The Digital Personal Data Protection (DPDP) Rules 2025 – What it means for Businesses in India
Introduction
Last week the Government of India finally operationalised its first privacy law by passing the subordinate rules, giving companies 18 months to comply. After a little over a decade of litigation and debate, privacy was recognised by the Supreme Court as a fundamental right in a historic judgment passed by a 10-judge constitutional bench in August 2017. The Digital Personal Data Protection (DPDP) Act, 2023 became the first legislation to frame a statutory code around privacy.
The notification of the rules under the 2023 Act by the Ministry of Electronics and Information Technology (MeitY) on 14th November now makes it fully operational, and enterprises will have to quickly set up structures to become compliant.
Complying with the DPDP Act’s provisions will not be easy, since data is always in flow and constantly changes ownership and structure. This poses a particular challenge for businesses that now see data as a critical tool.
The DPDP Act also identifies three principal categories for establishing a compliance framework. First is the data principal, whose data is to be processed. Second is the data fiduciary, who takes the data from the principal to process it for a “legitimate purpose” (section 7 of the DPDP Act, 2023). Finally, there is the data processor, who may be a vendor to the data fiduciary for processing the data.
This forms the bedrock of the compliance measures that are prescribed under the law and now clarified through the subordinate rules notified last week.
1. Why This Law Demands Executive Attention
Three shifts make this law business-critical:
- Personal data is now a regulated asset.
Every data point your organisation collects must be justified, minimised, stored securely, and processed with demonstrable consent. “Collect everything, figure out later” is now a liability.
- Penalties can materially impact financial planning.
Non-compliance can result in penalties running into hundreds of crores, and CFOs will feel it first. Breaches, consent failures, and non-responsive grievance workflows are all susceptible to penalties.
- Leadership accountability is explicitly expected.
Boards, CEOs, CTOs, CISOs, and functional heads are expected to ensure readiness. A governance failure will not be seen as an IT glitch but as an organisational failure.
2. The Strategic Message for Leadership: Compliance Is Not an IT Project
DPDP compliance touches finance (penalties, liability), technology (controls, systems), HR (employee data), marketing (consent management), procurement (vendor data), and operations (breach playbooks).
Companies that treat compliance as a checklist will struggle. Companies that operationalise it as a governance transformation will gain a competitive edge.
3. Understanding the Core Framework of DPDPA
DPDPA establishes a consent-led regime with defined obligations for entities (Data Fiduciaries) handling personal data. It introduces governance norms, reporting duties, user rights, and elevated safeguards for high-risk processors.
Key principles include:
- Labelling and classification of data (Rule 8)
The data collected and processed, at rest and in transit, will need to be mapped and labelled to ensure compliance.
- Explicit consent of the parent/guardian, with verifiable proof, is needed for processing a child’s data. (Rule 10)
Where children’s data is collected, there must be verifiable proof that explicit consent was taken from the parent or guardian.
- Before May 2027, non-classified or non-legitimate data must be deleted. (Rule 8)
Any data which is not legitimate has to be deleted before May 2027.
- A data-related grievance channel must be deployed, and companies ought to assign a Consent Manager
The Data Fiduciary must deploy a proper grievance channel that data principals can approach, and companies ought to assign a Consent Manager providing a single interface to give, review and withdraw consent.
- Major emphasis on data retention and data minimisation
Data Fiduciary must erase personal data as soon as it is reasonable to assume that the original purpose for which it was collected is no longer being served. The only exception is if a longer retention period is mandated by another Indian law (e.g., tax, employment, or regulatory laws).
While the Act is centred on safeguarding personal data, it simultaneously establishes a dense compliance landscape for data fiduciaries. Organisations must now operationalise obligations across three core vectors: technology, legal governance, and security architecture.
