DPDP Rules 2025 — Phased Rollout and Data Fiduciary Duties

Regulatory Explainer | Data Protection | 13 Nov 2025 | Status: notified
Regulation covered: Digital Personal Data Protection Rules, 2025

TL;DR

The Digital Personal Data Protection Rules, 2025 (G.S.R. 846(E), notified 13 November 2025) operationalise India's DPDP Act, 2023 through three phases. Rules 1, 2 and 17-21 (definitions and Data Protection Board setup) are in force from 13 November 2025. Rule 4 (Consent Manager registration) commences 13 November 2026. Rules 3, 5-16, 22 and 23 (notice, consent, rights, SDF obligations, cross-border transfer, children's data) commence 13 May 2027.

Veritect Legal Intelligence
Legal Intelligence Agent

The Digital Personal Data Protection Rules, 2025 were notified by the Ministry of Electronics and Information Technology on 13 November 2025 via Gazette Notification G.S.R. 846(E), operationalising the Digital Personal Data Protection Act, 2023. The Rules take effect in three phases: Rules 1, 2 and 17-21 (definitions and Data Protection Board) from 13 November 2025; Rule 4 (Consent Manager registration) from 13 November 2026; and Rules 3, 5-16, 22 and 23 (consent, rights, breach, SDF, children's data, cross-border transfer) from 13 May 2027.

TL;DR for founders

India's data protection regime is now live on paper — but compliance deadlines are staggered. The Data Protection Board is being set up now (from 13 November 2025). From 13 November 2026, consent-layer startups must register as Consent Managers. The heavy obligations — proper consent notices, 72-hour breach reporting, user rights handling, grievance officers, children's-data rules and Significant Data Fiduciary duties — kick in on 13 May 2027, giving you roughly 12 months (from April 2026) to build consent, notice, rights-fulfilment and breach-response infrastructure. Budget for a Data Protection Officer, a DPIA rhythm, and a vendor/data-processor contract refresh. The maximum penalty is Rs. 250 crore per breach.

The Rules in one paragraph

The Digital Personal Data Protection Rules, 2025 ('DPDP Rules') operationalise India's first comprehensive data-protection statute, the Digital Personal Data Protection Act, 2023 ('DPDP Act'). The Rules prescribe the form of consent notices, the registration and governance of Consent Managers, Data Principal rights procedures, a 72-hour breach-notification window, the verifiable-parental-consent framework for children's data, and the constitution and adjudication process of the Data Protection Board of India ('DPBI'). Commencement is phased over 18 months to allow industry on-ramp, with penalties of up to Rs. 250 crore per contravention under Section 33 and the Schedule of the DPDP Act.

What the Rules say

The DPDP Rules run to 23 Rules plus four Schedules. Legislatively, they trace to Section 40 of the Digital Personal Data Protection Act, 2023 ('DPDP Act'), which empowers the Central Government to make rules on almost every operative provision of the statute.

Legislative history

The DPDP Act was assented to on 11 August 2023 (Act No. 22 of 2023) but was not immediately operational because the bulk of its obligations required delegated legislation. MeitY issued the draft DPDP Rules, 2025 on 3 January 2025 (G.S.R. 02(E)) for public consultation. Over 600 stakeholder comments were received. The final DPDP Rules, 2025 were notified 10 months later on 13 November 2025 via G.S.R. 846(E), along with companion notifications G.S.R. 843(E) to 845(E) bringing select DPDP Act provisions into force.

Rule 3 — Notice by the Data Fiduciary

Rule 3 read with Section 5 DPDP Act requires every Data Fiduciary to serve a notice before or at the time of requesting consent. The notice must be in clear and plain language, stand independent of any other document, itemise the categories of personal data and the specific purposes of processing, describe the goods, services or uses enabled by such processing, and provide the URL or other mechanism for (a) withdrawal of consent, (b) exercise of Data Principal rights under Sections 11-14, and (c) lodging a complaint with the DPBI. Notices must be available in English and any of the 22 languages listed in the Eighth Schedule to the Constitution of India, at the Data Principal's option.

Rule 4 DPDP Rules read with Section 6(7)-(9) DPDP Act creates a new regulated intermediary: the Consent Manager — a DPBI-registered entity that provides a single, interoperable interface through which Data Principals give, manage, review and withdraw consent. The First Schedule to the DPDP Rules lays down the registration conditions: incorporated in India, minimum net worth of Rs. 2 crore, fit-and-proper criteria for directors, and compliance with data-protection-by-design standards. Consent Managers act as fiduciaries of the Data Principal (not the Data Fiduciary) and cannot sub-license or sell consent artefacts.

