ARTICLE
7 January 2026

Update - Meity Notifies Rules Operationalising The DPDP Framework In India

Khurana and Khurana

Contributor

K&K is among leading IP and Commercial Law Practices in India with rankings and recommendations from Legal500, IAM, Chambers & Partners, AsiaIP, Acquisition-INTL, Corp-INTL, and Managing IP. K&K represents numerous entities through its 9 offices across India and over 160 professionals for varied IP, Corporate, Commercial, and Media/Entertainment Matters.

Overview

As a key development in India's data protection regime, the Digital Personal Data Protection Rules1 (DPDP Rules) were recently notified by MeitY, Government of India on November 13, 2025. The implementation of these Rules, together with the Digital Personal Data Protection Act, 20232 (DPDP Act), will take place in phases over a period of 18 months, marking a significant shift in India's data protection and privacy regime. Together, these frameworks reflect the established principles of informational privacy and proportionality which were laid down in the landmark judgment Justice K.S. Puttaswamy (Retd.) v. Union of India3 by the Hon'ble Supreme Court.

In the aftermath of this ruling, the government came under a constitutional obligation to protect the informational privacy rights of citizens, which found legislative manifestation in the enactment of the DPDP Act. The Act laid the foundational framework by articulating broad governing principles, defining the obligations of Data Fiduciaries, enumerating the rights and duties of Data Principals, and providing for the establishment of the Data Protection Board of India (DPBI) along with its powers, functions and procedures. The operationalization of these provisions, however, was deliberately deferred to the DPDP Rules. With the notification of the Rules, India's data protection regime has now begun to take concrete shape.

While the change may appear incremental on the surface, it marks a decisive leap in India's privacy laws. Data today underpins the functioning of individuals, businesses, governments, and security agencies, making it integral to everyday life. This concentration of data has also increased vulnerabilities, particularly the risk of personal data theft. India's DPDP law responds to this reality by making it clear that citizens' personal data is no longer to be treated as unfettered commercial capital.

For companies, this shift translates into enforceable compliance obligations under the DPDP Rules, requiring changes to internal governance structures, consent mechanisms, data handling practices, and breach response frameworks.

Before examining the key features introduced by the Rules, it is important to consider the implementation timelines of the DPDP framework, as these timelines inform how companies and organizations should plan their compliance integration.

DPDP Act, 20234

DPDP Rules, 20255

Effective immediately, i.e., November 13, 2025
  • DPDP Act: Provisions relating to the definitions, establishment, powers, functions, and procedural framework of the Data Protection Board of India (DPBI), enabling the constitution and functioning of the Board, together with certain ancillary provisions under Chapter IX of the Act.
  • DPDP Rules: Definition clause and the rules governing the appointment, service conditions, procedural functioning, and digital operation of the DPBI, including the constitution of the Search-cum-Selection Committee, terms of service of the Chairperson and Members, quorum and decision-making procedures, etc.

Within 12 months from the notification
  • DPDP Act: Provisions recognizing Consent Managers as regulated entities under the Act, requiring their registration with the Data Protection Board of India subject to prescribed conditions, and empowering the Board to inquire into breaches of such conditions and impose penalties for non-compliance.
  • DPDP Rules: Rules relating to the registration, regulation, and oversight of Consent Managers, including eligibility conditions, application and inquiry procedures, ongoing obligations, supervisory powers of the Data Protection Board of India, and powers to seek information, issue directions, and suspend or cancel registration in the interests of Data Principals.

Within 18 months from the notification
  • DPDP Act: Core substantive provisions governing the scope and applicability of the Act, lawful grounds for processing personal data, notice and consent requirements, rights and duties of Data Principals, obligations of Data Fiduciaries and Significant Data Fiduciaries, processing of children's data, cross-border data transfers, exemptions, enforcement and penalty mechanisms, appellate remedies, and related statutory amendments (i.e., the entire DPDP Act together with the Rules).
  • DPDP Rules: Rules operationalizing the DPDP compliance regime, covering privacy notice and consent standards, security safeguards, breach reporting and response, purpose-based data retention and automated deletion, publication of privacy contact details, verification of consent for children and PwDs with lawful guardians, enhanced obligations for Significant Data Fiduciaries, cross-border transfer modalities, appellate procedures, and government powers to seek information from Data Fiduciaries and intermediaries.

The phased implementation framework carries distinct compliance consequences for organizations, which may be summarized as follows:

1. Effective immediately (13 November 2025)

With the DPBI now operational, organizations are exposed to an active regulator and must be ready for inquiries, directions, and adjudicatory proceedings, including maintaining documentation, internal records-keeping systems, and response and escalation protocols.

2. Within 12 months from notification (13 November 2026)

The first milestone focuses on front-end and governance alignment, requiring businesses to redesign privacy notices and consent flows, set up user-friendly grievance mechanisms, publish clear privacy contact information, and ensure legal, product, and compliance teams can operationally support lawful processing and rights management.

3. Within 18 months from notification (13 May 2027)

This phase requires deeper operational and technical change, including reasonable security safeguards, breach-response frameworks, purpose-based retention with automated and inactivity-based deletion, stronger vendor and processor oversight, and additional safeguards for children's data and other high-risk environments, often supported by backend engineering changes and updated contracts.

4. Upon designation as a Significant Data Fiduciary (SDF)

Organizations processing large volumes or high-risk categories of personal data must prepare in advance for heightened regulatory scrutiny, as the enhanced obligations applicable to an SDF will activate upon notification. This includes readiness for data protection impact assessments, independent audits, algorithmic governance reviews, strengthened organizational controls, and adaptable cross-border data architectures to mitigate operational disruption upon designation.

Operational Impact of The DPDP Framework

1. Scope of the DPDP Framework

The DPDP Act applies to the processing6 of digital personal data7 within India, including Data8 first collected offline and later digitized, and also to processing carried out outside India where it relates to the offering of goods or services to individuals in India. It does not apply to purely personal or domestic use, or to personal data made publicly available by the Data Principal or under a legal obligation. The DPDP Rules build on this scope by prescribing how notices, consent, rights, security safeguards, breach reporting, retention, and verification obligations must be operationalized wherever the Act applies, meaning that once an activity falls within the Act, the procedural and technical requirements under the Rules automatically follow.

2. Determining Compliance Exposure: Data Fiduciaries, Data Processors, and Significant Data Fiduciaries

Under the DPDP framework, organizations need to map where they act as a Data Fiduciary9 and where they function only as a Data Processor10. In practice, this means identifying who actually decides why and how Personal Data11 is processed in each workflow, for instance, whether the organization itself determines the purpose of customer analytics, or merely analyses data on behalf of another entity. Where processing becomes large-scale or high-risk, there is a real possibility of being notified as a Significant Data Fiduciary12, bringing additional compliance expectations such as independent oversight and assessments. Since responsibility ultimately remains with the Data Fiduciary even where data is handled by vendors, clarity in the allocation of roles and accountability becomes essential for compliance planning and for managing regulatory exposure before the DPBI.

3. From Consent to Architecture: Reconfiguring Lawful Processing Mechanisms

The Act requires that personal data be processed only on the basis of valid consent or permitted legitimate uses, and the Rules operationalize this through stricter expectations around privacy notices, consent presentation and withdrawal. Organizations are now required to ensure that purposes are clearly communicated, that consent and withdrawals are logged and traceable, and that systems are capable of halting processing where consent is withdrawn unless another lawful basis applies. Integration with Consent Managers13 also forms part of the compliance architecture, signaling that consent is now a design-level obligation, not merely legal documentation.
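The logging and "halt unless another lawful basis applies" requirements above can be modelled as an append-only consent ledger gating every processing step. This is an added illustration, not code from the article or any DPDP implementation; the legitimate-use labels, the lawful_basis parameter and the sample principal/purposes are this example's own assumptions.

```python
"""Append-only, purpose-scoped consent ledger with a processing gate.
Added illustration only; the LEGITIMATE_USES labels are assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# ASSUMED internal labels for non-consent lawful grounds an organisation may rely on.
LEGITIMATE_USES = {"legal_obligation", "medical_emergency", "employment"}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str      # one specific purpose, e.g. "marketing"
    action: str       # "given" or "withdrawn"
    at: datetime
    channel: str      # "app", "consent_manager", "nominee", ...


class ConsentLedger:
    """Events are only ever appended, so the history stays traceable for audit."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.action not in ("given", "withdrawn"):
            raise ValueError("action must be 'given' or 'withdrawn'")
        if self._events and ev.at < self._events[-1].at:
            raise ValueError("events must be appended in time order")
        self._events.append(ev)

    def latest(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Most recent consent event for this principal and purpose, if any."""
        for ev in reversed(self._events):
            if ev.principal_id == principal_id and ev.purpose == purpose:
                return ev
        return None

    def trace(self, principal_id: str) -> List[Tuple[str, str, str, str]]:
        """Audit trail for one Data Principal: (purpose, action, ISO time, channel)."""
        return [(e.purpose, e.action, e.at.isoformat(), e.channel)
                for e in self._events if e.principal_id == principal_id]


def may_process(ledger: ConsentLedger, principal_id: str, purpose: str,
                lawful_basis: Optional[str] = None) -> Tuple[bool, str]:
    """Gate a processing step: active consent for this purpose, or another lawful basis."""
    if lawful_basis in LEGITIMATE_USES:
        return True, f"legitimate use: {lawful_basis}"
    ev = ledger.latest(principal_id, purpose)
    if ev is None:
        return False, "no consent recorded for this purpose"
    if ev.action == "withdrawn":
        return False, f"consent withdrawn at {ev.at.isoformat()} via {ev.channel}"
    return True, f"consent given at {ev.at.isoformat()} via {ev.channel}"


def demo() -> Dict[str, bool]:
    """Constructed scenario: consent given in-app, marketing later withdrawn via a Consent Manager."""
    led = ConsentLedger()
    t0 = datetime(2027, 5, 14, 9, 0, tzinfo=timezone.utc)
    led.record(ConsentEvent("dp-001", "marketing", "given", t0, "app"))
    led.record(ConsentEvent("dp-001", "order_fulfilment", "given", t0, "app"))
    led.record(ConsentEvent("dp-001", "marketing", "withdrawn", t0.replace(day=15), "consent_manager"))
    return {
        "marketing": may_process(led, "dp-001", "marketing")[0],
        "order_fulfilment": may_process(led, "dp-001", "order_fulfilment")[0],
        "analytics": may_process(led, "dp-001", "analytics")[0],
        "tax_records": may_process(led, "dp-001", "tax_records", "legal_obligation")[0],
    }
```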

4. Operationalizing Data Principal Rights and Grievance Redressal at Scale

The DPDP regime requires that Data Principals14 be able to access their data, correct inaccuracies, request erasure and raise grievances, and the Rules expect organizations to publish a clear and accessible point of contact for doing so. In real-world terms, this means that a user should not have to search endlessly for an email ID; the mechanism should be obvious and structured. Grievance redressal systems must also be capable of resolving complaints within a maximum period of 90 days. Requests must be verified, recorded and resolved within prescribed timelines, including those submitted through Consent Managers or nominees. As a result, organizations need repeatable workflows, case-handling systems and audit trails, rather than purely discretionary responses handled differently by each department.

5. Data Breach Obligations and Incident Response Readiness

Where a personal data breach occurs, the Act requires notification without delay to both the Board and affected Data Principals. Practically, the Data Fiduciary must promptly inform individuals of the breach, explain its nature, and set out the mitigation steps they may take, while also notifying the Board with an initial description followed by a detailed report within 72 hours. This means organizations must already know who will assess the breach, who will draft the notification, and how risk to individuals will be evaluated. The Rules reinforce this through expectations of system logging, monitoring and accountability so that the cause, scope, and impact of a breach can actually be determined. Breach management therefore shifts from being a purely IT function to a legal-regulatory obligation, supported by structured detection, escalation and documented response steps.

6. Data Retention, Deletion, and Log Management

The principle that personal data must be erased once its purpose is fulfilled is made operational through the Rules, which also require erasure linked to prolonged inactivity of user accounts15 after notice. Before erasure, Data Principals must be given at least 48 hours' advance notice and the option to continue or exercise their rights. At the same time, the Rules require that certain event logs be retained for at least 1 year to support investigation and accountability. This creates a practical shift: rather than keeping data 'just in case,' organizations must assign purpose tags, retention timelines and deletion triggers, alongside exception handling where another law mandates retention. Backup environments also need review so that deletion is not just a front-end exercise.
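The retention logic described above (purpose-fulfilment and inactivity triggers, a 48-hour pre-erasure notice that the Data Principal can answer by continuing, a legal-hold exception, and one-year log retention) can be written down as a small decision function. This is an added example, not code from the article; the inactivity threshold, the record fields and the sample records are constructed assumptions.

```python
"""Purpose-based retention decisions. Added illustration only; not from the article.
INACTIVITY_THRESHOLD is an ASSUMED value to be set from the Rules' own schedule."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

NOTICE_PERIOD = timedelta(hours=48)              # "at least 48 hours" advance notice
LOG_RETENTION = timedelta(days=365)              # event logs kept "at least 1 year"
INACTIVITY_THRESHOLD = timedelta(days=3 * 365)   # ASSUMED; configure per the Rules
NOW = datetime(2027, 5, 20, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time


@dataclass
class Record:
    record_id: str
    purpose: str                                  # purpose tag assigned at collection
    purpose_fulfilled_at: Optional[datetime]      # set once the purpose is served
    last_activity_at: datetime                    # last contact by the Data Principal
    notice_sent_at: Optional[datetime] = None     # when the pre-erasure notice went out
    legal_hold_until: Optional[datetime] = None   # another law mandates retention until


def decide(rec: Record, now: datetime) -> str:
    """Return one of: legal_hold, retain, send_notice, notice_pending, erase."""
    if rec.legal_hold_until is not None and now < rec.legal_hold_until:
        return "legal_hold"          # statutory retention overrides deletion triggers
    purpose_done = rec.purpose_fulfilled_at is not None and rec.purpose_fulfilled_at <= now
    inactive = now - rec.last_activity_at >= INACTIVITY_THRESHOLD
    if not (purpose_done or inactive):
        return "retain"              # no deletion trigger has fired
    if rec.notice_sent_at is None:
        return "send_notice"         # principal must get the chance to continue
    if rec.last_activity_at > rec.notice_sent_at:
        return "retain"              # principal chose to continue after the notice
    if now - rec.notice_sent_at < NOTICE_PERIOD:
        return "notice_pending"      # 48-hour window still running
    return "erase"                   # trigger fired, notice given, window elapsed


def log_purgeable(log_written_at: datetime, now: datetime) -> bool:
    """Event logs supporting investigation stay for at least one year."""
    return now - log_written_at >= LOG_RETENTION


def sample_batch() -> Dict[str, str]:
    """Constructed records covering each branch; returns {record_id: decision}."""
    d, h = timedelta, timedelta  # short aliases for readability
    recs = [
        Record("active", "order_fulfilment", None, NOW - d(days=10)),
        Record("done_no_notice", "order_fulfilment", NOW - d(days=1), NOW - d(days=30)),
        Record("done_waiting", "marketing", NOW - d(days=3), NOW - d(days=30),
               notice_sent_at=NOW - h(hours=20)),
        Record("done_erase", "marketing", NOW - d(days=5), NOW - d(days=30),
               notice_sent_at=NOW - h(hours=49)),
        Record("done_continued", "loyalty", NOW - d(days=5), NOW - h(hours=1),
               notice_sent_at=NOW - h(hours=30)),
        Record("dormant", "loyalty", None, NOW - INACTIVITY_THRESHOLD - d(days=1)),
        Record("held", "tax_invoice", NOW - d(days=400), NOW - d(days=400),
               legal_hold_until=NOW + d(days=2000)),
    ]
    return {r.record_id: decide(r, NOW) for r in recs}


def log_examples() -> Tuple[bool, bool]:
    """A 200-day-old log must stay; a 400-day-old log may be purged."""
    return (log_purgeable(NOW - timedelta(days=200), NOW),
            log_purgeable(NOW - timedelta(days=400), NOW))
```

Backups are outside this function's view: the same decision needs to be replayed against backup copies, as the paragraph notes.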

7. Children's Data and Data of Persons with Disabilities (PwDs)

Where personal data relates to a child16 or to persons with disabilities17 who have lawful guardians, the Act requires verifiable consent from the parent or guardian and prohibits certain processing which may be harmful or detrimental to the child's well-being. The Rules operationalize age verification and guardian validation processes, including the use of Digital Locker-based methods. In practice, onboarding flows must incorporate age-identification mechanisms, along with systems to obtain and verify parental or lawful-guardian consent wherever required. Organizations should also retain reliable records as proof of such consent, and ensure that support and customer-facing teams can recognize and appropriately handle cases involving children or persons with lawful guardians. These obligations are particularly relevant to ed-tech, gaming, social-media, telecom and app-based platforms, where engagement with minors is frequent and continuous.

8. Vendor and Processor Governance: Contractual and Oversight Challenges

Even where processing is outsourced to a Data Processor, the Data Fiduciary retains responsibility for compliance under the Act. The Rules expect security safeguards, breach notification duties and deletion obligations to flow through the contractual chain, rather than ending at the corporate boundary. In practice, organizations need to renegotiate vendor contracts, ensure timely breach reporting clauses exist, and maintain evidence of oversight and audit interaction, because if a processor fails, the regulatory exposure still falls primarily on the Data Fiduciary.

9. Reasonable Security Safeguards and Organizational Accountability

The Act requires reasonable security safeguards to prevent personal data breaches18, and the Rules give substance to this expectation by referencing technical and organizational controls such as encryption, access restriction, backups, monitoring and logging. Significant Data Fiduciaries must also perform enhanced governance activities including audits and risk assessments. This moves information security from being a best-practice preference to a regulatory threshold duty, requiring organizations not only to implement controls but also to maintain documented evidence that they were in place and reasonably proportionate at the time of any breach.

10. Regulatory Accountability and the Emerging Penalty Landscape

With the Data Protection Board of India established19, the regime creates a functioning enforcement framework. The Board may inquire into breaches and complaints, issue directions, impose penalties, and call for information, with inquiries required to be completed within six months, extendable by a further three months at a time with reasons recorded. The Rules lay down the procedures by which the Board operates. Appeals against its decisions will lie with the Appellate Tribunal, TDSAT. For businesses, this means compliance programmes must be Board-ready, with policies, logs, governance records and decisions maintained so that they can be produced during an inquiry. Regulatory engagement therefore becomes a structured and ongoing responsibility rather than a rare or exceptional event.

DPDP as a Driver of Organizational and Market-Level Transformation

Beyond statutory timelines and operational compliance duties, organizations should also consider DPDP implementation as a progressive capability-building exercise. The framework is not merely concerned with documentation or isolated controls, but with building durable systems, governance mechanisms and cultural practices that embed privacy-by-design into routine operations. Organizations that approach DPDP as an ongoing investment, rather than a one-time cost, are more likely to create resilient, scalable and trusted data environments.

Loyalty and rewards programmes are likely to face significant disruption under the DPDP framework. Many such schemes are currently structured around the centralization of customers' mobile numbers, which function as persistent identifiers linking purchase histories, reward points, discounts, and targeted offers. Under the DPDP regime, companies can no longer retain personal data indefinitely or without a continuing lawful basis. This necessitates a re-design of loyalty architectures, either through time-bound retention, anonymization, or consent-driven re-engagement, particularly where customer data must be deleted once the transactional purpose is fulfilled. Businesses will therefore be required to move away from data-heavy models towards privacy-by-design loyalty systems.

Concluding Note

The DPDP framework aims at striking a balance between fostering innovation and growth and preserving the privacy of citizens. It is in the end a test of institutional maturity. It requires organizations to decide whether personal data will continue to be a convenient resource or will be regarded as a responsibility to the people it concerns. The Rules do not merely prescribe technical controls; they demand judgment, restraint and respect for boundaries that previously were easy to overlook. Together, the DPDP Act and Rules seek to enhance privacy and foster trust and responsible innovation, building a more secure and globally competitive digital economy in India.

Footnotes

1 Ministry of Electronics and Information Technology, Digital Personal Data Protection Rules 2025, notified under the Digital Personal Data Protection Act, 2023 https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf.

2 Act No. 22, Ministry of Law and Justice, Government of India (2023) https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf.

3 (2017) 10 SCC 1

4 Ministry of Electronics and Information Technology, 'Notification: Digital Personal Data Protection Act, 2023, Commencement Dates' GSR 843(E), 13 November 2025, The Gazette of India, Extraordinary, Part II Section 3(i).

5 Rule 1, DPDP Rules, 2025, Supra note 2, at 1.

6 'Processing' in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction; Digital Personal Data Protection Act 2023, s 2(x).

7 'Digital personal data' means personal data in digital form; Digital Personal Data Protection Act 2023, s 2(n).

8 'Data' means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means; Digital Personal Data Protection Act 2023, s 2(h).

9 'Data Fiduciary' means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data; Digital Personal Data Protection Act 2023, s 2(i).

10 'Data Processor' means any person who processes personal data on behalf of a Data Fiduciary; Digital Personal Data Protection Act 2023, s 2(k).

11 'Personal data' means any data about an individual who is identifiable by or in relation to such data; Digital Personal Data Protection Act 2023, s 2(t).

12 'Significant Data Fiduciary' means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10; Digital Personal Data Protection Act 2023, s 2(z).

13 'Consent Manager' means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform; Digital Personal Data Protection Act 2023, s 2(g).

14 'Data Principal' means the individual to whom the personal data relates and where such individual is:

(i) a child, includes the parents or lawful guardian of such a child;

(ii) a person with disability, includes her lawful guardian, acting on her behalf;

Digital Personal Data Protection Act 2023, s 2(j).

15 'User account' means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which such Data Principal is able to access the services of such Data Fiduciary; Digital Personal Data Protection Rules, 2025, r 2(c).

16 'Child' means an individual who has not completed the age of eighteen years; Digital Personal Data Protection Act 2023, s 2(f).

17 'Person with disability' shall mean and include:

  • an individual who has long term physical, mental, intellectual or sensory impairment which, in interaction with barriers, hinders her full and effective participation in society equally with others and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; and
  • an individual who is suffering from any of the conditions relating to autism, cerebral palsy, mental retardation or a combination of any two or more of such conditions and includes an individual suffering from severe multiple disability and who, despite being provided adequate and appropriate support, is unable to take legally binding decisions; Digital Personal Data Protection Act 2023, s 11(2)(d).

18 'Personal data breach' means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data; Digital Personal Data Protection Act 2023, s 2(u).

19 Digital Personal Data Protection Act 2023, s 2(c) r/w s 18.