4. What Businesses Must Understand
Under DPDPA, organisations need to shift from minimal compliance to demonstrable governance. The following checklist outlines core action points:
- Figure out the role of personal data in your business
Mapping data acquisition, retention and processing is a key element in figuring out the compliances. Added to this are the complexities of catering to different privacy regimes across jurisdictions such as the European Union or Southeast Asian countries like Malaysia, Singapore and the Republic of Korea, all of which have distinct compliance requirements under their privacy laws. Mapping and harmonising data flows at an enterprise level across functions and jurisdictions with India’s DPDP Act will be a key challenge.
- Map and classify all personal data
Identify what personal data is collected, where it resides, how it flows across systems, and who has access. Establish clear data inventories, proper labelling of the metadata at each level, and classify data by sensitivity and purpose.
- Update consent and notice mechanisms
Ensure all consent requests are clear, specific, and accessible. Notices must outline purpose, data retention, user rights, and grievance mechanisms.
- Consent for children and persons with disabilities (Section 9 read with Rule 10)
If your organisation collects data of children (under 18) or persons with disabilities who require a legal guardian, ensure proper age-gating, parental consent mechanisms, and guardian verification systems during your current build phase. Use reasonable checks to verify age or guardian authority, and design parent/guardian consent workflows.
- Implement purpose limitation and retention rules
Retain data only for as long as required for the declared purpose; once that purpose is completed, establish a time-bound automated deletion system and audit trails.
- Strengthen security controls
Introduce measures such as encryption, access controls, and incident response protocols. Conduct periodic assessments and maintain evidence of applied safeguards.
- Establish a grievance redressal process
Create a transparent, time-bound mechanism to address user requests and rights. Appoint dedicated personnel to manage grievances.
- Assess whether you qualify as a Significant Data Fiduciary (Section 10 read with Rule 13)
Large enterprises whose processing poses a risk to the rights of Data Principals, a potential impact on the sovereignty and integrity of India, a risk to electoral democracy, the security of the state, or public order; platforms handling sensitive personal data; fintech and health tech; and entities with high processing volumes may fall into this category. If so, obligations increase and may include appointing a Data Protection Officer (DPO), conducting Data Protection Impact Assessments (DPIAs), and enabling independent audits. Failure to comply with these enhanced obligations can result in substantial penalties of up to Rs 250 crore.
- Prepare breach notification protocols
Develop an incident reporting workflow to notify the Data Protection Board and affected individuals within the mandated timelines. This will ensure a clear and direct process.
- Embed privacy-by-design in products and processes
Build governance controls into operations, technology platforms, and vendor ecosystems. Align internal teams (security, legal, product, HR, and operations) under unified compliance objectives. For most organisations, these steps demand cross-functional coordination, structured planning, and continuous monitoring.
- Cross-border data transfer (Section 16 read with Rule 14)
Businesses must invest in strong encryption, access controls, and other security measures to protect data during transfer. When sharing data with third parties, such as cloud providers or analytics companies, businesses should use Data Sharing Agreements (DSAs) to ensure compliance with the Act.
- Identify and audit Data Processor controls
As a Data Fiduciary, outsourcing processing functions does not mean outsourcing liability; the Data Fiduciary remains legally accountable for any mishandling of data by its vendors. Therefore, organisations must contractually mandate “mirror protections” ensuring third-party security and deletion protocols are as stringent as their own, and operationalise a “Right to Audit” that permits direct inspection of processor systems to verify compliance, rather than relying on passive self-certifications.
5. The New Obligations: What Companies Must Get Right
DPDP compliance is not a single action. It is a structured, multi-layer transformation. Below are the foundational pillars CEOs, CFOs, and CTOs must operationalise immediately.
- Consent & Purpose Governance (The Core Compliance Engine)
Organisations must be able to show:
- why you are collecting each category of personal data,
- how long you will retain it,
- and how users can withdraw consent easily.
Expectation: No dark patterns. No buried opt-outs.
Risk if ignored: Consent violations will be one of the first areas regulators examine.
- Data Mapping & Minimisation (Know What You Store)
Most organisations hold more personal data than they realise, scattered across SaaS tools, internal systems, vendor platforms, and legacy databases.
