Privacy Desk

Key takeaways from Digital Personal Data Protection Rules, 2025 

The Ministry of Electronics & Information Technology has officially notified the Digital Personal Data Protection Rules, 2025 (‘the Rules’), operationalising the landmark Digital Personal Data Protection Act, 2023 (‘the Act’). The Act had already received the assent of the President and was published on 11 August 2023.

This update summarises the 18-month phased implementation timeline and other key aspects of the compliance obligations for organisations.

1. Implementation Timeline

| Date | What Becomes Effective |
| --- | --- |
| 13 Nov 2025 (Notification Date) | Definitions, Data Protection Board functioning, Complaint & inquiry procedures, Appointment of officers & employees |
| 13 Nov 2026 | Registration & obligations of Consent Manager |
| 13 May 2027 (Enforcement Date) | Notices, consent, data rights, security safeguards, DPIA, audits, retention rules, breach reporting, cross border data transfers, appeals and penalties |

2. Compliance obligations of Data Fiduciaries (who determines the purpose and means of processing of Personal Data)

Key provisions and key compliance obligations
Notice Requirements
  • Present clear, stand-alone, informed notice covering itemised data collected, specific purpose and description of processing to Data Principals (individual to whom the Personal Data relates)
  • Required to provide links for consent withdrawal, exercise user rights, and for making a complaint to the Board
Security safeguards
  • Protect all personal data processed (including through Data Processors) by implementing reasonable security safeguards to prevent breaches
  • Deploying appropriate security measures, enforcing strict access controls, maintaining logs and monitoring systems to detect unauthorised access
  • Implementing suitable organisational and technical measures; contracts with Data Processors must also mandate equivalent safeguards
Intimation of Personal Data Breach
    To Individuals: Promptly notify all affected Data Principals, explaining in simple language:
  • description of the breach — nature, extent, timing, likely impact,
  • mitigation taken,
  • recommended safety measures the individual can take, and
  • a contact
    To the Data Protection Board:
  • Immediately: Basic details — nature, extent, timing, location, and likely impact
  • Within 72 Hours: A full report — detailed breach description, cause, mitigation, responsible parties, recurrence-prevention steps, and proof of individual notifications
Obligations for Significant Data Fiduciaries
  • Annual Data Protection Impact Assessment & audit
  • Algorithmic / technical risk assessments
  • Compliance reporting to the Board
  • Restrictions on cross-border transfer of notified datasets
  • Significant Data Fiduciaries (i.e. e-commerce entity/ social media intermediary having not less than twenty million registered users or an online gaming intermediary having not less than 5 million registered users in India)
DPO/ Contact Details Publication
  • Display the contact of Data Protection Officer or responsible officer prominently on its website or app or communications
Consent for Children and Persons with Disability
  • Platforms must verify the parent/guardian identity using reliable age/ identity tokens or official documents
Data Retention and Erasure
  • Retain logs/traffic data for a minimum of 1 year
  • Significant Data Fiduciaries must delete data after 3 years of last interaction, except where lawful retention is required
  • Erase personal data after the purpose-specific period, unless required by law. A reminder must be sent to the Data Principal 48 hours before erasure
Data Principal/ User Rights
  • Prominently publish on its website/ app the rights-exercise mechanisms, enable requests for access, correction, and erasure
  • Maintain systems for response within mandated time and ensure grievance redressal mechanisms respond within 90 days or less
Cross-Border Transfer of Personal Data
  • May be transferred outside India only if the organisation meets such requirements as specified by the Central Government
  • Transfers to any country notified as blacklisted by the Central Government are restricted
Government Information Requests
  • Government may seek data for specific purposes under the Act, with restrictions on disclosing such requests
Appeals & Governance
  • Appeals lie with the Appellate Tribunal, filed digitally, under simplified procedures guided by natural justice

3. Way Forward