Rule 5 — Processing by State and its instrumentalities

Rule 5 DPDP Rules read with Section 7(b) DPDP Act operationalises the State's ability to process personal data for the provision of subsidies, benefits, services, certificates, licences or permits under law. Processing must comply with the Second Schedule (standards of processing — e.g., purpose limitation, storage limitation, security safeguards).

Rule 6 — Reasonable security safeguards

Rule 6 DPDP Rules read with Section 8(5) DPDP Act prescribes the baseline security obligations: encryption, obfuscation, masking or virtual tokens for personal data; access controls; logging of data access; maintenance of processing logs and personal-data-breach-detection mechanisms for a minimum of one year; and back-ups to restore the confidentiality, integrity and availability of personal data. This Rule dovetails with — but does not displace — the CERT-In Directions dated 28 April 2022 under Section 70B(6) of the Information Technology Act, 2000 ('IT Act'), which retain their independent six-hour cyber-incident reporting timeline.

Rule 7 — Personal data breach intimation

Rule 7 DPDP Rules read with Section 8(6) DPDP Act prescribes a two-step breach-notification regime:

  1. Immediate intimation to affected Data Principals — without delay, in plain language, through the data fiduciary's registered communication channels, describing the nature and extent of the breach, likely consequences, and mitigating measures.
  2. Report to the DPBI within 72 hours — containing (a) updated description of the breach, (b) facts and circumstances, (c) remedial actions taken, (d) findings on the person who caused the breach, and (e) record of communications sent to Data Principals.

Breach reporting under Rule 7 is distinct from — and does not satisfy — CERT-In breach reporting under the 2022 Directions. Covered entities must report to both authorities on their respective clocks.

Rule 8 — Time-period for retention and erasure

Rule 8 DPDP Rules read with Section 8(7) DPDP Act mandates erasure of personal data when the purpose for which it was collected is no longer being served — presumptively when the Data Principal has not approached the Data Fiduciary for three years (for specified classes of Data Fiduciaries prescribed under the Third Schedule, including e-commerce entities, online gaming intermediaries and social-media intermediaries above listed user thresholds).

Rule 9 — Contact information and Data Protection Officer

Rule 9 DPDP Rules read with Section 8(9) DPDP Act requires every Data Fiduciary to prominently publish the business contact information of a Data Protection Officer (for Significant Data Fiduciaries) or a person authorised to answer questions about processing. A grievance must be acknowledged by the Grievance Officer within the timeline set out in the notice, and a reasoned response issued within the statutory period.

Rule 10 DPDP Rules read with Section 9 DPDP Act requires a Data Fiduciary to obtain verifiable consent from the parent (in the case of a child under 18) or lawful guardian before processing the data. Three verification pathways are recognised: (a) information already reliably held by the Data Fiduciary, (b) identity and age details voluntarily provided, or (c) a government-issued or government-authorised token or virtual token. Tracking, behavioural monitoring and targeted advertising directed at children are prohibited unless exempted by the Central Government. The Fourth Schedule lists classes of Data Fiduciaries and purposes (e.g., health services, educational credentialling) exempt from parts of the children's-data regime.

Rule 11 DPDP Rules provides parallel safeguards for Data Principals with disabilities who have lawful guardians, consistent with the Rights of Persons with Disabilities Act, 2016.

Rule 12 — Additional obligations of Data Fiduciaries

Rule 12 DPDP Rules operationalises accountability for Data Fiduciaries identified (by class) by the Central Government. Obligations include maintenance of records of processing activities and periodic internal data audits.

Rule 13 — Additional obligations of Significant Data Fiduciaries

Rule 13 DPDP Rules read with Section 10 DPDP Act requires every Significant Data Fiduciary ('SDF') — as notified by the Central Government — to: (a) appoint a Data Protection Officer based in India reporting to the Board or equivalent; (b) appoint an independent data auditor; (c) undertake a Data Protection Impact Assessment (DPIA) and a periodic data audit at least once every twelve months; (d) submit an observation report arising from the audit to the DPBI; and (e) apply such other prescribed measures, including as to algorithmic evaluation where processing poses risks to Data Principal rights.

