From Act to Rules
India’s DPDP Act, passed in 2023, established the legal foundation for personal data protection. However, the Act alone provided only high-level obligations. Organizations still lacked clarity on how to operationalize compliance.
That clarity arrived on 14 November 2025, when the government of India released the DPDP Rules 2025 – transforming the Act’s principles into enforceable processes, mechanisms, and safeguards. The Rules detail practical requirements for consent, notices, governance, security, breach handling, cross-border transfers, and special protections for children and high-risk processing.
This guide provides a structured breakdown of the DPDP Rules 2025.
1. Key Changes in the DPDP Rules 2025
While the DPDP Act set the overarching principles, the DPDP Rules introduce specific operational changes that organizations must now implement.
Key differences include:
1) Detailed Consent & Notice Framework
The Act required consent; the Rules now define how consent must be obtained, verified, and withdrawn. New elements include:
- Plain-language notices in specified languages
- Standardized notice components (purpose, categories, retention, grievance contact)
- Mechanisms for consent withdrawal
- Procedures for integrating Consent Managers
2) Mandatory Logging, Monitoring & Retention
The Act required “reasonable safeguards”; the Rules specify:
- Minimum log-retention periods (e.g., one year or more)
- Requirements for monitoring access, modifications, and transfers
- Periodic risk-based security reviews
3) Enhanced Verification for Children & Vulnerable Individuals
The Rules define:
- How to verify parent/guardian identity
- Documentation formats for verification
- Restrictions on profiling or targeted advertising to children
4) Practical Security Safeguards
The Act referenced “security measures”; the Rules list them explicitly:
- Encryption and masking/tokenization
- Access controls and authentication standards
- Backup and recovery requirements
- Vendor security alignment and processor oversight
5) Structured Breach Notification Mechanism
The Act required breach reporting; the Rules define:
- Notification timelines
- Information to include in breach reports
- Requirements to inform affected Data Principals
- Cooperation expectations with the Data Protection Board
6) Governance, Audits & Accountability
The Rules introduce:
- Documented retention schedules
- Governance structures for Data Fiduciaries
- Internal escalation workflows
- Additional documentation expectations for audits
In short, the Rules convert the Act into a practical compliance system with concrete steps, procedures, and evidence requirements.
2. Key Definitions Introduced or Clarified
To help organizations understand their obligations, the Rules refine and expand several important terms.
| Term | What It Means |
|---|---|
| Data Principal | The individual to whom personal data relates. For children and persons with disabilities, the parent or lawful guardian acts on behalf of the Data Principal. |
| Data Fiduciary | The organization that determines the purpose and means of processing personal data. Most compliance obligations fall on this role. |
| Data Processor | An entity that processes personal data on behalf of a Data Fiduciary under a contractual relationship. It must follow the fiduciary's instructions and safeguards. |
| Consent Manager | A registered entity that enables individuals to give, manage, review, or withdraw consent through a standardized platform. |
| Significant Data Fiduciary (SDF) | A Data Fiduciary designated by the government because of the scale, sensitivity, or risk of its processing; it must meet additional legal obligations. |
3. Who Falls Under DPDP, and Who is Exempt
1) Covered Under DPDP
- All organizations processing digital personal data within India
- Entities outside India processing personal data of individuals located in India (e.g., global SaaS platforms, e-commerce, telecoms)
- Data Fiduciaries and Data Processors – public or private
- Any organization digitizing offline personal data
2) Exemptions
- Personal or household use (non-commercial)
- Government functions involving national security, law enforcement, or court operations
- Data made publicly available by the individual or under the law
- Research, statistical, or archiving work where data is anonymized
- Specific processing categories exempted by the government notification
These exemptions typically relax certain obligations rather than removing them entirely.
4. Penalties Under DPDP
The DPDP imposes some of the highest data-protection penalties in Asia. The Data Protection Board of India (DPB) is responsible for investigating complaints and imposing financial penalties.
Penalties for key violations are:
| Violation | Penalty (Up To) |
|---|---|
| Failure to implement “reasonable security safeguards” | ₹ 250 crore (≈ $28.3 million) |
| Failure to notify a data breach / violation of children’s data obligations | ₹ 200 crore (≈ $22.6 million) |
| Failure of an SDF to meet its additional obligations | ₹ 150 crore (≈ $17 million) |
| Any other breach under the Act (catch-all) | ₹ 50 crore (≈ $5.65 million) |
| Frivolous or malicious complaint by a Data Principal | ₹ 10,000 (≈ $113) |
5. Additional Obligations for Significant Data Fiduciaries (SDFs)
SDFs face higher compliance requirements due to scale, sensitivity, or risk.
Obligations include:
- Appointment of a Data Protection Officer (DPO)
- Mandatory Data Protection Impact Assessments (DPIAs)
- Annual independent data-protection audits
- Algorithmic and automated processing risk assessments
- Enhanced record-keeping and governance measures
Organizations handling large-scale profiles, behavioral data, or sensitive datasets should assume SDF designation.
6. Cross-Border Data Transfers Under DPDP Rules 2025
The Rules empower the government to:
- Restrict transfers of specific categories of personal data
- Notify “negative lists” of countries to which data cannot be transferred
- Require additional conditions for certain transfers
- Impose localization requirements for specific data types
Organizations must map all data flows and ensure that offshore vendors, cloud services, and international teams comply with upcoming restrictions.
7. DPDP Rules 2025 Compliance Readiness Checklist
The checklist below serves as a practical tool for CISOs, DPOs, compliance teams, and IT governance teams to evaluate their current readiness under the DPDP Rules 2025 and identify gaps that require immediate attention.
| Governance & Rules | Status |
|---|---|
| Have you identified all Data Fiduciaries and Processors within your organization? | |
| Is there a designated privacy lead or DPO (if SDF)? | |
| Are data-protection responsibilities documented across teams? | |

