# DPDPA Rules 2025: What Changed and What Your Business Must Do Now
India's data protection journey took its most significant step on 13 November 2025, when the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025. After two years of waiting since the DPDPA Act was passed in August 2023, businesses finally have a concrete compliance roadmap — and a ticking clock.
If you process personal data of Indian citizens, this article tells you exactly what changed, what the three compliance phases mean, and the specific actions your team must take.
What Was Missing Before November 2025
The DPDPA Act 2023 established the legal framework but deliberately left the operational details to subordinate rules. Businesses knew what was required in principle — consent, breach reporting, data principal rights — but not how to implement any of it. The Rules change that. They convert broad legal principles into specific, actionable requirements with defined timelines, formats, and thresholds.
The Three Compliance Phases You Must Know
One of the most critical things the 2025 Rules introduced is a phased implementation timeline. Not everything is due at once.
Phase 1 — Immediate (13 November 2025)
The Data Protection Board of India (DPBI) was established immediately. This is the enforcement authority that will investigate complaints and levy penalties. Its existence matters even during the grace period — the Board can already receive complaints.Phase 2 — 12 Months After Notification (13 November 2026)
Consent manager registration and operations become active. If your business plans to use a consent manager as an intermediary between you and data principals, you need to be ready by this date.Phase 3 — 18 Months After Notification (13 May 2027)
This is the hard deadline. All remaining operational requirements kick in simultaneously:Eighteen months sounds like a long time. It is not. Mapping data flows, updating vendor contracts, training employees, and building breach response processes takes most organisations 12 to 16 months. Starting now puts you ahead. Starting in 2027 puts you at risk.
What Specifically Changed: 6 Key Requirements
1. Consent Must Be Specific, Informed, and Unambiguous
- Generic privacy policies and pre-ticked boxes are no longer acceptable. The Rules require consent requests to be accompanied by a standalone notice in clear, plain language that specifies:
- Exactly what personal data is being collected
- The precise purpose of processing
- Retention periods
- How to withdraw consent
This means your existing cookie banners, app permissions, and registration flows almost certainly need to be rewritten. Every data collection point must be mapped and assessed.
What to do now: Conduct a consent audit. List every point in your product or service where personal data is collected and check whether the consent mechanism meets the new standard.
2. Breach Notification Within 72 Hours
- If a personal data breach occurs, your business has two obligations running in parallel:
- Notify affected data principals without delay
- File a detailed report with the Data Protection Board within 72 hours
This is not a theoretical requirement. The Board is already operational. The 72-hour window starts from the moment you become aware of a breach — not when you finish investigating it.
Most Indian companies currently have no documented incident response process. Building one before May 2027 is not optional.
What to do now: Assign a breach response owner. Create a checklist for what to do in the first hour, first 24 hours, and first 72 hours after discovery. Test it.
3. Data Retention Must Be Purpose-Linked
The Rules introduce a one-year retention floor for all data fiduciaries — personal data cannot be deleted before one year if it was collected with consent. More importantly, retention periods must be tied to the specific purpose for which data was collected.
Keeping customer data indefinitely "just in case" is no longer compliant. Organisations must define retention timelines for each data category and build automated erasure workflows.
What to do now: Map your data categories. For each one, define the purpose and the logical retention period. Build this into your data governance documentation.
4. Children's Data Requires Verifiable Parental Consent
If your product or service is used by or directed at children under 18, you must obtain verifiable parental consent before collecting their data. The Rules also prohibit tracking children's behaviour or serving them targeted advertising.
Some categories are exempt — healthcare professionals, educational institutions, and child transport providers in specific circumstances — but the default rule is strict.
What to do now: If your service could be accessed by minors, build age verification into your onboarding. Document your approach.
5. Significant Data Fiduciaries Face Enhanced Obligations
- Organisations that process large volumes of sensitive personal data, or data that carries significant risk, may be designated as Significant Data Fiduciaries (SDFs) by the government. SDFs face additional requirements:
- Appointment of a Data Protection Officer (DPO) who must be an Indian resident
- Annual Data Protection Impact Assessments (DPIAs)
- Independent audits
- Algorithmic fairness assessments
- Stricter controls on cross-border data transfers
SDF provisions are not expected to be notified until May 2027, giving larger organisations time to prepare. However, if your company processes data at scale — fintech, healthtech, edtech, large e-commerce — you should assume SDF designation is possible and prepare accordingly.
