interest with Data Fiduciaries, including situations where its directors, key managerial personnel or senior management hold a directorship, financial interest, employment, beneficial ownership or material pecuniary relationship with a Data Fiduciary.
3. Reasonable security safeguards for protection of personal data and data breach notification
Sections 8(4) and 8(5) of the DPDP Act require a Data Fiduciary to implement technical and organisational measures to protect all personal data in its possession or control, including data held by a Data Processor on its behalf. Rule 6 of the DPDP Rules imposes detailed security obligations on Data Fiduciaries to prevent personal data breaches, covering the full spectrum of technical and organisational measures. Rule 6 requires Data Fiduciaries to have: (i) data security measures, such as encryption, obfuscation, masking or the use of virtual tokens; (ii) access controls for the computer resources used by the Data Fiduciary or a Data Processor to process the personal data; (iii) logging, monitoring and review mechanisms to detect unauthorised access; (iv) measures for continued processing (e.g., backups) to ensure the integrity and availability of the personal data; and (v) contractual measures ensuring that Data Processors adopt reasonable safeguards, etc.
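Rule 6 names the kinds of safeguard but prescribes no particular technique, so the following is an added illustration, not code from the DPDP Rules or from this article, of how three of the listed measures fit together: virtual tokens (keyed, purpose-bound pseudonyms standing in for a value), masking for display, and access control on de-tokenisation with a log that is then reviewed. The role names, the purposes and the sample records are assumptions made for the example; it uses only the Python standard library.

```python
"""Tokenisation, masking and access logging for personal data.

Added illustration of safeguards of the kind Rule 6 lists (masking, virtual
tokens, access controls, logging and review). Not code from the DPDP Rules or
the article; role names, purposes and sample records are assumed. In production
the token store would be encrypted at rest and the key would come from a KMS or
HSM rather than being generated in process memory.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

# Assumed role names; only these may recover the original value from a token.
ALLOWED_DETOKENIZE_ROLES = {"support-lead", "dpo"}


def mask_email(email: str) -> str:
    """Masking for display: keep the first and last character of the local part and the domain."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    if len(local) <= 2:
        shown = local[0] + "*" * (len(local) - 1)
    else:
        shown = local[0] + "*" * (len(local) - 2) + local[-1]
    return f"{shown}@{domain}"


def mask_phone(phone: str) -> str:
    """Masking for display: keep only the last four digits, preserving separators."""
    n_digits = sum(c.isdigit() for c in phone)
    if n_digits < 4:
        raise ValueError("too few digits to mask")
    out, seen = [], 0
    for c in phone:
        if c.isdigit():
            out.append(c if seen >= n_digits - 4 else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


class TokenVault:
    """Replaces a personal data value with a keyed token (a "virtual token").

    The token is an HMAC-SHA256 of (purpose, value): deterministic, so records for the
    same person and purpose can still be joined, but not reversible or guessable without
    the key. Different purposes yield different tokens, which limits cross-purpose linking.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._values: dict[str, str] = {}  # token -> value; assume encrypted at rest
        self.access_log: list[dict] = []   # every de-tokenisation attempt, kept for review

    def tokenize(self, value: str, purpose: str) -> str:
        msg = purpose.encode() + b"\x00" + value.encode()
        token = "tok_" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._values[token] = value
        return token

    def detokenize(self, token: str, actor: str, role: str) -> Optional[str]:
        """Access control plus logging: the decision is recorded whether or not it succeeds."""
        if role not in ALLOWED_DETOKENIZE_ROLES:
            decision = "denied"
        elif token not in self._values:
            decision = "unknown-token"
        else:
            decision = "granted"
        self.access_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "token": token, "decision": decision,
        })
        return self._values[token] if decision == "granted" else None


def review_access_log(log: list[dict], max_per_actor: int = 3) -> list[str]:
    """Review step: surface denied attempts and actors whose volume exceeds a threshold."""
    findings, granted = [], {}
    for entry in log:
        if entry["decision"] == "denied":
            findings.append(f"denied: {entry['actor']} ({entry['role']}) on {entry['token']}")
        elif entry["decision"] == "granted":
            granted[entry["actor"]] = granted.get(entry["actor"], 0) + 1
    for actor, count in granted.items():
        if count > max_per_actor:
            findings.append(f"volume: {actor} detokenised {count} records (limit {max_per_actor})")
    return findings


def demo() -> list[str]:
    """Constructed scenario: one analyst without the role probes, one DPO bulk-detokenises."""
    vault = TokenVault(secrets.token_bytes(32))
    emails = [f"user{i}@example.com" for i in range(5)]          # constructed sample records
    tokens = [vault.tokenize(e, "order-fulfilment") for e in emails]
    vault.detokenize(tokens[0], "analyst-1", "support-analyst")   # role not allowed: denied
    for t in tokens:
        vault.detokenize(t, "dpo-1", "dpo")                       # allowed, but 5 exceeds the limit
    return review_access_log(vault.access_log)


if __name__ == "__main__":
    print(mask_email("alice@example.com"), mask_phone("+91 98765 43210"))
    for finding in demo():
        print(finding)
```

The purpose string in the token input is deliberate: a token minted for order fulfilment cannot be joined against one minted for marketing, which mirrors the purpose limitation the Rules impose on processing. The review routine is the simplest form of the "review mechanism" Rule 6 asks for; a real deployment would feed the same log to a SIEM and alert on it.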
Further, Section 8(6) of the DPDP Act requires a Data Fiduciary to intimate the DPBI and each affected Data Principal of any personal data breach. Rule 7 of the DPDP Rules sets out a two-tiered notification mechanism. A Data Fiduciary must: (i) intimate each affected Data Principal without delay, through her user account or registered communication details; and (ii) notify the DPBI, first by an initial intimation without delay, and then by a detailed notice within 72 hours of becoming aware of the breach (or such longer period as the DPBI may allow on a written request). Both intimations must describe the breach, its likely consequences and the measures taken or proposed to mitigate it.
4. Retention and erasure of data
Section 8(7)(a) of the DPDP Act requires a Data Fiduciary to erase personal data upon the earlier of: (i) withdrawal of consent by the Data Principal; or (ii) the point at which it is reasonable to assume that the specified purpose is no longer being served. The only exception is where retention is necessary for compliance with any law. In this context, Rule 8 read with the Third Schedule of the DPDP Rules fixes a three-year period for specified classes of Data Fiduciaries, such as e-commerce platforms, gaming platforms and social media platforms, running from the date on which the Data Principal last approached the Data Fiduciary for the specified purpose or exercised her rights, whichever is later; once that period lapses the data must be erased. Rule 8(2) further requires the Data Fiduciary, at least 48 hours before the period expires, to inform the Data Principal that her personal data will be erased on expiry unless she logs in to her user account or otherwise initiates contact with the Data Fiduciary for the specified purpose or exercises her rights.
5. Data Principal's rights and Data Protection Officer
Rule 14(1) read with Rule 9 of the DPDP Rules requires Data Fiduciaries and Consent Managers (where applicable) to prominently publish the contact details of the Data Protection Officer (or other person able to answer questions about processing) and the manner in which a Data Principal can exercise her rights under the DPDP Act. The Data Fiduciary and Consent Manager must also publish the particulars, such as a username or other identifier, that a Data Principal must furnish to identify herself when making such a request.
6. Children's data and verifiable consent
Section 9 of the DPDP Act requires a Data Fiduciary to obtain the verifiable consent of the parent or lawful guardian of a child before processing the child's personal data. In that connection, Rule 10 of the DPDP Rules states that before processing a child's personal data, a Data Fiduciary must adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained, and must exercise due diligence to check that the person identifying as the parent is an adult (has completed eighteen years of age) who is identifiable if required in connection with compliance with any law.
Verification of the adult's identity and age can be done by reference to:
- Reliable identity and age details available with the Data Fiduciary.
- Identity and age details voluntarily provided by the person, or a virtual token mapped to such details, issued by an entity entrusted by law or by the Central Government to issue such details (including a Digital Locker service provider).[25]
Rule 12 read with the Fourth Schedule of the DPDP Rules exempts certain classes of Data Fiduciaries, such as healthcare professionals, educational institutions, and those running crèches or day-care centres or transporting children to and from them, from the requirement to obtain the verifiable consent of a parent or lawful guardian[26] and from the prohibition on tracking, behavioural monitoring and targeted advertising directed at children[27] under the DPDP Act, to the extent the processing is for the purposes listed in that Schedule.[28]
7. Data Protection Impact Assessment by Significant Data Fiduciaries
Under Section 10(2)(c) of the DPDP Act, a Significant Data Fiduciary must undertake periodic Data Protection Impact Assessments ("DPIA"), which include: (i) a description of the rights of the Data Principals and the purpose of processing their data; (ii) an assessment and management of the risks to the rights of the Data Principals; and (iii) periodic audits and other such procedures. The DPDP Act itself sets no timeline for a DPIA. Rule 13(1) of the DPDP Rules fills this gap by requiring a Significant Data Fiduciary to undertake a DPIA and an audit once in every period of twelve months from the date on which it is notified as a Significant Data Fiduciary. The detailed procedure for how a DPIA is to be conducted has not yet been prescribed.
8. Transfer of Personal Data outside India
Section 16(1) of the DPDP Act allows the Central Government to restrict Data Fiduciaries from transferring personal data to certain countries or territories outside India. Rule 15 of the DPDP Rules permits a Data Fiduciary to process personal data outside India, subject to any requirements the Central Government specifies by order in respect of making such personal data available to a foreign State or to any person, entity or agency under its control. No such requirements have yet been specified by the Central Government.
9. Data Protection Board of India - Constitution, Procedure and Digital Functioning
Sections 18 to 26 (Chapter V) of the DPDP Act provide for the establishment and composition of the DPBI, the qualifications of its Chairperson and Members, their remuneration and manner of appointment, and the procedural powers of the DPBI. Rules 17 to 21 of the DPDP Rules provide the manner of implementing these sections. Chapter V of the DPDP Act and Rules 17 to 21 of the DPDP Rules have been in force since November 13, 2025. By a separate notification of the same date, the Central Government declared that the DPBI would comprise four members.[29]
Section 28(1) of the DPDP Act allows the DPBI to function as a digital office and empowers it to adopt techno-legal measures to conduct proceedings without requiring the physical presence of any individual. Rule 20 of the DPDP Rules is the implementing provision for Section 28(1). Although Section 28 is the enabling provision and Rule 20 the implementing one, the latter has come into force before the former, which appears to be a drafting discrepancy.
VI. Our Analysis
Although the DPDP Rules clarify a number of questions raised during the public consultation on the Draft DPDP Rules in January 2025, several questions and discrepancies remain to be addressed:
- Rule 7(1) of the DPDP Rules requires a Data Fiduciary to intimate affected Data Principals of a personal data breach "without delay", but prescribes no outer time limit for doing so (unlike the 72-hour limit for the detailed notice to the DPBI). This leaves Data Fiduciaries free to set their own timelines vis-à-vis affected Data Principals.
- Section 5(2) of the DPDP Act, which requires Data Fiduciaries to give notice to Data Principals who consented to the collection and processing of their data before the commencement of the Act, remains ambiguous as to when such notice must be given. The words "as soon as it is reasonably practicable" provide no clear deadline, and the provision remains open to dispute.
- Section 16(1) of the DPDP Act, read with Rule 15 of the DPDP Rules, permits the transfer of personal data processed by a Data Fiduciary to any country or territory outside India, subject to the Data Fiduciary meeting the requirements specified by the Central Government in respect of making such personal data available to any foreign State, or to any person, entity or agency under the control of such a State. The DPDP Act and DPDP Rules still do not clearly specify: (i) the circumstances in which personal data may be transferred outside India; and (ii) the effect of the laws of a foreign jurisdiction in which personal data is processed in connection with activities, goods or services offered to Data Principals in India. The legal implications of cross-border transfers of personal data need to be examined further and appropriately regulated.
- There continues to be a lack of clarity on the scope of a DPIA and the procedure for conducting it, including timelines and the qualifications of the person supervising or conducting it. A leaf may be taken from the General Data Protection Regulation (the "GDPR") of the European Union, which treats the DPIA as part of its data protection by design approach. The GDPR requires organisations to conduct a DPIA where processing is likely to result in a high risk to the rights and freedoms of individuals, in particular where there is systematic and extensive profiling, processing of special categories of data (e.g., health, racial or genetic data), or the use of new technologies or large-scale processing that may affect privacy. The Central Government could examine these GDPR principles and consider similar provisions when notifying the remaining provisions of the DPDP Act and DPDP Rules.
- The DPDP Act and the DPDP Rules continue to regulate predominantly the collection and processing of data by entities in the organised sector. For personal data collected in the unorganised sector, for example by the employees and agents of real estate brokers, SIM card vendors and delivery companies, there is no mechanism to protect the identity and privacy of Data Principals. Such data is often collected without consent, and the individuals concerned are then exposed to fraud and identity theft. Beyond closing this gap, the Central Government could also examine how the criminal law can be applied more effectively to curb identity theft and online fraud originating from the theft of such personal data.
Footnotes
1. MeitY had issued a notification on November 13, 2025 providing timelines for enforceability of various provisions of the DPDP Act. This notification was issued on the same date on which the DPDP Rules were notified.
2. See Section 6(9) of the DPDP Act read with the First Schedule of the DPDP Rules.
3. See Section 3 of the DPDP Act.
4. See Section 4 of the DPDP Act.
5. See Sections 5 and 6 of the DPDP Act read with Rules 3, 10, 11 of the DPDP Rules.
6. See Section 7 of the DPDP Act read with Rules 5,
7. See Chapter III of the DPDP Act.
8. See Chapter VI of the DPDP Act.
9. See Chapters VII and VIII of the DPDP Act.
10. See Rules 6, 7, 8 of the DPDP Rules.
11. See Section 10 of the DPDP Act read with Rule 13 of the DPDP Rules.
12. See Section 16 of the DPDP Act read with Rule 15 of the DPDP Rules.
13. Section 2(i) of the DPDP Act defines "Data Fiduciary" as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
14. Section 2(j) of the DPDP Act defines "Data Principal" as the individual to whom the personal data relates and where such individual is - (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.
15. Rule 3(b)(ii) of the Draft DPDP Rules.
16. Rule 3(b)(ii) of the DPDP Rules.
17. "Significant Data Fiduciary" means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under Section 10 of the DPDP Act. Section 10 of the DPDP Act will be effective from May 12, 2027 onwards.
18. See Rule 13(3) of the Draft DPDP Rules.
19. See Rule 14(3) of the DPDP Rules.
20. Sr. No. 4 under Part B of the Fourth Schedule of the DPDP Rules.
21. Sr. No. 5 under Part B of the Fourth Schedule of the DPDP Rules.
22. Rule 3(a) of the DPDP Rules.
23. Rule 3(b) of the DPDP Rules.
24. Section 2(g) of the DPDP Act defines "Consent Manager" as a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
25. Rule 10(2)(c) of the DPDP Rules defines "Digital Locker service provider" as an intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000.
26. Section 9(1) of DPDP Act.
27. Section 9(3) of the DPDP Act.
28. See Fourth Schedule of the DPDP Rules.
29. See https://www.meity.gov.in/static/uploads/2025/11/f6c0837972422cf79d890bfe84cc04d6.pdf