Pursuant to a gazette notification dated November 13, 2025, the Ministry of Electronics and Information Technology (“MeitY”) notified the rules (“DPDP Rules” or “Rules”) under the Digital Personal Data Protection Act, 2023 (“DPDP Act” or the “Act”), which was published on August 11, 2023 (for an overview of the DPDP Act, see our note here). Pursuant to separate notifications dated November 13, 2025, the MeitY also notified (i) enforcement timelines for the DPDP Act (such notification, the “Enforcement Notification”); (ii) the establishment of the Data Protection Board of India (“DPBI”); and (iii) the number of DPBI members.
Read in conjunction with the Enforcement Notification, the DPDP Rules are intended to give effect to, and enable the operationalization of, the DPDP Act in a phased manner.
Earlier this year, pursuant to a notification dated January 3, 2025, the MeitY had issued a draft of the DPDP Rules (“Draft Rules”) for public consultation and comments (for an overview of the Draft Rules, see our note here). The final version of the DPDP Rules was notified by the MeitY following a deliberative process involving public consultations with, and the submission of 6,915 inputs by, a wide range of stakeholders, including start-ups, industry bodies, civil society groups, citizens, and government departments.
While the DPDP Rules remain substantially similar to the Draft Rules, a few key additions and changes have been introduced, including as discussed below.
Enforcement Timelines
The provisions of the DPDP Act and the DPDP Rules will come into force in three phases, as described below:
Phase 1: These provisions are effective from November 14, 2025 (i.e., the date of publication of the Enforcement Notification in the official gazette) and are primarily procedural in nature (e.g., effective dates, definitions, establishment of the DPBI and related administrative provisions, conflicts with other laws, and bar of jurisdiction of civil courts). Recent media reports suggest that a Government-appointed search-cum-selection committee will be constituted by December 2025 for the purpose of appointing the DPBI’s four members. However, the powers and functions of the DPBI (except those relating to registration and monitoring of consent managers – see Phase 2 below) will only become effective in Phase 3.
Phase 2: These provisions, which will become effective one year from the date of publication of the Enforcement Notification in the official gazette (i.e., in November 2026), relate to consent managers, i.e., registration of consent managers with the DPBI, obligations of consent managers, and the powers of the DPBI to inquire into breaches and impose penalties for breach of registration conditions.
Phase 3: This phase covers all the remaining substantive provisions of the DPDP Act and DPDP Rules, including grounds for processing of personal data, notices to be given by data fiduciaries to data principals, consent-related provisions, legitimate uses of personal data, general obligations of data fiduciaries (including in relation to reasonable security safeguards), additional obligations of significant data fiduciaries, rights of data principals, processing of personal data of children, processing of personal data outside India, intimation of personal data breaches, and exemptions from the applicability of the DPDP Act and DPDP Rules for specific purposes. These provisions will become effective 18 months from the date of publication of the Enforcement Notification in the official gazette (i.e., in May 2027).
Recent news reports following the Enforcement Notification indicate (also here) that the Government may consider a shorter enforcement timeline for certain companies. Since several ‘Big Tech’ companies and multinational corporations in India already comply with similar data protection regimes in other jurisdictions, including the EU’s GDPR, there are ongoing discussions about expedited implementation with respect to key provisions of the Act and Rules. Any modified rollout will require legislative amendments, and companies will need to remain alert to any such amendments.
Over the next few months, organizations will need to:
- track, map, and audit their data flows and legacy databases (for an overview of data mapping, see our note here);
- evaluate their data processing activities and the purposes thereof (for a discussion on data minimization, see our note here);
- undertake a gap analysis and prepare a compliance roadmap to satisfy obligations under the DPDP Act and DPDP Rules;
- put in place processes, policies, and templates for data collection and processing, including for consent collection and recording, and facilitating data principal rights (for a summary on consent management, see our notes here and here);
- review their existing data processing arrangements, commercial relationships, and data sharing contracts (for an overview of such contractual arrangements, see our note here);
- initiate internal awareness programs and training; and
- establish appropriate teams and appoint specialized personnel for the purpose of satisfying obligations under the DPDP Act and DPDP Rules.
