DPDP Rules 2025: What They Say, What They Mean, and What Your Business Must Do Now
They Are Here
On 13 November 2025, MeitY notified the Digital Personal Data Protection Rules, 2025.
After nearly two years of consultation, 6,915 stakeholder inputs, and public sessions across Delhi, Mumbai, Hyderabad, Bengaluru, and Chennai — the Rules are law.
The Act was the skeleton. The Rules are everything else — the operational requirements that tell businesses precisely how to comply. Here is what they say.
The Phased Rollout — Your Compliance Deadline
The Rules do not take full effect on a single date. Implementation is phased over 18 months from notification.
- From 13 November 2025 — Procedural provisions are in force. The Data Protection Board of India is formally established. Compliance planning must begin now.
- By 13 November 2026 — Consent Manager registration requirements take effect.
- By 13 March 2027 — All remaining substantive provisions come fully into force. Consent obligations, notices, rights of individuals, breach notification — all enforceable.
Eighteen months sounds like a long runway. Auditing your data, rebuilding consent flows, updating vendor contracts, and training teams takes considerably longer than most businesses anticipate. Start now.
Itemised Consent Notices
The Rules are specific about what a valid consent notice must contain. It must be itemised — each category of personal data listed alongside its specific purpose of processing, separately. Not a general overview. A granular, specific list.
The notice must be in plain language. And it must be available in Eighth Schedule languages — meaning if your users operate in Tamil, Telugu, Marathi, or any of the other scheduled languages, your notice must be accessible to them in those languages.
Breach Reporting — 72 Hours
The Rules confirm the breach notification timeline. When a personal data breach occurs, a Data Fiduciary must:
- Immediately notify affected Data Principals
- Submit an initial description of the breach to the Data Protection Board without delay
- Submit a full, detailed breach report to the Board within 72 hours of becoming aware of the breach
The 72-hour clock runs from the moment you become aware — not from when your investigation is complete. Partial information submitted on time is better than a complete report submitted late.
Failure to notify: up to ₹200 crore.
Data Retention and Deletion
Data Fiduciaries may only retain personal data for as long as the stated purpose of collection is being served. Once that purpose is fulfilled, the data must be deleted.
Two additional requirements introduced by the Rules:
- Individuals must be notified at least 48 hours before their data is erased
- System and processing logs must be retained for a minimum of one year for security, detection, and investigation purposes
Specific categories of businesses face a hard retention cap: e-commerce platforms with over 2 crore users, social media platforms, and online gaming platforms must delete user data within three years of last interaction, unless the user actively re-engages.
Cross-Border Data Transfers — Negative List, Not Whitelist
The final Rules take a notably business-friendly approach to cross-border data transfers. Rather than a whitelist of permitted countries, the Rules adopt a negative list model. Personal data can flow freely to all countries except those specifically restricted by the government.
The negative list has not yet been published. But the framework is significantly less restrictive than what was anticipated during the consultation period. Businesses with global operations, international cloud providers, or overseas parent companies should monitor the list when it appears.
Children's Data
Verifiable parental consent is required before processing personal data of anyone under 18. The Rules specify that verification cannot rely solely on self-declaration.
Three categories are exempt from the parental consent requirement: healthcare professionals, educational institutions, and certain prescribed functions. For all other businesses, the standard applies without exception.
Behavioural monitoring and tracking of minors remain prohibited regardless of consent.
The Data Protection Board — Fully Digital
The Board is established as a digital-first institution. Complaints are filed online. Cases are tracked through a dedicated portal. Hearings are conducted virtually. The Board will have four members, and its adjudicatory powers come into full force in March 2027.
Significant Data Fiduciaries
Significant Data Fiduciaries face a materially higher compliance standard under the Rules:
- Appointing a Data Protection Officer based in India
- Conducting annual Data Protection Impact Assessments
- Submitting to annual independent audits
- Completing algorithmic fairness assessments
- Meeting stricter technical due diligence requirements on processors
The government has not yet published its SDF designation list. Businesses processing large volumes of sensitive personal data in high-risk sectors should assess their exposure now.
What Has Not Changed
The Rules add procedural detail. They do not alter the Act's substantive framework. The definition of personal data, the four conditions for valid consent, the rights of Data Principals, the penalty structure, and the powers of the Data Protection Board — all remain as the Act established them. There is no provision in the Rules that reduces an obligation or narrows a right.
What to Do Right Now
Begin your data audit. Map what personal data you hold, where it lives, what it is used for, and who has access to it. This is the foundation of every compliance programme.
Redesign your consent notices. The itemised, plain-language, multilingual requirement is specific and non-negotiable. Most existing consent mechanisms do not meet it.
Document your cross-border data flows. Know exactly which countries your data flows to before the negative list is published.
Build your 72-hour breach response. The clock starts when you become aware. Automated detection, a clear internal escalation path, and a template notification are minimum requirements.
Assess your SDF exposure. If you could plausibly be designated a Significant Data Fiduciary, begin building toward those standards now.
The Bottom Line
The waiting is over. The Rules are notified, the Board is established, and the compliance clock is running.
March 2027 is the full compliance deadline. It is also, for businesses that start today, a reasonable amount of time to build a defensible programme. For businesses that start in January 2027, it will not be.