The Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 on 14 November 2025, operationalising the Digital Personal Data Protection Act, 2023 (DPDP Act). The Rules establish the procedural framework for data protection compliance in India, including a mandatory 72-hour breach notification window, the constitution of the Data Protection Board, and a phased implementation timeline spanning 12 to 18 months.
Background
The DPDP Act, 2023 received Presidential assent in August 2023 but remained inoperative pending the notification of subordinate rules that would prescribe the procedural and operational details. The Act establishes the overarching framework for the processing of digital personal data in India, including principles of consent, purpose limitation, and data minimisation, but delegates critical implementation aspects to the Rules.
India's data protection legislative journey has extended over seven years, from the Justice BN Srikrishna Committee report in 2017 through the withdrawn Personal Data Protection Bill, 2019 and the Digital Personal Data Protection Bill, 2022, before culminating in the 2023 Act. The notification of these Rules marks the transition from a legislative framework to an enforceable regulatory regime, bringing India in line with jurisdictions that have operational data protection enforcement mechanisms.
Key Provisions
The DPDP Rules, 2025 contain the following principal provisions:
72-hour breach notification: Data fiduciaries must notify the Data Protection Board and affected data principals within 72 hours of becoming aware of a personal data breach. The notification must specify the nature of the breach, categories of data affected, and remedial measures undertaken.
Data Protection Board established: The Rules provide for the constitution of the Data Protection Board of India as the adjudicatory body. The Board will receive complaints, conduct inquiries, and impose penalties for non-compliance with the Act.
Consent management framework: Detailed requirements for obtaining, recording, and managing consent from data principals are prescribed. Consent managers must be registered with the Board and meet prescribed technical and financial eligibility criteria.
Phased implementation: The Rules provide for a phased rollout over 12 to 18 months. Significant data fiduciaries are expected to comply within the first phase, while smaller entities receive extended timelines.
Penalty framework operationalised: The Rules activate the penalty provisions under the Act, with maximum penalties of up to Rs 200 crore for non-compliance with certain provisions. The graduated penalty structure accounts for the nature and severity of the contravention.
Children's data protections: Enhanced consent requirements for processing data of minors are prescribed, including verifiable parental consent mechanisms that data fiduciaries must implement.
Implications for Practitioners
The notification of the DPDP Rules transforms data protection compliance from a prospective obligation into an immediate operational priority for organisations processing digital personal data in India. In-house counsel and compliance teams must initiate gap assessments against the Rules within the first implementation phase, with particular attention to breach notification protocols, consent management infrastructure, and data processing documentation.
The 72-hour breach notification window is among the most operationally demanding requirements. Organisations will need to establish detection, assessment, and reporting workflows that can function within this compressed timeline, which is comparable to the GDPR's notification period.
Practitioners advising significant data fiduciaries should note that, under the phased implementation, these larger entities face the earliest compliance deadlines. The consent manager registration regime introduces a new class of regulated intermediary, creating advisory opportunities for firms with technology law practices.
The penalty framework — with its Rs 200 crore ceiling — underscores the financial consequences of non-compliance. Practitioners should counsel clients that the cost of building compliance infrastructure is materially lower than the potential penalty exposure.