
DPDP Rules 2025: Full Breakdown of India's Data Protection Rules (Compliance Deadline: May 2027)

Supriya Mehta, February 1, 2026, 16 min read

Two years after the Digital Personal Data Protection Act received Presidential assent, we finally have the operational rulebook. The DPDP Rules 2025, notified by MeitY on November 13, 2025, answer the questions every compliance team in India has been asking since August 2023: how much time do we have, what exactly must we build, and what happens if we get it wrong?

I have read through every provision. The short version: the Rules are more prescriptive than most people expected, the deadlines are staggered but firm, and several obligations, particularly around breach notification and consent architecture, require genuine engineering work, not just policy documents.

Key Takeaways

  • The DPDP Rules 2025 were notified on November 13, 2025, providing the operational framework for the DPDP Act 2023.
  • Compliance is phased: Board governance activated immediately (November 2025), Consent Manager registration opens November 2026, and full Data Fiduciary obligations apply from May 13, 2027.
  • Breach notification to the Data Protection Board must occur within 72 hours of discovery (Rule 7). Affected individuals must be notified separately with specific details.
  • Consent notices must be standalone, itemized, and available in all 22 scheduled languages of India (Rule 3).
  • Security safeguards are now codified: encryption, access controls, activity logging, and mandatory one-year log retention (Rule 6).
  • Data erasure timelines are purpose-linked, with specific thresholds for large platforms (Rule 8).

Why Do the DPDP Rules 2025 Matter?

The DPDP Act 2023 (full text) established the legal framework: who is covered, what rights exist, what penalties apply. But the Act deliberately left operational specifics to subordinate legislation. How should a consent notice be structured? What counts as a "reasonable security safeguard"? How quickly must a breach be reported? When exactly does the clock start?

The Rules answer all of this. Without them, the Act was a set of principles. With them, it becomes a compliance programme you can actually build.

For the first time, Indian businesses have a concrete, deadline-driven checklist. That clarity is valuable. It also removes the last excuse for inaction.

What is the Phased Enforcement Timeline?

The DPDP Rules follow a three-phase implementation schedule, calculated from the notification date of November 13, 2025. This is not a suggestion; each phase carries binding legal effect.

| Phase | Effective Date | What Activates |
|---|---|---|
| Phase 1: Governance | November 13, 2025 | Data Protection Board of India (DPBI) becomes operational; Board appointment, governance, and appeal mechanisms |
| Phase 2: Consent Managers | November 13, 2026 | Consent Manager registration opens; children's data protections activate; penalties for child data violations |
| Phase 3: Full Compliance | May 13, 2027 | All Data Fiduciary obligations enforceable; consent, notice, security, breach notification, retention, DSR, and grievance mechanisms must be operational |

Three things to note about this timeline.

First, the eighteen-month runway for Phase 3 was a deliberate policy choice. Industry bodies, including NASSCOM, lobbied for this period, arguing that shorter timelines would force businesses to choose between speed and quality of implementation. MeitY agreed. You have the time. Use it properly.

Second, the Consent Manager registration window in Phase 2 is significant for any entity planning to operate as an intermediary in the consent ecosystem. If your business model involves managing consent on behalf of Data Principals, you need to be ready to register by November 2026.

Third, children's data protections activate in Phase 2, not Phase 3. Any business processing data of individuals under 18, including EdTech platforms, gaming applications, and social media services, faces an earlier compliance deadline of November 2026. Waiting until May 2027 is not an option for those sectors.

What Must a Consent Notice Include? (Rule 3)

Rule 3 specifies the content, format, and accessibility requirements for consent notices. This is the provision that will affect every Indian website and application, because almost every digital service collects some form of personal data.

The notice must contain:

  • An itemized description of the personal data being collected. Generic language ("we collect your information") does not satisfy this requirement. You must specify: names, email addresses, phone numbers, payment details, device identifiers, and so on, by category.
  • The purpose of processing for each category of data collected. One-line purposes ("to improve your experience") are insufficient. The purpose must be specific enough that the Data Principal understands precisely how their data will be used.
  • How to withdraw consent. The notice must provide a direct mechanism, not a buried settings page.
  • How to exercise Data Principal rights. Including access, correction, erasure, and the right to file a grievance.
  • How to file a complaint with the Data Protection Board of India.

Crucially, the notice must be a standalone document. You cannot embed it within a general terms of service agreement and call it compliant. The Rules intend for the notice to be a separate, clearly identifiable communication that the Data Principal receives before providing consent.

Language Requirements

The notice must be available in English and any language listed in the Eighth Schedule of the Indian Constitution. That is 22 languages, covering Hindi, Bengali, Tamil, Telugu, Marathi, Urdu, Gujarati, Kannada, Malayalam, Odia, Punjabi, and eleven others.

This requirement is consequential. Most Indian businesses currently publish privacy notices exclusively in English. Under the Rules, if you serve users who communicate in Tamil or Bengali, your notice must be accessible in those languages. The practical implication: consent infrastructure needs multilingual support, not as a nice-to-have, but as a legal obligation.

How Does Consent Manager Registration Work? (Rule 4)

Rule 4 creates an entirely new entity class in India's data protection ecosystem. Consent Managers are intermediaries that help Data Principals manage their consent across multiple Data Fiduciaries through a single interface.

Eligibility Requirements

To register as a Consent Manager, an entity must:

| Requirement | Detail |
|---|---|
| Incorporation | Must be a company incorporated in India |
| Net worth | Minimum ₹2 crore |
| Platform | Must operate an interoperable platform (website or mobile application) for consent management |
| Fiduciary duty | Must act as a fiduciary to the Data Principal, prioritising their interests |
| Transparency | Must publicly disclose information about promoters, directors, and senior management |
| Security | Must implement robust security measures and undergo periodic audits |
| Registration | Must register with the Data Protection Board of India |

What Consent Managers Actually Do

The concept borrows from the Account Aggregator framework that SEBI and RBI pioneered in the financial services sector. A Consent Manager operates a dashboard where a Data Principal can see every service they have given consent to, review the scope of that consent, and revoke it with a single action.

For Data Fiduciaries, the interoperability requirement is the operative detail. Your consent mechanisms must be structured in a way that Consent Managers can interface with them. This means standardised consent signals, machine-readable consent records, and APIs that support programmatic consent management.

The registration framework opens in November 2026. Entities planning to operate in this space should begin their application preparations well before that date, given that the Board will need to process and approve registrations.

What Are the Required Security Safeguards? (Rule 6)

Rule 6 converts the Act's general obligation to implement "reasonable security safeguards" into a specific, auditable list. This is the provision your engineering team needs to read.

Required measures include:

  • Encryption, masking, obfuscation, or tokenisation of personal data. The Rules do not prescribe a specific encryption standard, but they require that data at rest and in transit is protected through one of these methods.
  • Access controls to computer resources processing personal data. Role-based access, principle of least privilege, and documented access policies.
  • Activity logging with visibility into who accessed personal data, when, and for what purpose. These logs must be sufficient to detect and investigate unauthorised access.
  • Data backups ensuring business continuity and the ability to restore data after an incident.
  • Mandatory one-year log retention. All system and processing logs related to personal data must be retained for at least one year for breach detection and investigation purposes. This applies regardless of your general data retention policy.

Note that the obligation extends to Data Processors acting on behalf of the Data Fiduciary. If you outsource data processing to a vendor, you remain responsible for ensuring these safeguards are in place at the processor's end. Rule 6 does not allow you to delegate the obligation by signing a contract; you must verify compliance.

For businesses already operating under ISO 27001 or SOC 2 frameworks, the overlap is substantial. But there are DPDP-specific elements, particularly around consent-linked access controls and the one-year log retention mandate, that may require additional configuration.

How Does Breach Notification Work? (Rule 7)

Rule 7 establishes what is arguably the most operationally demanding obligation in the entire framework: a 72-hour breach notification timeline to the Data Protection Board of India.

The Dual Notification Requirement

When a personal data breach occurs, the Data Fiduciary must notify two parties:

1. The Data Protection Board of India. An initial intimation must be made immediately upon discovery, followed by a detailed report within 72 hours. The 72-hour clock starts when the breach is discovered, not when the investigation concludes or the severity is fully assessed.

2. Each affected Data Principal. This notification must include:

  • A description of the breach
  • The potential consequences for the individual
  • Mitigation measures the Data Fiduciary has taken
  • Steps the Data Principal can take to protect themselves

Why 72 Hours Is Challenging

If you have handled a data breach before, you know that the first 72 hours are consumed by containment, forensic analysis, and impact assessment. Drafting a detailed report for a regulatory body within that same window requires a pre-built incident response process. You cannot improvise this under pressure.

The practical requirements:

  • A documented breach response playbook, rehearsed, not shelved
  • Pre-drafted notification templates for both the Board and affected individuals
  • Clear internal escalation paths so that the clock starts the moment anyone in the organisation discovers (or reasonably should have discovered) the breach
  • A designated breach response team with authority to act without waiting for multi-layered approvals

For financial institutions, the complexity increases further. CERT-In's existing incident reporting requirements under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 remain in force alongside the DPDP breach notification obligation. You may need to report the same incident to both CERT-In and the DPBI, under different timelines and formats.

Failure to notify within 72 hours carries a penalty of up to ₹200 crore under the Schedule to the DPDP Act.
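The Rule 7 clock and dual-notification check described above, as an added example that is not code from the article or from ComplyZero. It assumes an incident record of its own design (the field names, the "INC-EXAMPLE-001" identifier and the sample notice texts are constructed); the 72-hour window and the four notice elements are those stated above.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Rule 7 as summarised above: detailed report to the DPBI within 72 hours of discovery.
BOARD_REPORT_WINDOW = timedelta(hours=72)

# The four elements the Data Principal notice must carry. The key names are
# this example's own; the Rules prescribe the content, not a record format.
PRINCIPAL_NOTICE_FIELDS = ("breach_description", "potential_consequences",
                           "mitigation_measures", "self_protection_steps")

@dataclass
class BreachIncident:
    incident_id: str
    discovered_at: datetime                      # when anyone in the organisation discovered the breach
    affected_principals: set[str] = field(default_factory=set)
    board_intimation_at: datetime | None = None  # initial intimation to the DPBI
    board_report_at: datetime | None = None      # detailed report to the DPBI
    principal_notices: dict[str, dict[str, str]] = field(default_factory=dict)

    def board_report_deadline(self) -> datetime:
        return self.discovered_at + BOARD_REPORT_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        # Negative once the 72-hour window has closed.
        return (self.board_report_deadline() - now).total_seconds() / 3600

def missing_notice_fields(notice: dict[str, str]) -> list[str]:
    """Required elements that a Data Principal notice leaves empty."""
    return [f for f in PRINCIPAL_NOTICE_FIELDS if not notice.get(f, "").strip()]

def compliance_gaps(incident: BreachIncident, now: datetime) -> list[str]:
    """Every Rule 7 obligation the incident record does not yet satisfy, as of `now`."""
    gaps: list[str] = []
    deadline = incident.board_report_deadline()
    if incident.board_intimation_at is None:
        gaps.append("no initial intimation to the DPBI")
    if incident.board_report_at is None:
        if now > deadline:
            gaps.append("detailed report to the DPBI overdue")
    elif incident.board_report_at > deadline:
        gaps.append("detailed report to the DPBI filed late")
    for pid in sorted(incident.affected_principals):
        notice = incident.principal_notices.get(pid)
        if notice is None:
            gaps.append(f"{pid}: Data Principal not notified")
        elif (missing := missing_notice_fields(notice)):
            gaps.append(f"{pid}: notice missing {', '.join(missing)}")
    return gaps

def sample_incident() -> BreachIncident:
    """Constructed record: report filed 51 hours after discovery; one notice incomplete, one missing."""
    full = {
        "breach_description": "Unauthorised read access to the order-history database",
        "potential_consequences": "Exposure of name, phone number and delivery address",
        "mitigation_measures": "Access revoked, credentials rotated, monitoring tightened",
        "self_protection_steps": "Reset your password and be wary of unsolicited calls",
    }
    partial = {k: v for k, v in full.items() if k != "self_protection_steps"}
    return BreachIncident(
        incident_id="INC-EXAMPLE-001",
        discovered_at=datetime(2027, 6, 1, 9, 0, tzinfo=timezone.utc),
        affected_principals={"dp-001", "dp-002", "dp-003"},
        board_intimation_at=datetime(2027, 6, 1, 9, 40, tzinfo=timezone.utc),
        board_report_at=datetime(2027, 6, 3, 12, 0, tzinfo=timezone.utc),
        principal_notices={"dp-001": full, "dp-002": partial},
    )
```

Running `compliance_gaps(sample_incident(), now)` at the time the report was filed flags only the two Data Principal gaps; the Board filings are on time because the clock is measured from discovery.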

What Are the Data Retention and Erasure Rules? (Rule 8)

Rule 8 operationalises Section 8(7) of the Act, which requires Data Fiduciaries to erase personal data once the specified purpose is fulfilled.

The general principle is straightforward: if you collected personal data for a specific purpose, you must delete it when that purpose is no longer being served. If the Data Principal withdraws consent, erasure must follow, subject to any overriding legal requirement to retain the data.

Platform-Specific Retention Thresholds

Rule 8 introduces specific thresholds for large digital platforms. As of February 2026, the following categories face defined retention limits:

| Platform Type | User Threshold | Maximum Retention Period |
|---|---|---|
| E-commerce entities | 2 crore or more registered users | 3 years from last interaction |
| Online gaming intermediaries | 50 lakh or more registered users | 3 years from last interaction |
| Social media intermediaries | 2 crore or more registered users | 3 years from last interaction |

For these platforms, personal data must be erased within three years of the Data Principal's last interaction with the service. A 48-hour warning must be issued to the Data Principal before the erasure occurs, giving them the opportunity to re-engage if they wish to retain their account.

For businesses outside these categories, the principle remains purpose-driven rather than time-driven. You define the retention period based on the purpose for which data was collected, and you enforce it.

Crucially, sectoral laws may impose their own retention requirements. An insurance company, for instance, might need to retain policyholder data for ten years under IRDAI regulations, even though the DPDP purpose has been fulfilled. In such cases, the sectoral law prevails, but only for the specific data category covered by that regulation. The rest must still be erased under DPDP.
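The retention decision this section describes (platform thresholds, the three-year limit from last interaction, the 48-hour pre-erasure warning, purpose-driven erasure, and the sectoral override limited to the covered category), as an added example that is not code from the article or from ComplyZero. The record layout, the 365-day year, the category names and the ten-year hold on "policyholder_data" are this example's own assumptions; the thresholds and periods are those stated above.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Rule 8 thresholds as tabulated above, in absolute user counts.
CRORE, LAKH = 10_000_000, 100_000
PLATFORM_THRESHOLDS = {"e_commerce": 2 * CRORE, "online_gaming": 50 * LAKH, "social_media": 2 * CRORE}
MAX_RETENTION = timedelta(days=3 * 365)  # "3 years from last interaction" (365-day years assumed here)
WARNING_LEAD = timedelta(hours=48)       # warning to the Data Principal before erasure

@dataclass
class DataRecord:
    principal_id: str
    category: str                      # e.g. "contact_details" or "policyholder_data" (constructed names)
    last_interaction: datetime
    purpose_fulfilled: bool = False
    consent_withdrawn: bool = False
    warned_at: datetime | None = None  # when the 48-hour pre-erasure warning was sent

def platform_limit_applies(platform_type: str, registered_users: int) -> bool:
    threshold = PLATFORM_THRESHOLDS.get(platform_type)
    return threshold is not None and registered_users >= threshold

def retention_action(record: DataRecord, now: datetime, platform_type: str,
                     registered_users: int, sectoral_hold: dict[str, timedelta]) -> str:
    """Decide retain / retain_sectoral / warn / erase for one record at time `now`."""
    # A sectoral retention law prevails, but only for the category it covers.
    hold = sectoral_hold.get(record.category)
    if hold is not None and now < record.last_interaction + hold:
        return "retain_sectoral"
    # Purpose-driven erasure applies to every Data Fiduciary.
    if record.consent_withdrawn or record.purpose_fulfilled:
        return "erase"
    # Time-driven limit only for platforms over the Rule 8 user threshold.
    if platform_limit_applies(platform_type, registered_users):
        erase_at = record.last_interaction + MAX_RETENTION
        if now >= erase_at - WARNING_LEAD:
            if record.warned_at is None:
                return "warn"  # the warning must precede erasure by 48 hours
            if now >= max(erase_at, record.warned_at + WARNING_LEAD):
                return "erase"
    return "retain"

def sample_sweep() -> dict[str, str]:
    """Constructed sweep for an e-commerce platform with 2.5 crore users on 2027-06-01."""
    now = datetime(2027, 6, 1, tzinfo=timezone.utc)
    records = [
        DataRecord("dp-1", "contact_details", now - timedelta(days=1096), warned_at=now - timedelta(days=3)),
        DataRecord("dp-2", "contact_details", now - timedelta(days=1094)),
        DataRecord("dp-3", "policyholder_data", now - timedelta(days=1096), consent_withdrawn=True),
        DataRecord("dp-4", "contact_details", now - timedelta(days=365)),
        DataRecord("dp-5", "contact_details", now - timedelta(days=365), consent_withdrawn=True),
    ]
    # Illustrative ten-year sectoral hold on policyholder data (the insurance example above).
    sectoral = {"policyholder_data": timedelta(days=10 * 365)}
    return {r.principal_id: retention_action(r, now, "e_commerce", 25_000_000, sectoral)
            for r in records}
```

Note that dp-3 is retained despite withdrawn consent only while the sectoral hold runs, and that dp-2 cannot be erased until a warning has been issued and 48 hours have elapsed.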

What Are the Obligations for Children's Data? (Rules 9-10)

The Rules reinforce Section 9 of the Act with additional procedural requirements:

  • Verifiable parental consent must be obtained before processing any personal data of a child (under 18). The emphasis is on "verifiable": a simple checkbox claiming "I am over 18" does not satisfy this requirement.
  • No tracking, behavioural monitoring, or targeted advertising directed at children. This prohibition is absolute and not subject to parental consent override.
  • The Rules require Data Fiduciaries to make "reasonable efforts" to verify the age of Data Principals where children's data may be involved.

These obligations activate in Phase 2 (November 2026), six months before the general compliance deadline. EdTech, gaming, social media, and any platform with a significant minor user base must prioritise this workstream.

What About Significant Data Fiduciaries? (Rules 11-13)

The Rules prescribe enhanced obligations for entities designated as Significant Data Fiduciaries (SDFs) by the Central Government:

  • Annual Data Protection Impact Assessments (DPIAs): SDFs must conduct comprehensive assessments of how their data processing activities affect Data Principal rights.
  • Independent audits: An independent data auditor must periodically assess the SDF's compliance posture.
  • Algorithmic fairness: SDFs deploying algorithmic decision-making must assess whether their systems result in unfair outcomes for Data Principals.
  • Data Protection Officer: A DPO based in India must be appointed. This is not a dual-hat role; the DPO must have sufficient independence and seniority to be effective.

As of February 2026, the Central Government has not yet notified the criteria for SDF designation. However, based on the Act's text and the thresholds in Rule 8, businesses processing data of more than 2 crore users should prepare as though designation is likely.

How Do Data Principal Rights Work Under the Rules?

The Rules operationalise the rights framework established in Sections 11 through 14 of the Act:

  • Access requests: Data Principals can request a summary of all personal data held by the Data Fiduciary, the processing purposes, and the identities of entities with whom data has been shared.
  • Correction and erasure: Data Principals can request correction of inaccurate data, completion of incomplete data, or erasure of data no longer necessary for the stated purpose.
  • Grievance redressal: Every Data Fiduciary must appoint a Grievance Officer and provide accessible contact details. Grievances must be resolved within the prescribed timeline.
  • Response timeline: Data Fiduciaries must respond to Data Principal requests within 90 days of receipt.
  • Escalation: If the Data Principal is unsatisfied with the response, or receives no response within the prescribed period, they may escalate to the Data Protection Board. The Board can conduct inquiries, seek responses from the Data Fiduciary, and impose penalties.

The 90-day timeline is a maximum, not a target. Data Fiduciaries that consistently take the full 90 days to respond to straightforward access requests will find themselves on the wrong end of a pattern that the Board, once fully operational, may view unfavourably.

What is the Role of the Data Protection Board? (Rules 14-22)

The Rules provide the procedural architecture for the DPBI, covering appointment processes, hearing procedures, and penalty assessment frameworks. Several provisions merit attention:

  • Digital-first operations: The Board operates as a digital office. Complaints are filed electronically, hearings may be conducted via video conference, and orders are issued digitally. This is a deliberate design choice, consistent with the Act's "digital by design" philosophy.
  • Complaint process: A Data Principal must first exhaust the grievance redressal mechanism of the Data Fiduciary before approaching the Board. This is a mandatory prerequisite.
  • Inquiry timeline: The Board is mandated to complete inquiries within six months from the date of receiving a complaint, with a possible extension of up to three months.
  • Appeals: Orders of the Board can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and from there to the Supreme Court. This provides a clear appellate hierarchy.

What Should Indian Businesses Do Now?

The eighteen-month compliance window sounds generous. It is not. Based on what the Rules require, here is a realistic sequencing:

Months 1-3 (Now through April 2026): Gap assessment. Map your current data practices against every Rule. Identify the deltas. If you are collecting personal data today without standalone consent notices (you almost certainly are), that is your first finding.

Months 4-9 (May through October 2026): Build. Redesign consent flows, implement multilingual privacy notices, establish your DSR response infrastructure, train your breach response team, and get your retention policies documented and automated.

Months 10-15 (November 2026 through March 2027): Test and iterate. Run tabletop exercises for breach scenarios. Process mock DSR requests end-to-end. Verify that your consent infrastructure handles withdrawal as smoothly as collection. If you serve children, your November 2026 obligations should already be live.

Months 16-18 (April through May 2027): Final audit. Documentation review. Board readiness.

The organisations that will struggle are those who treat this as a legal exercise. The Rules demand engineering work: consent APIs, multilingual content delivery, automated retention enforcement, breach detection systems, DSR workflow automation. A compliance policy document, no matter how thorough, is not compliance.

Frequently Asked Questions

When do the DPDP Rules 2025 come into effect?

The DPDP Rules 2025 were notified on November 13, 2025, with a phased implementation schedule. Data Protection Board governance provisions took effect immediately. Consent Manager registration obligations activate after 12 months (November 2026). All core Data Fiduciary obligations, including consent, notice, security, breach notification, and data retention, become enforceable after 18 months, on May 13, 2027.

What is the penalty for not complying with the DPDP Rules by May 2027?

The penalty regime is specified in the Schedule to the DPDP Act 2023, not in the Rules themselves. Maximum penalties range from ₹50 crore for general non-compliance (failure to provide proper consent notices, inadequate DSR processes) to ₹250 crore for security failures that result in a data breach. Failure to notify the Data Protection Board of a breach within 72 hours can attract penalties up to ₹200 crore.

Do the DPDP Rules 2025 apply to small businesses and startups?

Yes. Neither the DPDP Act 2023 nor the DPDP Rules 2025 include a small business exemption. Any entity that determines the purpose and means of processing digital personal data is a Data Fiduciary and must comply. The scope and complexity of compliance will vary based on the volume and sensitivity of data you process, but the legal obligation is universal. A 10-person startup collecting user emails through a website form is as much a Data Fiduciary as a company with 10,000 employees.

How do the DPDP Rules relate to the DPDP Act 2023?

The DPDP Act 2023 is the primary legislation enacted by Parliament that establishes the legal framework: definitions, rights, obligations, penalties, and institutional structures. The DPDP Rules 2025, notified by MeitY under the powers conferred by the Act, provide the operational detail needed to implement its provisions. The Act tells you what you must do; the Rules tell you how, when, and in what format. For a section-by-section analysis of the Act itself, see our complete guide to the DPDP Act 2023.

What is a Consent Manager under the DPDP Rules?

A Consent Manager is a new entity class introduced by Rule 4 of the DPDP Rules 2025. Consent Managers are intermediaries, registered with the Data Protection Board, that enable Data Principals to manage their consent across multiple services through a single platform. They must be incorporated in India, maintain a minimum net worth of ₹2 crore, and operate an interoperable platform. The registration framework opens in November 2026. Consent Managers act as fiduciaries to the Data Principal, meaning they must prioritise the individual's interests over those of any Data Fiduciary.

Simplify Your DPDP Compliance

This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.

ComplyZero helps Indian businesses implement DPDP compliance without the complexity. From consent management to multilingual privacy notices, breach notification workflows to DSR portals, the platform handles the operational requirements so your team can focus on building your product.