CXOs must mandate:
- a complete data inventory,
- classification of personal vs. sensitive personal data,
- deletion of unnecessary datasets,
- and tight access controls.
This is the baseline for compliance and the prerequisite for everything else.
- Breach Readiness & Incident Governance
Under the DPDP Act, delays in breach reporting will be treated as compliance failures.
Organisations need:
- Breach playbooks,
- 24/7 escalation workflows,
- pre-designated communication teams,
- and coordinated IT–legal responses.
A breach is no longer just a cybersecurity issue; it is also a regulatory event.
- User Rights Fulfilment (Grievance, Correction, Deletion)
Users can demand:
- Corrections,
- Erasure,
- Data access,
- Complaint escalation,
- Deletion of data
Legally, you must respond within defined timelines, or the issue moves to the Data Protection Board. CXOs need to ensure that internal systems can track, process, and audit these requests seamlessly.
- Vendor & Third-Party Compliance
Your organisation is responsible for the data your vendors process. That means upgraded vendor agreements, audits, monitoring tools, and due-diligence systems. A single weak vendor can expose your entire organisation.
- Processor Governance & Contractual Control
Organisations must be able to demonstrate:
- that processors are selected based on their ability to protect data, not just cost,
- that valid Data Processing Agreements (DPAs) exist for every external data flow,
- and that mechanisms are in place to prevent a processor from sub-contracting data handling to another party without prior consent.
Expectation: Active supervision. “Set it and forget it” vendor relationships are now a compliance violation.
Risk if ignored: If a payroll provider or cloud storage vendor leaks data, the Data Protection Board will penalise the contracting organisation (Data Fiduciary), not just the vendor.
6. Timeline for Compliance as specified under DPDPA 2023 and DPDP Rules 2025
The phased rollout mandated under the Act is as follows:
| Timeline | Commencement Date | Legal Provisions Coming into Force | Key Organisational Impact (Legal Trigger) |
| --- | --- | --- | --- |
| Month 0 (Immediate) | November 13, 2025 | Rules 1, 2, 17–21. Act Sections 1(2), 2, 18–26, 35, 38, 39, 40, 41, 42, 43, and 44(1) and (3). | Establishment of the Data Protection Board (DPB), foundational definitions and framework; procedures for appointing DPB members. |
| 12 Months | November 13, 2026 | Rule 4. Act Sections 6(9) and 27(1)(d). | Registration of Consent Managers (Rule 4) and the initiation of certain aspects of Data Protection Officer (DPO) accountability and audits (Section 27(1)(d)). |
| 18 Months | May 13, 2027 | Rules 3, 5–16, 22, and 23. Act Sections 3–5, 6(1)–(8) and (10), 7–10, 11–17, 27 (except Section 27(1)(d)), 28–34, 36, 37, and 44(2). | Core operational requirements for Data Fiduciaries begin. This includes detailed obligations related to Notice (Rule 3), Security Safeguards (Rule 6), Data Breach Intimation (Rule 7), Erasure/Retention (Rule 8), Verifiable Consent (Rules 10, 11), and additional obligations for Significant Data Fiduciaries (SDFs) (Section 13/Rule 13). |
7. Conclusion
The DPDP Act 2023 and DPDP Rules 2025 represent a structural shift in India’s data governance regime. They prioritise accountability, risk-based compliance, and individual rights, while giving organisations a clear framework for responsible data management. In practice, businesses that invest early in mapping data flows, streamlining consent operations, and strengthening governance will not only meet regulatory expectations but also enhance trust with users and partners across the digital ecosystem.
For companies of all sizes, from large IT enterprises to emerging digital businesses, the transition is both a compliance mandate and an opportunity to build resilient, transparent data practices aligned with global standards. As regulatory expectations continue to develop,
(The authors are advocates and programme associates with RiskStrat, the consulting arm of DeepStrat. RiskStrat helps companies with their data protection and other regulatory compliances as a part of its wide array of risk mitigation offerings)