Until the third phase takes effect, the provisions of the Information Technology Act, 2000 (“IT Act”) – in particular Section 43A of the IT Act (dealing with compensation for failure to protect data), along with the rules framed under such provision, i.e., the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), which together constitute the existing personal data protection regime in India – will continue to remain in force. The SPDI Rules will cease to apply only when the IT Act is amended to omit Section 43A, as intended under Section 44(2) of the DPDP Act. Pursuant to the Enforcement Notification, Section 44(2) of the DPDP Act is scheduled to take effect in May 2027 (for a discussion on navigating the transition from the SPDI Rules to the DPDP Act, see our note here).
DPBI
The dispute resolution mechanism under the Act and Rules is designed to be completely online. In line with the Act, the DPDP Rules state that the DPBI will function as a ‘digital office’ and may adopt techno-legal measures to conduct proceedings in a manner that does not require the physical presence of any individual. Persons aggrieved with an order or direction of the DPBI may prefer an appeal in digital form before the Telecom Disputes Settlement and Appellate Tribunal which, like the DPBI, will also function as a digital office.
Consent Managers
The DPDP Act defines ‘consent managers’ as persons registered with the DPBI who act as single points of contact to enable data principals to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. They will be accountable to data principals and act on their behalf. Every consent manager must be registered with the DPBI, and will be subject to such technical, operational, financial, and other conditions as prescribed under the Act and Rules.
Rule 4 of the DPDP Rules, currently scheduled to come into force in November 2026, deals with the conditions for registration and obligations of consent managers (which are similar to those prescribed under the Draft Rules). The eligibility criteria include: a minimum net worth of INR 20 million (approximately USD 225,000), that the applicant be a company incorporated in India, and the fulfillment of specified independent certification requirements relating to the interoperability of its platform and technical and organizational measures. Further, consent managers must avoid conflicts of interest with data fiduciaries and are required to put in place measures to ensure no conflicts arise on account of their directors, key personnel, and senior management holding directorships or having a financial interest, employment relationship, or ‘material pecuniary relationship’ with data fiduciaries.
Consent managers are required to enable data principals who use their platform to give consent to the processing of their personal data by data fiduciaries onboarded onto such platform either directly (i.e., to such data fiduciary itself) or through another data fiduciary (which is also onboarded onto such platform and maintains such data pursuant to the data principal’s consent).
At present, there is no clarity on whether entities that are similar to consent managers, such as ‘account aggregators’ (which are regulated by the Reserve Bank of India (RBI)), will require fresh registration with the DPBI under the DPDP Act. We anticipate that such questions may be clarified in due course. Further clarity is also expected on certain practical aspects, such as the integration between data fiduciaries and consent managers.
Substantive Provisions
Notice and consent
Section 5 of the DPDP Act requires data fiduciaries to give a notice to data principals along with, or prior to, a request for consent for processing their personal data. Additional requirements relating to the contents and/or nature of such notice have been specified in the Rules, as discussed in our earlier note on the Draft Rules.
While the Draft Rules required data fiduciaries to include an itemized description of the goods or services to be provided, or the uses to be enabled, pursuant to data processing, the DPDP Rules now indicate that a specific description in this regard will suffice. The removal of such itemization requirement – which might have proved cumbersome for organizations that process data for a variety of reasons, including to improve user experience – is a welcome development. Given that consent notices must be presented and understood “independent” of any other information made available by data fiduciaries, organizations will still need to ensure that all necessary details for obtaining “specific and informed consent” are set out in the notice itself (rather than through links to another document or a privacy policy, as has so far been a common practice in India).
In the context of M&A transactions, acquirer companies will also need to evaluate if fresh consents are required from data principals whose data is held by the target company due to any post-acquisition changes in the purposes for which data is being collected.
Cross-border data transfer
Pursuant to Section 16 of the DPDP Act, the Government may impose restrictions on the transfer of personal data to certain jurisdictions. The Rules have clarified that any personal data processed under the Act may be transferred outside the territory of India, but the Government may introduce special requirements by way of a general or special order in respect of making such data available to any foreign state, or to any person or entity under the control of, or any agency of, such foreign state.
Similar to the Draft Rules, the DPDP Rules also clarify that significant data fiduciaries (“SDFs”) are required to undertake measures to ensure that personal data specified by the Government pursuant to the recommendations of a committee constituted by it for this purpose, is processed subject to the restriction that such data, as well as the traffic data relating to its flow, is not transferred outside Indian territory.
SDFs
Under the DPDP Act, the Government has been empowered to notify any data fiduciary (or a class of data fiduciaries) as an SDF pursuant to an assessment of various factors, including the volume and sensitivity of personal data processed, risk to the rights of data principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, and public order.
