DPDP Rules: Major Takeaways

With the notification of the Digital Personal Data Protection Rules, 2025 (DPDP Rules) on 14 November 2025, India's implementation of the Digital Personal Data Protection Act, 2023 (DPDPA) has formally begun. Notified after an extensive consultation with stakeholders, the DPDP Rules supply the procedural detail and compliance mechanics of the Act: they will govern how organizations collect, process, store and erase personal data in the country, and how they respond to personal data breaches. With the Rules in place, India's data protection regime moves from statute on paper to an operational framework with concrete timelines and obligations. 

Phased Enforcement 

The DPDP Rules come into effect in a phased manner as follows: 

  1. Phase I (Immediate enforceability): The definitions contained in the DPDP Rules, 2025 came into force on 14 November 2025, so all stakeholders need to gain clarity on the implementation of the Act and the Rules on an urgent basis. In addition, the Data Protection Board of India (DPBI) was constituted on 13 November 2025, including the appointment of the Chairperson and all Board Members, so the DPBI can begin setting up a governance structure covering its administrative, procedural and quasi-judicial functions. This early constitution of the Board matters because the Board will oversee compliance, grievance redressal and enforcement under the DPDP regime. 

  2. Phase II (One year): The provisions on Consent Managers, including registration with the Board and the obligations set out in the Rules, take effect one year from notification, establishing a structured and secure framework for obtaining and managing Data Principal consent. 

  3. Phase III (18 months): The remaining provisions of the DPDP Rules, including those on Data Principal notice, reasonable security safeguards and data breach notification, take effect 18 months from the date of publication, allowing stakeholders adequate time to prepare for full compliance with the Act and its Rules. 

This transition period is intended to give Data Fiduciaries, Data Processors, Government entities and other stakeholders sufficient time to strengthen their compliance readiness. It enables organizations to train employees on data privacy and protection, revise internal policies in line with the DPDP Act, 2023, and build the operational capacity required for smooth and accountable implementation of the Rules once they become fully enforceable. 

Data Principal Notice 

A Data Principal notice, which the Data Fiduciary must provide before or at the time of seeking consent, must be presented separately from any other information and written in clear, plain, easily understandable language. It must give the Data Principal enough to make an informed decision: an itemized description of the personal data being collected, the specific purposes of processing, and the goods, services or uses that the processing enables. The notice must also provide a direct communication link to the Data Fiduciary's website or app (or both) and explain how the Data Principal can withdraw consent as easily as it was given, exercise rights under the Act, and make a complaint to the Board, so that processing of personal data is transparent, accessible and accountable from the outset. 

Consent Manager 

The DPDP Rules set out a detailed structure for the registration and responsibilities of a Consent Manager. As per the First Schedule, applications are invited from Indian companies with substantial technical, operational and financial capacity, including a minimum net worth of ₹2 crore, that can demonstrate sound governance, integrity and conflict-free operations, backed by detailed disclosures of promoters, directors, key managerial personnel and significant shareholders. A Consent Manager must provide Data Principals with a facility to give, manage, review and withdraw consent across Data Fiduciaries without itself having access to the personal data being shared; retain consent logs for at least seven years; implement strong security safeguards; avoid conflicts of interest; act independently; and submit to periodic audits. 

The Board supervises registration, may call for further information from an applicant, and may suspend or cancel a registration for non-compliance. Consent Managers and Data Fiduciaries alike must set out clear mechanisms through which Data Principals can exercise their rights, specify the authentication required to do so, and provide timely grievance redressal. In effect, only competent and trustworthy entities will handle consent, consent flows become standardized across the ecosystem, accountability is enhanced, and the rights of Data Principals under the DPDP Act are protected. 

Reasonable Security Safeguards 

Data Fiduciaries carry a heightened responsibility to protect the personal data they handle, and the DPDP Rules set clear expectations for reasonable security safeguards. They must implement technical measures such as encryption, masking, obfuscation and tokenization, together with strict access controls, to prevent unauthorized access and use. Continuous monitoring, logging and review mechanisms are required to detect, investigate and prevent security incidents, and backup and resilience measures must support continuity of processing if the confidentiality, integrity or availability of personal data is compromised. Logs and related data must be retained for at least one year to support breach investigation, and Data Fiduciaries must ensure that their contracts with Data Processors impose equivalent security requirements. 

Data Breach 

Under the DPDP Rules, in the event of a personal data breach the Data Fiduciary must notify both the affected Data Principals and the Data Protection Board of India (DPBI). Notification to Data Principals must be clear and concise and set out the nature, extent and timing of the breach, its likely consequences, the measures taken or planned to mitigate risk, the protective steps the Data Principal can take, and the contact details of a person who can answer queries. In parallel, the Data Fiduciary must inform the DPBI without delay on becoming aware of the breach and, within 72 hours (or such longer period as the Board allows on a written request), furnish detailed information: an expanded description of the breach, the circumstances that led to it, the mitigation measures taken, findings about the person responsible, the steps taken to prevent recurrence, and evidence that the affected Data Principals were notified. 

Data Retention and Deletion 

The DPDP Rules also fix timelines for how long certain classes of Data Fiduciaries may retain personal data processed solely to enable a user to access their account, or to access virtual tokens issued through the platform. E-commerce entities and social media intermediaries with two crore or more registered Indian users, and online gaming intermediaries with fifty lakh or more registered Indian users, must erase such data three years after the latest of: the date the Data Principal last approached the platform for the specified purpose, the date the Data Principal last exercised a right, or the commencement of the DPDP Rules. At least 48 hours before that period ends, the Data Fiduciary must inform the Data Principal that their personal data will be erased unless they log in or otherwise contact the platform to continue the specified purpose. This mechanism strengthens transparency, prevents indefinite retention, and keeps continued processing under the user's control. 

Separately, Data Fiduciaries (including the State and its instrumentalities) must retain personal data, associated traffic data and processing logs for at least one year for the purposes listed in the Seventh Schedule, which include national security, compliance with legal obligations and statutory disclosures, and enabling the Central Government to identify and notify a Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary. After this period the data must be erased unless another applicable law requires longer retention. 
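The three-year retention rule above turns on a small amount of date logic that is easy to get wrong in a batch job: the clock starts from the latest of three events, the 48-hour notice must precede erasure, and a login after the notice resets the clock. The following is an added illustration written for this page, not code from the Rules or from any platform; it assumes the user counts and timelines as described above, and it takes the commencement date as a parameter because which commencement date applies to this provision is a legal question, not something the code should hard-code.

```python
"""Erasure scheduler for the DPDP Rules three-year retention rule (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Registered-Indian-user thresholds for the covered classes, in plain digits
# (2 crore = 20,000,000; 50 lakh = 5,000,000).
IN_SCOPE_THRESHOLDS = {
    "e-commerce": 20_000_000,
    "social-media": 20_000_000,
    "online-gaming": 5_000_000,
}
RETENTION_YEARS = 3
NOTICE_LEAD = timedelta(hours=48)   # notice must go out at least 48 h before erasure


def in_scope(platform_class: str, registered_indian_users: int) -> bool:
    """True if this Data Fiduciary falls into a class covered by the retention rule."""
    threshold = IN_SCOPE_THRESHOLDS.get(platform_class)
    return threshold is not None and registered_indian_users >= threshold


def add_years(moment: datetime, years: int) -> datetime:
    """Calendar-year addition; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


@dataclass(frozen=True)
class Schedule:
    anchor: datetime      # latest of the three trigger events
    erase_at: datetime    # anchor + three years
    notify_by: datetime   # last moment at which a timely 48-hour notice can be sent


def erasure_schedule(last_access: Optional[datetime],
                     last_rights_exercise: Optional[datetime],
                     rules_commencement: datetime) -> Schedule:
    """Three years from the latest of last access, last rights exercise, or commencement.

    ASSUMPTION: the caller supplies the commencement date that applies to this
    provision; the example does not decide which phase date that is.
    """
    candidates = [t for t in (last_access, last_rights_exercise, rules_commencement)
                  if t is not None]
    anchor = max(candidates)
    erase_at = add_years(anchor, RETENTION_YEARS)
    return Schedule(anchor=anchor, erase_at=erase_at, notify_by=erase_at - NOTICE_LEAD)


def action(schedule: Schedule, now: datetime, notice_sent: bool) -> str:
    """What the retention job should do for one account right now.

    Design choice for this example: erasure never runs unless the notice has
    already gone out, so a missed notice delays erasure rather than skipping it.
    """
    if notice_sent and now >= schedule.erase_at:
        return "erase"
    if not notice_sent and now >= schedule.notify_by:
        return "notify"
    return "retain"


def demo() -> dict:
    """Constructed sample input: a dormant account on a large e-commerce platform."""
    commencement = datetime(2025, 11, 14, tzinfo=timezone.utc)   # assumed for illustration
    sched = erasure_schedule(
        last_access=datetime(2024, 6, 1, tzinfo=timezone.utc),   # constructed
        last_rights_exercise=None,
        rules_commencement=commencement,
    )
    return {
        "in_scope": in_scope("e-commerce", 25_000_000),
        "erase_at": sched.erase_at.isoformat(),
        "notify_by": sched.notify_by.isoformat(),
        "today": action(sched, datetime(2027, 1, 1, tzinfo=timezone.utc), notice_sent=False),
        "day_before": action(sched, datetime(2028, 11, 13, tzinfo=timezone.utc), notice_sent=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that for the constructed account the anchor is the commencement date, not the 2024 login, because the Rules take the latest of the three events; the notice window therefore opens in November 2028 even though the user has been dormant since mid-2024.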

Verifiable Consent for Minors and Persons with Disability 

The DPDP Rules introduce enhanced safeguards for the personal data of children and persons with disabilities through verifiable parental or guardian consent. For a child, a Data Fiduciary must obtain verifiable consent from a parent and must satisfy itself that the person giving consent is an identifiable adult who is in fact the child's parent. Verification can rely on identity and age information the Data Fiduciary already holds, information voluntarily provided by the parent, or a virtual token issued by an authorised entity. For a person with a disability whose consent is given by a lawful guardian, the Data Fiduciary must verify that the guardian is in fact authorised, whether appointed by a court, designated by a competent authority, or recognised under the applicable guardianship law. These measures ensure that the personal data of minors and persons with disabilities is processed only on lawful, verifiable consent, reducing the scope for misuse. 

Significant Data Fiduciary 

A Significant Data Fiduciary (SDF), as designated by the Central Government, must carry out a Data Protection Impact Assessment (DPIA) and an audit once every twelve months from the date of its designation, and must ensure that the person conducting the DPIA and audit submits a report of significant observations to the DPBI. SDFs must also exercise due diligence to verify that the technical measures and algorithmic software they use to process personal data do not pose a risk to the rights of Data Principals. In addition, an SDF must ensure that any category of personal data and associated traffic data that the Central Government specifies, on the recommendation of a committee it constitutes for the purpose, is processed subject to the restriction that such data is not transferred outside India. 

Conclusion  

The notification of the Digital Personal Data Protection Rules, 2025 marks a significant milestone in India's data protection journey, operationalizing the key aspects of the DPDPA, 2023. The Rules set out a structured, phased approach to enforcement, giving stakeholders time to prepare for full compliance while establishing governance early through the constitution of the Data Protection Board of India. They set clear expectations for Data Fiduciaries: transparent Data Principal notices, reasonable security safeguards, timely breach reporting, and defined retention and erasure timelines. Enhanced protections for minors and persons with disabilities through verifiable parental or guardian consent, together with the regulation of Consent Managers, bring accountability and standardization to consent flows. The framework for Significant Data Fiduciaries adds oversight of high-risk processing through DPIAs, audits, algorithmic due diligence and localization requirements. Collectively, these provisions aim to foster trust, accountability and responsible data handling, so that the rights of Data Principals are respected and safeguarded across India's digital ecosystem.