DPDP Rules 2025: India’s Complete Compliance Guide | Seclore

India’s Digital Personal Data Protection (DPDP) Act 2023 is now fully operational. The DPDP Rules 2025 — notified on 13 November 2025 via Gazette G.S.R. 846(E) — set out detailed compliance obligations for every organisation that processes the personal data of individuals in India. Whether you are a start-up, an enterprise, or a multinational with Indian operations, you are likely a Data Fiduciary under this law. This guide walks you through what the DPDP Rules require, when deadlines apply, and how you can achieve compliance with confidence.

The Digital Personal Data Protection Act 2023 (No. 22 of 2023) received Presidential assent on 11 August 2023 and came into force in phases per G.S.R. 843(E), notified 13 November 2025. It establishes rights for Data Principals (individuals whose data is processed) and obligations for Data Fiduciaries (organisations that determine the purpose and means of processing). The Data Protection Board of India — established in the NCT of Delhi per G.S.R. 844(E) with four members per G.S.R. 845(E) — has enforcement authority.

Any person who alone or jointly with others determines the purpose and means of processing personal data is a Data Fiduciary. This includes companies, government bodies, NGOs, and sole proprietors. Processing includes collection, storage, use, sharing, and deletion of personal data. Even organisations based outside India are covered if they process the personal data of individuals in India in connection with offering goods or services to them.

Note: Certain exemptions apply for personal/domestic use, journalistic purposes, research, and national security under Sections 17–18 of the Act.

Rule 3 specifies the form and manner of notice and consent. Consent must be: (1) Free — not bundled or coerced; (2) Specific — for a defined purpose; (3) Informed — supported by a clear notice; (4) Unconditional; (5) Unambiguous — indicated by a clear affirmative action. Consent cannot be obtained through dark patterns or deceptive design. Pre-ticked boxes are not valid.

NOTICE REQUIREMENTS (Rule 3): The notice must be provided in clear, plain language before collecting personal data. It must state: the personal data to be processed, the purpose of processing, and how the Data Principal can exercise their rights (including withdrawal of consent). Notice must be available in the 22 languages listed in the Eighth Schedule of the Constitution if the user requests it.

Individuals may manage their consent through a registered Consent Manager — a Data Fiduciary that acts as a single point of contact for Data Principals to give, manage, review, and withdraw consent across multiple Data Fiduciaries. Consent Managers must be registered with the Data Protection Board and are accountable to the Data Principal. This opens a new ecosystem of consent orchestration tools that organisations may integrate with.

LEGITIMATE USES (Section 7): In addition to consent, processing is also permitted for certain legitimate uses without consent: employment purposes, medical emergencies, public health, legal proceedings, state functions, and other notified purposes.

Rule 6 requires Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches. The rule specifies a minimum set of seven technical and organisational controls:

1. ENCRYPTION — of personal data both in storage and in transit

2. ACCESS CONTROLS — restrict access to authorised personnel only

3. DATA MASKING / ANONYMISATION — where appropriate to the context

4. MONITORING — logs of access and processing activities

5. LOG RETENTION — access and activity logs must be retained for one year

6. INCIDENT RESPONSE — documented processes for responding to breaches

7. DATA PROCESSOR AGREEMENTS — contracts must require processors to implement equivalent safeguards

Penalty for breach of Section 8(5): Up to ₹250 crore per incident.

Rule 7 establishes a two-stage notification obligation upon discovering a personal data breach:

STAGE 1 — IMMEDIATE BOARD NOTIFICATION

As soon as a breach is discovered, notify the Data Protection Board. The initial notice must include: a description of the breach, the categories and approximate number of Data Principals affected, likely consequences of the breach, and measures taken or proposed to address the breach.

STAGE 2 — DATA PRINCIPAL NOTIFICATION (within 72 hours)

After the Board notification, affected Data Principals must be notified within 72 hours. The notification must include: a plain-language description of the breach, what data was exposed, protective measures Data Principals can take, and the Data Fiduciary’s contact details for queries.

Penalty for failure to notify: Up to ₹200 crore per incident.