The Act imposes certain special compliance requirements upon SDFs – including the need to appoint an independent data auditor and a data protection officer (“DPO”) based in India for the purpose of representing such SDF, and to undertake periodic data protection impact assessments (“DPIAs”) and audits. Such obligations will apply to SDFs over and above the general obligations which are applicable to all data fiduciaries.
The Rules introduce certain additional obligations applicable to SDFs, such as: (a) ensuring submission of DPIA results to the DPBI once in every 12 months; and (b) verifying by way of due diligence that technical measures, including algorithmic software adopted by them in respect of personal data processed, are “not likely to pose a risk to the rights of data principals”.
At present, there is no clarity on the specific classes of data fiduciaries that are expected to be notified as SDFs under the DPDP Act, although this is anticipated in the near future.
Data principal rights and corresponding obligations
The Rules provide guidance in relation to the manner in which the rights of data principals are required to be enabled by data fiduciaries and consent managers (as applicable). Specifically, the Rules require data fiduciaries and consent managers to:
- prominently publish certain details on their website or app (or both, as applicable), including (i) details of the means using which data principals may make requests for the exercise of their rights; (ii) particulars which may be required to identify a data principal under the terms of service (such as their username, customer/enrolment ID, application reference, email address, mobile/license number, or other identifier); (iii) responses to grievances raised by data principals within a reasonable period not exceeding 90 days under their grievance redressal systems; and (iv) contact details of the designated person for the purpose of addressing questions related to data processing (including the DPO, if applicable); and
- implement appropriate technical and organizational measures for ensuring effectiveness of their grievance redressal mechanism.
Reasonable security safeguards
Under Section 8(5) of the Act, a data fiduciary is required to protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a data processor, by taking reasonable security safeguards (“RSS”) to prevent a personal data breach. Importantly, a breach of the RSS obligation may involve a penalty which may extend to INR 2.5 billion (approximately USD 28 million).
Like the Draft Rules, the Rules specify certain minimum RSS which should be implemented by a data fiduciary, including measures such as encryption, obfuscation, or masking of personal data; access control measures, if applicable; appropriate logs and other measures to monitor access and aid in investigation and remediation; data resilience measures (such as data backups); and contractual provisions in the agreements entered into between the data fiduciary and the data processor, if applicable, related to implementing RSS. The framework under the DPDP Rules relating to RSS appears to be more indicative than prescriptive, which gives organizations the flexibility to implement RSS commensurate to the volumes and sensitivity of personal data being processed.
Data retention
Under the Act, data fiduciaries are required to erase personal data, unless retention is necessary for legal compliance, upon the earlier of: (i) the data principal withdrawing their consent, or (ii) as soon as it is reasonable to assume that the specified purpose (i.e., the purpose mentioned in the notice given by the data fiduciary to the data principal) is ‘no longer being served’. According to Section 8(8) of the Act, it will be deemed that such purpose is no longer being served if the data principal does not: (a) approach the data fiduciary for the performance of the specified purpose; and (b) exercise any of their rights in relation to such processing for such time period as prescribed.
In this regard, the Rules specify different time periods for different classes of data fiduciaries, and for different purposes. Such different classes of data fiduciaries include e-commerce entities, social media intermediaries, and online gaming intermediaries, with specified numbers of registered users in India.
The retention time period specified in the Rules for each class of data fiduciary is the later of (i) three years from the date on which the data principal last approached the data fiduciary for the performance of the specified purpose or the exercise of their rights, or (ii) the commencement of the DPDP Rules. The determination of when each user “last approached the data fiduciary” is ambiguous and will likely require certain processes and tools, such as timestamping.
While such requirements were already specified in the Draft Rules, the DPDP Rules now clarify that personal data, associated traffic data, and other logs related to the processing of such data, must be retained for at least one year from the date of such processing by all data fiduciaries (for the purpose of Government use in the interest of India’s sovereignty and integrity or national security) even if the specified purpose has already been achieved. Thereafter, such data and logs need to be erased (including by data processors, whose erasure the data fiduciary must ensure), absent other legal or Government requirements.
