The countdown for India's digital giants is officially underway. On 13 November, the government finally published the Digital Personal Data Protection Rules, 2025, marking the much awaited effective commencement of core governance elements of the Digital Personal Data Protection Act, 2023.
This is a holistic rewriting of the social contract between corporations and the millions of Indian citizens whose data fuels their profits.
This progressive legislation is the first to adopt the default use of the pronoun “her,” and it fundamentally re-centres focus and authority on individuals’ digitised data. Under the Act, an individual is recognised as a Data Principal (DP): the person to whom the personal data (name, address, contact details, etc.) pertains.
The Staggered Implementation Timeline
Compliance is not a flip of a switch; it is a phased mandate. The government has appointed different commencement dates for different provisions, ensuring a controlled transition.
Phase 1 (Immediate: 13.11.2025): The foundational rules and the establishment of the Data Protection Board came into effect immediately. This phase also commenced key sections of the Act related to definitions, powers to make rules, and general applicability. Crucially, the Board and the Appellate Tribunal are mandated to function as digital offices, adopting techno-legal measures to conduct proceedings that may not require the physical presence of any individual.
Phase 2 (One Year Later): Registration rules for the Consent Manager will come into force. This independent entity acts as a single point of contact for DPs to manage and withdraw their consent.
Phase 3 (Eighteen Months Later): The bulk of compliance obligations, including core DF (data fiduciary) duties, security mandates, erasure requirements, and most children’s data rules, will commence. This 1.5-year window will define winners and losers in the market.
Rights Revolution: What Changes for the Data Principal
The shift in power is dramatic.
* Empowered Consent: Consent represents a clear affirmative action. The accompanying notice must be presented in clear and plain language, detailing an itemised description of the personal data and the specific purpose of processing.
* Easy Withdrawal: DPs gain the right to withdraw their consent at any time. Critically, the facility to withdraw consent must be of comparable ease to that with which the consent was initially given.
* Grievance Mechanism: DFs must establish an effective mechanism to redress grievances and must ensure their systems respond to DP grievances within a reasonable period not exceeding ninety days.
* Children’s Protection: The personal data of a child (under 18 years) cannot be processed without verifiable consent from the parent. DFs must observe due diligence to confirm the parent is an identifiable adult.
Compliance Imperatives for Businesses
The compliance requirements for DFs are rigorous, demanding significant investment in security and governance:
1. Data Security Mandates: DFs must adopt reasonable security safeguards to prevent a personal data breach. At a minimum, this includes securing data through methods such as encryption, obfuscation and masking.
2. Data Retention and Erasure: DFs must retain processing logs and personal data for a minimum period of one year to enable the detection and investigation of unauthorised access.
3. Data Breach Reporting: Upon becoming aware of a personal data breach, the DF must notify the affected DPs without delay and provide a detailed report to the Board within seventy-two hours of becoming aware of the breach, unless granted a written extension.
Higher Bar for Significant DFs and Monetary Risk
The biggest change is reserved for Significant Data Fiduciaries (SDFs). While the law will determine SDF status based on factors like the volume and sensitivity of data, examples provided in the Rules include e-commerce entities and social media intermediaries with over two crore registered users, and online gaming intermediaries with over fifty lakh registered users in India.
- They must conduct a Data Protection Impact Assessment and an audit at least once annually.
- SDFs must exercise due diligence to verify that the algorithmic software they adopt is not likely to pose a risk to the rights of DPs.
- SDFs may be restricted from transferring personal data outside the territory of India based on committee recommendations.
The penalties for failure are staggering. A breach in observing the obligation to protect personal data using reasonable security safeguards can result in penalties extending up to ₹250 crores. This rigorous, phased implementation ensures India’s digital economy aligns with global privacy standards, fundamentally reshaping both consumer interaction and corporate data governance.
(Anandaday Misshra is Founder & Managing Partner, AMLEGALS.)
Views are personal and do not represent the stand of this publication.