Digital Personal Data Protection Rules 2025

With detailed provisions on consent, data retention, breach notification, cross-border transfers, and obligations for significant data fiduciaries, the Rules mark an important step towards modern data governance.

The Digital Personal Data Protection Rules, 2025 (DPDP Rules) introduce a detailed regulatory framework for how personal data must be processed, protected, and governed in India. These Rules, notified on 14-11-2025 by the Ministry of Electronics and Information Technology (MeitY), operationalise critical parts of the Digital Personal Data Protection Act, 2023 (DPDP Act). With a staggered enforcement timeline and clear obligations for data fiduciaries, data processors and consent managers, the DPDP Rules aim to bring clarity to data protection standards in the country.

These Rules were published in the Gazette of India as an official notification issued under Section 40 of the DPDP Act. They follow a public consultation process that began in early 2025 and set out detailed procedures, definitions, and compliance standards. This article provides an objective overview of the new Rules for organisations and individuals looking to understand the regulatory landscape.

Commencement and scope of the DPDP Rules

The Rules apply to data fiduciaries, data processors, consent managers and certain public authorities engaged in processing digital personal data. The commencement is staggered as follows:

1. Rules 1, 2 and 17 to 21 come into force on the date of publication in the Gazette.

2. Rule 4 comes into force on a later date to be notified.

3. Rules 3, 5 to 16, 22 and 23 come into force eighteen months after publication.

This phased rollout gives organisations time to prepare compliance mechanisms relating to consent, data retention, breach notifications, and the responsibilities of significant data fiduciaries.

Key definitions and terminology

Rule 2 provides several foundational definitions that align with the Act. Important terms include:

1. Consent manager: An entity authorised and registered to manage user consent.

2. User account: An online account enabling access to a data fiduciary’s platform.

3. Verifiable consent: Consent that can be authenticated as per Rules 10 and 11.

Where terms are not defined in the Rules, they carry the meaning assigned in the Act. This structure ensures consistency across the regulatory framework.

Notice requirements for data fiduciaries

Rule 3 lays down clear guidelines for how data fiduciaries must provide notice to a data principal before processing personal data. The notice must be:

1. Clear, accessible, and understandable.

2. Separate from other information.

3. Written in simple language.

4. Sufficient to allow informed consent.

A valid notice must include:

1. A description of the personal data being processed.

2. The purpose for processing.

3. Contact details of the fiduciary.

4. Details of platforms through which data principals can withdraw consent, access grievance redressal, or exercise rights under the Act.

The design of notices must be transparent and must allow individuals to easily understand and exercise their choices.

Registration and duties of consent managers

Rule 4 lays out the registration process, eligibility, and duties for consent managers. They must be:

1. Entities incorporated in India.

2. Financially sound.

3. Equipped with technical and operational capacity to manage consent.

The First Schedule details eligibility standards such as net worth thresholds and governance requirements.

Consent managers must:

1. Provide an interoperable platform.

2. Allow users to give, review, manage, and withdraw consent.

3. Maintain high security standards.

4. Ensure all actions are in the data principal’s interest.

This framework strengthens user autonomy and encourages transparency in consent management systems.

Processing personal data for government services

Rule 5 covers how government bodies and their instrumentalities may process personal data to deliver subsidies, benefits, certificates, licences, permits, and public services. The rule states that such processing must comply with the criteria in the Second Schedule.

The rule also clarifies what constitutes a subsidy or benefit. It includes:

1. Services or entitlements provided using public funds.

2. Services provided under statutory or administrative schemes.

3. Permissions, licences, or certificates required for lawful activities.

This ensures consistency across government processes and enables clear compliance standards for authorities.

Security safeguards for data fiduciaries

Rule 6 requires data fiduciaries to implement reasonable security measures to prevent personal data breaches. These include:

1. Encryption.

2. Tokenisation.

3. Access controls.

4. Logging and audits.

5. Backup and recovery systems.

The measures must ensure confidentiality, integrity, and availability of personal data. These security obligations also apply to data processors engaged by fiduciaries. The standards align with broader information security principles and reference definitions under the Information Technology Act, 2000.