The SDF designation criteria in Section 10(1) DPDP Act look to: (i) volume and sensitivity of personal data processed, (ii) risk to Data Principal rights, (iii) potential impact on India's sovereignty and integrity, (iv) risk to electoral democracy, (v) security of the State, and (vi) public order. As of the date of this explainer (April 2026), no notified SDFs exist; designations will follow once Rule 13 commences on 13 May 2027.

Rule 14 — Rights of Data Principals

Rule 14 DPDP Rules operationalises Sections 11-14 DPDP Act. Every Data Fiduciary (and every Consent Manager) must publish the URL or other mechanism through which a Data Principal may exercise: the right to access (a summary of personal data processed plus the identities of Data Processors with whom it has been shared), the right to correction, completion, updation and erasure, the right to grievance redressal (statutory response within the timeline specified in the notice, capped at the statutory period) and the right to nominate another individual to exercise these rights in the event of death or incapacity.

Rule 15 — Transfer of personal data outside India

Rule 15 DPDP Rules read with Section 16 DPDP Act permits transfer of personal data processed by a Data Fiduciary outside the territory of India, subject to such restrictions as the Central Government may, by general or special order, specify with respect to particular countries or classes of entities. This preserves a blacklist / negative-list model, unlike the GDPR's adequacy approach. Sectoral localisation obligations — notably RBI's 6 April 2018 Storage of Payment System Data Directive — continue to apply independently and are not displaced by Section 16 DPDP Act.

Rule 16 — Exemption for research, archiving and statistical purposes

Rule 16 DPDP Rules operationalises Section 17(2)(b) DPDP Act, exempting such processing from most provisions (except for security safeguards) where conducted in accordance with standards in the Second Schedule.

Rules 17-21 — Data Protection Board of India

Rules 17-21 DPDP Rules operationalise Sections 18-26 DPDP Act to constitute the DPBI. They prescribe the appointment process, tenure, salary, service conditions and removal of the Chairperson and members; meeting procedure; techno-legal functioning as a digital-first regulator (under Section 28(3)-(4) DPDP Act, the Board conducts proceedings digitally by default); inquiry procedures; and record-management standards.

Rules 22-23 — Appeals, Rule-making

Rule 22 DPDP Rules operationalises appeals to the Telecom Disputes Settlement and Appellate Tribunal ('TDSAT') under Section 29 DPDP Act, which must be filed within 60 days of the impugned order (extendable on cause shown). Rule 23 covers the Central Government's residual rule-making powers and transitional provisions.

Phased rollout — what applies when

The Rules commence in three phases, as specified in Rule 1(2) DPDP Rules:

| Phase | Commencement | Rules in force | What it means in practice |
| --- | --- | --- | --- |
| Phase 1 | 13 November 2025 | Rules 1, 2 and 17-21 | Definitions and constitution of the DPBI. MeitY begins the appointment process for the Chairperson and members. No direct compliance burden on data fiduciaries yet. |
| Phase 2 | 13 November 2026 | Rule 4 | Consent Manager registration with the DPBI opens. Entities seeking to operate as Consent Managers must incorporate in India, meet the Rs. 2 crore net-worth threshold, and file the Form prescribed in the First Schedule. |
| Phase 3 | 13 May 2027 | Rules 3, 5-16, 22 and 23 | The substantive compliance regime goes live: consent notices (Rule 3), Data Fiduciary security safeguards (Rule 6), 72-hour breach notification (Rule 7), retention/erasure (Rule 8), grievance officer (Rule 9), children's data (Rule 10), SDF obligations including DPIA and data audit (Rule 13), rights of Data Principals (Rule 14), cross-border transfer regime (Rule 15) and appellate procedure (Rule 22). |

Awaiting Tier 1 confirmation: MeitY has indicated via the companion notifications G.S.R. 843(E)-845(E) that select DPDP Act sections come into force alongside the Rules. Stage-by-stage commencement adjustments for individual sub-rules, if any, will be published as separate G.S.R.s and are tracked in references/digital-data-ai-law/regulatory-calendar.md. Designation of Significant Data Fiduciaries under Section 10 DPDP Act — with associated thresholds — is expected to follow via a separate Central Government notification closer to 13 May 2027.

Who is affected

The regime reaches several distinct classes of actor. Obligations differ by class.