Section 8(7) of the Act and Rule 8 of the DPDP Rules 2025 set out the erasure framework. Personal data must be erased as soon as the purpose for which it was collected is no longer being served — either because consent has been withdrawn, the purpose has been fulfilled, or the individual has not engaged with the service within the retention period.

The Third Schedule to the DPDP Rules sets default retention periods for specific sectors:

E-COMMERCE entities with 2 crore+ users: 3 years from last transaction or login

ONLINE GAMING entities with 50 lakh+ users: 3 years from last login

SOCIAL MEDIA entities with 2 crore+ users: 3 years from last login

ERASURE RIGHTS (Section 12): Data Principals have the right to request erasure of their personal data. Requests must be addressed within 90 days (Rule 14). Data Fiduciaries must also erase data held by their Data Processors.

Section 9 of the Act and Rule 10 of the DPDP Rules 2025 impose heightened obligations for the processing of personal data of minors (children under 18) and persons with disabilities who have a lawful guardian.

VERIFIABLE PARENTAL CONSENT is required before processing. Rule 10 specifies the approved verification methods, including integration with DigiLocker (India’s government-backed digital document wallet) to verify the parent’s identity and establish the parent-child relationship.

PROHIBITED PROCESSING: Data Fiduciaries must not track, monitor, or profile children, or engage in behavioural targeting directed at children. Platforms must not serve targeted advertising to children.

AGE-GATE DESIGN: Organisations collecting data must have technical measures to detect and prevent processing without verified parental consent for minors.

The DPDP Act grants individuals the following rights over their personal data:

1. RIGHT TO ACCESS (Section 11) — Summary of data being processed and processing activities

2. RIGHT TO CORRECTION & ERASURE (Section 12) — Correct inaccurate data, update outdated data, or have personal data erased

3. RIGHT TO GRIEVANCE REDRESSAL (Section 13) — Raise concerns with the Data Fiduciary

4. RIGHT TO NOMINATE (Section 14) — Nominate another person to exercise rights after death/incapacity

5. RIGHT TO WITHDRAW CONSENT — Withdraw at any time; withdrawal doesn’t affect prior processing

RESPONSE TIMELINE (Rule 14): Data Fiduciaries must respond to Data Principal requests within the period specified in the rules. Grievance redressal must be completed within 90 days of receiving a complaint.

GRIEVANCE OFFICER: Each Data Fiduciary must designate a contact person or mechanism for Data Principals to raise complaints. Details must be published in the privacy notice.

The Central Government may designate any Data Fiduciary or class of Data Fiduciaries as a “Significant Data Fiduciary” (SDF) based on six factors specified in Section 10(1):

1. Volume and sensitivity of personal data processed

2. Risk to rights of Data Principals

3. Potential impact on sovereignty and integrity of India

4. Risk to electoral democracy

5. Security of the State

6. Public order

Note (future notification): The specific list of designated SDFs has not yet been published. Organisations in financial services, health, telecom, and large consumer platforms are most likely to be designated.

ADDITIONAL OBLIGATIONS FOR SDFs (Rules 12–14):

  • Appoint a Data Protection Officer (DPO) resident in India
  • Appoint an independent Data Auditor
  • Conduct annual Data Protection Impact Assessments (DPIAs)
  • Conduct annual algorithmic audits (Rule 13)
  • Comply with data localisation requirements (if notified)
  • Respond to Data Principal requests within tighter timelines

Section 16 of the Act permits the transfer of personal data outside India to countries or territories notified by the Central Government. Rule 15 provides the framework for how these transfers are governed.

Note (future notification): The approved country list has not yet been notified by the Central Government. Transfer restrictions will come into effect once this list is published. Organisations should begin mapping cross-border data flows now to prepare.