Reporting of personal data breaches
Section 8(6) of the Act requires that, upon the occurrence of a personal data breach, a data fiduciary is obligated to intimate the DPBI and each affected data principal, in the manner prescribed under the Rules. Like the Draft Rules, the Rules do not prescribe any specific timelines for the initial breach notification and instead state that it should be made without delay (with an additional update to the DPBI to be made within 72 hours of the breach). A strict interpretation of this provision would mean that data principals need to be informed of a data breach almost immediately, which could pose practical challenges. A breach of such obligations may attract a penalty of up to INR 2 billion (approximately USD 22.5 million).
Consistent with the Draft Rules, the details to be provided in the breach intimation notices to the data principal and the DPBI have been prescribed in the Rules, including with respect to: description of the breach (such as the nature, extent, and timing); consequences of the breach; and the risk mitigation measures implemented. The updated notification to be provided to the DPBI is required to include findings regarding the person who may have caused the breach, remedial measures taken to prevent recurrence, and a report regarding intimations made to affected data principals.
Verifiable consent
Section 9(1) of the Act requires a data fiduciary to obtain verifiable consent of the parent or lawful guardian of a child and/or a person with disability who has a lawful guardian, prior to the processing of any personal data related to such data principal in a manner prescribed under the Rules. The Rules specify the following:
Children
A data fiduciary is required to adopt appropriate technical and organizational measures to ensure that verifiable parental consent is obtained before processing a child’s personal data and undertake due diligence to check that an individual identifying themselves as the parent of a child is an adult (i.e., above the age of 18 years) who is identifiable with reference to: (a) ‘reliable’ details of identity and age of such individual, as available with the data fiduciary; or (b) details of identity and age as voluntarily provided (1) by the individual, or (2) through a virtual token mapped to such details, as issued by an authorized entity (i.e., an entity entrusted by law or by the Central/State Government, or a person appointed or permitted by such entity, with such issuance), which may include details made available and verified by a Digital Locker Service Provider (i.e., an intermediary or an agency, as notified by the Government).
However, the requirement to obtain verifiable parental consent, as well as the prohibition under the Act on tracking, behavioral monitoring, and targeted advertising with respect to children, will not be applicable to certain classes of data fiduciaries including clinical/mental health establishments and healthcare professionals, educational institutions and daycare centers, subject to the specified conditions relating to the nature and purposes of processing; and processing of a child’s personal data for certain purposes inter alia relating to the safety, welfare, and security of children and performance of legal obligations.
Persons with disability
While obtaining verifiable consent from a lawful guardian prior to the processing of personal data related to a ‘person with disability’ (as defined in the Rules), the data fiduciary is required to observe due diligence to confirm that the individual(s) identifying themselves as the lawful guardian have been appointed by a court of law, or by a designated authority (i.e., an authority designated under the Rights of Persons with Disabilities Act, 2016 to support persons with disabilities in exercise of their legal capacity), or a local level committee (as defined in the Rules), in accordance with the applicable guardianship law.
Conclusion
The DPDP Rules, along with the Enforcement Notification, have set the stage for organizations to start preparing for compliance under the Act. While the legal framework under the DPDP Act is expected to evolve in the coming years through policy refinement, judicial interpretation, practice, and enforcement, key principles such as data minimization, purpose-limited consent mechanisms, and prompt breach reporting reflect a clear shift towards responsible and trust-driven data governance and management. Organizations that approach compliance proactively, including by implementing privacy-by-design, will stand to benefit in the long run. Apart from mitigating the risk of regulatory penalties, such an approach will strengthen an organization’s reputation and credibility.
The 18-month period seems to be a reasonable timeframe for organizations to take appropriate steps to ensure compliance with the new data protection regime and should be used as an opportunity to systematically prepare a robust privacy framework. Businesses will have to update privacy notices, check consent flows, and review vendor/outsourcing contracts (including to ensure that third-party service providers comply with data processing obligations). They will also need to implement retention and incident response procedures (including breach-reporting playbooks). Clear governance steps are recommended, including board-level engagement, employee training, and prioritizing high-risk processing (e.g., AI, profiling, large consumer datasets, children’s data).
Going forward, if organizations meet the threshold for SDF status, attendant privacy impact assessments, periodic audits, and an India-based DPO requirement may follow.
Given the quantum of potential penalties, businesses should also evaluate and improve upon their IT and cybersecurity systems and internal policies for the purpose of satisfying obligations under the DPDP Act and Rules, including in respect of a breach.
This insight has been authored by Rachael Israel, Dr. Deborshi Barat, Reshma (Vaidya) Gupte and Prakriti Anand from S&R Associates. This insight is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.