DPDP Rules 2025 Explained: What Every Data Fiduciary Needs to Know


Data protection in India has entered a decisive new chapter. After years of legislative deliberation and public consultation, the Ministry of Electronics and Information Technology (MeitY) notified the final Digital Personal Data Protection (DPDP) Rules on November 13, 2025. These rules operationalise the DPDP Act, 2023 and give every Data Fiduciary operating in India the practical implementation clarity they have been waiting for since the draft rules were released for public consultation on January 3, 2025.

For organisations that collect, store, or process personal data of individuals in India, these rules are not aspirational guidelines. They are enforceable obligations backed by the Data Protection Board of India (DPBI), a regulatory body with the power to investigate, adjudicate, and impose penalties of up to Rs. 250 crore for serious violations. Understanding what the rules require, rule by rule, is the first and most critical step toward building a compliance programme that actually holds up.

The Three-Phase Implementation Timeline

The DPDP Rules do not take effect all at once. MeitY has structured the rollout across three phases, giving organisations time to prepare without indefinitely delaying enforcement.

Phase 1: Immediate Effect (November 2025)

Rules 1, 2, and 17 to 21, which cover definitions, Board constitution and appointments, Board procedures, and the digital functioning of the DPBI, became operative upon gazette notification. The regulatory body is now formally in place.

Phase 2: One Year After Notification (November 2026)

Rule 4, which governs Consent Management under the DPDP Act, takes effect. This is the first hard deadline that organisations with digital products and services must plan for.

Phase 3: Eighteen Months After Notification (May 2027)

Rules 3, 5 to 16, 22, and 23 come into force. This phase covers notices, security safeguards, breach notification, data erasure, contact information obligations, children’s data, rights management, cross-border transfers, exemptions, and Significant Data Fiduciary obligations. For most organisations, this is where the real compliance work lies.

May 2027 should be treated as a firm project deadline. Organisations need to work backwards from that date and build the required systems, policies, vendor agreements, and internal processes well in advance.

Rule 3: Notices That Actually Inform

Rule 3 addresses one of the most persistent failures in data protection in India: the use of long, complex, and inaccessible privacy policies as consent notices. This rule sets a significantly higher standard for transparency.

The Standalone Requirement

The notice a Data Fiduciary provides to a Data Principal before seeking consent must be standalone and understandable without any reference to another document. It cannot cross-reference terms and conditions, separate privacy policies, or any external material. An individual reading the notice alone must fully understand what they are consenting to and what will happen to their data.

What the Notice Must Include

  • An itemised description of the personal data being collected
  • The specific purposes for which the data will be processed
  • A description of the goods or services the Data Principal will receive in exchange
  • A direct communication link to the Data Fiduciary’s website or app through which the individual can withdraw consent, exercise rights, and file complaints with the DPBI

Language Requirements

The Act requires that the Data Principal be able to access the contents of the notice in English or in any language listed in the Eighth Schedule of the Constitution; the choice belongs to the individual, so the notice must be ready in every language a Data Fiduciary's users may select. Given the linguistic diversity of India, this is a meaningful accessibility obligation for any organisation with users across multiple states.

The era of vague, legalese-laden privacy policies doubling as consent notices is over. Legal and compliance teams must move away from drafting notices for legal defensibility and toward drafting them for genuine comprehension. Every Data Fiduciary should audit its existing consent notices against these requirements immediately.

Rule 4: Consent Management Under the DPDP Act

Consent Management under the DPDP Act takes on an entirely new dimension with Rule 4, which introduces Consent Managers as a formally recognised class of intermediary in India’s data ecosystem. This rule takes effect in November 2026.

What Is a Consent Manager?

A Consent Manager is a platform registered with the DPBI that gives Data Principals a single interface to give, manage, review, and withdraw their consents across multiple Data Fiduciaries. Instead of managing consent separately with each platform or service they use, individuals can exercise control over all their data relationships from one place.

Consent Managers are accountable directly to the Data Principal and must maintain interoperability, ensuring individuals are not locked into a single platform to exercise their rights. Critically, Consent Managers are prohibited from sub-contracting or assigning their core obligations to any other entity.

What This Means for Data Fiduciaries

Every Data Fiduciary that relies on consent as the lawful basis for processing must integrate with registered Consent Managers. This requires building or updating API infrastructure capable of receiving consent signals, recording them accurately, and acting on withdrawals without delay. Consent records must be retained for seven years.

This is not a trivial technical exercise. Organisations should begin scoping this integration now, well ahead of the November 2026 deadline, to avoid a last-minute scramble.

Rule 5: Processing of Personal Data for State Functions

Data protection in India under the DPDP framework recognises that not every processing activity requires explicit consent obtained through a formal notice. Rule 5 specifies the standards and conditions under which the State and its instrumentalities may process personal data for providing subsidies, benefits, services, licences, certificates, and permits.

Key Conditions Under Rule 5

  • Processing must be for a specified and lawful State purpose, such as issuing government benefits or carrying out official functions under Indian law
  • The State must implement reasonable security safeguards consistent with Rule 6
  • Personal data collected for one State purpose cannot be used for a different purpose without separate authorisation
  • The State must publish, in a prescribed manner, the categories of personal data it collects and the purposes of such processing

Why This Matters for Private Data Fiduciaries

While Rule 5 primarily governs the State, private Data Fiduciaries that act as technology partners, processors, or service providers to government bodies must understand the standards they are required to meet contractually. Any Data Processor engaged by the State must adhere to the security and processing standards mandated by Rule 5 and the Second Schedule of the Rules.

Rule 6: Security Safeguards

Rule 6 establishes the minimum security measures every Data Fiduciary must implement to protect the personal data they hold. The framework is risk-based rather than prescriptive. There is no universal checklist. Each organisation must assess its own threat landscape and implement safeguards proportionate to the nature, sensitivity, and volume of data it processes.

Minimum Measures Required

  • Encryption, obfuscation, masking, or tokenisation of personal data
  • Access controls on all computer resources that store or process personal data
  • Logging and monitoring systems capable of detecting unauthorised access
  • Data backup and business continuity measures
  • Retention of access logs and personal data records for a minimum of one year
  • Contractual safeguards with every Data Processor handling data on the Fiduciary’s behalf
  • Appropriate technical and organisational measures calibrated to the organisation’s specific risk profile

The Proportionality Principle

A health-tech platform processing sensitive medical records or a fintech company handling financial transaction data operates at a different risk level than a small e-commerce retailer with basic customer information. Rule 6 places the responsibility on each Data Fiduciary to make that proportionality judgment honestly and document it clearly.

Security teams should use Rule 6 as the foundation for a formal gap assessment, mapping current controls against each requirement and producing a remediation roadmap with clear timelines and ownership before May 2027.

Rule 7: Breach Notification

Breach notification is one of the most operationally demanding obligations in data protection in India under the new rules. When a personal data breach occurs, the Data Fiduciary must act on two fronts simultaneously and without delay.

Notifying Affected Data Principals

Each affected individual must receive a notification through their user account or registered communication channel. The notification must include:

  • A clear description of the breach and what occurred
  • The likely consequences of the breach for the individual
  • The mitigation measures the Data Fiduciary has already taken
  • Safety steps the individual should take to protect themselves
  • Contact details for raising further queries

Reporting to the DPBI

The DPBI must be intimated without delay once the Data Fiduciary becomes aware of the breach. A comprehensive follow-up report is then due within seventy-two hours of becoming aware of it, or within such longer period as the Board allows on a written request. This report must cover:

  • Updated details of the breach
  • The circumstances in which it occurred and the root cause
  • Remedial actions taken by the Data Fiduciary
  • Findings regarding the person or system responsible
  • A summary of all notifications sent to affected individuals

The Operational Reality

Seventy-two hours is a tight window, particularly for organisations that discover breaches outside business hours, across distributed systems, or involving third-party Data Processors. Without a pre-built incident response plan, ready-to-use communication templates, and clearly assigned internal ownership, meeting this deadline is extremely difficult. Building that infrastructure now is a compliance requirement, not a future enhancement.

Rule 8: Data Erasure Timelines

Rule 8 introduces specific and enforceable data erasure obligations, drawing a clear distinction between large-scale Data Fiduciaries and smaller organisations.

Who Does the Three-Year Erasure Rule Apply To?

  • E-commerce entities with two crore or more registered users
  • Social media intermediaries with two crore or more users
  • Online gaming intermediaries with fifty lakh or more users

For these organisations, personal data must be erased once three years have passed without the Data Principal approaching the organisation for the specified purpose or exercising any rights. The three-year period is counted from that last contact or from the commencement of the Rules, whichever is later, so the clock for existing dormant accounts does not start before the Rules take effect. The Third Schedule of the Rules specifies the exact class of Data Fiduciaries and their corresponding erasure timelines.

The Forty-Eight-Hour Pre-Erasure Notice

Before carrying out erasure, the Data Fiduciary must give the individual at least forty-eight hours’ advance notice. This gives the person an opportunity to log in, take action, or contact the organisation before their data is permanently deleted. Erasure must be complete and verifiable, not just a flag in a database.

The Universal One-Year Retention Floor

Every Data Fiduciary, regardless of size or user base, must retain personal data and processing logs for a minimum of one year from the date of processing. This floor exists to support breach detection, investigation, and regulatory inquiry by the DPBI.

Rule 9: Contact Information of the Data Protection Officer

Rule 9 is brief but operationally important. It requires every Data Fiduciary to prominently publish, on its website or app, the business contact information of its Data Protection Officer (DPO) if one is appointed, or an alternate person who can answer questions about the processing of personal data on behalf of the organisation.

What This Means in Practice

  • The DPO or designated contact must be clearly identified and easily reachable by any Data Principal
  • This contact information must also appear in every response the Data Fiduciary sends to a Data Principal exercising their rights under the Act
  • For Significant Data Fiduciaries, a DPO is mandatory. For other Data Fiduciaries, the Rules require at minimum a named individual capable of responding to data-related queries

Organisations that currently have no publicly accessible point of contact for data-related queries must create one before May 2027.

Rule 10: Verifiable Consent for Processing Children’s Personal Data

Rule 10 imposes strict obligations on Data Fiduciaries when the Data Principal is a child, defined under the DPDP Act as any individual below the age of eighteen years.

Key Obligations

  • Verifiable parental consent: Before processing a child’s personal data, the Data Fiduciary must obtain verifiable consent from the child’s parent or legal guardian. The parent must be an identifiable adult, verified through reliable identity and age details already available with the Data Fiduciary, or through a Digital Locker service provider or other authorised token system.
  • No tracking or behavioural monitoring: Data Fiduciaries are prohibited from tracking or monitoring the behaviour of children.
  • No targeted advertising: Directing targeted advertisements at children based on their personal data is expressly prohibited.
  • Due diligence on who is consenting: Data Fiduciaries must adopt appropriate technical and organisational measures to ensure that verifiable parental consent is actually obtained, including checking that the person identifying themselves as the parent is an identifiable adult.

Exemptions Under the Fourth Schedule

Certain classes of Data Fiduciaries are exempted from the parental consent and tracking restrictions under specific conditions. Clinical establishments and healthcare providers processing children’s data for health services, and educational institutions processing data for educational purposes or child safety, may qualify for limited exemptions as detailed in the Fourth Schedule. However, these exemptions are purpose-specific and narrow. Most organisations cannot rely on them.

Rule 11: Verifiable Consent for Persons with Disabilities

Rule 11 extends the same level of protection offered to children under Rule 10 to persons with disabilities who have a lawful guardian.

Key Requirements

  • Where a person with a disability is unable to exercise legal decision-making capacity even with support, their lawful guardian must provide verifiable consent for the processing of their personal data
  • The Data Fiduciary must verify that the person claiming to be a lawful guardian holds that authority under the applicable law, such as the Rights of Persons with Disabilities Act, 2016
  • The same restrictions on behavioural tracking and targeted advertising that apply to children also apply to personal data processed under Rule 11

This rule ensures that the DPDP framework does not inadvertently exclude India’s population of persons with disabilities from meaningful data protection.

Rule 13: Heightened Obligations for Significant Data Fiduciaries

Significant Data Fiduciaries represent the highest tier of accountability in India’s data protection framework. The Central Government designates organisations as SDFs based on the volume and sensitivity of data they process and the potential risk they pose to individual rights, national security, or public order.

Additional Obligations for Significant Data Fiduciaries

  • Annual DPIAs and audits: SDFs must conduct Data Protection Impact Assessments and independent audits at least once every twelve months and submit a report of significant observations to the DPBI.
  • Algorithmic accountability: SDFs must verify that the algorithmic software used for processing personal data does not pose a risk to the rights of Data Principals. This covers recommendation systems, automated decision-making tools, and any other algorithmic process applied to personal data at scale.
  • Data localisation: SDFs must ensure that specific categories of personal data, as notified by the Central Government, are not transferred outside India.
  • Mandatory DPO: SDFs must appoint a Data Protection Officer who is an individual responsible to the Board of Directors or equivalent governing body of the organisation.

What This Means in Practice

SDF obligations require governance structures capable of sustaining annual audit and DPIA cycles, conducting algorithmic risk reviews across product and engineering teams, maintaining data localisation controls on an ongoing basis, and supporting a DPO with sufficient seniority and independence to report directly to the board. Organisations that wait for a formal SDF designation before preparing will find themselves significantly behind. The principle here is direct: the greater the data handling power, the greater the accountability.

Rule 14: Rights of Data Principals and Grievance Redressal

Rule 14 operationalises the rights available to Data Principals under the DPDP Act and sets enforceable standards for how Data Fiduciaries must facilitate those rights.

What Rights Do Data Principals Have?

  • Right to access: The individual can request a summary of their personal data being processed and the names of all Data Processors with whom their data has been shared.
  • Right to correction and erasure: The individual can request correction of inaccurate or incomplete data, and erasure of data that is no longer necessary for the purpose for which it was collected.
  • Right to nominate: Under section 14 of the Act, a Data Principal can nominate another individual to exercise their data rights on their behalf in the event of death or incapacity.
  • Right to withdraw consent: The individual can withdraw consent at any time. Upon withdrawal, the Data Fiduciary must cease processing the data for those purposes and cannot make withdrawal a condition for denying unrelated services.
  • Right to grievance redressal: If a Data Fiduciary fails to respond to or resolve a rights request, the Data Principal can escalate the matter to the DPBI.

What Data Fiduciaries Must Do

  • Prominently publish on their website or app the means through which Data Principals can submit rights requests, along with any identifiers such as customer IDs, email addresses, or application numbers needed to identify the individual
  • Publish the period within which they will respond to grievances, which must not exceed ninety days, and implement the measures needed to meet that period
  • Respond to and resolve every grievance within the published period, and in any case within ninety days of receipt

The Practical Implication

An inaccessible or dysfunctional rights mechanism is itself a compliance failure. Organisations need a clear, accessible, and operational channel for rights requests. Burying a form in an obscure section of a website does not meet the spirit or the letter of Rule 14.

Rule 15: Transfer of Personal Data Outside India

Rule 15 operationalises India’s framework for cross-border data transfers, adopting a “negative list” approach rather than the adequacy or whitelist mechanisms found under GDPR and other global privacy regimes.

How the Negative List Model Works

Under Rule 15, cross-border transfers of personal data are permitted to any country or territory unless the Central Government expressly restricts or prohibits transfer to that jurisdiction. This is a significant departure from more restrictive models and offers Indian businesses greater operational flexibility in global data flows.

However, this flexibility comes with important conditions:

  • Transfers remain subject to any general or special orders issued by the Central Government restricting access to personal data by foreign states or their controlled entities
  • Significant Data Fiduciaries face additional data localisation obligations for categories of personal data specifically notified by the Central Government, which must not be transferred outside India under any circumstances
  • Even where transfer is permitted, all other obligations of the DPDP Rules continue to apply to the data throughout its lifecycle abroad, including rights of access, correction, and erasure under Rule 14

What Organisations Must Do

Data Fiduciaries that transfer personal data internationally must build a monitoring mechanism capable of tracking and applying any government orders that restrict transfers to specific jurisdictions. Organisations must also be prepared to migrate data assets if a country is subsequently placed on the negative list. For regulated sectors and government contractors, offshore storage carries heightened compliance risk that requires specific governance attention.

What Organisations Must Do Right Now

The May 2027 deadline may feel distant, but eighteen months narrow quickly once you account for technology changes, vendor procurement, policy rewrites, legal reviews, and staff training. Compliance under the DPDP Rules is not a single task. It is a structured programme that requires clear ownership, a realistic timeline, and sustained organisational commitment.

1. Conduct a Data Audit

Before any Data Fiduciary can build a compliant framework, it must understand exactly what data it holds, why, and on what basis.

  • Map every category of personal data collected across all products, services, and touchpoints
  • Identify the lawful basis for each processing activity: consent, one of the “certain legitimate uses” in section 7 of the Act (the enacted law dropped the earlier draft’s “deemed consent” term), or a State function or legal obligation
  • Document where personal data is stored, who has access, and current retention periods
  • Identify all third-party Data Processors and assess whether existing contracts meet the safeguard and security requirements of Rule 6

2. Revise Every Consent Notice

Most existing privacy policies and consent notices will not meet the requirements of Rule 3.

  • Audit every notice against the standalone requirement and remove all cross-references to other documents
  • Ensure notices include an itemised data description, specific processing purposes, and a service description
  • Add a direct communication link for consent withdrawal, rights exercise, and DPBI complaints
  • Make notices available in English and in the Eighth Schedule languages relevant to your user base, so that each Data Principal can read the notice in the language of their choice

3. Prepare for Consent Management Under the DPDP Act

Consent Management under the DPDP Act will change how organisations receive and record consent from November 2026.

  • Identify which registered Consent Managers your organisation will need to integrate with
  • Begin technical scoping for API infrastructure that handles consent signals in real time
  • Ensure systems can process consent withdrawals received through a Consent Manager immediately and without manual intervention
  • Build consent record retention infrastructure capable of storing records for seven years
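The record-keeping half of this step (and the withdrawal handling described under Rule 4 above) is easier to see in code. The following is an added illustration, not code from the Rules, from any Consent Manager, or from this page's source: an append-only ledger in which every grant and withdrawal is an event ordered by the principal's own timestamp (so a withdrawal relayed late by a Consent Manager still takes effect from when it was made), a per-purpose "may we process?" check derived from those events rather than from a mutable flag, and a retention purge that never discards the current event for a purpose. The event fields, the identifiers, the `source` attribute and the seven-year retention constant are assumptions made for the example; the sample data is constructed.

```python
"""Append-only consent ledger (added example, not from the DPDP Rules).
Grants and withdrawals are immutable events; the current answer to
"may we process this principal's data for this purpose?" is derived
from them, so a withdrawal never overwrites the record of the grant."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

RETENTION = timedelta(days=7 * 365)  # assumed seven-year horizon, approximated in days


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Timezone-aware timestamp helper used by the sample data."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str      # "grant" or "withdraw"
    at: datetime     # when the principal acted, not when the signal arrived
    source: str      # "direct" or an identifier for the relaying Consent Manager (assumed field)


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        """Append only; nothing already recorded is ever rewritten."""
        if event.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action {event.action!r}")
        if event.at.tzinfo is None:
            raise ValueError("event timestamps must be timezone-aware")
        self._events.append(event)

    def _latest(self, principal_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        """Most recent event for (principal, purpose) effective at `at`.
        Ordering is by the event's own timestamp, so a withdrawal that a
        Consent Manager relays late still counts from the moment the
        principal actually withdrew, not from when the API call landed."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose and ev.at <= at:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest

    def is_permitted(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """Processing is permitted only if the latest effective event is a grant."""
        latest = self._latest(principal_id, purpose, at)
        return latest is not None and latest.action == "grant"

    def history(self, principal_id: str) -> List[ConsentEvent]:
        return [ev for ev in self._events if ev.principal_id == principal_id]

    def purge_expired(self, now: datetime) -> int:
        """Drop events older than RETENTION, but never the latest event of a
        (principal, purpose) pair: dropping a still-current grant would
        silently turn permitted processing into unlawful processing.
        Returns the number of events removed."""
        current: Dict[Tuple[str, str], ConsentEvent] = {}
        for ev in self._events:
            key = (ev.principal_id, ev.purpose)
            if key not in current or ev.at >= current[key].at:
                current[key] = ev
        survivors = [
            ev for ev in self._events
            if now - ev.at <= RETENTION or current[(ev.principal_id, ev.purpose)] is ev
        ]
        removed = len(self._events) - len(survivors)
        self._events = survivors
        return removed


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data, not real records: one principal, two
    purposes, and a marketing withdrawal relayed by a Consent Manager."""
    ledger = ConsentLedger()
    t0 = utc(2026, 11, 20, 9)
    ledger.record(ConsentEvent("dp-1001", "service-delivery", "grant", t0, "direct"))
    ledger.record(ConsentEvent("dp-1001", "marketing", "grant", t0, "direct"))
    ledger.record(ConsentEvent("dp-1001", "marketing", "withdraw", utc(2026, 12, 20, 9), "cm-example-id"))
    return ledger
```

Two design choices carry the compliance weight here: withdrawal of one purpose leaves the other purposes untouched, so a user who withdraws marketing consent can still be served, and the purge keeps the current event for every purpose even once it is older than the retention horizon, because a grant that is still relied on must remain provable.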

4. Run a Security Gap Assessment

Rule 6 requires safeguards proportionate to your risk profile. That assessment must come before any remediation work begins.

  • Map current security controls against each requirement in Rule 6
  • Assess the sensitivity and volume of data processed to determine the appropriate safeguard level
  • Identify specific gaps in encryption, access controls, logging, monitoring, and backup systems
  • Produce a time-bound remediation roadmap with named owners for each action item
  • Review and strengthen contracts with all Data Processors to include the required security obligations

5. Build an Incident Response Plan

The seventy-two-hour breach reporting window under Rule 7 leaves no room for improvisation.

  • Appoint a designated incident response lead with clear authority to act
  • Draft breach notification templates for both affected individuals and the DPBI
  • Define internal escalation paths that function outside business hours and across distributed teams
  • Run tabletop exercises to test whether your organisation can realistically meet the seventy-two-hour reporting window
  • Ensure monitoring and detection systems can trigger the response process automatically

6. Design Data Erasure Workflows

For Data Fiduciaries that cross the Rule 8 user thresholds, erasure is a legal obligation and must be systematic and verifiable.

  • Confirm whether your organisation meets the applicable user thresholds under the Third Schedule
  • Build automated workflows to identify personal data that has been inactive for three years
  • Design and implement the forty-eight-hour pre-erasure notification process
  • Ensure erasure is complete and auditable, with processing logs retained for the mandatory one-year minimum
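As an added worked example of the Rule 8 workflow described above and in this step (not code from the Rules or from this page's source), here is the erasure obligation as a small scheduler: a decision function that applies the three-year inactivity test and the forty-eight-hour notice window, a pass that performs an actual deletion and writes an audit entry containing a hash of what was removed, and a verification check that refuses to call a record "erased" unless the data is gone and the log says so. The record and log field names are assumptions; the optional `floor` argument models counting inactivity only from a chosen start date and is an implementation choice for the example, not a quotation from the Rules. The sample account is constructed.

```python
"""Erasure scheduler for long-inactive accounts (added example, not from
the DPDP Rules): three-year inactivity check, 48-hour pre-erasure notice,
then a real deletion with an audit record that can be verified later."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional
import hashlib
import json

INACTIVITY_LIMIT = timedelta(days=3 * 365)  # "three years", approximated in days
NOTICE_LEAD = timedelta(hours=48)           # minimum notice before erasure


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


class Action(Enum):
    KEEP = "keep"               # principal is active; nothing to do
    SEND_NOTICE = "send_notice"
    WAIT = "wait"               # notice sent, 48 hours not yet elapsed
    ERASE = "erase"
    DONE = "done"               # already erased


@dataclass
class PrincipalRecord:
    principal_id: str
    last_contact: datetime                   # last login, request or rights exercise
    personal_data: Optional[Dict[str, str]]  # None once erased
    notice_sent_at: Optional[datetime] = None


@dataclass
class ErasureLog:
    """Append-only evidence of what was erased and when; kept separately
    from the data so it survives the deletion (retain at least one year)."""
    entries: List[Dict[str, str]] = field(default_factory=list)


def fingerprint(data: Dict[str, str]) -> str:
    """Stable SHA-256 over the canonical serialisation, so the log proves
    which version of the data was erased without storing the data itself."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def decide(rec: PrincipalRecord, now: datetime, floor: Optional[datetime] = None) -> Action:
    """Next step for one record. `floor` (assumption) is a date before which
    inactivity is not counted, so dormant accounts are not all erased on the
    first day the obligation applies."""
    if rec.personal_data is None:
        return Action.DONE
    clock_start = rec.last_contact if floor is None else max(rec.last_contact, floor)
    if now - clock_start < INACTIVITY_LIMIT:
        return Action.KEEP
    if rec.notice_sent_at is None:
        return Action.SEND_NOTICE
    if now - rec.notice_sent_at < NOTICE_LEAD:
        return Action.WAIT
    return Action.ERASE


def record_contact(rec: PrincipalRecord, at: datetime) -> None:
    """Any contact resets the inactivity clock and cancels a pending notice."""
    rec.last_contact = at
    rec.notice_sent_at = None


def run_cycle(rec: PrincipalRecord, now: datetime, log: ErasureLog,
              floor: Optional[datetime] = None) -> Action:
    """Apply one scheduler pass and return the action that was taken."""
    action = decide(rec, now, floor)
    if action is Action.SEND_NOTICE:
        rec.notice_sent_at = now  # the notice itself would be sent here
    elif action is Action.ERASE:
        assert rec.personal_data is not None and rec.notice_sent_at is not None
        fp = fingerprint(rec.personal_data)
        rec.personal_data = None  # real deletion, not a soft-delete flag
        log.entries.append({
            "principal_id": rec.principal_id,
            "notice_sent_at": rec.notice_sent_at.isoformat(),
            "erased_at": now.isoformat(),
            "fingerprint": fp,
        })
    return action


def verify_erased(rec: PrincipalRecord, log: ErasureLog) -> bool:
    """Erasure is verifiable only if the data is gone AND the log records it."""
    return rec.personal_data is None and any(
        e["principal_id"] == rec.principal_id for e in log.entries)


def demo() -> Dict[str, object]:
    """Constructed sample: one account silent since May 2023 walked through
    three scheduler passes 24 hours apart. Returns the actions taken."""
    log = ErasureLog()
    rec = PrincipalRecord("dp-2002", utc(2023, 5, 1),
                          {"name": "sample user", "email": "sample@example.invalid"})
    actions = [run_cycle(rec, utc(2027, 5, 14), log),   # SEND_NOTICE
               run_cycle(rec, utc(2027, 5, 15), log),   # WAIT (24 h elapsed)
               run_cycle(rec, utc(2027, 5, 16), log)]   # ERASE (48 h elapsed)
    return {"actions": actions, "verified": verify_erased(rec, log)}
```

Note the two edge cases the scheduler handles: a principal who logs in after the notice is sent has the notice cancelled by `record_contact` and is not erased, and a record whose data is already gone is reported as done rather than being erased twice and double-logged.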

7. Publish DPO or Contact Information

Rule 9 requires this to be prominently displayed across all digital touchpoints.

  • Appoint a Data Protection Officer if you are or are likely to be designated a Significant Data Fiduciary
  • For other Data Fiduciaries, designate a named individual capable of responding to data-related queries
  • Publish this contact information prominently on your website and app
  • Ensure the contact details are included in all responses to rights requests from Data Principals

8. Build a Rights Request Mechanism

Data Principals have enforceable rights under the Act and Rule 14 creates specific process obligations around how those rights are exercised.

  • Build a clear, accessible rights request process reachable through the communication link in your Rule 3 notice
  • Publish the identifiers required to submit a rights request, such as customer IDs or registered email addresses
  • Define and publish internal response timelines and ensure grievances are resolved within ninety days
  • Assign clear ownership and train legal, compliance, and customer-facing teams on how to handle requests correctly

9. Address Children’s and Disability Data Obligations

Rules 10 and 11 create design and process obligations that touch product, engineering, legal, and operations teams simultaneously.

  • Review onboarding and age verification flows to identify where children or persons with disabilities may be accessing your platform
  • Build verifiable parental or guardian consent mechanisms integrated with Digital Locker services or other authorised verification systems
  • Audit all data processing and advertising logic to remove behavioural tracking and targeted advertising directed at minors
  • Review the Fourth Schedule to determine whether any exemptions apply to your specific use case and document that determination clearly

10. Review Cross-Border Data Transfer Arrangements

Rule 15 affects every organisation that transfers personal data to servers, processors, or affiliated entities outside India.

  • Map all cross-border data flows and identify the jurisdictions involved
  • Build a monitoring mechanism to track Central Government orders restricting transfers to specific countries
  • Prepare a contingency data migration plan in the event a jurisdiction is added to the negative list
  • Ensure all contractual arrangements with offshore processors preserve the rights of Data Principals under Rule 14

11. Prepare for Significant Data Fiduciary Designation

If your organisation processes personal data at significant scale or sensitivity, SDF designation may be a matter of when, not if.

  • Assess your data processing activities against the likely SDF designation criteria, including volume, sensitivity, and risk to individuals
  • Begin building governance frameworks for annual DPIAs and independent audits
  • Initiate risk reviews of all algorithmic systems used for processing personal data
  • Appoint or identify a candidate for the mandatory DPO role and ensure the person has direct access to your board or senior governing body
  • Map categories of personal data that may be subject to data localisation requirements under Rule 15

12. Train Your People

Technology and policy changes deliver no compliance value if the people responsible for executing them are unprepared.

  • Run mandatory DPDP training for legal, compliance, IT, product, and customer support teams
  • Ensure senior leadership understands the regulatory risk, the timelines, and the resource commitment required
  • Create clear internal guidelines for handling data subject requests, breach events, consent withdrawals, and cross-border transfer decisions in day-to-day operations

Data protection in India has moved from a future regulatory concern to a present operational reality. Every Data Fiduciary now has a defined set of obligations, a regulatory body with enforcement powers, and a clear timeline within which to comply. The organisations that approach this work methodically, with clear ownership and genuine commitment at every level, will meet the May 2027 deadline with confidence. Those that wait will find themselves managing compliance under pressure, and in a regime with an active Data Protection Board, that is a risk no organisation should accept.
