Privy

DPDP Rules: A Quick Summary of the Digital Personal Data Protection Rules


The Digital Personal Data Protection (DPDP) rules were released by the Ministry of Electronics and Information Technology (MeitY) on Friday, November 14, 2025. These rules outline how to effectively operationalise the first-ever law in India governing the processing and governance of individuals’ Personally Identifiable Information (PII).

The DPDP draft rules first came out in January 2025. Following submission reviews and inter-ministerial consultations, MeitY released the final DPDP rules on November 13th. The rules set out detailed obligations for consent management platforms for personally identifiable information (PII), along with obligations around grievance redressal, breach reporting, data retention and erasure, and verifiable consent for minors, among others. The rules, while not providing any ‘templates for a model’, do give a fairly descriptive list of inclusions, such as an itemised list of personal data elements, purposes, and services/products availed, details of grievance and complaints logging with the Data Protection Board, and rights management.

Here’s a quick summary of the DPDP rules:

  • Commencement: Rules 1, 2, and 17–21, which relate to the constitution and functioning of the Data Protection Board, are effective immediately from the date of gazette publication. Rule 4, outlining directives for Consent Managers, will take effect after one year. The remaining rules, covering mandates for consent notices, obligations for Significant Data Fiduciaries, requirements for verifiable parental consent, and other operational compliance provisions, will come into force after eighteen months.
  • Obligations of Data Fiduciary (DF):

    1. Consent Notices: The DF must provide the Data Principal (DP) with a notice containing an itemized description of the personal data being collected and the purpose of collection.
    2. Security Measures: It is mandatory to implement appropriate data security safeguards, such as encryption, anonymization, or virtual tokens, to prevent data breaches.
    3. Data Breach Notification: The Data Fiduciary must notify the affected principals immediately upon becoming aware of a personal data breach and, after this, conduct a secondary investigation within 72 hours of the breach.
    4. Data Erasure: The DF must erase the personal data once the specified purpose has been met or after non-engagement within the specified period. The fiduciary must also maintain all logs for 1 year for investigation purposes.
    5. Consent Manager: The mandates regarding consent managers will trigger after 12 months. The Board has the power to suspend or revoke a Consent Manager's registration based on non-compliance. Consent Managers will enable the DP to give, manage, and withdraw consent to DFs.
  • Processing Data of Children and Persons with Disabilities:

    1. Children: The child needs to declare to the Data Fiduciary that the adult is their parent. The emphasis should be on obtaining consent from a verified adult as declared by the child (minor). DFs should maintain audit trails to prove that they have done their due diligence as per the DPDPA Rules.
    2. Persons with Disabilities: When obtaining verifiable consent from the lawful guardian of a person with disability, the DF must exercise due diligence to verify the guardian's appointment.
  • Additional Obligations of Significant Data Fiduciary (SDF): SDFs must conduct a Data Protection Impact Assessment and Audit every twelve months and submit the report to the Board. They must also review any algorithmic processing software.
  • Data Principal's Rights: The DF and Consent Manager must establish a grievance redressal system to ensure complaints are resolved within a reasonable period, not exceeding ninety days.
  • Cross-border Transfer of Data: Personal data may be transferred outside the territory of India, provided the DF meets the requirements specified by the Central Government.
  • Data Protection Board of India (Board): The Rules establish the formation of a Search-cum-Selection Committee for the appointment of the Chairperson and Members of the Board, their salaries and service conditions, and the procedure for Board meetings. The Board will operate as a Digital Office. The DPB is effective immediately.
  • Appeals: Appeals against the Board's orders can be filed digitally with the Appellate Tribunal, which will also function as a Digital Office.
  • Demand for Information by the Government: The Central Government can require a Data Fiduciary or intermediary to furnish information for specified purposes, including the sovereignty and security of India. If the disclosure could adversely affect the security of India, the Government may prohibit the disclosure.

Here’s what Mr. Ashok Hariharan, CEO of IDfy, the company behind India’s First Full-Stack DPDP Compliance & Privacy Governance Platform, Privy, has to say about the rules:

“The notification of the DPDP Rules marks a pivotal shift in India’s data protection landscape. It isn’t simply about meeting obligations - it’s about redefining how we honour the trust placed in us by every individual whose personal data we steward. As an industry, we must elevate our thinking from ‘Can we comply?’ to ‘How will we lead?’ - designing systems where consent is not an afterthought, breach-readiness is built in, and privacy by design becomes the default. The real work begins now: translating policy into architecture, ambition into culture, and intent into impact. With the launch of the DPDP Act, the government has redeemed its pledge, not in half measure, but wholly and substantially, to guarantee Privacy as a constitutional right for the people of Bharat, which it made in 2018.”

This is a big step for the country on data, privacy, and the governance of personally identifiable information (PII). Privy, India’s first data governance and compliance platform, is already trying to mitigate these concerns with some of the country's trusted brands, such as Axis Bank, Axis Finance, TrustPaisa and others.

We will keep you updated on the latest developments pertaining to the DPDP rules and how they are going to impact your business. Stay glued to this space for more information on data, privacy, compliance, and all things DPDP.

Get in touch with us at shivani@idfy.com to take control over your data with India’s most trusted DPDP compliance platform.