India's DPDP Rules 2025 operationalise the Digital Personal Data Protection Act 2023, creating a balanced framework for privacy and data use. Notified on November 14, 2025, after extensive consultations, the rules emphasise citizens' rights alongside business compliance. The Ministry of Electronics and Information Technology (MeitY) finalised the rules following public consultations across seven cities, receiving 6,915 inputs from start-ups, MSMEs, civil society, and citizens. This process shaped a practical, innovation-friendly system drafted in plain language under the SARAL approach: Simple, Accessible, Rational, and Actionable. The framework rests on seven principles, such as consent, data minimisation, and accountability.

- Core Act Provisions
The DPDP Act 2023, enacted August 11, 2023, defines key roles: Data Fiduciaries decide the purposes and means of processing; Data Principals are the individuals whose data is processed (or their guardians, for children and persons with disabilities); Data Processors process data on behalf of Data Fiduciaries. Penalties can reach up to ₹250 crore for failures of security safeguards, ₹200 crore for failure to notify a breach or for violations concerning children's data, and ₹50 crore for other contraventions. The independent Data Protection Board oversees enforcement, with appeals lying to the TDSAT.
The Rules mandate phased compliance over 18 months, clear consent notices specifying purposes, and India-based Consent Managers. Data Fiduciaries must notify breaches promptly in plain language, display contact information (e.g., for the Data Protection Officer), and, in the case of Significant Data Fiduciaries, conduct audits and impact assessments. Special protections apply to children (verifiable parental consent, except for essentials such as healthcare) and to persons with disabilities.
- Comparative Analysis of DPDP Draft Rules and Final DPDP Rules
| Section | DPDP Rules (final) | Draft Rules | Description of changes |
|---|---|---|---|
| 1. Short title and commencement. | (2) Rules 1, 2 and 17 to 21 shall come into force on the date of their publication in the Official Gazette. (3) Rule 4 shall come into force one year after the date of publication of this Gazette. (4) Rules 3, 5 to 16, 22 and 23 shall come into force eighteen months after the date of publication of this Gazette. | (2) Rules 3 to 15, rule 21 and rule 22 shall come into force with effect from __________. (3) These rules, except rules 3 to 15 and rules 21 and 22, shall come into force on the date of their publication in the Official Gazette. | Change in timelines. |
| 2. Definitions | (1) In these rules, unless the context otherwise requires, – (a) "Act" means the Digital Personal Data Protection Act, 2023 (22 of 2023); (b) "techno-legal measures" means as referred to under rules 20 and 22; (c) "user account" means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary; and (d) "verifiable consent" means a consent as specified in rule 10 or 11. (2) The words and expressions used in these rules and not defined, but are defined in the Act, shall have the same meanings respectively assigned to them in the Act. | Unless the context otherwise requires, all expressions shall have the meaning assigned to them in the Digital Personal Data Protection Act, 2023 (22 of 2023) (hereinafter referred to as "Act"). | Explicitly provides definitions of various terms. |
| 3. Notice given by Data Fiduciary to Data Principal. | No change from draft. | | |
| 4. Registration and obligations of Consent Manager. | No change from draft. | | |
| 5. Processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities | (1) Processing the personal data of a Data Principal under this rule shall be done following the standards specified in Second Schedule. (2) In this rule and the Second Schedule, the reference to any subsidy, benefit, service, certificate, licence or permit that is provided or issued (...) | (1) The State and any of its instrumentalities may process the personal data of a Data Principal under clause (b) of section 7 of the Act to provide or to issue to her any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds. (2) Processing under this rule shall be done following the standards specified in Second Schedule. (3) In this rule and Second Schedule, the reference to any subsidy, benefit, service, certificate, licence or permit that is provided or issued (...) | Difference in the standard for processing personal data. |
| 6. Reasonable security safeguards. | No change from draft. | | |
| 7. Intimation of personal data breach. | [Sub-rule (3) omitted] | (3) In this rule, "user account" means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary. | The final rules omit the definition of "user account" from this rule (it now sits in rule 2). |
| 8. Time period for specified purpose to be deemed as no longer being served. | (1) A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force, or, for the corresponding time period specified in the Third Schedule, if the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing. (2) At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data. (3) Without prejudice to sub-rules (1) and (2), a Data Fiduciary shall retain, in respect of any processing of personal data undertaken by it or on its behalf by a Data Processor, such personal data, associated traffic data and other logs of the processing for a minimum period of one year from the date of such processing, for the purposes as specified in the Seventh Schedule, after which the Data Fiduciary shall cause such personal data and logs to be erased, unless further retention is required for compliance with any other law for the time being in force or notified by the Government. Illustration. Case 1: X, a Data Principal, purchases an e-book on an e-book platform Y. Once delivery is completed, the specified purpose of processing is served. The platform Y must retain the order details, personal data, and logs of the processing (such as order confirmation, payment, and delivery events) for at least one year from the date of the transaction, even if X deletes her account. Case 2: X, a company, engages a cloud service provider C as its Data Processor to host customer records. X, as the Data Fiduciary, is required to ensure that C also retains the data and associated logs for at least one year before erasure, unless any other applicable law requires a longer period. | (1) A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force, if, for the corresponding time period specified in the said Schedule, the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing. (2) At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data. (3) In this rule, "user account" means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which she is able to access the services of such Data Fiduciary. | Minor wording changes in (1); new sub-rule (3) on one-year retention of data and logs, with illustrations; the "user account" definition omitted from this rule. |
| 9. Contact information of person to answer questions about processing. | No change from draft. | | |
| 10. Verifiable consent for processing of personal data of child. | (b) details of identity and age, voluntarily provided — (i) by the individual; or (ii) through a virtual token mapped to such details, which is issued by an authorised entity. (2) In this rule, the expression— (a) "adult" shall mean an individual who has completed the age of eighteen years; (b) "authorised entity" shall mean — (i) an entity entrusted by law or by the Central Government or by the State Government with the issuance of details of the identity and age or a virtual token mapped to such details; or (ii) a person appointed or permitted by the entity specified under clause (i), for such issuance, and also includes details of identity and age or token made available and verified by a Digital Locker Service Provider; (c) "Digital Locker service provider" shall mean such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000); | Draft rule title: "10. Verifiable consent for processing of personal data of child or of person with disability who has lawful guardian". (b) voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the Central Government or a State Government with the maintenance of such details or a person appointed or permitted by such entity for such issuance, and includes such details or token verified and made available by a Digital Locker service provider. (3) In this rule, the expression— (a) "adult" shall mean an individual who has completed the age of eighteen years; (b) "Digital Locker service provider" shall mean such intermediary, including a body corporate or an agency of the appropriate Government, as may be notified by the Central Government, in accordance with the rules made in this regard under the Information Technology Act, 2000 (21 of 2000); (c) "designated authority" shall mean an authority designated under section 15 of the Rights of Persons with Disabilities Act, 2016 (49 of 2016) to support persons with disabilities in exercise of their legal capacity; (d) "law applicable to guardianship" shall mean,— (i) in relation to an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who despite being provided adequate and appropriate support is unable to take legally binding decisions, the provisions of law contained in Rights of Persons with Disabilities Act, 2016 (49 of 2016) and the rules made thereunder; and (ii) in relation to a person who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of such conditions and includes a person suffering from severe multiple disability, the provisions of law of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999) and the rules made thereunder; (e) "local level committee" shall mean a local level committee constituted under section 13 of the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999 (44 of 1999); (f) "person with disability" shall mean and include— (i) an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and (ii) an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability. | Changes the rule title and phrasing, replaces the specifics with the defined term "authorised entity", and omits the definitions relating to persons with disabilities. |
| 11. Verifiable consent for processing of personal data of person with disability who has lawful guardian. | Not included as a separate rule in the draft; clubbed with rule 10. | | |
| 12. Exemptions from certain obligations applicable to processing of personal data of child. | | | Rule 11 in the draft. |
| 13. Additional obligations of Significant Data Fiduciary | (3) A Significant Data Fiduciary shall observe due diligence to verify that technical measures including algorithmic software adopted by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals. (5) In this rule, "committee" means a committee constituted by the Central Government for the purpose of this rule, which shall include officials from the Ministry of Electronics and Technology and may include officials from other Ministries or Department of the Central Government. | (3) A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals. | Rule 12 in the draft. Widens the language to "technical measures including algorithmic software" and adds a definition of "committee". |
| 14. Rights of Data Principals | (2) To exercise the rights of the Data Principal under the Act, she may make a request to the Data Fiduciary to whom she has previously given consent for processing of her personal data, using the means and furnishing the particulars required by such Data Fiduciary for the exercise of such rights. (3) Every Data Fiduciary and Consent Manager shall prominently publish on its website or app, or both, as the case may be, within a reasonable period not exceeding ninety days under its grievance redressal system for responding to the grievances of Data Principals and shall, for ensuring the effectiveness of the system in responding within such period, implement appropriate technical and organisational measures. (4) To exercise the rights of the Data Principal under the Act, she may, in accordance with the terms of service of the Data Fiduciary and such law as may be applicable, nominate one or more individuals, using the means and furnishing the particulars required by such Data Fiduciary for the exercise of such right. (5) In this rule, the expression "identifier" shall mean any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID, email address, mobile number or licence number that enables such identification. | (2) To exercise the rights of the Data Principal under the Act to access information about personal data and its erasure, she may make a request to the Data Fiduciary to whom she has previously given consent for processing of her personal data, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such rights. (3) Every Data Fiduciary and Consent Manager shall publish on its website or app, or both, as the case may be, the period under its grievance redressal system for responding to the grievances of Data Principals and shall, for ensuring the effectiveness of the system in responding within such period, implement appropriate technical and organisational measures. (4) To exercise the rights of the Data Principal under the Act to nominate, she may, in accordance with the terms of service of the Data Fiduciary and such law as may be applicable, nominate one or more individuals, using the means and furnishing the particulars published by such Data Fiduciary for the exercise of such right. (5) In this rule, the expression "identifier" shall mean any sequence of characters issued by the Data Fiduciary to identify the Data Principal and includes a customer identification file number, customer acquisition form number, application reference number, enrolment ID or licence number that enables such identification. | Rule 13 in the draft. Changes in wording, adds "prominently publish", and adds further categories of identifier. |
| 15. Transfer of personal data outside the territory of India. | Any personal data processed by a Data Fiduciary under the Act may be transferred outside the territory of India subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State. | 14. Processing of personal data outside India.—Transfer to any country or territory outside India of personal data processed by a Data Fiduciary— (a) within the territory of India; or (b) outside the territory of India in connection with any activity related to offering of goods or services to Data Principals within the territory of India, is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State. | Rule title changed; changes to the wording of the rule. |
| 16. Exemption from Act for research, archiving or statistical purposes. | No change from draft. | | Rule 15 in the draft. |
| 17. Appointment of Chairperson and other Members | No change from draft. | | Rule 16 in the draft. |
| 18. Salary, allowances and other terms and conditions of service of Chairperson and other Members | No change from draft. | | Rule 17 in the draft. |
| 19. Procedure for meetings of Board and authentication of its orders, directions and instruments. | No change from draft. | | Rule 18 in the draft. |
| 20. Functioning of Board as digital office | No change from draft. | | Rule 19 in the draft. |
| 21. Terms and conditions of appointment and service of officers and employees of Board | (1) The Board may, with previous approval of the Central Government, appoint such officers and employees as it may deem necessary for the efficient discharge of its functions under the provisions of the Act. | (1) The Board may, with previous approval of the Central Government and in such manner as the Central Government may by general or special order specify, appoint such officers and employees as it may deem necessary for the efficient discharge of its functions under the provisions of the Act. | Rule 20 in the draft. Omits "by general or special order". |
| 22. Appeal to Appellate Tribunal. | (1) Any person aggrieved by an order or direction of the Board, may prefer an appeal before the Appellate Tribunal, it shall be filed in digital form as the Appellate Tribunal may decide. (2) An appeal filed with the Appellate Tribunal shall be accompanied by fee of like amount as is applicable in respect of an appeal filed under the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), unless reduced or waived by the Chairperson of the Appellate Tribunal at her discretion, and the same shall be payable digitally using the Unified Payments Interface or such other payment system authorised by the Reserve Bank of India. | (1) An appeal, including any related documents, by a person aggrieved by an order or direction of the Board, shall be filed in digital form, following such procedure as may be specified by the Appellate Tribunal on its website. (2) An appeal filed with the Appellate Tribunal shall be accompanied by fee of like amount as is applicable in respect of an appeal filed under the Telecom Regulatory Authority of India Act, 1997 (24 of 1997), unless reduced or waived by the Chairperson of the Appellate Tribunal at her discretion, and the same shall be payable digitally using the Unified Payments Interface or such other payment system authorised by the Reserve Bank of India as the Appellate Tribunal may specify on its website. | Rule 21 in the draft. Changes in wording; no longer requires the RBI-authorised payment system to be specified on the Tribunal's website. |
| 23. Calling for information from Data Fiduciary or intermediary. | (1) The Central Government may, for such purposes of the Act as are specified in Seventh Schedule, acting through the corresponding authorised person specified in the said Schedule, require any Data Fiduciary or intermediary to furnish such information as may be called for, within the specified period as may be given in such. (2) Where the disclosure of furnishing of information as referred to in sub-rule (1) is likely to prejudicially affect the sovereignty and integrity of India or security of the State, the Central Government may require the Data Fiduciary or intermediary to not disclose such furnishing to affected Data Principal or any other person except with the previous permission, in writing, of the authorised person. (3) For the purposes of this rule, the expression "intermediary" shall have the same meaning as assigned to it in the Information Technology Act, 2000 (21 of 2000). | (1) The Central Government may, for such purposes of the Act as are specified in Seventh Schedule, acting through the corresponding authorised person specified in the said Schedule, require any Data Fiduciary or intermediary to furnish such information as may be called for, specify the time period within which the same shall be furnished and, where disclosure in this regard is likely to prejudicially affect the sovereignty and integrity of India or security of the State, require the Data Fiduciary or intermediary to not disclose the same except with the previous permission in writing of the authorised person. (2) Provision of information called for under this rule shall be by way of fulfilment of obligation under section 36 of the Act. | Rule 22 in the draft. Changes in ordering and wording, clarifies the meaning of "intermediary", and removes the reference to section 36 of the DPDP Act. |
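Rule 8 is the one provision in the table that reads as an operational procedure: a per-class inactivity period, a 48-hour pre-erasure notice that any login or contact resets, a carve-out where another law requires retention, and a separate one-year floor for processing logs. The scheduler below is an added worked example written for this article, not code from the Rules or any fiduciary; the three-year `RETENTION_PERIOD` and seven-day `NOTICE_LEAD` are assumed placeholders (the Third Schedule periods are not reproduced on this page), and the timeline in `simulate()` is constructed.

```python
"""Retention scheduler modelled on DPDP Rule 8 (added example, not the Rules' text).

Rule 8(1): erase personal data after the Third Schedule period of inactivity,
           unless another law requires retention.
Rule 8(2): warn the Data Principal at least 48 hours before that erasure; a
           login, contact or rights request before the deadline restarts the clock.
Rule 8(3): keep personal data, traffic data and processing logs for at least
           one year from the date of processing, regardless of 8(1)/8(2).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PRE_ERASURE_NOTICE = timedelta(hours=48)        # rule 8(2) minimum
MIN_LOG_RETENTION = timedelta(days=365)         # rule 8(3) minimum
RETENTION_PERIOD = timedelta(days=3 * 365)      # assumed placeholder, not from the Rules
NOTICE_LEAD = timedelta(days=7)                 # assumed operational lead (>= 48 h)


@dataclass
class PrincipalRecord:
    principal_id: str
    last_activity: datetime          # last login, contact or rights request
    last_processed: datetime         # date of the most recent processing event
    notified_at: Optional[datetime] = None
    legal_hold: bool = False         # another law requires longer retention
    erased: bool = False


def erasure_deadline(rec: PrincipalRecord) -> datetime:
    return rec.last_activity + RETENTION_PERIOD


def record_activity(rec: PrincipalRecord, when: datetime) -> None:
    """Rule 8(2): any contact before the deadline restarts the clock and voids the notice."""
    rec.last_activity = when
    rec.notified_at = None


def next_action(rec: PrincipalRecord, now: datetime) -> str:
    """What the fiduciary must do for this record right now."""
    if rec.erased:
        return "erased"
    if rec.legal_hold:
        return "retain"                          # rule 8(1) carve-out
    deadline = erasure_deadline(rec)
    if now < deadline - NOTICE_LEAD:
        return "retain"
    if rec.notified_at is None:
        return "notify"                          # notice precedes every erasure
    if now < deadline or now - rec.notified_at < PRE_ERASURE_NOTICE:
        return "wait"                            # both the period and the 48 h must elapse
    return "erase"


def apply_action(rec: PrincipalRecord, now: datetime) -> str:
    action = next_action(rec, now)
    if action == "notify":
        rec.notified_at = now
    elif action == "erase":
        rec.erased = True
    return action


def logs_may_be_erased(rec: PrincipalRecord, now: datetime) -> bool:
    """Rule 8(3): logs stay at least one year from processing, longer under legal hold."""
    return not rec.legal_hold and now >= rec.last_processed + MIN_LOG_RETENTION


def simulate() -> dict:
    """Constructed timeline exercising each branch; returns the observed actions."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    deadline = t0 + RETENTION_PERIOD
    out = {}
    rec = PrincipalRecord("p1", last_activity=t0, last_processed=t0)
    out["early"] = apply_action(rec, t0 + timedelta(days=30))
    out["notice"] = apply_action(rec, deadline - NOTICE_LEAD)
    out["window"] = apply_action(rec, deadline - timedelta(hours=1))
    out["erase"] = apply_action(rec, deadline + timedelta(hours=1))
    rec2 = PrincipalRecord("p2", last_activity=t0, last_processed=t0)
    apply_action(rec2, deadline - NOTICE_LEAD)           # notice goes out
    record_activity(rec2, deadline - timedelta(days=1))  # principal logs in
    out["reset"] = apply_action(rec2, deadline + timedelta(days=1))
    rec3 = PrincipalRecord("p3", last_activity=t0, last_processed=t0, legal_hold=True)
    out["hold"] = apply_action(rec3, deadline + timedelta(days=30))
    out["logs_364"] = logs_may_be_erased(rec, t0 + timedelta(days=364))
    out["logs_365"] = logs_may_be_erased(rec, t0 + timedelta(days=365))
    return out
```

Note that the data-erasure clock and the log-retention clock run independently: a record can be erased under 8(1) while its processing logs must still be kept under 8(3).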
- Conclusion
The DPDP Rules 2025 represent a refined evolution from the draft, streamlining implementation timelines, bolstering verifiable consent for vulnerable groups, and mandating practical safeguards such as a 48-hour pre-erasure notice and one-year retention of processing logs. These citizen-centric updates, shaped by 6,915 stakeholder inputs, strike a pragmatic balance between privacy rights and digital innovation, enabling phased compliance over 18 months while imposing steep penalties of up to ₹250 crore for lapses. For professionals and businesses, proactive adoption of techno-legal measures will not only ensure accountability but also fortify trust in India's growing data ecosystem, positioning the nation as a global leader in responsible data governance.