5 things to know about India's new Digital Personal Data Protection Rules

India notified the DPDP Rules on November 14

The Ministry of Electronics and Information Technology (MeitY)  on November 14 notified the Digital Personal Data Protection (DPDP) Rules, 2025, setting the operational contours for India’s privacy regime under the DPDP Act.

The rules were much awaited as, although the DPDP Act was passed in the Parliament in August 2023, it was yet to be implemented. However, not all of the rules' provisions are going to be operational right now. The government has gone in for a staggered approach for compliance to make the transition to this new regime as smooth as possible.

Here are the five most important takeaways.

Most obligations starting only after 18 months: According to the rules, “Rules 1, 2 and 17 to 21 shall come into force on the date of their publication in the Official Gazette.” Rule 4 which governs the registration and functioning of Consent Managers will apply “one year after the date of publication,” while the bulk of compliance obligations will activate “eighteen months after” notification.

"This staggered approach gives businesses vital breathing room, but they must move quickly, taking concrete steps now to identify and close compliance gaps before the obligations kick in," Supratim Chakraborty, Partner at Khaitan & Co said.

Security requirements far more prescriptive than before: The notified rules move beyond general obligations and prescribe specific technical safeguards. Rule 6 requires data fiduciaries to implement measures such as “encryption, pseudonymisation, anonymisation,” alongside other security measures. It also mandates that “logs of all data processing activities shall be retained for a period of one year.”

Platforms must erase user data once the purpose is served: A major development comes through Rule 8, which says that personal data of a user cannot be retained indefinitely. The rules mandate that once the purpose of the data has been met, that data has to be erased. The rule states that e-commerce entities, social media intermediaries, OTT platforms and gaming services must erase data within the timelines prescribed for their category. This provision will be operational after 18 months.

"Now, enterprises must immediately prioritise data discovery, classification and data-mapping exercises, implement consent and retention workflows, strengthen breach-response mechanisms, and deploy technology-led governance tools that provide real-time visibility across the data lifecycle," Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India said.

Children’s data gets sharper protection: Rule 11 of the DPDP Rules bars “tracking, behavioural monitoring or targeted advertising directed at children” and requires verifiable parental or guardian consent.  However, it also introduces exemptions for schools, healthcare, and emergency situations, allowing processing of a child’s data.

This provision, which will also be operational after 18 months, is expected to have direct implications for platforms such as gaming companies and social networks with a young user base.

Significant data fiduciaries and cross-border data transfer: Significant data fiduciaries --  a classification that will be ordained by the government for platforms that meet a certain threshold -- will be facing additional compliances under the DPDP Act. These include peroidic audits, algorithmic safeguards and so on.

The rule puts restrictions on cross-broder data transfer on significant data fiduciaries. Rule 13 (4) says that SDFs have to follow a government-approved framework for transferring personal data outside India, and this framework is anchored in a committee constituted by the Central Government.

"An interesting development is the formation of a committee that can at a later date notify data localisation norms for significant data fiduciaries. I believe this is reflective of the geo political environment and concerns around India's tech sovereignty. Global companies are likely to push back against any such localisation mandates as it creates operational difficulties for them," Aparajita Bharti, Founding Partner, The Quantum Hub said.