INTRODUCTION
In August 2023, in a landmark move, the Indian legislature approved the Digital Personal Data Protection Act (DPDPA). The Act sought to protect the personal data of citizens from unauthorised processing. It was seen as the first step towards a more robust data protection legal landscape in India, but the delay in the publication of the Rules made it difficult for data fiduciaries to begin complying with the Act. As a result, it has been difficult to navigate compliance-related issues objectively.
The release of the Digital Personal Data Protection Rules (DPDP Rules) on 13 November 2025 has complemented the Act and breathed life into India's dormant data protection law.
PHASED IMPLEMENTATION
Rule 1 lays down a clear phased implementation plan for the operationalization of the Rules:
1. First Phase:
Rules 1, 2 and 17–21 – Effective from 13 Nov 2025
The constitution and appointments of the Data Protection Board (DPB) will commence. Over the next year, we can expect a functional DPB capable of steering the second phase of implementation.
2. Second Phase:
Rule 4 – Effective after 1 year | 14 Nov 2026
In the second phase, Consent Managers must comply with prescribed standards and formally register with the DPB.
3. Third Phase:
Rules 3, 5–16, 22 and 23 – Effective after 18 months | 14 May 2027
Key operational obligations such as privacy notices, security safeguards, breach notifications, verifiable consent, and cross-border transfer requirements will come into force. This phase signals the need for data fiduciaries to make their systems, processes, products, and services privacy-compliant well in advance.
Therefore, businesses have a window of 18 months to get their privacy systems in place. This will involve revising internal policies and privacy notices, developing data subject rights mechanisms and hiring privacy professionals.
NOTICE REQUIREMENT
Section 5 of the DPDPA obliges the Data Fiduciary to send a notice to the data principal. Rule 3 states that such a notice must be presented in an understandable manner, independent of any other information. It must be in clear and plain language and must give all details necessary to enable the data principal to give specific and informed consent. This includes a description of the personal data and the purpose of processing. The data fiduciary should also provide the communication link for accessing the website, app or other means through which the data principal may withdraw consent, exercise rights under the DPDPA and make a complaint to the Board. Therefore, businesses will have to display compliant privacy notices, keeping in view the dominant languages in different geographical locations.
SECURITY SAFEGUARDS
Data fiduciaries are required to take reasonable security measures to prevent data breaches and protect personal data. This includes measures such as encryption, obfuscation or masking. Access to computer resources used by data fiduciaries must be controlled. Measures such as monitoring and review must be in place to detect unauthorised access. Moreover, the data fiduciary must be contractually bound to take such measures. Businesses will have to procure the requisite technology and focus on a privacy-by-design approach while offering goods and services.
INTIMATION OF BREACH
Section 8(6) of the DPDPA requires the data fiduciary to intimate the affected data principal and the Board of any personal data breach. Rule 7 supplements this provision and specifies the details of such an intimation. The intimation must include a description of the breach, its nature, extent, timing and location. It must also explain the consequences of the breach, the measures in place for mitigating the risk, any additional safety measures and the contact information of a person responsible for responding to queries in this regard. The data fiduciary is also required to intimate the Board of such a breach without any delay and within 72 hours. Therefore, businesses will have to prepare comprehensive incident response plans that are able to fulfil the requirements of this provision.
DATA RETENTION AND ERASURE
Section 8(7) of the DPDPA imposes an obligation on data fiduciaries to erase personal data when it is reasonable to assume that the specified purpose is no longer being served. Rule 8, read with the Third Schedule, gives effect to this obligation by providing for compulsory erasure in certain situations.
E-commerce entities with at least 2 crore registered users in India, online gaming intermediaries with at least 50 lakh registered users in India and social media intermediaries with at least 2 crore registered users in India, which process personal data to enable data principals to access user accounts and virtual tokens, are required to erase such personal data if the data principal does not approach the data fiduciary for the performance of the specified purpose or the exercise of rights.
