Skip to Content
CKonnect
  • Home
  • CourseKonnect
    • e-learning
    • Udemy
    • learning (Old LMS)
  • Career
    • Life @CKonnect
    • All Jobs
  • Knowledge Base
    • PrivacyReads
    • Community
    • Newsletters
    • Priv ToolKit
  • Stay Tuned
    • ComplyKonnect
    • E-PrivJournals
    • Priv-Books
  • Connects
    • 1:1
  • Contact Us
CKonnect
    • Home
    • CourseKonnect
      • e-learning
      • Udemy
      • learning (Old LMS)
    • Career
      • Life @CKonnect
      • All Jobs
    • Knowledge Base
      • PrivacyReads
      • Community
      • Newsletters
      • Priv ToolKit
    • Stay Tuned
      • ComplyKonnect
      • E-PrivJournals
      • Priv-Books
    • Connects
      • 1:1
  • Contact Us

DPDP Rules 2025: Implementation Timeline & Organizational Roadmap

  • All Blogs
  • Digital Personal Data Act, 2023
  • DPDP Rules 2025: Implementation Timeline & Organizational Roadmap
  • 17 July 2026 by
    DPDP Rules 2025: Implementation Timeline & Organizational Roadmap
    CKonnect

    The central government by Ministry of Electronics and information Technology notify the DPDP Rules, 2025 in exercise of powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023.

    Phase 1 (Effective Immediately: November 2025)

    These rules are primarily administrative, focused on setting up the Data Protection Board (DPB).

    • Rule 1: Short Title and Commencement (The name of the rules and timeline)
    • Rule 2: Definitions
    • Rule 17: Appointment of Chairperson and Members of the Board
    • Rule 18: Salary, allowances, and conditions of service
    • Rule 19: Procedure for meetings of the Board
    • Rule 20: Functioning of the Board as a digital office
    • Rule 21: Terms and conditions for officers and employees of the Board

    Phase 2 (Effective in 12 Months: by November 2026)

    This phase is focused on creating the technical infrastructure for consent.

    • Rule 4: Registration of Consent Managers

    Phase 3 (Effective in 18 Months: by May 2027)

    This phase includes all the core data protection duties and user rights.

    • Rule 3: Notice and Consent
    • Rule 5: Processing data for state functions (subsidies, benefits, etc.)
    • Rule 6: Security Safeguards (To prevent breaches)
    • Rule 7: Data Breach Reporting (To the Board and to users)
    • Rule 8: Data Retention Limits (How long data can be kept)
    • Rule 9: Publishing contact information for the Data Protection Officer
    • Rule 10: Processing data of Children
    • Rule 11: Processing data of Persons with Disabilities
    • Rule 12: Exemptions related to children's data
    • Rule 13: Additional duties for Significant Data Fiduciaries (Large companies)
    • Rule 14: Data Subject Rights (Correction, Erasure, Grievance)
    • Rule 15: Transferring personal data outside of India
    • Rule 16: Exemptions for research, archiving, and statistics
    • Rule 22: Procedure for appealing to the Tribunal
    • Rule 23: Board's power to require information

    Practical Implementation Roadmap for Organisation

    Phase one Immediately (0 -12 weeks)

    Goal: Prepare the foundation

    • Form a DPDP compliance team.
    • Map what personal data you collect and where it flows.
    • Fix basic security controls (access control, encryption, logging).
    • Draft a simple DPDP-compliant privacy notice.
    • Start monitoring announcements from the Data Protection Board.

    Phase Two By 12 Months (Before 13 Nov 2026)

    Goal: Get ready for the Consent Manager regime

    • Decide how your organisation will manage consent:

      • Integrate with a Consent Manager, or
      • Become a Consent Manager (if eligible), or
      • Build strong internal consent systems.
    • Update systems to store consent records properly.
    • Update vendor contracts to include DPDP security & consent sharing obligations.

    Phase Three By 18 months (Before 13 May 2027)

    Goal: Full operational DPDP compliance

    You must have all day-to-day processes working:

    1. Privacy Notice & Consent

    • Publish a clear, simple, DPDP-compliant privacy notice.
    • Implement easy consent withdrawal.

    2. Security & Breach Response

    • Complete security hardening.
    • Set up breach detection and 72-hour notification system.

    3. Data Principal Rights

    • Build a working rights request system
      (access, correction, erasure, grievance respond within 90 days).

    4. Data Retention & Deletion

    • Apply correct retention schedules.
    • Implement deletion workflow with a 48-hour warning to users.

    5. Children’s Data

    • Add age verification and parental consent mechanism.

    6. Significant Data Fiduciary (if applicable)

    • Identify if you are an SDF.
    • Start DPIA, audits, algorithmic accountability steps.

    7. Cross-Border Data Transfers

    • Align processes with government/Board transfer restrictions.

    Phase four Ongoing (Post 18 months)

    Goal: Sustain compliance

    • Annual audits (if SDF).
    • Continue log retention, update notices, retrain teams, and follow Board directions.

    By Naukhaiz Aftab

    in Digital Personal Data Act, 2023
    Share this post
    Our blogs
    • Where Privacy Meets Tech
    • Templates That Work: Built for Real Privacy Teams
    • The Privacy Perspective: Insights from the Real World
    • CKonnect Stories
    • e-learning from CourseKonnect
    • Privacy Team Pulse
    • Our blog
    • Digital Personal Data Act, 2023
    Digital Personal Data Protection Act, 2023 (DPDP Act)
    Follow us

    Privacy Notice ​​Refund Policy

     Terms & Conditions

        ​    connect@ckonnect.co.in

    How can we help?

    konnect with us

    Website Logo

    Respecting your privacy is our priority.

    Allow the use of cookies from this website on this browser?

    We use cookies to provide improved experience on this website. You can learn more about our cookies and how we use them in our Cookie Policy.

    Allow all cookiesOnly allow essential cookies