Laying out the operational framework for data protection in India, the Ministry of Electronics and Information Technology (MeitY) has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025. The notification follows the government's consideration of objections and suggestions on the draft DPDP Rules, 2025, issued in January 2025. The rules are to be rolled out in phases: Rules 1, 2 and 17 to 21 come into force immediately, Rule 4 comes into force one year later, and Rules 3, 5 to 16, 22 and 23 come into force 18 months after the notification.
The DPDP rules call for the setting up of a Data Protection Board, a key regulatory body. The rules also guide data breach reporting, verifiable parental consent, the operational framework of a consent manager, compliance requirements, criteria for classifying a significant data fiduciary (company or organisation that collects, stores, or uses the user’s personal data), and prescriptive security safeguards for protecting personal data. "India has decisively moved its landmark data-protection regime into the operational phase. These steps signal that the legal framework is no longer theoretical but enforceable, meaning organisations must now transition from planning to action," says Akshay Garkel, Partner & Leader, Cyber, Grant Thornton Bharat.
How companies can send notices to users: Companies must present notices in clear and plain language, so that they give a fair account of the details necessary for informed consent. A notice should contain an itemised description of the personal data being collected; the specified purpose or purposes of the processing, with a specific description of the goods or services to be provided; and the communication link for accessing the company's website or app, or both. "Organisations may need to reassess their consent frameworks to ensure that consent is specific, informed, and clearly distinguishable from the standard terms of use that users typically auto-accept. While the Rules provide some commercial flexibility by allowing stakeholders to adopt reasonable security safeguards, they also mandate certain minimum measures including encryption, and obfuscation," says Harsh Walia, Partner at Khaitan & Co.
Obligations of consent managers: Consent Managers must fulfil conditions in Part A of the First Schedule and must be registered by the Board. If the board believes that a consent manager is not adhering to the conditions and obligations under this rule, it may, after giving an opportunity to be heard, suspend or cancel their registration. “The Board may, for this rule, require the Consent Manager to furnish such information as the Board may call for.”
Processing of personal data for various provisions: Under this rule, personal data can be processed for the provision or issue of a subsidy, benefit, service, certificate, licence or permit by the State and its instrumentalities.
Security safeguards: A company must protect personal data in its possession or under its control by taking reasonable security safeguards to prevent a personal data breach. These include appropriate data security measures, steps to control access to computer resources, visibility into who accesses such personal data, the ability to continue processing in the event that confidentiality is compromised, detection of unauthorised access, and supporting technical and organisational measures. Organisations will also need to invest in updated processes, technologies, and training to create a more transparent ecosystem.
Intimation of personal data breach: On becoming aware of any personal data breach, the company must inform each affected user, in a concise, clear and plain manner and without delay, through the user account or any mode of communication registered by the user with the company. Within 72 hours, the Board must also be updated with the measures taken and the findings about the breach.
Contact information of person to answer questions about processing: Every organisation must prominently publish on its website or app, and mention in every response to a communication, the business contact information of the Data Protection Officer, or of a person who can answer on behalf of the company the user's questions about the processing of their personal data.
Verifiable consent for processing of personal data of a child: A company will adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child, and will observe due diligence for checking that the individual identifying herself as the parent is an adult.
The DPDP Rules give Indian enterprises a clear roadmap on how they collect, process, secure and govern personal data. Experts welcome the phased rollout, as it gives enterprises the space to operationalise privacy, recalibrate their data architecture and embed accountable company practices. “The rules set fixed obligations, which leads to an increase in the cost of compliance, apart from an increase in the legal and operational costs. Now, enterprises must immediately prioritise data discovery, classification and data-mapping exercises, implement consent and retention workflows, strengthen breach-response mechanisms, and deploy technology-led governance tools that provide real-time visibility across the data lifecycle,” says Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India.
Businesses have an 18-month window to comply with core obligations. “With the Data Protection Board now established and staggered compliance timelines taking effect, businesses need to shift focus from high-level planning and sensitisation to actual implementation of obligations. The next 18 months will be critical for achieving the right balance between user rights, regulatory certainty and business practicality,” says Probir Roy Chowdhury, Partner-JSA Advocates & Solicitors.
Aruna Sharma, practitioner development economist and retired government secretary, agrees, saying: “A reasonable timeframe will enable entities to gear up their systems and come on board. Some aspects of access to data by authorised agencies will need more caution and fine-tuning to ensure privacy norms.”
While these rules are a significant step forward, the successful implementation will require ongoing collaboration among regulators, businesses, and consumers, say experts. “It is essential that organisations take proactive steps to comply with these regulations, ensuring not only legal adherence but also the responsible handling of personal data. Achieving compliance will require a continuous and strategic effort, as the rules emphasise the importance of integrating data governance, privacy, and security at the foundational level - across both system design and organisational culture,” says Mayuran Palanisamy, Partner, Deloitte India.
The staggered approach set out in the rules gives businesses vital breathing room, but they must move quickly, experts say. "The final rules to the Digital Personal Data Protection Act 2023 are now out, and, as expected, the Government has opted for a phased rollout of the law. The Data Protection Board has been operationalised. However, businesses have an 18-month window to comply with core obligations such as privacy notice, consent, transfer obligations, security safeguards, and children’s data handling, while consent manager registration carries a one-year timeline," says Supratim Chakraborty, Partner at Khaitan & Co.
The final set of rules is in line with those issued in January 2025, with a few notable exceptions. The final Rules now set out the timelines for their implementation: immediately for certain provisions relating to establishing the Data Protection Board, one year for those related to consent managers, and 18 months for rules relating to notices, breach reporting, data retention, etc. More detail is provided in the Rule on obtaining ‘verifiable parental consent’, where definitions of “adult”, “authorised entity”, and “digital locker service provider” have been specified, and a separate rule on processing the personal data of a person with disability has been added. There are other, smaller ‘tweaks’ in the final Rules, for example an added ground for processing children's data: determining their real-time location for safety or protection purposes.
“The final rules are an iteration of the version released in early 2025. Both the DPDPA law and these rules seek to operationalise the mandate of the Supreme Court following the Puttaswamy judgment; they do deliver since India now has a standalone data privacy law to protect the fundamental right to privacy. The real proof-of-the-pudding will be in its implementation and enforcement,” says Vikram Jeet Singh, Partner at BTG Advaya.
The notification of the final DPDP Rules and their phased rollout marks an important milestone in India’s digital journey. For the IT and ITES industry, it provides long-awaited clarity on compliance, user consent, and breach-response expectations, while still giving room for innovation to thrive, say experts.
“The focus on transparent data practices, responsible consent management for children and vulnerable users, and clear timelines for reporting breaches brings India closer to global data governance standards. More importantly, it helps strengthen the trust that our customers and partners expect from us,” says Sujit Patel, CEO & MD, SCS Tech India, a global system integration and digital transformation company.
For the financial ecosystem as well, the rules come at a crucial moment. “The message is clear, data governance is now both a regulatory imperative and a strategic advantage. At FSS, we welcome this move and are deepening our focus on privacy-by-design, lifecycle data controls and transparent AI pipelines to ensure our processing platforms remain trusted, compliant and future-ready,” says Vishal Maru, Global Processing Head, Financial Software and Systems.