Personal data breach notifications

Rule 7 prescribes a detailed process for notifying both data principals and the Data Protection Board (Board) of personal data breaches. Fiduciaries must:

1. Notify affected data principals without delay through the registered communication channels.

2. Provide details including the nature of the breach, date, time, and potential impact.

3. Disclose mitigation steps already taken.

4. Suggest safety measures for affected individuals.

5. Provide contact details of a person responsible for responding to queries.

Additionally, fiduciaries must notify the Board within hours of becoming aware of a breach, and later provide updates including investigation results, remedial steps, and potential impacts.

Retention and deletion of personal data

Rule 8 sets out strict rules on data retention and deletion.

Key requirements include:

1. Data must be deleted after the purpose is fulfilled unless retention is required under law.

2. Data fiduciaries must notify individuals at least forty-eight hours before deletion.

3. Data logs must be retained for at least one year from the date of processing.

4. Data processors must follow fiduciaries’ instructions on deletion.

This rule promotes accountability by preventing the unnecessary storage of personal data and reduces the risk of misuse.

Contact details for exercising rights

Rule 9 requires each data fiduciary to publish the professional contact details of its Data Protection Officer or the authorised person overseeing data protection matters. These details must be displayed prominently on its website or application.

This ensures that data principals know how to exercise their rights related to access, correction, deletion, or grievance redressal.

Processing children’s personal data

Rule 10 provides the conditions for obtaining verifiable consent before processing a child’s personal data. A data fiduciary must collect verifiable consent from a parent or guardian and must:

1. Use reliable identification methods.

2. Verify the age and identity of the parent or guardian.

3. Ensure authentication measures are robust.

Digital locker and other authorised government platforms may be used for verification.

Rule 11 sets similar requirements for processing personal data of persons with disabilities, where a legal guardian’s verifiable consent is required.

Exemptions for processing children’s data

Rule 12 provides limited exemptions to the restrictions on processing children’s personal data. These exemptions apply to:

1. Certain classes of data fiduciaries.

2. Specific purposes listed in the Fourth Schedule.

These exemptions are narrow and subject to strict conditions.

Obligations for significant data fiduciaries

Rule 13 lays down additional obligations for entities classified as significant data fiduciaries.

They must:

1. Conduct annual data protection impact assessments.

2. Undergo independent audits.

3. Verify that algorithms and software used for processing do not cause harm.

4. Ensure that personal data and related logs are not transferred outside India unless allowed.

This rule strengthens regulatory oversight for large entities processing high volumes of personal data.

Rights of data principals

Rule 14 sets the framework for exercising rights such as:

1. Access.

2. Correction.

3. Erasure.

4. Grievance redressal.

Data fiduciaries and consent managers must publish details of the mechanisms available for exercising these rights. They must also ensure their grievance redressal systems resolve complaints within a reasonable period.

Cross-border transfer of personal data

Rule 15 states that cross-border transfer of personal data is allowed as long as the data fiduciary meets conditions specified by the Central Government. These conditions may vary based on the recipient country, entity, or public authority.

This rule creates a flexible mechanism for international data transfers while protecting national interests.

Data processing for research, archiving or statistical purposes

Rule 16 grants exemptions for processing personal data for research, archiving or statistical work. This processing is allowed when it meets the conditions listed in the Second Schedule, particularly where anonymisation or data minimisation supports the purpose.

Constitution, appointment and functioning of the Data Protection Board

Rules 17 to 23 deal with the administrative and procedural aspects of the Data Protection Board. They cover:

1. Appointment of the Chairperson and Members.

2. Terms of service and remuneration.

3. Digital operations of the Board.

4. Meeting procedures.

5. Filing of appeals to the Appellate Tribunal.

6. Powers to seek information from data fiduciaries.

The Board will operate as a digital office, allowing electronic hearings and digital submissions.

Conclusion

The DPDP Rules add operational clarity to the DPDP Act and create a structured framework for data protection in India. With detailed provisions on consent, data retention, breach notification, cross-border transfers, and obligations for significant data fiduciaries, the Rules mark an important step towards modern data governance. The staggered implementation timeline gives organisations time to adjust systems and adopt compliant processes.

These Rules, together with the DPDP Act, form India’s first comprehensive digital privacy law and place clear responsibilities on organisations that collect and process personal data, which is an area where guidance from a seasoned corporate law firm in India is increasingly sought by businesses navigating complex compliance duties.


*Founder/Managing Partner, Vidhiśāstras-Advocates & Solicitors. Author can be reached at: ashish@vidhisastras.com.