New Delhi: India’s much-awaited Digital Personal Data Protection (DPDP) Rules, 2025, are finally here. The Ministry of Electronics and Information Technology (MeitY) notified the full operational framework on Tuesday, setting the wheels in motion for the country’s first full-fledged data protection regime. The rules bring in tighter safeguards, fresh compliance requirements, and a phased rollout that gives the industry up to 18 months to fall in line.
The framework, notified under the DPDP Act, 2023, includes obligations on how companies collect, store, and process personal data. The rules follow public consultations on the draft version released in January. The final version reflects several changes based on stakeholder inputs. From breach reporting deadlines to child-data rules, there’s a lot packed into this new legal structure.
Some rules apply now, others staggered over 18 months
The rollout is broken into stages. Rules 1, 2, and 17 to 21 are in effect immediately. Rule 4, which deals with Consent Manager registration, kicks in after one year. The rest, including major rules related to notices, breach handling, retention limits, and child-data processing, will apply 18 months from the notification date.
This approach gives companies breathing room, especially smaller ones still understanding how the DPDP Act works. But some requirements are already live, and the timelines are fixed.
Privacy notices must be clear, standalone, and easy to understand
Under Rule 3, Data Fiduciaries (companies that collect and decide how to use personal data) need to send clear notices. These notices must not be buried inside terms and conditions. Instead, they should list exactly what data is being collected and why it’s needed, and include direct links for users to withdraw consent or raise complaints.
This one feels overdue. We’ve all seen those endless policy popups where nothing is actually clear. The new rule forces companies to spell things out simply.
Mandatory breach notification in 72 hours
If there’s a data breach, companies will now have to notify both the affected users and the new Data Protection Board. Initial alerts must go out immediately, followed by a detailed report within 72 hours. This is one of the stricter rules in the package and could push companies to seriously rethink how they handle cybersecurity.
The rules also say affected users should get details on the type of breach, what risks it creates, what the company is doing about it, and who to contact for help.
Rules on child data, disabilities, and contact points
Before handling children’s data, platforms need to get verifiable parental consent. This can be done using existing user data, new IDs voluntarily submitted, or tokens from authorised providers like DigiLocker. Collecting data from or about children without this step may be a violation once the rule takes effect.
Fiduciaries must also verify legal guardianship before processing data of users with disabilities. All companies must display contact details of their Data Protection Officers or representatives for complaints or rights-related queries.
Stricter rules for ‘Significant’ Data Fiduciaries
Some companies will fall under the category of Significant Data Fiduciaries (SDFs), based on their size, data volume, or user impact. These firms will face extra duties. They must carry out annual audits, risk assessments, and submit the reports to the Data Protection Board. They’ll also need to check that their tech systems, algorithms, and automated tools are not harming users’ rights.
The government may also notify localisation rules for specific categories of data handled by these entities.
Cross-border transfers, data retention, and more
Cross-border data transfers are allowed unless the Centre blocks specific countries or entities. Research, archiving, and statistical use cases are exempt if they meet certain privacy safeguards. Companies must also set data retention policies and warn users 48 hours before deleting inactive data, as defined in the new Third Schedule.
The Board and its pay scale now official
The final rules also set up how the Data Protection Board will be run. A Search-cum-Selection Committee led by the Cabinet Secretary will pick the Chairperson. A separate panel will suggest names for Board Members. The Chairperson’s monthly salary will be ₹4.5 lakh, as per the Fifth Schedule.
For now, businesses, tech firms, startups, and public sector platforms have a clear roadmap. The government has given time but is setting tight boundaries. With some rules already active, the countdown for compliance has begun. The final rules close the loop on years of policy discussions around personal data in India. The real test starts now, in boardrooms, on cloud servers, and in the apps that millions use every day.