Most DPDP obligations pushed to 18 months; Data Protection Board related rules take effect immediately

India released the rules for the DPDP Act on November 14

The Centre has officially notified the Digital Personal Data Protection (DPDP) Rules, 2025, but only a fraction of the framework will take effect immediately, with the bulk of compliance obligations deferred.

According to a government notification issued on November 14, Rules 1 and 2, which cover the short title, commencement, and definitions, along with Rules 17 to 21 that outline the constitution, appointment, and functioning of the Data Protection Board, will come into force right away.

However, key compliance provisions have been pushed to a later date. Rule 4, which sets out the obligations for Consent Managers, entities responsible for managing, reviewing, and withdrawing user consent, will take effect one year after notification.

The majority of other provisions, including Rules 3, 5 to 16, 22, and 23, will come into force 18 months after publication. These include:

• Requirements for issuing clear notices to users
• Implementing security safeguards
• Reporting data breaches
• Managing retention and erasure timelines
• Obtaining verifiable consent for children and persons with disabilities
• Providing mechanisms for users to exercise their rights
• Additional duties for Significant Data Fiduciaries.

Speaking to Moneycontrol, Meghna Bal, Director, Esya Centre said, "We had done a study in 2024 which surveyed companies about how long it would take them to implement different provisions in the DPDPA. Most of them said 24 months, given the complexity of implementation.

"Firms have to map their data processes, make changes to their technical architectures, and interfaces, and also understand what compliance means for their product. Notably, we also found that the implementation timeline across the world for data protection laws has been around 2 years, whether in Brazil, Japan, or the EU.

"Given that many firms may have to implement provisions sequentially due to resource constraints, it makes sense to allow a longer period for compliance - though it is not 24 months right now, I think as the period for implementation comes closer there will be many representations sent to the Government, requesting extensions," she added.