India issues detailed rules for implementing the Digital Personal Data Protection Act

India has published the official Digital Personal Data Protection (DPDP) Rules 2025, setting out the operational framework that will govern how personal data is collected, processed, stored, and transferred under the DPDP Act. The rules introduce a phased implementation schedule, new compliance obligations for organisations, and detailed procedures for consent, notice, breach reporting, children’s data, and cross-border transfers.

India has released the official 2025 rules for implementing the Digital Personal Data Protection Act (DPDP Act). The new framework clarifies how data fiduciaries must handle notice, consent, security, breach reporting, retention, and grievance mechanisms. It also provides phased timelines for compliance and introduces several new definitions that change how key duties are understood in practice.

The rules set out a structured rollout. Provisions dealing with definitions and the functioning of the Data Protection Board take effect immediately. Registration requirements for Consent Managers will apply after one year. Core obligations, including notice, security safeguards, breach reporting, child-data protections, rights of data principals and cross-border transfer conditions, take effect after eighteen months. This staggered approach gives organisations time to adjust internal systems, update user interfaces, and prepare for data retention and verification requirements.

Several rules introduce clearer and stricter operational duties. Notice obligations now require specific rather than itemised descriptions of how data will be used. Security safeguards are framed as examples rather than fixed requirements, but the rules add a mandatory one-year minimum retention of logs and traffic data for all processing activities. Breach notifications must be issued within 72 hours. Data fiduciaries must also publish grievance timelines prominently and resolve complaints within ninety days. The rules on children’s data and data relating to persons with disabilities have been separated, with clearer verification requirements and a prohibition on targeted advertising or behavioural monitoring of children. Significant Data Fiduciaries face additional duties, including DPIAs, annual audits and due diligence checks on technical measures.

The brief also highlights substantive changes from the January 2025 draft. These include more precise definitions, a new one-year mandatory retention rule, expanded obligations for Significant Data Fiduciaries, and a revised structure for consent and age-verification. The rules also streamline cross-border transfer provisions by simplifying the scope of data that can be transferred and clarifying that restrictions will be based on government notifications. Taken together, the final rules move India’s data-protection regime from high-level principles to detailed operational requirements, signalling a shift toward tighter compliance expectations and more consistent enforcement across sectors.