What to do now: Assess your data volumes and sensitivity. If SDF designation is plausible, begin DPO candidate identification and DPIA planning.
6. Data Principal Rights Must Be Respected Within 90 Days
- Under the Rules, individuals (data principals) have the right to:
- Access the personal data you hold about them
- Correct inaccurate data
- Request erasure of their data
- Withdraw consent
- Nominate a representative to act on their behalf
Your organisation must have a published grievance redressal mechanism — typically a link or form on your website or app. If a data principal makes a request and you fail to respond within 90 days, they can escalate to the Data Protection Board.
What to do now: Build a data rights request workflow. Decide who handles requests, how they are logged, and how you will meet the 90-day response obligation.
The Employee Training Gap Nobody Is Talking About
Here is what most compliance articles miss: the Rules can only be implemented by people, not just by policies and technology.
Your breach notification process fails if the employee who discovers the breach does not know it is a breach, does not know who to tell, and does not act within the first hour. Your consent flows fail if your marketing team adds a new form field without going through the right review. Your data erasure process fails if your support team does not know how to handle a deletion request.
The DPDPA Rules create a legal framework. Employee awareness training is what makes it real.
Under ISO 27001 Annex A.6.3 — which many organisations pursuing ISO certification are already implementing — security awareness training is mandatory and must cover data handling, incident reporting, and acceptable use. DPDPA compliance aligns directly with this requirement.
Training does not need to be a half-day workshop nobody remembers. The most effective format is short, scenario-based modules — five minutes, one topic, one real-world example — delivered regularly throughout the year. This is exactly the approach that achieves the 95% completion rates seen on platforms built for modern workforces.
Your DPDPA Compliance Checklist
Use this as a starting point for your internal assessment:
- Immediate (do this month):
- ☐ Assign a DPDPA compliance owner or working group
- ☐ Map all personal data flows across your product, operations, and marketing
- ☐ Review and update your privacy notice and consent mechanisms
- ☐ Document a breach response process and assign roles
- Before November 2026:
- ☐ Assess whether you need to work with a consent manager
- ☐ Update vendor and processor contracts to include data protection clauses
- ☐ Establish a data rights request handling process with 90-day SLA
- Before May 2027:
- ☐ Complete employee awareness training across all departments
- ☐ Define and implement purpose-linked retention periods
- ☐ Build automated erasure workflows
- ☐ If potentially an SDF: identify DPO candidates, plan DPIA process
- ☐ Conduct a full internal audit against the Rules
What Happens If You Miss the Deadline
The Data Protection Board has enforcement powers including the ability to investigate complaints and levy significant financial penalties. While the Board's full operational powers are still being established, the framework is already in place. The risk is not hypothetical.
More immediately, reputational risk matters. Indian consumers are increasingly aware of their data rights. Businesses that are seen to take data protection seriously — and can demonstrate it — will have a meaningful advantage over those scrambling to comply after an incident.
The Bottom Line
The DPDPA Rules 2025 are not a paperwork exercise. They require real changes to how your business collects consent, handles personal data, responds to breaches, and trains its people. The 18-month window to May 2027 is a genuine opportunity to build compliance into your operations properly — before the enforcement deadline, not in response to it.
Start with awareness. Make sure every person in your organisation who handles personal data knows what DPDPA requires of them, how to recognise a breach, and what to do when something goes wrong.
That is where compliance lives — not in the policy document, but in what your team does on Tuesday morning.
Written by Namita Kumari, Director of Growth & Partnerships at CyberSek. Namita drives CyberSek's growth strategy and connects organisations with the compliance training programmes that match their regulatory obligations. CyberSek offers India-specific DPDPA 2023 compliance training for employees — short, scenario-based modules built by security researchers.
Interested in getting your team DPDPA-ready? Start a free trial at cybersek.in