The DPDP Rules 2025 are the operational rulebook for India's Digital Personal Data Protection Act 2023. Published by MeitY in early 2025 as draft rules open for public consultation, they translate the Act's broad principles into concrete compliance steps: how to give notice, obtain consent, handle data principal rights, report breaches, and meet the heightened obligations that apply to Significant Data Fiduciaries. If your business collects, processes, or stores personal data of Indian users, these draft rules define what "compliant" will look like once notified. This guide breaks down every major provision and tells you what to do now.
What the DPDP Act 2023 Established
The Digital Personal Data Protection Act 2023 is India's first comprehensive data protection legislation. Passed by Parliament and receiving Presidential assent in August 2023, it:
- Defines Data Fiduciaries (entities that determine the purpose and means of processing) and Data Principals (the individuals whose data is processed)
- Establishes the Data Protection Board of India as the adjudicating authority
- Sets out a rights framework for Data Principals: right to access, correct, erase, and grieve
- Mandates that personal data of Indian users be processed only for lawful purposes with notice and consent
- Empowers the central government to designate Significant Data Fiduciaries based on volume, sensitivity, and risk
What the Draft DPDP Rules 2025 Operationalise
MeitY released the Draft DPDP Rules for a sixty-day public consultation window beginning January 2025. They cover six major areas.
1. Notice and Consent Mechanics
The draft rules prescribe the format, language, and granularity of the notice that must accompany or precede consent collection. Key requirements:
- Notice must be in plain language, available in multiple scheduled languages where practicable
- It must specify the purpose of processing, the categories of data, and the identity of any data processors engaged
- Consent must be freely given, specific, informed, and unambiguous — pre-ticked boxes and bundled consents are non-compliant
- A separate, itemised consent must be obtained for each distinct purpose
- Withdrawal of consent must be as easy as giving it, and the Data Fiduciary must cease processing within a reasonable time after withdrawal
2. Consent Managers
The draft rules introduce Consent Managers — registered entities that act as intermediaries allowing Data Principals to grant, review, and revoke consents across multiple Data Fiduciaries through a single interface. Consent Managers must:
- Be registered with the Data Protection Board
- Maintain an interoperable, auditable consent artefact for each Data Principal
- Provide Data Principals with a consolidated view of all active consents
- Transmit consent signals to Data Fiduciaries in a standardised format
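To make the consent mechanics of sections 1 and 2 concrete, here is an added example in Python of a per-purpose consent ledger. It is not code from this page, from MeitY, or from any registered Consent Manager; the record fields, the JSON signal layout and the 24-hour cessation grace period are assumptions, since the draft rules fix none of them. The ledger refuses consent that is not an affirmative act (a pre-ticked default), refuses a purpose that the notice did not itemise, makes withdrawal a single call mirroring the grant, and keeps withdrawn records for audit while giving the consolidated view a Consent Manager would present.

```python
# Added example: minimal per-purpose consent ledger. Not code from the page,
# MeitY or any Consent Manager; field names, the signal format and the 24-hour
# cessation grace are assumptions chosen for illustration.
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Notice:
    """Itemised notice a Data Fiduciary publishes before collecting consent."""
    fiduciary_id: str
    version: str
    purposes: Tuple[str, ...]        # one entry per distinct purpose
    data_categories: Tuple[str, ...]
    processors: Tuple[str, ...]      # data processors engaged


@dataclass
class ConsentRecord:
    """Auditable consent artefact: exactly one principal, fiduciary and purpose."""
    principal_id: str
    fiduciary_id: str
    purpose: str
    notice_version: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, at: datetime) -> bool:
        return self.withdrawn_at is None or at < self.withdrawn_at


class ConsentLedger:
    def __init__(self, cessation_grace: timedelta = timedelta(hours=24)):
        self.notices: Dict[str, Notice] = {}
        self.records: List[ConsentRecord] = []
        self.cessation_grace = cessation_grace   # assumed "reasonable time"

    def register_notice(self, notice: Notice) -> None:
        self.notices[notice.fiduciary_id] = notice

    def grant(self, principal_id: str, fiduciary_id: str, purpose: str,
              *, affirmed: bool, at: datetime) -> ConsentRecord:
        notice = self.notices.get(fiduciary_id)
        if notice is None:
            raise ValueError("no notice on file: consent cannot be informed")
        if not affirmed:
            raise ValueError("consent needs an affirmative act; a pre-ticked default is not consent")
        if purpose not in notice.purposes:
            raise ValueError(f"purpose {purpose!r} was not itemised in the notice")
        # A re-grant after withdrawal creates a fresh record; the old one stays for audit.
        rec = ConsentRecord(principal_id, fiduciary_id, purpose, notice.version, at)
        self.records.append(rec)
        return rec

    def withdraw(self, principal_id: str, fiduciary_id: str, purpose: str,
                 at: datetime) -> Optional[datetime]:
        """One call, mirroring grant(). Returns the processing cessation deadline."""
        deadline = None
        for rec in self.records:
            if ((rec.principal_id, rec.fiduciary_id, rec.purpose)
                    == (principal_id, fiduciary_id, purpose) and rec.withdrawn_at is None):
                rec.withdrawn_at = at
                deadline = at + self.cessation_grace
        return deadline

    def may_process(self, principal_id: str, fiduciary_id: str, purpose: str,
                    at: datetime) -> bool:
        return any(r.principal_id == principal_id and r.fiduciary_id == fiduciary_id
                   and r.purpose == purpose and r.active_at(at) for r in self.records)

    def active_consents(self, principal_id: str, at: datetime) -> List[Tuple[str, str]]:
        """Consolidated view across fiduciaries, as a Consent Manager would show it."""
        return sorted({(r.fiduciary_id, r.purpose) for r in self.records
                       if r.principal_id == principal_id and r.active_at(at)})

    def signal(self, rec: ConsentRecord) -> str:
        """Assumed JSON layout; the draft rules only require a standardised one."""
        payload = asdict(rec)
        for key in ("granted_at", "withdrawn_at"):
            if payload[key] is not None:
                payload[key] = payload[key].isoformat()
        payload["status"] = "withdrawn" if rec.withdrawn_at else "active"
        return json.dumps(payload, sort_keys=True)


def demo() -> dict:
    """Constructed walk-through: two itemised grants, one pre-ticked attempt, one withdrawal."""
    t0 = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.register_notice(Notice("shop.example", "v1", ("order_fulfilment", "marketing"),
                                  ("name", "address"), ("courier.example",)))
    ledger.grant("dp-001", "shop.example", "order_fulfilment", affirmed=True, at=t0)
    ledger.grant("dp-001", "shop.example", "marketing", affirmed=True, at=t0)
    try:
        ledger.grant("dp-001", "shop.example", "marketing", affirmed=False, at=t0)
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    deadline = ledger.withdraw("dp-001", "shop.example", "marketing", at=t0 + timedelta(days=3))
    later = t0 + timedelta(days=4)
    return {
        "preticked_rejected": preticked_rejected,
        "fulfilment_allowed": ledger.may_process("dp-001", "shop.example", "order_fulfilment", later),
        "marketing_allowed": ledger.may_process("dp-001", "shop.example", "marketing", later),
        "active": ledger.active_consents("dp-001", later),
        "cessation_deadline": deadline.isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The deliberate choice here is that consent is keyed by a single purpose and a notice version: a "bundled" grant has no representation in the model, and any purpose absent from the published notice is rejected rather than silently accepted, which is the property an auditor checking specificity would look for.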
3. Reasonable Security Safeguards
Data Fiduciaries are required to implement security safeguards proportionate to the risk posed by the personal data they hold. The draft rules do not prescribe a fixed standard (such as ISO 27001 or PCI-DSS verbatim) but use the language of "reasonable technical and organisational measures." Indicators of compliance drawn from the rules and related MeitY guidance include:
- Encryption of personal data at rest and in transit
- Access controls based on the principle of least privilege
- Regular vulnerability assessments and penetration testing of systems that hold or process personal data
- Logging of access to personal data records
- Data retention policies with defined deletion schedules
4. Breach Notification Procedure
The draft rules set timelines and formats for reporting personal data breaches to the Data Protection Board and, where required, to affected Data Principals. The framework mirrors global best practice:
- Breaches must be reported to the Board without delay after the Fiduciary becomes aware — the draft rules use a short window benchmark broadly aligned with the seventy-two-hour reference in international frameworks
- Notification to affected Data Principals must include: nature of the breach, categories of data affected, likely consequences, and remediation measures taken or planned
- A Fiduciary must not delay notification on the grounds that investigation is ongoing; an initial report followed by a supplementary report is acceptable
5. Significant Data Fiduciaries — Elevated Obligations
The draft rules elaborate the additional duties that apply to entities designated as Significant Data Fiduciaries (SDFs) by the government. These entities — likely large platforms, aggregators, and businesses processing sensitive data at scale — must:
- Appoint a Data Protection Officer (DPO) based in India, accountable to the Board
- Conduct periodic Data Protection Impact Assessments (DPIAs) for high-risk processing activities
- Commission annual independent audits of personal data processing practices
- Implement algorithmic accountability measures for automated decision-making that produces significant effects on Data Principals
6. Children's Data and Verifiable Parental Consent
The Act classifies children as individuals under eighteen. The draft rules tighten how Data Fiduciaries must handle their data:
- Verifiable parental or guardian consent is mandatory before processing a child's personal data
- Data Fiduciaries must implement age-verification mechanisms — the draft rules acknowledge the technical challenge here and invite industry input
- Processing for purposes that may cause detrimental effects on a child's well-being is prohibited regardless of parental consent
- Behavioural monitoring and targeted advertising directed at children are expressly restricted
DPDP Readiness Workflow
```mermaid
graph TD
A[Map all personal data flows] --> B[Classify as Data Fiduciary]
B --> C{Significant Data Fiduciary?}
C -- Yes --> D[Appoint DPO and schedule DPIA]
C -- No --> E[Standard Fiduciary obligations]
D --> F[Implement Notice and Consent framework]
E --> F
F --> G[Integrate with or assess Consent Manager]
G --> H[Deploy reasonable security safeguards]
H --> I[Draft Breach Notification runbook]
I --> J[Establish Data Principal rights portal]
J --> K[Annual review and audit cycle]
style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style I fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style J fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style K fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
```
DPDP Readiness Checklist by Domain
```mermaid
pie title DPDP Readiness Domains
"Consent and Notice" : 25
"Security Safeguards" : 22
"Breach Response" : 18
"Data Principal Rights" : 20
"Governance and Audit" : 15
```
Compliance Obligations at a Glance
| Obligation | Applies To | Key Requirement | Priority |
|---|---|---|---|
| Consent notice | All Fiduciaries | Plain language, purpose-specific | P0 |
| Consent withdrawal | All Fiduciaries | As easy as consent, timely cessation | P0 |
| Consent Manager integration | All Fiduciaries | Board-registered intermediary | P1 |
| Security safeguards | All Fiduciaries | Proportionate technical and org measures | P0 |
| Breach notification to Board | All Fiduciaries | Without delay, prescribed format | P0 |
| Breach notification to Principals | All Fiduciaries | Nature, impact, remediation | P0 |
| Data Principal rights portal | All Fiduciaries | Access, correction, erasure, grievance | P1 |
| DPO appointment | Significant Fiduciaries | India-based, Board-accountable | P0 for SDF |
| DPIA | Significant Fiduciaries | Periodic, for high-risk processing | P0 for SDF |
| Independent audit | Significant Fiduciaries | Annual | P0 for SDF |
| Children's consent | All Fiduciaries | Verifiable parental consent | P0 |
| Age verification | All Fiduciaries processing child data | Mechanism required | P1 |
Implementation Timeline Expectations
The draft rules propose a graded implementation timeline that gives smaller businesses a longer runway than large platforms:
- Phase 1 (expected shortly after formal notification): Core notice and consent obligations, breach notification framework, Data Principal rights portal
- Phase 2: Consent Manager ecosystem operationalised; children's data verification mechanisms activated
- Phase 3: Significant Data Fiduciary designation and elevated obligations (DPIA, audit, DPO) become enforceable
What Indian Businesses Should Do Right Now
Immediate (within 30 days):
- Conduct a personal data inventory — every dataset, every processing purpose, every third-party processor
- Identify whether your scale or data sensitivity could qualify you as a Significant Data Fiduciary
- Audit existing consent flows for specificity, withdrawal mechanisms, and language clarity
- Draft a Breach Notification Runbook aligned with the draft rules' disclosure requirements
- Assess your current security posture with a vulnerability assessment — if you process personal data on internet-facing systems, this is non-negotiable. Bachao.AI provides automated VAPT scanning that surfaces the technical gaps the DPDP's "reasonable safeguards" standard will scrutinise
- Begin vendor due diligence: identify which of your processors and SaaS tools handle personal data, and review their sub-processing agreements
- Implement a Data Principal rights portal covering access requests, correction workflow, and grievance redressal
- Begin integration with a Board-registered Consent Manager once the registry is published
- If potentially SDF-bound, commission a preliminary DPIA for your highest-risk processing activity
How We Can Help
Dhisattva AI Pvt Ltd, a DPIIT Recognized Startup, works with Indian businesses on the technical security layer that DPDP compliance demands. Automated VAPT scanning surfaces the vulnerabilities in your personal-data-holding systems before an auditor or adversary does. For CERT-In empanelled audit requirements, we work with a CERT-In empanelled partner and can facilitate that engagement.
Start with a free VAPT scan to baseline your current technical exposure, then use the results to scope the remediation work your DPDP readiness programme will require.