  • Data Fiduciaries (all). Any person who alone or in conjunction with other persons determines the purpose and means of processing personal data. This catches every Indian or foreign entity offering goods or services to Data Principals in India. Substantive obligations under Rules 3, 6-9 and 14 apply from 13 May 2027.
  • Significant Data Fiduciaries. Designated by Central Government notification under Section 10(1) DPDP Act. Triggers Rule 13 additional obligations: DPO (resident in India, reporting to the Board), independent data auditor, annual DPIA + data audit, observation report to DPBI.
  • Data Processors. Persons who process personal data on behalf of a Data Fiduciary. Subject to contractual discipline imposed by the Data Fiduciary under Section 8(2) DPDP Act; Rule 6 security safeguards flow through.
  • Consent Managers. New regulated intermediary class under Rule 4. Registration window opens 13 November 2026.
  • Platforms processing children's data. Any Data Fiduciary processing personal data of persons below 18 must implement Rule 10 verifiable-parental-consent controls from 13 May 2027. Edtech, online gaming, social media and children's content platforms are the obvious targets; exempt classes and purposes are listed in the Fourth Schedule.
  • Government bodies. Processing for subsidies, benefits, services, certificates, licences and permits under Rule 5 attracts the Second Schedule standards.

Practitioner analysis

1. The 13 May 2027 cliff is real — but so is the onboarding that precedes it

Unlike the GDPR's 2-year grace period, the DPDP Rules give a full 18 months. Legal teams must therefore stage advice: (a) next 12 months — governance scaffolding (DPO identification, vendor inventory, record-of-processing-activities build), (b) months 12-16 — operational builds (consent notices in 22 languages, rights-fulfilment portal, DPO contact publication), (c) months 16-18 — tabletop breach drills against the 72-hour Rule 7 clock.

2. Interaction with IT (SPDI) Rules 2011

The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 under Section 43A IT Act remain in force until 13 May 2027. On that date, Section 44(2) DPDP Act omits Section 43A IT Act; the SPDI Rules thereby lose their parent section. Practitioners should audit existing privacy policies drafted to SPDI standards (which required affirmative written consent for defined categories of sensitive personal data) — these will need re-papering to the DPDP notice-and-consent model.

3. Interaction with sectoral frameworks

DPDP does not displace existing sectoral obligations. The following continue to apply in parallel: (a) RBI Master Direction on Digital Payment Security Controls dated 18 February 2021 and IT Governance Master Direction dated 7 November 2023; (b) SEBI Cybersecurity and Cyber Resilience Framework dated 20 August 2024 ('CSCRF'); (c) IRDAI Information and Cyber Security Guidelines, 2023 dated 24 April 2023; (d) CERT-In Directions dated 28 April 2022 (six-hour reporting clock — independent of and additional to the DPDP 72-hour clock); (e) UIDAI Aadhaar (Data Security) Regulations, 2016. Regulated entities must therefore map each incident-reporting clock before any breach and maintain separate escalation matrices.

4. Common drafting pitfalls

Three recurring problems in client privacy documentation: (i) composite consent notices that bundle several processing purposes (impermissible under Rule 3 — each purpose must be specific and verifiable); (ii) "deemed consent" language carried over from the 2019 and 2022 draft bills (not recognised in the final 2023 Act or 2025 Rules); (iii) erasure clauses that set unconditional retention floors (Rule 8 operates as a statutory erasure trigger once the processing purpose expires).

5. What to watch in early DPBI orders

The DPBI, once constituted, is likely to triage its first 12 months of enforcement around: (a) breach-notification non-compliance (Rule 7), where the 72-hour evidentiary trail is clear; (b) consent-notice adequacy (Rule 3), where a short audit produces a finding; and (c) grievance-officer accessibility (Rule 9), which has low evidentiary cost. SDF-facing DPIA orders will lag.

Enforcement and penalties

Section 33 DPDP Act empowers the DPBI to impose monetary penalties for contraventions. The Schedule to the DPDP Act lists eight heads, including:

  • Entry 5 — Failure to take reasonable security safeguards resulting in breach (Section 8(5)): up to Rs. 250 crore.
  • Entry 6 — Failure to notify a personal data breach to the Board or affected Data Principals (Section 8(6)): up to Rs. 200 crore.
  • Entry 3 — Breach of obligations relating to children's data (Section 9): up to Rs. 200 crore.
  • Entry 4 — Breach of additional SDF obligations (Section 10): up to Rs. 150 crore.
  • Entry 8 — Breach of any other provision: up to Rs. 50 crore.

