Key principles, consent rules, and organizational readiness
On November 13, 2025, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules 2025 (Rules), clarifying key implementation aspects of the Digital Personal Data Protection Act (DPDPA) 2023, marking a significant milestone in the rollout of India’s first comprehensive data protection law.
India’s landmark DPDPA was enacted on August 11, 2023, to regulate the processing of all digital personal data (data collected in digital form, or later digitized) of India’s residents. The DPDPA applies to any entity (a data fiduciary) that determines the purpose and means of processing such data.
Its extraterritorial scope is broad, and covers processing within India and processing abroad connected with offering goods or services to individuals in India. The Act introduces consent-based processing, individual rights, and regulatory mechanisms, elements familiar in global privacy laws, tailored to India’s context.
The Rules will take effect in phases. Certain provisions, such as those creating the Data Protection Board (Board), became effective as soon as they were published in the Official Gazette. Rules governing the registration and operation of consent managers will apply after 12 months, while all remaining regulations will come into force after 18 months.
Stakeholders are advised to start preparing now. The law promises robust penalties (up to INR 500 million to INR 2.5 billion, approximately US$6 million to US$30 million) for noncompliance and represents an urgent mandate to integrate privacy into business operations.
Who’s covered under India’s DPDPA? Scope, key terms, and processing principles explained
While the DPDPA introduces foundational data protection principles, it lacks the concept of “special categories of data” like the GDPR’s sensitive personal data (e.g., health, biometric, sexual orientation). All personal data is treated uniformly; notably, any data made publicly available by the individual or required to be made public by law is wholly outside the law’s scope. This is broader than exemptions in many laws and means scraped social-media or directory data may escape the law if already “public,” though legal questions remain if such data ceases to be public after collection.
A data fiduciary, analogous to a GDPR controller, “determines the purposes and means” of processing, and bears the burden of compliance. By contrast, data processors (acting under a fiduciary’s instructions) have no direct obligations under the DPDPA; instead, fiduciaries must contractually bind processors to protect data.
Thus, unlike GDPR or CCPA, which impose some duties on processors, DPDPA focuses enforcement on the fiduciaries, who must, in turn, hold their vendors accountable.
The DPDPA codifies the standard fair-information principles. All processing must be lawful, fair, transparent, purpose-specific, and minimally invasive. Personal data must be collected only for clear purposes and not retained longer than needed. Data fiduciaries must implement strong security safeguards (technical and organizational) to prevent breaches and maintain records demonstrating compliance.
DPDPA consent requirements: Lawful basis for processing personal data in India
A consent-oriented regime is at the core of the DPDPA, as it demands “free, specific, informed, unconditional and unambiguous” consent from individuals (data principals) before processing their personal data. Consent must be an affirmative act; pre-checked boxes or implied agreements are prohibited.
The Rules require very specific consent, where each piece of personal data must be clearly linked to the exact purpose for which it is used. Businesses handling large, varied data must rethink how they present this information and whether related purposes can be grouped together. Companies will need to redesign consent flows and user interfaces so that purposes are clearly stated and opting out is simple. Uniquely, the Rules also mandate providing a website or app link for opt-outs, unlike most countries that only require a contact point.
Additionally, consent is the primary lawful basis for processing. The DPDPA does not recognize many of the non-consent bases familiar to European law.
Aside from consent, the Act allows only a narrow list of “legitimate uses” (specific statutory or emergency purposes) without consent. These include situations where data is voluntarily shared and not objected to by the individual, compliance with court orders or law, employment necessities, and responses to natural disasters or epidemics.
No general legitimate interest or contract necessity grounds exist as in the GDPR. This consent-centric approach will challenge many organizations: in contexts like AI model training or large-scale analytics, it may be impractical to obtain individualized consent.
Data principal rights under India’s DPDPA: Access, correction, deletion, and redress
The DPDPA grants individuals rights largely similar to those in GDPR, but with some country-specific enhancements. Data principals can access, correct, or erase their data held by a fiduciary, and they may receive a copy of their information. The law also mandates notice; organizations must provide clear privacy policies and notices about how data is processed and protected.
Importantly, the law adds some unique rights: every data fiduciary must maintain a grievance redressal officer so that individuals have “readily available and effective means” to complain. Individuals also gain the right to nominate a representative to exercise their rights after death or incapacity. These procedural rights reflect India’s emphasis on accessible redress. Additionally, the Rules require that grievances are resolved within a reasonable time, not exceeding ninety (90) days, adding certainty to the duration of internal grievance resolution processes between businesses and customers.
Notably, there is no private right of action under the DPDPA; only the Board can enforce penalties. However, data principals can register complaints with the Board or seek other prescribed remedies.
DPDPA exemptions and special cases
The DPDPA provides several exemptions and carve-outs balancing privacy with other interests. Personal data processed by natural persons for purely personal or household purposes is out of scope. Personal data already made public by the individual or under a legal obligation is exempt.
Critically for innovation, Section 17(2)(b) explicitly exempts research, archiving, and statistical processing from the Act’s obligations, provided such processing meets government-prescribed standards and is not used for decisions about a specific individual. If rulemaking clarifies the standards, this could permit AI/ML research using large datasets, a boon for innovation.
But questions remain: who qualifies (academic institutions only or also private labs), and what technical/ethical guidelines will apply? Clear guidelines here will determine how “clean” personally identifiable data can be repurposed for research.
Children’s data is another focus. The Act contemplates special protections for minors: a parent’s consent is needed for processing a child’s data, and the government may mandate a parental consent mechanism. The draft version of the Rules provided for certain purposes for which children’s personal data could be subject to tracking or behavioral monitoring. This list has been expanded to include the determination of real-time location of a child, where such processing is restricted to tracking real-time location of a child in the interest of their safety, protection or security. Further, children’s data may also be monitored or tracked to restrict certain types of services and advertisements which may pose a detrimental effect on their well-being.
Importantly, the DPDPA grants broad government exemptions. The government can declare law enforcement, national security, and sovereign interests out of scope, as can certain classes of data fiduciaries (e.g., startups) based on factors like the volume of data processed and the impact on national security or public order (these open-ended powers have drawn criticism).
DPDPA security obligations explained: Data minimization, breach notifications, and governance standards
Security
The DPDPA reiterates and extends traditional security obligations. Data fiduciaries must adopt “reasonable security practices” at least as stringent as international standards, akin to the regime under Section 43A of India’s IT Act (now largely superseded).
The Rules also mandate that every data fiduciary protect personal data under its control, requiring the implementation of technical protections such as encryption, strong access controls, logging, continuous monitoring, and incident-response capabilities. Data fiduciaries must also maintain backups and business-continuity measures to ensure data availability and integrity. Logs and relevant personal data must be retained for at least one year to support breach investigations. Data processors must be contractually bound to meet the same security standards. SMEs, in particular, may need significant upgrades to their security infrastructure, policies, and practices to meet these requirements.
New retention requirement
The final Rules introduce a new requirement: all personal data, traffic data, and logs generated from data processing activities must be retained for at least 1 year, even after the purpose has been fulfilled or the user account deleted, to support (i) processing of personal data by government agencies in the interest of national security and the sovereignty and integrity of India; (ii) the performance of any function under any law in force in India; and (iii) the disclosure of any information pursuant to any law in force in India.
Breach notification
On breaches, the Act requires mandatory notification to both the Board and affected individuals whenever a personal data breach occurs, irrespective of scale.
The Rules create a two-stage breach reporting process: immediate intimation to affected data principals and the Board, followed by a detailed report to the Board within 72 hours. Notifications must include breach details, impacts, mitigation steps, and user guidance. Because there is no materiality threshold, it is unclear whether even minor incidents must be reported, which risks administrative overload and user “notification fatigue”. The 72-hour window also differs from other sectoral rules, such as CERT-In’s 6-hour timeline, adding compliance complexity for organizations.
Importantly, organizations should align DPDPA breach procedures with their other obligations (e.g., telecom or financial sector breach rules and CERT-In requirements) to avoid conflicting processes.
Accountability
Beyond breach reports, the DPDPA embeds accountability measures. All fiduciaries must maintain records of their processing activities and implement privacy governance measures. Those designated as “Significant Data Fiduciaries” (SDFs), based on factors like volume of data, sensitivity, and impact on India’s sovereignty, democracy, or public order, face extra duties.
The Central Government may classify certain data fiduciaries as Significant Data Fiduciaries (SDFs) based on factors such as data volume and sensitivity, risks to data principals, and national or public-order considerations. SDFs face enhanced obligations, including appointing an India-based Data Protection Officer and undergoing independent data audits.
Once designated, they must conduct annual DPIAs and audits, and report key findings to the Data Protection Board. They must also ensure technical and algorithmic systems are tested and verified to prevent risks to data principals. SDFs must comply with any Government-mandated cross-border data transfer restrictions. Likely candidates include major tech platforms and organizations in regulated sectors such as finance, banking, and healthcare. The Government retains broad discretion to include additional categories when determining SDF status.
These measures are aimed at high-volume tech firms, social platforms, and critical infrastructure providers, forcing them into a formal data governance posture.
The government can also ease or tighten obligations (even exempt whole classes like startups), so companies should watch for objective criteria in the rules.
When will DPDPA be enforced? Understanding the Board’s powers and what comes next
Along with the notification of the Rules, the Government has notified a phased timeline for implementing the DPDPA as follows:
- Effective immediately (November 13, 2025):
  - (a) definitions under the DPDPA (e.g., personal data, data fiduciary, etc.);
  - (b) provisions establishing the Board along with its administrative machinery;
  - (c) the rule-making and transitional powers of the Government of India; and
  - (d) the ability to make amendments to the DPDPA.
- After 1 year (November 13, 2026): the conditions for registration and operation of consent managers, as well as the Board’s corresponding jurisdiction over being intimated of any breach of such conditions.
- After 18 months (May 13, 2027): the core operational provisions of the DPDPA, relating to:
  - (a) consent and corresponding aspects;
  - (b) obligations applicable to data fiduciaries;
  - (c) obligations applicable to significant data fiduciaries; and
  - (d) the remaining powers of the Board.
The Board will be the DPDPA’s enforcement authority. It is empowered to investigate complaints, conduct inquiries, and impose fines (up to INR 2.5 billion) or corrective orders, including blocking data processing or demanding deletion. The Board can also mandate urgent remedial measures in case of a serious breach.
The Board will function entirely online to handle complaints, investigate data breaches, and impose penalties, completing inquiries within six months (extendable by three-month blocks with written reasons), and its decisions must be issued in writing. Appeals first go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), with civil courts barred from intervening where the Board has jurisdiction. A further and final appeal may be made to the Supreme Court, creating a three-tier appeal structure.
Regulators have signaled a progressive but firm stance. Indian policymakers aim to align the DPDPA with global best practices while accommodating local needs. For example, a Finance Ministry advisory sees robust data protection as central to economic and national security interests.
At the same time, concerns about transparency (Right to Information Act) and law enforcement privacy (IT Act) must be balanced. The DPDPA amends RTI rules to protect officials’ personal data, a change that has sparked debate.
DPDPA implementation: Compliance challenges and business readiness
The new Rules mark the final step in putting India’s first data protection law into action. The Government will clarify issues like cross-border data transfer limits and which organizations will be tagged as significant data fiduciaries. The Rules aim to balance clear regulation with enough flexibility for businesses to innovate. As the law becomes fully operational, companies must update their systems, processes, and documentation to ensure strong and resilient compliance.
Companies should start by mapping all personal data flows to identify what data is collected, why, where it is stored, and to whom it is disclosed. Only with a complete inventory can firms apply the DPDPA’s rules to each data set (e.g., requiring new consents or erasing old data).
Existing policies and practices will need revision. Privacy notices will have to explicitly track India’s consent and data subject rights requirements. Global companies must check “policy deltas”: while the GDPR allows processing on legitimate interest or contracts, India’s law will often demand fresh consent instead, which means consent mechanisms may need redesign in India-specific ways. Firms should also implement or upgrade systems to record and log consent transactions, evidence that valid consent was obtained for every processing activity.
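As an added illustration (not code from the article, nor any official DPDPA tooling), the Python sketch below is one way to keep the consent evidence this paragraph calls for: one record per data item and purpose, rejection of anything that is not an affirmative opt-in, the opt-out link the Rules require, and the one-year retention clock from the retention requirement above applied before any record may be purged. The 365-day figure, the field names and the example.invalid URL are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Rules: personal data and logs stay at least one year after the purpose is
# fulfilled or the account is deleted; 365 days is assumed here.
MIN_RETENTION = timedelta(days=365)

def ts(s: str) -> datetime:  # ISO-8601 helper for callers and tests
    return datetime.fromisoformat(s)

@dataclass
class ConsentRecord:
    principal_id: str
    data_item: str            # one personal-data element, e.g. "email"
    purpose: str              # the exact purpose that element is linked to
    affirmative_act: bool     # user opted in actively; no pre-ticked box
    optout_url: str           # opt-out link the Rules require in the notice
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Append-only evidence of consent per (principal, data item, purpose)."""

    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        if not rec.affirmative_act:
            raise ValueError("consent must be an affirmative act")
        if not rec.data_item.strip() or not rec.purpose.strip():
            raise ValueError("each data item must be tied to an exact purpose")
        if not rec.optout_url.startswith("https://"):
            raise ValueError("an opt-out link must be provided")
        self.records.append(rec)

    def permitted(self, pid: str, item: str, purpose: str, at: datetime) -> bool:
        # Purpose-specific: a grant for "billing" never covers "marketing".
        return any(r.principal_id == pid and r.data_item == item
                   and r.purpose == purpose and r.granted_at <= at
                   and (r.withdrawn_at is None or r.withdrawn_at > at)
                   for r in self.records)

    def withdraw(self, pid: str, purpose: str, at: datetime) -> int:
        hits = [r for r in self.records if r.principal_id == pid
                and r.purpose == purpose and r.withdrawn_at is None]
        for r in hits:
            r.withdrawn_at = at
        return len(hits)

    def purgeable(self, rec: ConsentRecord, now: datetime,
                  account_deleted_at: Optional[datetime] = None) -> bool:
        # Withdrawal or account deletion starts the one-year clock; before then the record is evidence.
        ends = [t for t in (rec.withdrawn_at, account_deleted_at) if t]
        return bool(ends) and now >= max(ends) + MIN_RETENTION
```

A withdrawn or deleted record is still answerable to the Board or a court for the retention period, so the purge check, not the withdrawal, is what decides when evidence may leave the system.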
Contractual agreements will also require review. Data processing agreements must be amended so that fiduciaries can enforce DPDPA obligations on their vendors, even though the law only directly binds fiduciaries. For example, cloud or analytics providers may need new clauses on security standards, audit rights, breach notification, and data return or deletion. Aligning such contracts across the supply chain is crucial since fiduciaries remain liable for breaches by their processors.
Finally, organizations should invest in training and culture change. Given the DPDPA’s novel features (consent managers, no default legal interests, nomination rights, etc.), employees will need education to handle data correctly. Companies may run simulation exercises for data breaches or rights requests, and ensure that even non-technical staff understand basic privacy tenets. Building privacy into day-to-day operations is not just legal risk mitigation; it is becoming a strategic imperative in India’s digital economy.
Turning privacy principles into business practice
The Digital Personal Data Protection Act signals India’s intent to build a modern privacy regime rooted in consent, transparency, and accountability. From redefining lawful data processing to mandating strong governance and breach preparedness, the DPDPA requires organizations to move beyond checkbox compliance and embrace a privacy-by-design mindset.
But foundational understanding is only the first step. Implementation will require organizations to rework contracts, overhaul consent flows, inventory their data, and instill a culture of privacy across teams and tools. With enforcement timelines still unfolding, now is the time to build the infrastructure—technical, procedural, and cultural—that ensures long-term compliance.