DPDP Act Rules 2025 - MeitY notifies the final DPDP Rules
On 14 November 2025, the Ministry of Electronics and IT (MeitY) notified the final rules under the Digital Personal Data Protection Act, 2023. These rules explain how the Act will work in real life and what specific obligations for businesses will apply. The government has also set a phased rollout so organisations get time to prepare. This post summarises the rules that matter for most companies. It avoids technical language and focuses on what the rules say.
Download official gazette here - DPDP Act Rules 2025 pdf
MeitY notifies DPDP Act Rules
The much-awaited DPDP Rules are here. A few key highlights from the rules are:
The Indian Data Protection Board is to be set up with a chairman and four members.
The Data Protection Board will have the jurisdiction of a civil court to enforce penalties of up to INR 250 Crores.
Businesses get 18 months before enforcement and penalties hit.
Strict mandates on seeking valid consent from individuals.
Detailed Technical and Organizational measures for data security.
Data breach timelines for reporting a personal data breach.
Exceptions for the healthcare industry with respect to the consent framework.
Exceptions for educational institutions for tracking the geo-location of children for safety purposes.
Clear time limits for personal data retention and disposal.
Clarity on which businesses are considered Significant Data Fiduciaries (SDFs) is awaited.
What do the DPDP Act Rules cover?
DPDP Act Rule 3
Clear and independent Privacy Notices
Data Fiduciaries must provide standalone, plain-language notices that include:
itemized personal data collected;
specific processing purposes;
direct links for consent withdrawal;
Individual's data privacy rights and grievance redressal procedure.
This rule aligns with the DPDP Act obligation on Data Fiduciaries to provide notice to the data principal. The requirement for “plain language” and “direct links” is a strengthening of usability.
DPDP Act Rule 4
Consent Manager registration framework
Consent Managers must meet the conditions set out in the First Schedule and register with the Data Protection Board; the Board can suspend or cancel a registration for non-compliance.
The DPDP Act gives the government power to prescribe rules for consent (and related infrastructure). The introduction of a “Consent Manager” category is novel and unique to the DPDP Act and operationalises how consent can be managed.
None of the other jurisdictions, including the EU, has such a concept mandating the use of a third party to manage consent!
DPDP Act Rule 5
Government Bodies NOT exempted from the Act!!!
This rule comes as a pleasant surprise as it extends data fiduciary obligations and personal data protection accountability to government bodies!
If personal data is processed for subsidies, benefits, services or licences by the Union government or the State governments, then the standards in the Second Schedule apply. The Second Schedule defines the standards to be met by the government body.
DPDP Act Rule 6
Reasonable Security Safeguards (Technical and organizational measures)
Data fiduciaries will need to implement basic security measures to reduce the risk of a personal data breach. In addition, the data fiduciary is responsible for ensuring such security measures are also in place for all vendors (Data Processors) that have access to personal data. Specifically, the following security measures are listed in this rule:
Anonymization or pseudonymization (encryption, obfuscation, or masking) of personal data
Strict access control mechanisms for systems processing personal data
Audit trail of access to personal data
Monitoring for unauthorized access to personal data
Security Incident and Event Management processes, including Root Cause Analysis (RCA) and Corrective Actions/Preventive Actions (CAPA).
Disaster recovery mechanisms, including but not limited to Data backups, to ensure business continuity in case of incidents affecting confidentiality, integrity, and availability of personal data.
Retention of logs related to access to personal data for a period of one year.
Contractual commitments from vendors (data processors) to ensure that vendors implement the security measures.
Oversight mechanisms for ensuring the operational effectiveness of security measures. For example, designing, tracking, and monitoring Key Performance Indicators (KPIs) and Key Control Indicators (KCIs), conducting internal audits, and obtaining third-party attestations, among others.
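The measures in this list are obligations rather than recipes, so here is an added illustration (not the post's own material and not text from the Rules) of three of them in a small Python sketch: keyed pseudonymisation of identifiers before they reach a log, an access audit trail that flags roles not authorised to touch personal data so monitoring can alert on them, and purging of log entries once the one-year retention period has passed. The key, role names, e-mail addresses and dates are constructed sample values.

```python
"""Added example (not from the original post): a minimal model of three of the
Rule 6 safeguards: pseudonymisation of personal data, an access audit trail
with authorisation checks, and one-year log retention.  The key, roles and
log entries below are constructed sample values."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample key. A real deployment draws this from a key-management
# service; whoever holds the key can re-link pseudonyms to identifiers.
PSEUDONYM_KEY = b"constructed-sample-key-not-for-production"

# Rule 6: logs of access to personal data are kept for one year.
LOG_RETENTION = timedelta(days=365)


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable across records (so events about the
    same person can be correlated) but not reversible without the key."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def mask_email(email: str) -> str:
    """Masking for display (e.g. a support console): keeps the first character and the domain."""
    local, sep, domain = email.partition("@")
    if not sep:
        return "***"
    return local[:1] + "***@" + domain


class AccessAuditLog:
    """Audit trail of access to personal data.  Each entry records who accessed
    whose data (pseudonymised), what they did, when, and whether their role was
    authorised, so unauthorised access can be monitored and reported."""

    def __init__(self, authorised_roles):
        self.authorised_roles = set(authorised_roles)
        self.entries = []

    def record(self, actor: str, role: str, subject_email: str, action: str,
               at: datetime) -> bool:
        """Append an entry and return whether the access was authorised."""
        authorised = role in self.authorised_roles
        self.entries.append({
            "at": at,
            "actor": actor,
            "role": role,
            "subject": pseudonymise(subject_email),  # no raw identifier in the log
            "action": action,
            "authorised": authorised,
        })
        return authorised

    def unauthorised_accesses(self):
        """Monitoring hook: the entries a detection process should alert on."""
        return [e for e in self.entries if not e["authorised"]]

    def purge_expired(self, now: datetime) -> int:
        """Drop entries older than the one-year retention period; returns the count removed."""
        cutoff = now - LOG_RETENTION
        kept = [e for e in self.entries if e["at"] >= cutoff]
        removed = len(self.entries) - len(kept)
        self.entries = kept
        return removed


def run_demo():
    """Constructed scenario; returns (unauthorised_count, purged_count, remaining_count)."""
    now = datetime(2025, 11, 14, tzinfo=timezone.utc)
    log = AccessAuditLog(authorised_roles={"support"})
    log.record("alice", "support", "priya@example.com", "read", now - timedelta(days=10))
    log.record("bob", "marketing", "priya@example.com", "export", now - timedelta(days=2))
    log.record("carol", "support", "rahul@example.com", "read", now - timedelta(days=400))
    unauthorised = len(log.unauthorised_accesses())   # bob's export: role not authorised
    purged = log.purge_expired(now)                   # carol's entry is older than a year
    return unauthorised, purged, len(log.entries)


if __name__ == "__main__":
    print(mask_email("priya@example.com"))
    print(run_demo())
```

The pseudonym is keyed rather than a plain hash so that the log alone cannot be reversed by anyone who can guess the identifier; the key is the thing to protect. Retention is enforced on the audit trail itself, which is the artefact Rule 6 asks to be kept for a year, separate from whatever retention applies to the personal data the entries refer to.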
DPDP Act Rule 7 (1)
Immediate data breach notification to individuals
Businesses (Data Fiduciaries), on identifying that a personal data breach has occurred, should immediately notify the individuals whose personal data has been breached. The rule specifically says "without undue delay", implying that businesses should act swiftly and notify the individuals about the unauthorized access.
The notification sent to individuals should include information about:
A detailed description of the breach, including the timing of its occurrence.
The consequences/potential risks relevant to the individual that are likely to arise from the breach.
The risk mitigation measures being implemented by the Data Fiduciary.
The safety measures that the individuals may take to protect their interests, and
Contact information of a person who is able to respond on behalf of the Data Fiduciary.
DPDP Act Rule 7 (2)
Data breach notification to the Data Protection Board
When a business discovers a personal data breach, it must notify the Data Protection Board in two steps:
Step 1: Immediate notice (as soon as possible)
Send the Data Protection Board a quick summary that covers:
What exactly happened?
What kind of personal data was involved?
How many records of personal data were breached?
When and where it happened?
The likely risks to individuals
Step 2: Detailed report (within 72 hours)
Within 72 hours of becoming aware of the breach, or within a longer period if the Board approves, the business must send a detailed breach report containing:
Updated description of the breach: any details you have gathered since the first notification to the Board.
Facts and background: what led to the breach, including the sequence of events and the underlying reasons.
Risk mitigation steps: actions you have taken or plan to take to reduce risks to users.
Information on the person responsible: any findings about the individual who caused the breach.
Prevention measures: steps taken to avoid similar incidents in the future.
Confirmation of user notifications: a summary of how and when you informed affected Data Principals.
DPDP Act Rule 8
Retention and Disposal of Personal Data
Businesses are required to retain any personal data and related activity logs for a period of one year, even if the purpose of processing is served. After one year, the personal data, along with activity logs, must be deleted. Before deleting the personal data, the individual should be notified at least 48 hours in advance. However, a business can retain the personal data for a longer period (beyond one year), if there is a requirement to retain such data under any existing law.
The compulsory retention of personal data, even after the purpose is served, comes as a surprise! No other data protection law, including the EU-GDPR, mandates a compulsory retention period.
This rule may result in increased data storage costs for businesses with a large user base.
DPDP Act Rule 9
Contact details of DPO
Every business needs to provide the contact details of a person responsible for addressing any questions about their personal data.
The person should be knowledgeable about the data processing activities and respond to enquiries by individuals.