| Notice & Consent Requirements | Status |
|---|---|
| Have you presented a clear, plain-language notice at or before data collection? | |
| Does the notice explain the categories of data collected, purpose, retention, rights, and grievance contacts? | |
| Is consent collected through explicit, affirmative action? | |
| Is consent withdrawal simple and accessible? | |
| Are Consent Manager integrations planned? | |

| Data Minimization, Retention & Deletion | Status |
|---|---|
| Have you mapped all data collection points? | |
| Are data-retention schedules documented and enforced? | |
| Does deletion apply across live systems, archives, and backups? | |

| Security Safeguards | Status |
|---|---|
| Are encryption, masking/tokenization, and access controls implemented? | |
| Are logs retained for the minimum required duration? | |
| Is there continuous monitoring for unauthorized access or misuse? | |
| Do vendors adhere to equivalent safeguards? | |

| Breach Notification | Status |
|---|---|
| Is there a documented breach-response plan? | |
| Can you notify the DPB and affected individuals within the prescribed timelines? | |
| Are breach records maintained and reviewable? | |

| Cross-Border Transfer Readiness | Status |
|---|---|
| Have you mapped all international transfers? | |
| Are you prepared to comply with country-specific restrictions? | |
| Do vendors or cloud providers meet transfer conditions? | |
Data-Centric Governance for DPDP Readiness
With the DPDP Rules 2025, India now has a complete operational framework governing personal data. As organizations prepare for enforcement, the challenge will be less about interpreting the law and more about demonstrating real, continuous control over how personal data is collected, used, shared, stored, and deleted.
This is where next-generation information protection and governance technologies, like Fasoo Data Security Platform, play an important role. The comprehensive platform helps organizations maintain persistent control over privacy data, regardless of whether it resides on endpoints, in cloud applications, or with external partners. By unifying discovery, classification, encryption, access control, and audit logging, Fasoo supports many of the operational disciplines required under the DPDP Rules. As the enforcement timeline approaches, organizations that invest in scalable, data-level controls will be better positioned to meet compliance obligations, reduce regulatory exposure, and strengthen the overall integrity of their data-handling practices.
