In This Guide
Rules Overview
The DPDP Rules 2025 provide the detailed implementation framework for the Digital Personal Data Protection Act, 2023. The rules were notified in January 2025 following public consultation on draft rules.
Phased Implementation
Unlike some global privacy laws that had single compliance deadlines, DPDP Rules introduce a phased approach allowing organisations time to implement different requirements progressively.
Key Changes from Draft Rules
The final rules differ from the draft in several important ways:
Notice Requirements Refined
- More flexibility in notice format and presentation
- Clarification on itemised notice vs comprehensive notice options
- Simplified requirements for small businesses
Consent Manager Framework
- Registration requirements specified
- Technical standards for interoperability
- Clearer liability framework
SDF Thresholds
- Criteria for SDF notification clarified
- Sector-specific considerations acknowledged
- Audit requirements detailed
Cross-Border Transfer
- Process for restricting transfers to specific countries outlined
- No immediate restrictions announced
- Contractual safeguard guidance provided
Breach Notification
- 72-hour notification window to Board
- Prescribed format for notifications
- Criteria for notifying affected principals
Phased Compliance Timeline
The rules establish the following implementation phases:
| Phase | Timeline | Requirements |
|---|---|---|
| Phase 1 | 6 months from notification | Data Protection Board established; SDF notification process begins; Consent Manager registration opens |
| Phase 2 | 12 months from notification | General fiduciary obligations (notice, consent, security); Data principal rights mechanisms; Grievance redressal |
| Phase 3 | 18 months from notification | SDF obligations (DPO, DPIA, audit); Enhanced requirements for large processors; Full enforcement begins |
| Phase 4 | 24 months from notification | All provisions fully operative; Penalties fully enforceable; Transition period ends |
Note: The Central Government may notify different dates for different provisions. Monitor official gazette for updates to these timelines.
Notice Requirements (Rule Details)
The rules prescribe detailed notice requirements:
Content Requirements
- Identity and contact details of Data Fiduciary
- Description of personal data to be collected
- Purpose of processing (each purpose separately)
- Categories of data shared with other fiduciaries/processors
- How principal may exercise rights
- How to complain to Data Protection Board
Format Requirements
- Clear, plain language
- Available in English and scheduled languages as applicable
- Itemised format recommended for clarity
- Standalone notice or integrated with terms (clearly identified)
Timing
- Before or at the time of collection of personal data
- Upon any material change to processing purposes
Consent Manager Framework
The rules establish a framework for Consent Managers:
Registration Requirements
- Apply to Data Protection Board for registration
- Demonstrate technical capability for consent management
- Net worth requirements (as prescribed)
- Interoperability with other consent managers
Obligations of Consent Managers
- Provide accessible, transparent interface for principals
- Enable viewing of all consents given
- Enable withdrawal of consent
- Maintain logs of consent transactions
- Do not process personal data for own purposes
Fiduciary Obligations
- May offer consent manager as option to principals
- Must honour consent/withdrawal through consent manager
- Must integrate with registered consent managers
Significant Data Fiduciary Requirements
Rules detail the additional obligations for SDFs:
Data Protection Officer
- Senior management level appointment
- Based in India
- Reporting directly to Board of Directors or equivalent
- Contact details published and notified to Board
- Responsible for monitoring compliance
Data Protection Impact Assessment
- Conducted before processing likely to result in significant harm
- Periodic review of ongoing high-risk processing
- Contains risk assessment and mitigation measures
- Retained and available for Board inspection
Audit Requirements
- Annual audit by independent data auditor
- Auditor qualifications prescribed
- Audit report submitted to Board
- Covers compliance with Act and Rules
Breach Notification (Rule Details)
The rules specify breach notification requirements:
Notification to Data Protection Board
- Timeline: Within 72 hours of becoming aware
- Format: Prescribed form (Form DPB-1)
- Content: Nature of breach, data affected, principals affected, measures taken, contact for further information
Notification to Affected Data Principals
- Trigger: When breach likely to cause harm to principal
- Timeline: Without undue delay after breach containment
- Format: Clear, plain language in principal's preferred language
- Content: Nature of breach, data affected, measures principal should take, fiduciary contact
What Constitutes a Notifiable Breach
- Unauthorised access to personal data
- Unauthorised disclosure of personal data
- Loss or destruction of personal data
- Any breach of security safeguards
Action Plan by Phase
Phase 1 Actions (Months 0-6)
- Complete data inventory and processing mapping
- Assess whether SDF notification may apply
- Begin updating privacy notices
- Review current consent mechanisms
- Identify gaps in current practices
Phase 2 Actions (Months 6-12)
- Implement compliant privacy notices
- Update consent collection mechanisms
- Implement data principal rights processes
- Establish grievance redressal mechanism
- Review and update security safeguards
- Prepare breach notification procedures
Phase 3 Actions (Months 12-18)
- SDFs: Appoint Data Protection Officer
- SDFs: Conduct initial DPIA
- SDFs: Engage data auditor for first audit
- All: Review processor agreements for compliance
- All: Complete staff training
Phase 4 Actions (Months 18-24)
- Complete remediation of any gaps
- Conduct internal compliance review
- Establish ongoing monitoring program
- Document compliance evidence