
By – Nikhil Anand
The Central Government has notified the Digital Personal Data Protection Rules, 2025 (the Rules) under Section 40 of the Digital Personal Data Protection Act, 2023 (DPDP Act), thereby operationalising the substantive provisions of India’s new data-protection regime. Alongside the Rules, two key notifications have been issued: (i) the establishment of the Data Protection Board of India (DPB) and (ii) a graded commencement timeline for the Act. Together, these instruments create the legal, administrative, and enforcement framework that will govern personal data in India.
The Rules adopt a structured, phased enforcement model. While certain institutional and procedural provisions come into force immediately, the core operational obligations, such as notice, consent, breach reporting, rights facilitation, children’s-data safeguards, and Significant Data Fiduciary (SDF) requirements, will become effective after 18 months. This staggered timeline offers organisations a realistic implementation window, particularly for high-impact compliance functions such as data mapping, security enhancement, and algorithmic-risk evaluation.
A central feature of the Rules is the standardised notice framework, requiring Data Fiduciaries to provide clear, standalone, comprehensible notices detailing the categories of data collected, the purposes of processing, the rights available to Data Principals, and mechanisms for consent withdrawal and grievance redressal. Complementing this is the Consent Manager framework, which creates a formal registration and oversight regime for intermediaries tasked with managing user consents. These entities must meet prescribed eligibility criteria, adhere to mandatory duties, and remain subject to suspension or cancellation by the DPB.
The Rules further codify a baseline set of technical and organisational security measures, including encryption, authentication, access controls, audit logging, breach detection, backup protocols, and continuity mechanisms. A rigorous data-breach notification system requires prompt communication to affected Data Principals and detailed incident reports to the DPB within hours of gaining knowledge of a breach. Data-retention requirements mandate deletion upon fulfilment of purpose while obligating entities to retain relevant logs and transactional records for at least one year to support audits and investigations.
Special protections apply to children and persons with disabilities, with verified parental consent being a prerequisite. Verification pathways include documentation-based checks, Digital Locker-based authentication, or government-issued tokens. Limited processing exemptions are available for sectors listed in Schedule IV, subject to conditions. For SDFs, heightened requirements apply, including annual Data Protection Impact Assessments (DPIAs), annual audits, algorithmic-safety verification, and compliance with any government-notified cross-border transfer restrictions.
Despite these strengths, several lacunae remain. The Rules do not provide a detailed penalty-calculation framework, leaving enforcement unpredictable. The cross-border data-transfer mechanism empowers the Government to designate restricted jurisdictions but does not articulate the substantive criteria or due-process safeguards for such decisions. Technical standards are described only in broad terms, with no guidance on encryption benchmarks, log formats, authentication protocols, or incident-response service-level expectations. Breach-notification timelines for Data Principals also lack precision, with the phrase “without delay” offering no concrete benchmark.
Further ambiguity arises in parental-consent verification, where the Rules cite examples but provide no binding workflow or acceptable error threshold, creating uncertainty for sectors like ed-tech and gaming. Obligations relating to “algorithmic harm” for SDFs are vague, with no prescribed testing methods or assessment frameworks.
The mandatory one-year retention of processing logs may conflict with sectoral laws requiring longer retention periods and could impose disproportionate burdens on smaller entities. The Rules also lack a defined procedure for Government agencies or regulators to request sector-specific data-retention directions from the DPB, leaving ambiguity on how customised retention timelines will be operationalised. The absence of standardised templates for notices, consent forms, breach reports, and DPIAs may lead to inconsistent industry practices until MeitY (Ministry of Electronics and Information Technology) or sectoral regulators issue supplementary guidance. Sector-specific rules for banking, health, telecom, and education are similarly absent, creating gaps in harmonisation with existing regulatory frameworks.
In essence, the Rules provide strong structural clarity and establish the backbone of a national privacy regime. However, their long-term effectiveness will depend on further governmental guidance, detailed technical standards, and sector-specific rulemaking. Organisations should utilise the 18-month transition period to overhaul data-governance mechanisms, strengthen cybersecurity controls, and operationalise rights-management and breach-response systems in alignment with the new compliance architecture.
The DPDP Rules, 2025 operationalise India’s data-protection regime by laying down detailed obligations on how personal data must be collected, processed, secured, and retained. They mandate a standardised notice-and-consent framework requiring Data Fiduciaries to issue clear, standalone notices and obtain informed, unbundled consent. The Rules also introduce a formal regulatory structure for Consent Managers, who must be registered, monitored, and governed by the Data Protection Board (DPB). On the security front, organisations are required to implement baseline technical and organisational controls, including encryption, authentication, access-management, audit logs, breach-detection systems, backup, and continuity measures. Breach reporting is stringent, requiring prompt notification to affected individuals and detailed submissions to the DPB within hours of becoming aware of the incident. Data-retention norms mandate deletion once the processing purpose is complete, but require entities to retain logs and transaction records for a minimum of one year. Additional safeguards apply to children and persons with disabilities through verified parental consent. For Significant Data Fiduciaries (SDFs), the Rules prescribe heightened compliance such as annual DPIAs, independent audits, algorithmic-risk checks, and adherence to any cross-border transfer restrictions notified by the Government.
The Digital Personal Data Protection Rules, 2025 are the implementing regulations issued under the DPDP Act, 2023 that operationalise India’s new personal-data governance framework. They set out how organisations must collect, use, secure, retain, and delete personal data. The Rules introduce a mandatory notice-and-consent structure, define technical and organisational security requirements, prescribe strict breach-notification obligations, and regulate the functioning of Consent Managers. They also formalise special safeguards for processing children’s data, impose enhanced duties on Significant Data Fiduciaries such as DPIAs and annual audits, and establish a phased enforcement timeline to support compliance readiness across sectors.
Yes. The DPDP Rules, 2025 have been officially notified by the Central Government under Section 40 of the DPDP Act, 2023. Alongside the Rules, the Government has also notified the establishment of the Data Protection Board of India (DPB), specified that it will comprise four members including a Chairperson, and issued a phased commencement schedule outlining when different provisions of the Act and the Rules will come into effect.
The Data Protection Board of India is the principal enforcement body under the DPDP Act. It is empowered to receive and adjudicate complaints relating to personal-data breaches, direct corrective or preventive measures, and impose penalties for non-compliance. The DPB also supervises the functioning of Consent Managers, including their registration, compliance assessment, and potential suspension or cancellation for violations. Operating through a digital-first model, the Board can conduct inquiries, seek reports, summon information, and issue binding directions in cases of breaches or systemic lapses in data-governance practices.
The Rules impose a strict dual-notification requirement. Data Fiduciaries must inform affected Data Principals without delay so that individuals can take protective steps against potential harm. Simultaneously, the Data Fiduciary must notify the DPB within hours of gaining knowledge of the breach, providing details on the incident, affected data categories, potential risks, and the mitigation measures being implemented. This regime emphasises speed, transparency, and rapid response in breach situations.
The Digital Personal Data Protection Act, 2023 was passed by both Houses of Parliament in August 2023 and was notified in the Official Gazette on 11 August 2023, laying the foundation for India’s overarching personal-data protection framework.