The data to be erased must be related to a period of three years from the date on which the data principal last approached the data fiduciary for the performance of the specific purpose, exercise of rights or commencement of the DPDP Rules, 2025, whichever is earlier.
The data fiduciary must inform the data principals of its decision to erase the personal data 48 hours prior to the erasure and must also prescribe the means of avoiding it.
Furthermore, all data fiduciaries will be required to retain personal data, traffic data and other logs for at least one year for the purpose of processing by the State or its instrumentalities for facilitating any function or in the interest of the sovereignty, integrity or security of the State.
Therefore, robust records of personal data must be present at all times. Although neither the Act nor the Rules mandate the maintenance of a Record of Processing Activities (RoPA), considering the obligations outlined in the Rules, businesses will have to maintain and update RoPAs for effective compliance.
CONTACT INFORMATION
Data fiduciaries must publish the business contact information of the data protection officer or any other person answerable on behalf of the data fiduciary. Such information must be given on the website, app or in every communication related to the exercise of rights of a data principal. Businesses will have to designate specified persons to deal with the queries of data principals and design online mechanisms such as portals or dashboards through which concerns can be raised and rights exercised effectively.
PERSONAL DATA OF CHILD OR DISABLED PERSON
Section 9(1) of the DPDPA provides that a data fiduciary must obtain the verifiable consent of the parent or guardian before processing the personal data of a child. Rule 10 expands on this obligation and requires data fiduciaries to adopt technical and organisational measures to ensure that verifiable consent of the parent is obtained. It must be ensured that the individual identifying as the parent is an identifiable adult. This may be ensured by the following means:
1. Reliable details of identity and age available with the data fiduciary.
2. Details of identity and age provided by the individual.
3. Through a virtual token mapped to such details, issued by an authorised agency (DigiLocker or Aadhaar-based authentication may be used in such cases).
Rule 11 deals with the verifiable consent of persons with disabilities. In the case of a person with a disability, the data fiduciary must exercise due diligence to verify that the guardian has been appointed by a court of law, designated by an authority or appointed by a local level committee.
Therefore, businesses processing personal data of children should start building verification methods and provide user friendly and accessible means of obtaining parental consent.
SIGNIFICANT DATA FIDUCIARIES
Rule 13 provides additional obligations for significant data fiduciaries (SDFs). SDFs are required to undertake annual Data Protection Impact Assessments and audits to ensure observance of the DPDPA. The person carrying out the assessment or audit must present a report containing their observations to the Board. SDFs are further required to exercise due diligence to ensure that the algorithmic software they deploy does not pose risks to data principals. They must also ensure that personal data specified by the government is not transferred outside India. Although there is no clear definition of an SDF, businesses which deal with large volumes of personal data, process sensitive data, work in conjunction with the Government or State instrumentalities or use algorithms must take reasonable precautions to avoid liability.
RIGHTS OF DATA PRINCIPALS
Data fiduciaries and consent managers must publish on their app or website the means of making requests for the exercise of rights and the particulars of the data principal required for identification. Data principals may make requests to data fiduciaries to exercise their rights under the DPDPA. Data fiduciaries must respond to grievances of data principals within 90 days. The data principal has the right to nominate another person who may exercise the rights on their behalf. Therefore, proper ‘Data Principal Rights’ intake forms must be created in order to receive requests. Data flows must be mapped accurately in order to comply with requests for erasure, updation or completion.
HOW TO ACT?
The next 18 months will determine whether organisations emerge DPDP-ready or risk regulatory exposure, reputational harm, and compliance failure.
This is the time for businesses to move proactively:
- Audit current data flows and revise internal policies.
- Update privacy notices, consent systems, and user-facing disclosures.
- Create rights-management workflows and incident-response playbooks.
- Designate responsible officers and build data governance structures.
- Train teams to embed privacy across processes, products, and decision-making.