Section 33(2) requires the Board, in quantifying the penalty, to have regard to the nature, gravity and duration of the breach; the personal data affected; the repetitive nature of the breach; gains realised or losses avoided; mitigating action taken; and proportionality.

Appeal path: DPBI order → appeal to TDSAT within 60 days under Section 29 DPDP Act and Rule 22 DPDP Rules → appeal to the Supreme Court of India on questions of law under Section 18 of the Telecom Regulatory Authority of India Act, 1997, within 90 days.

Founder checklist

  • By 30 June 2026 — assign a named DPO (for SDF candidates) or grievance officer (for all fiduciaries); publish contact details on the product's privacy centre.
  • By 30 September 2026 — complete a personal-data inventory: what you collect, from whom, where it is stored, which vendors touch it, what the erasure triggers are.
  • By 31 December 2026 — finalise a consent-notice template in plain English plus at least Hindi and one regional language; integrate a consent-withdrawal mechanism.
  • By 31 March 2027 — run a tabletop breach drill against the 72-hour Rule 7 clock with simultaneous six-hour CERT-In simulation.
  • By 13 May 2027 — publish Data Principal rights portal; complete a first-pass DPIA if you expect SDF designation; re-paper data-processor contracts with Section 8(2) flow-down clauses.

Frequently asked questions

When are Indian companies required to start complying with the DPDP Rules 2025?

The Rules commence in three phases. Rules 1, 2 and 17-21, covering definitions and the Data Protection Board of India, are in force from 13 November 2025. Rule 4 (Consent Manager registration) commences on 13 November 2026. Substantive data fiduciary obligations under Rules 3, 5-16, 22 and 23 — including consent notices, data principal rights, breach reporting, Significant Data Fiduciary duties and children's data protections — commence on 13 May 2027.

What is the breach notification timeline under the DPDP Rules 2025?

Under Rule 7 of the DPDP Rules, 2025, a Data Fiduciary must intimate affected Data Principals 'without delay' on becoming aware of a personal data breach, and provide a detailed report to the Data Protection Board within 72 hours (extendable only with Board permission). Failure to notify attracts a penalty of up to Rs. 200 crore under entry 6 of the Schedule to the Digital Personal Data Protection Act, 2023.

Who qualifies as a Significant Data Fiduciary under the DPDP regime?

Section 10 of the Digital Personal Data Protection Act, 2023 empowers the Central Government to designate a data fiduciary (or class thereof) as a Significant Data Fiduciary based on factors such as volume and sensitivity of personal data processed, risk to data principals, potential impact on India's sovereignty and public order, and electoral-democracy risk. As of April 2026, no SDFs have been designated by notification; designations and associated Rule 12-13 DPIA and audit duties become relevant on or after 13 May 2027.

Do the DPDP Rules 2025 permit cross-border transfers of personal data?

Yes. Section 16 of the Digital Personal Data Protection Act, 2023 read with Rule 15 of the DPDP Rules, 2025 permits transfer of personal data outside India, subject to restrictions the Central Government may prescribe by general or special order — a 'blacklist' model. Until a negative list is notified, cross-border transfers remain permitted, but sectoral constraints (e.g., RBI's data-localisation direction on payment data) continue to apply independently.

How do the DPDP Rules 2025 interact with the IT (SPDI) Rules 2011?

The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 framed under Section 43A of the Information Technology Act, 2000 remain in force until the DPDP Rules substantive obligations commence on 13 May 2027. On that date, Section 44(2) of the DPDP Act omits Section 43A of the IT Act, and consent and notice obligations shift to the DPDP framework. Sectoral rules (RBI, SEBI CSCRF, IRDAI, CERT-In Directions 2022) continue in parallel.

Where can I appeal an order of the Data Protection Board of India?

Under Section 29 of the Digital Personal Data Protection Act, 2023, any person aggrieved by an order of the Data Protection Board of India may prefer an appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days of receipt of the order. TDSAT orders are appealable to the Supreme Court of India on questions of law within 90 days.

Sources


This explainer is part of Veritect's Digital, Data & AI Law vertical. It is an original analysis prepared from Tier 1 government and regulator sources and does not reproduce or paraphrase any third-party commentary. For verification, consult the Gazette of India notification G.S.R. 846(E) dated 13 November 2025.

Primary source

Title: Digital Personal Data Protection Rules, 2025
Issuer: Ministry of Electronics and Information Technology
Effective: 2025-11-13
Gazette: G.S.R. 846(E)
