Key takeaways from Digital Personal Data Protection Rules, 2025
The Ministry of Electronics & Information Technology has officially notified the Digital Personal Data Protection Rules, 2025 (‘the Rules’), operationalising the landmark Digital Personal Data Protection Act, 2023 (‘the Act’). The Act had already received the assent of the President and was published on 11 August 2023.
This update summarises the 18-month phased implementation timeline and the key compliance obligations the Rules place on organisations.
1. Implementation Timeline
Date: What becomes effective
- 13 Nov 2025 (notification date): Definitions; functioning of the Data Protection Board; complaint and inquiry procedures; appointment of officers and employees
- 13 Nov 2026: Registration and obligations of Consent Managers
- 13 May 2027 (enforcement date): Notices, consent, Data Principal rights, security safeguards, DPIA, audits, retention rules, breach reporting, cross-border data transfers, appeals and penalties
2. Compliance obligations of Data Fiduciaries (the entity that determines the purpose and means of processing of Personal Data)
The key provisions and the compliance obligations under each are set out below.
Notice Requirements
- Present a clear, stand-alone, informed notice to Data Principals (the individuals to whom the Personal Data relates), itemising the data collected, the specific purpose, and a description of the processing
- Provide links for withdrawing consent, exercising Data Principal rights, and making a complaint to the Board
Security safeguards
- Protect all personal data processed (including through Data Processors) by implementing reasonable security safeguards to prevent breaches
- Deploy appropriate security measures, enforce strict access controls, and maintain logs and monitoring so that unauthorised access can be detected
- Implement suitable organisational and technical measures; contracts with Data Processors must mandate equivalent safeguards
Intimation of Personal Data Breach
- To individuals: promptly notify all affected Data Principals, explaining in simple language the nature, extent, timing and likely impact of the breach, the mitigation measures taken, and the safety measures the individual can take
- To the Board: within 72 hours, a full report covering a detailed description of the breach, its cause, mitigation measures, responsible parties, steps to prevent recurrence, and proof that affected individuals were notified
Obligations for Significant Data Fiduciaries (classes of Data Fiduciaries notified as such by the Central Government under the Act)
- Annual Data Protection Impact Assessment and audit
- Algorithmic / technical risk assessments
- Compliance reporting to the Board
- Restrictions on cross-border transfer of notified datasets
DPO / Contact Details Publication
- Display the contact details of the Data Protection Officer or the responsible officer prominently on the website or app and in communications
Consent for Children and Persons with Disability
- Obtain verifiable consent of the parent or lawful guardian, verifying their identity and adult status through reliable identity and age details, a virtual token, or official documents
Data Retention and Erasure
- Retain personal data, traffic data and associated logs for a minimum of 1 year for compliance purposes
- Notified classes of Data Fiduciaries (e-commerce entities and social media intermediaries with not less than twenty million registered users in India, and online gaming intermediaries with not less than five million registered users in India) must erase personal data 3 years after the Data Principal's last interaction, except where lawful retention is required
- Erase personal data once the purpose-specific period ends, unless retention is required by law; a reminder must be sent to the Data Principal at least 48 hours before erasure
Data Principal / User Rights
- Prominently publish on the website or app the mechanisms for exercising rights, and enable requests for access, correction and erasure
- Maintain systems that respond within the mandated time, and ensure the grievance redressal mechanism responds within 90 days or less
Cross-Border Transfer of Personal Data
- Personal data may be transferred outside India only if the organisation meets the requirements specified by the Central Government
- Transfer is restricted to any country notified as restricted by the Central Government
Government Information Requests
- The Government may seek data for specific purposes under the Act, with restrictions on the organisation disclosing such requests
Appeals & Governance
- Appeals lie with the Appellate Tribunal, are filed digitally, and follow simplified procedures guided by the principles of natural justice
3. Way Forward
- Data Fiduciaries are required to complete the relevant compliances within the prescribed 18-month timeline
- Organisations should undertake a gap assessment to ensure effective and timely compliance
- Organisations should identify areas where their data processing practices may expose them to reputational or financial risk