18 Months to Compliance: What Every Business Must Know
INTRODUCTION

In August 2023, in a landmark move, the Indian legislature approved the Digital Personal Data Protection Act (DPDPA). The Act seeks to protect the personal data of citizens from unauthorised processing. It was considered the first step towards a more robust data protection legal landscape in India, but the delay in publishing the Rules made it difficult for data fiduciaries to begin complying with the Act, and compliance questions could not be answered objectively. The release of the Digital Personal Data Protection Rules (DPDP Rules) on 13 November 2025 complements the Act and brings the dormant data protection law of India to life.

PHASED IMPLEMENTATION

Rule 1 lays down a clear phased implementation plan for the operationalisation of the Rules:

1. First Phase: Rules 1, 2 and 17–21 – effective from 13 November 2025. The constitution of the Data Protection Board (DPB) and appointments to it commence. Over the next year, we can expect a functional DPB capable of steering the second phase of implementation.

2. Second Phase: Rule 4 – effective after one year, from 14 November 2026. Consent Managers must comply with the prescribed standards and formally register with the DPB.

3. Third Phase: Rules 3, 5–16, 22 and 23 – effective after 18 months, from 14 May 2027. Key operational obligations such as privacy notices, security safeguards, breach notifications, verifiable consent and cross-border transfer requirements come into force. This phase signals the need for data fiduciaries to make their systems, processes, products and services privacy-compliant well in advance.

Businesses therefore have a window of 18 months to get their privacy systems in place. This will involve revising internal policies and privacy notices, building mechanisms for data principals to exercise their rights, and hiring privacy professionals.

NOTICE REQUIREMENT

Section 5 of the DPDPA obliges the Data Fiduciary to give notice to the data principal.
Rule 3 states that such a notice must be presented in an understandable manner, independently of any other information. It must be in clear and plain language and must give every detail necessary to enable the data principal to give specific and informed consent, including a description of the personal data and the purpose of processing. The data fiduciary must also provide the communication link for accessing the website, app or other means through which the data principal may withdraw consent, exercise rights under the DPDPA and make a complaint to the Board. Businesses will therefore have to display compliant privacy notices, keeping in view the dominant languages of the different geographical locations they serve.

SECURITY SAFEGUARDS

Data fiduciaries are required to implement reasonable security safeguards to prevent personal data breaches. These include measures such as encryption, obfuscation or masking of personal data; control of access to the computer resources used by the data fiduciary; and monitoring, logging and review to detect unauthorised access. Where processing is carried out by a data processor on the fiduciary's behalf, the data fiduciary must contractually bind the processor to take the same measures. Businesses will have to procure the requisite technology and follow a privacy-by-design approach when offering goods and services.

INTIMATION OF BREACH

Section 8(6) of the DPDPA requires the data fiduciary to intimate the affected data principal and the Board of any personal data breach. Rule 7 supplements this provision and prescribes the contents of such an intimation: a description of the breach, including its nature, extent, timing and location; the likely consequences for the data principal; the measures implemented or proposed to mitigate the risk; the safety measures the data principal may take to protect her interests; and the contact information of a person able to respond to queries. The data fiduciary must intimate the Board of the breach without delay, and must furnish the detailed particulars to the Board within 72 hours of becoming aware of the breach (or such longer period as the Board may allow on a written request).
Businesses will therefore have to prepare comprehensive incident response plans that can satisfy both the content and the timing requirements of this provision: the detection and escalation path must produce the required particulars fast enough for the 72-hour reporting window.

DATA RETENTION AND ERASURE

Section 8(7) of the DPDPA obliges data fiduciaries to erase personal data when it is reasonable to assume that the specified purpose is no longer being served. Rule 8 read with the Third Schedule gives this obligation teeth by making erasure compulsory in certain situations. E-commerce entities with at least 2 crore registered users in India, online gaming intermediaries with at least 50 lakh registered users in India and social media intermediaries with at least 2 crore registered users in India, which process personal data for enabling data principals to access user accounts and virtual tokens, must erase such personal data if the data principal neither approaches the data fiduciary for performance of the specified purpose nor exercises her rights for a period of three years. That period runs from the date on which the data principal last approached the data fiduciary for performance of the specified purpose or exercise of rights, or the commencement of the DPDP Rules, 2025, whichever is latest; an account dormant since before the Rules commenced is therefore not erased on day one, but three years after commencement. At least 48 hours before the erasure, the data fiduciary must inform the data principal that the personal data will be erased unless she approaches the fiduciary for performance of the specified purpose or exercise of rights. Furthermore, all data fiduciaries must retain personal data, traffic data and other logs relating to processing for at least one year, so that they remain available for processing by the State or its instrumentalities for facilitating any function or in the interest of the sovereignty, integrity or security of the State. Robust records of what personal data is held, for what purpose and since when, must therefore be maintained at all times.
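The erasure rule above is easy to get wrong in a retention job, in particular the "whichever is latest" start of the three-year clock and the 48-hour prior notice. The following is an added illustration, not code from the original article or from any regulator: it encodes the thresholds and periods as stated on the page, assumes that "three years" is counted in calendar years, and assumes a daily batch run that must send the notice on the run before the 48-hour deadline elapses. The class names, the `Account` record and the sample accounts are constructed for the example.

```python
"""Illustrative Third Schedule erasure-schedule calculator (not the Rules' own text)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

UTC = timezone.utc
# Commencement of the Rules as stated on the page (first phase, Rule 1).
RULES_COMMENCEMENT = datetime(2025, 11, 13, tzinfo=UTC)
INACTIVITY_YEARS = 3                 # "three years" per the Third Schedule
PRIOR_NOTICE = timedelta(hours=48)   # notice to the data principal before erasure


class FiduciaryClass(Enum):
    ECOMMERCE = "e-commerce entity"
    ONLINE_GAMING = "online gaming intermediary"
    SOCIAL_MEDIA = "social media intermediary"
    OTHER = "other"


# Registered-user thresholds from the page: 2 crore = 20,000,000; 50 lakh = 5,000,000.
USER_THRESHOLDS = {
    FiduciaryClass.ECOMMERCE: 20_000_000,
    FiduciaryClass.ONLINE_GAMING: 5_000_000,
    FiduciaryClass.SOCIAL_MEDIA: 20_000_000,
}


def schedule_applies(kind: FiduciaryClass, registered_users: int) -> bool:
    """True when the fiduciary is in a Third Schedule class and meets its user threshold."""
    threshold = USER_THRESHOLDS.get(kind)
    return threshold is not None and registered_users >= threshold


def add_years(dt: datetime, years: int) -> datetime:
    """Calendar-year addition (assumption); a 29 February start lands on 28 February."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


@dataclass(frozen=True)
class ErasureSchedule:
    clock_start: datetime  # date from which the three-year period runs
    erase_on: datetime     # earliest moment the data may be erased
    notify_by: datetime    # latest moment to send the 48-hour prior notice


def erasure_schedule(kind: FiduciaryClass, registered_users: int,
                     last_approached: datetime) -> Optional[ErasureSchedule]:
    """Schedule under the Third Schedule, or None if only the general Section 8(7) duty applies."""
    if not schedule_applies(kind, registered_users):
        return None
    # "whichever is latest": the clock never starts before the Rules commenced, so an
    # account dormant since before 13 Nov 2025 is erased three years after commencement.
    clock_start = max(last_approached, RULES_COMMENCEMENT)
    erase_on = add_years(clock_start, INACTIVITY_YEARS)
    return ErasureSchedule(clock_start, erase_on, erase_on - PRIOR_NOTICE)


@dataclass(frozen=True)
class Account:
    account_id: str
    last_approached: datetime  # last login, purchase, rights request, etc.


def pending_actions(kind: FiduciaryClass, registered_users: int, accounts: list,
                    now: datetime, run_interval: timedelta = timedelta(days=1)) -> dict:
    """Map account id -> 'erase', 'notify' or 'wait' for one run of a periodic job.

    'notify' fires on the last run that can still meet the 48-hour deadline, i.e. when
    the next run would already be later than notify_by. Any activity by the data
    principal resets last_approached and so pushes the schedule out on the next run.
    """
    actions = {}
    for acct in accounts:
        sched = erasure_schedule(kind, registered_users, acct.last_approached)
        if sched is None:
            actions[acct.account_id] = "wait"
        elif now >= sched.erase_on:
            actions[acct.account_id] = "erase"
        elif now + run_interval > sched.notify_by:
            actions[acct.account_id] = "notify"
        else:
            actions[acct.account_id] = "wait"
    return actions


# Constructed sample data for a 3-crore-user e-commerce platform.
SAMPLE_KIND = FiduciaryClass.ECOMMERCE
SAMPLE_USERS = 30_000_000
SAMPLE_ACCOUNTS = [
    Account("acc-dormant-2019", datetime(2019, 6, 1, tzinfo=UTC)),   # idle since before the Rules
    Account("acc-active-2026", datetime(2026, 3, 1, tzinfo=UTC)),    # last seen after commencement
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.account_id, erasure_schedule(SAMPLE_KIND, SAMPLE_USERS, acct.last_approached))
    print(pending_actions(SAMPLE_KIND, SAMPLE_USERS, SAMPLE_ACCOUNTS, datetime(2028, 11, 11, tzinfo=UTC)))
```

The point a retention job must not miss is visible in the dormant account: its clock starts at commencement, not at its 2019 last login, so its erasure date is 13 November 2028 and the notice must go out no later than 11 November 2028. The `OTHER` class and sub-threshold fiduciaries get no Third Schedule date, but Section 8(7) still obliges them to erase data once the purpose is spent.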
Though neither the Act nor the Rules mandate the maintenance of a Record of Processing Activities (RoPA), the obligations outlined in the Rules mean that businesses will have to maintain and update RoPAs for effective compliance.

CONTACT INFORMATION

Data fiduciaries must publish the business contact information of the data protection officer or of any other person answerable on behalf of the data fiduciary. Such information must be given on the website, app or in every conversation related to the exercise of rights of a