RECOMMENDED ACTION: Organisations should:

  • Conduct a data flow mapping exercise to identify all cross-border transfers
  • Categorise data by sensitivity and receiving country risk
  • Implement data rights management controls that can enforce geographic restrictions
  • Monitor MeitY notifications for the approved country list

13 Nov 2025 — DPDP Rules 2025 officially notified (G.S.R. 846(E))

13 Nov 2025 — Data Protection Board of India established (G.S.R. 844(E))

Q1 2026 — Board likely to begin operationalising enforcement mechanisms

[TBD] — Significant Data Fiduciary designations notified

[TBD] — Approved cross-border transfer country list notified

~Nov 2026* — MeitY proposed 12-month deadline (stakeholder consultation, Jan 23 2026)

~May 2027 — Original 18-month compliance deadline (if acceleration not confirmed)

*The January 23, 2026 MeitY stakeholder consultation proposed accelerating the deadline from 18 months to 12 months. This has NOT been formally confirmed by gazette notification. Organisations should plan for the earlier Nov 2026 target as a prudent baseline.

RECOMMENDED: Begin compliance programme immediately. Typical enterprise DPDP programmes require 9–12 months to complete gap assessment, implement controls, and achieve audit readiness.

The Schedule to the DPDP Act 2023 sets out maximum penalties:

₹250 CRORE — Failure to implement reasonable security safeguards (Section 8(5))

₹200 CRORE — Failure to notify the Board or Data Principals of a breach (Section 8(6))

₹200 CRORE — Non-compliance with special provisions for children (Section 9)

₹150 CRORE — Failure to fulfil additional SDF obligations (Section 10)

₹10,000 — Failure to observe duties of Data Principal (Section 15)

UP TO THE UNDERLYING PENALTY — Breach of voluntary undertaking accepted by the Board (Section 32 — the penalty equals that applicable for the original breach)

NOTE: The Data Protection Board may consider factors including the nature of the breach, the number of individuals affected, the Data Fiduciary’s history of compliance, and remediation efforts when determining the actual penalty amount.

Seclore’s data-centric security platform helps organisations meet their DPDP obligations at the data level — not just at the perimeter. Our Rights Management and Data Classification solutions provide the technical controls required by Rule 6 (security safeguards), and the audit trail capabilities needed for Board notifications under Rule 7 (breach response).

CAPABILITY 1: DATA PROTECTION & ENCRYPTION — Persistent encryption follows the file, not just the network. Ensures data remains protected even when shared outside the organisation. Maps to Rule 6 security safeguards requirement.

CAPABILITY 2: ACCESS CONTROLS & RIGHTS MANAGEMENT — Granular, policy-driven access controls with automatic expiry and remote revocation. Supports erasure obligations under Rule 8 and enables compliance with Data Principal erasure requests.

CAPABILITY 3: AUDIT TRAILS & BREACH DETECTION — Detailed activity logs retained for the Rule 6-mandated one-year period. Real-time alerts on anomalous access patterns to support the Rule 7 breach notification timeline.

Seclore works with enterprise teams across India to assess their DPDP readiness, implement data-centric controls, and build audit-ready compliance programmes. Our experts can help you map your data flows, identify gaps against the DPDP Rules, and deploy the right technical safeguards before the compliance deadline.

DPDP FAQs

Does the DPDP Act apply to my company if we are headquartered outside India?

Yes. The Act applies to any organisation that processes the personal data of individuals in India in connection with offering goods or services to them, regardless of where the organisation is based.

What counts as “personal data” under DPDP?

Any data about an identifiable individual — including names, email addresses, phone numbers, device IDs, location data, and any data that can identify a person directly or in combination with other data.

Do we need to appoint a Data Protection Officer?

Only if you are designated as a Significant Data Fiduciary by the Central Government. Other Data Fiduciaries must have a grievance redressal mechanism but do not need a formal DPO.

What is the difference between a Data Fiduciary and a Data Processor?

A Data Fiduciary determines the purpose and means of processing. A Data Processor processes data on behalf of and under the instructions of a Data Fiduciary. Both have obligations under the DPDP Rules, but Data Fiduciaries bear primary accountability.

We currently use a third-party cloud provider to store customer data. Are we still responsible?

Yes. The Data Fiduciary remains accountable for compliance. Your contracts with Data Processors (cloud providers) must require them to implement equivalent security safeguards as required by Rule 6(f).

Start your DPDP compliance programme today and avoid enforcement risk.