The central government by Ministry of Electronics and information Technology notify the DPDP Rules, 2025 in exercise of powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023.
Phase 1 (Effective Immediately: November 2025)
These rules are primarily administrative, focused on setting up the Data Protection Board (DPB).
- Rule 1: Short Title and Commencement (The name of the rules and timeline)
- Rule 2: Definitions
- Rule 17: Appointment of Chairperson and Members of the Board
- Rule 18: Salary, allowances, and conditions of service
- Rule 19: Procedure for meetings of the Board
- Rule 20: Functioning of the Board as a digital office
- Rule 21: Terms and conditions for officers and employees of the Board
Phase 2 (Effective in 12 Months: by November 2026)
This phase is focused on creating the technical infrastructure for consent.
- Rule 4: Registration of Consent Managers
Phase 3 (Effective in 18 Months: by May 2027)
This phase includes all the core data protection duties and user rights.
- Rule 3: Notice and Consent
- Rule 5: Processing data for state functions (subsidies, benefits, etc.)
- Rule 6: Security Safeguards (To prevent breaches)
- Rule 7: Data Breach Reporting (To the Board and to users)
- Rule 8: Data Retention Limits (How long data can be kept)
- Rule 9: Publishing contact information for the Data Protection Officer
- Rule 10: Processing data of Children
- Rule 11: Processing data of Persons with Disabilities
- Rule 12: Exemptions related to children's data
- Rule 13: Additional duties for Significant Data Fiduciaries (Large companies)
- Rule 14: Data Subject Rights (Correction, Erasure, Grievance)
- Rule 15: Transferring personal data outside of India
- Rule 16: Exemptions for research, archiving, and statistics
- Rule 22: Procedure for appealing to the Tribunal
- Rule 23: Board's power to require information
Practical Implementation Roadmap for Organisation
Phase one Immediately (0 -12 weeks)
Goal: Prepare the foundation
- Form a DPDP compliance team.
- Map what personal data you collect and where it flows.
- Fix basic security controls (access control, encryption, logging).
- Draft a simple DPDP-compliant privacy notice.
- Start monitoring announcements from the Data Protection Board.
Phase Two By 12 Months (Before 13 Nov 2026)
Goal: Get ready for the Consent Manager regime
Decide how your organisation will manage consent:
- Integrate with a Consent Manager, or
- Become a Consent Manager (if eligible), or
- Build strong internal consent systems.
- Update systems to store consent records properly.
- Update vendor contracts to include DPDP security & consent sharing obligations.
Phase Three By 18 months (Before 13 May 2027)
Goal: Full operational DPDP compliance
You must have all day-to-day processes working:
1. Privacy Notice & Consent
- Publish a clear, simple, DPDP-compliant privacy notice.
- Implement easy consent withdrawal.
2. Security & Breach Response
- Complete security hardening.
- Set up breach detection and 72-hour notification system.
3. Data Principal Rights
- Build a working rights request
system
(access, correction, erasure, grievance respond within 90 days).
4. Data Retention & Deletion
- Apply correct retention schedules.
- Implement deletion workflow with a 48-hour warning to users.
5. Children’s Data
- Add age verification and parental consent mechanism.
6. Significant Data Fiduciary (if applicable)
- Identify if you are an SDF.
- Start DPIA, audits, algorithmic accountability steps.
7. Cross-Border Data Transfers
- Align processes with government/Board transfer restrictions.
Phase four Ongoing (Post 18 months)
Goal: Sustain compliance
- Annual audits (if SDF).
- Continue log retention, update notices, retrain teams, and follow Board directions.