DPDP Rules 2025 explained: Key changes, implications, and compliance checklist

The management and security of digital personal data are now recognized globally as central to individual liberty and economic trust. This urgency is particularly pronounced in India, where awareness has lagged behind digital adoption. A recent PwC India survey found that only 16% of Indian consumers understand the Digital Personal Data Protection law, while more than half are unaware of their rights over personal data.
India's decade-long quest for a robust data protection framework recently culminated in the notification of the Digital Personal Data Protection (DPDP) Act, 2023. This legislative effort reflects a critical shift, where Joseph Harisson, CEO at IT Companies Network, opined, "Privacy has transformed from a mere compliance requirement to a fundamental human right, essential for gaining consumer trust...".
While the DPDP Act, 2023, establishes the principles, the practical implementation relies entirely on the recently notified DPDP Rules, 2025 (November 14, 2025). These Rules transform the Act’s mandates, covering data principal rights, Data Fiduciary obligations, and strict security safeguards, into concrete, actionable compliance steps. For Data Fiduciaries, this signifies a new era of accountability in data governance and requires continuous compliance monitoring.
The specific provisions introduced by these Rules, such as new requirements for Significant Data Fiduciaries regarding mandatory audits and assessments, are crucial. This blog will explore these core areas of the DPDP Rules, 2025, detailing their impact and how platforms like Scrut automation can help simplify adherence to this comprehensive new regime.
What are the DPDP Rules 2025?
The Digital Personal Data Protection (DPDP) Rules, 2025 are the essential regulatory framework issued by the Ministry of Electronics and Information Technology (MeitY) on November 14, 2025. These Rules define the specific compliance mechanisms and operational procedures required to enforce the DPDP Act, 2023.
While the Act sets out the overarching rights of the data principal and the obligations of the Data Fiduciary, the Rules provide the concrete technical and organizational measures for crucial areas like managing consent, ensuring security safeguards, handling data breaches, and determining the criteria for Significant Data Fiduciaries.
In essence, the Rules transform the Act's principles of data governance into mandatory, actionable requirements for every entity processing digital personal data in India. The Rules adopt a strategic phased approach to allow industry time for comprehensive preparation and investment in necessary compliance monitoring infrastructure.
Why this matters: The regulatory intent behind the DPDP rules

The DPDP Rules, 2025, represent a critical regulatory step, formalizing a clear intent to build a secure and trustworthy digital economy. The core purpose is to elevate data protection from a voluntary practice to a mandatory, accountable business function.
Key intentions driving the framework include:
- Establishing accountability: Shifting the onus onto the Data Fiduciary to demonstrate continuous compliance monitoring and responsible data governance.
- Empowering the data principal: Making individual rights, such as clear consent and access to information, practically enforceable through designated mechanisms and plain language requirements.
- Preventing data misuse: Mandating strict adherence to purpose limitation and data minimization principles, coupled with a minimum one-year retention of logs for security purposes, to curb unauthorised data accumulation and secondary use.
The risk is not theoretical. Cybersecurity incidents in India more than doubled from approximately 1.03 million in 2022 to 2.27 million in 2024, illustrating the growing threat landscape that the DPDP Rules aim to address.
- Fostering trust: Creating a strong foundation of public confidence that ensures responsible innovation can flourish alongside robust personal privacy, thereby boosting the sustainable growth of the digital market.
- Pragmatic implementation: Utilising a phased rollout to give businesses the essential time to invest in necessary technical infrastructure and automation solutions for systemic compliance.
The rules are fundamentally about setting clear, actionable, and measurable standards, ensuring that data processing is conducted with fairness and transparency across India's digital ecosystem.
Key changes and provisions in the DPDP Rules, 2025

The DPDP Rules, 2025, transform the broad principles of the Act into a set of non-negotiable, concrete operational requirements. For Data Fiduciaries, achieving full DPDP compliance necessitates deep technological and organizational shifts across the entire data processing lifecycle.
1. Data retention, erasure, and minimization
The Rules strictly enforce the principle of data minimization by limiting how long digital personal data can be held and mandating automated lifecycle management.
- Purpose limitation: Data Fiduciaries (DFs) can only retain personal data for as long as the specified purpose of collection is being served. Once this purpose is exhausted, the data must be erased (Rule 8).
- Retention for security: DFs must retain system and processing logs and associated traffic data for a minimum of one year for detection, investigation, and remediation purposes, establishing a baseline for security visibility (Rule 6).
- Automated deletion: Large online platforms are mandated to erase certain user data if the individual has been inactive for a specified period, and the DF must inform the data principal at least 48 hours before the scheduled erasure.
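To make the retention rules concrete, here is a small lifecycle scheduler written as an added illustration for this post; it is not code from Scrut or from the Rules themselves. It encodes the three points above: erase once the purpose is served, give the data principal at least 48 hours' notice before an inactivity-based erasure, and keep security logs for one year. The inactivity period is left as a configurable parameter because the Rules only refer to "a specified period"; the record fields, function names and the sample timestamps are assumptions made for the example. It also handles the edge case the text implies: if no notice has gone out yet, erasure is deferred until 48 hours after the notice, and a user who becomes active again has any pending erasure cancelled.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTICE_LEAD = timedelta(hours=48)     # notice at least 48 hours before scheduled erasure
LOG_RETENTION = timedelta(days=365)   # logs kept for a minimum of one year (Rule 6)


@dataclass
class UserRecord:
    """Hypothetical per-user record held by a Data Fiduciary (assumed shape)."""
    user_id: str
    last_active: datetime
    purpose_served: bool = False                 # True once the collection purpose is exhausted
    erasure_notified_at: Optional[datetime] = None


@dataclass
class LogEntry:
    """Minimal security/processing log line (constructed for the example)."""
    timestamp: datetime
    message: str


@dataclass
class RetentionPolicy:
    # ASSUMPTION: the Rules leave the inactivity period unspecified here, so it is a parameter.
    inactivity_period: timedelta


def scheduled_erasure(record: UserRecord, policy: RetentionPolicy) -> datetime:
    """Earliest point at which inactivity makes the record eligible for erasure."""
    return record.last_active + policy.inactivity_period


def decide(record: UserRecord, policy: RetentionPolicy, now: datetime) -> str:
    """Return RETAIN, NOTIFY, WAIT or ERASE for one record at time `now`."""
    if record.purpose_served:
        return "ERASE"                           # Rule 8: purpose exhausted, erase without delay
    erase_at = scheduled_erasure(record, policy)
    if now < erase_at - NOTICE_LEAD:
        return "RETAIN"                          # still inside the active retention window
    if record.erasure_notified_at is None:
        return "NOTIFY"                          # notice must precede erasure by 48 hours
    if now - record.erasure_notified_at < NOTICE_LEAD:
        return "WAIT"                            # notice sent, 48-hour window still running
    return "ERASE"


def record_activity(record: UserRecord, now: datetime) -> None:
    """Fresh activity resets the inactivity clock and cancels any pending erasure notice."""
    record.last_active = now
    record.erasure_notified_at = None


def process(records: list[UserRecord], policy: RetentionPolicy, now: datetime):
    """One scheduler pass: mark notices as sent, drop erased records, report actions taken."""
    actions: dict[str, str] = {}
    remaining: list[UserRecord] = []
    for rec in records:
        action = decide(rec, policy, now)
        actions[rec.user_id] = action
        if action == "NOTIFY":
            rec.erasure_notified_at = now        # stands in for actually sending the notice
        if action != "ERASE":
            remaining.append(rec)
    return actions, remaining


def prune_logs(logs: list[LogEntry], now: datetime) -> list[LogEntry]:
    """Keep only log entries inside the one-year retention window."""
    cutoff = now - LOG_RETENTION
    return [entry for entry in logs if entry.timestamp >= cutoff]


if __name__ == "__main__":
    # Constructed sample data: a 30-day inactivity period is an assumption, not a figure from the Rules.
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    policy = RetentionPolicy(inactivity_period=timedelta(days=30))
    users = [
        UserRecord("u-active", now - timedelta(days=1)),
        UserRecord("u-nearing", now - timedelta(days=29)),
        UserRecord("u-due", now - timedelta(days=40), erasure_notified_at=now - timedelta(hours=48)),
        UserRecord("u-served", now, purpose_served=True),
    ]
    actions, remaining = process(users, policy, now)
    print(actions)
    print([u.user_id for u in remaining])
```

Run as a script it prints which users are retained, notified or erased on this pass; the `WAIT` state is what makes the 48-hour notice auditable, because a record can only move to `ERASE` after a recorded notice timestamp. Separating `prune_logs` from the user-record lifecycle matters: the logs that prove the erasure happened are kept for a year even though the personal data they describe is gone.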
2. Notice, consent, and consent managers
The framework elevates consent to an auditable transaction, placing transparency and the data principal’s control at the fore.
- Standalone, clear notice: DFs must provide a notice (Rule 3) that is clear, plain-language, and standalone, containing an itemized list of the personal data collected and the specific purpose for processing.
- Consent manager framework: A new regulatory intermediary, the Consent Manager, is established (Rule 4). These entities must be registered, India-based, and independent, providing an interoperable platform for the data principal to give, manage, review, and withdraw their consent with multiple DFs from one place.
3. Strengthening data principals’ rights and special protections
The Rules provide individuals with clear, enforceable rights and set a mandatory response timeline for Data Fiduciaries.
- Access, correction, and erasure: Individuals gain the right to access a summary of their personal data and to request the correction or completion of inaccurate data. DFs must respond to all such requests, including those for access, correction, updating, and erasure, within a maximum period of 90 days.
- Vulnerable groups: Verifiable parental or guardian consent is mandatory before processing the data of children (under 18) or persons with disabilities who cannot act independently. Targeted advertising and profiling of minors are explicitly prohibited.
4. Breach reporting and security safeguards
Compliance with security and incident response is strictly defined by specific technical measures and aggressive timelines.
- Mandatory security safeguards: Rule 6 mandates DFs to implement "reasonable security safeguards," including techniques like encryption, masking, obfuscation, and strict access controls.
- 72-hour breach notification: Upon becoming aware of a personal data breach, the DF has a dual obligation (Rule 7):
  - Intimate the affected Data Principals without delay.
  - Provide a detailed report to the Data Protection Board (DPB) within 72 hours of discovery.
5. Transparency and accountability
Accountability for large-scale processing is enhanced through mandatory oversight mechanisms that require continuous, auditable data governance.
- Grievance redressal: DFs must prominently publish clear contact points for data queries and complaints, typically of a designated officer or Data Protection Officer.
- Significant Data Fiduciary (SDF) obligations: Entities designated as SDFs face stricter duties (Rule 13), including mandatory Data Protection Impact Assessments (DPIAs) and independent compliance audits once every twelve months.
6. Digital data protection board and enforcement
The Rules clarify the structure of the regulatory body, emphasizing a modern, accessible, and structured enforcement process.
- Digital-first enforcement: The Digital Data Protection Board is established as a fully digital office, enabling citizens to file and track complaints online through a dedicated platform.
- Appeals via TDSAT: Decisions made by the Data Protection Board can be appealed to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), providing a specialized legal avenue for judicial oversight.
- Cross-border transfers: The framework adopts a "negative list" approach, allowing personal data to be transferred outside India unless the Central Government explicitly restricts a country or territory via notification.
Implications of the DPDP Rules, 2025

The finalization of the DPDP Rules, 2025, marks the transition of India's data protection regime from a legislative principle to an enforceable reality. The implications are profound, fundamentally altering the calculus for Data Fiduciaries, empowering citizens, and reshaping the regulatory landscape for government bodies.
For businesses: A shift to continuous compliance
The Rules mandate a complete overhaul of data governance and security practices for Data Fiduciaries, with non-compliance carrying penalties up to ₹250 Crore. Beyond regulatory penalties, the financial impact of poor data protection is already visible. A recent IBM report estimates the average cost of a data breach in India at approximately ₹220 million, driven largely by incident response, downtime, and loss of customer trust.
This existential risk makes compliance a top-tier operational priority.
- Operational overhaul: Businesses face clear compliance deadlines (full obligations by May 14, 2027) requiring redesign of consent workflows, implementation of the Consent Manager interface, and deployment of systems for automated data minimization and erasure.
- Risk and governance: The requirement for annual DPIAs and independent audits for Significant Data Fiduciaries demands embedding privacy-by-design principles and establishing robust audit trails. The mandatory one-year retention of logs for security purposes requires a new architecture to ensure traceability and rapid breach response.
- Competitive advantage: The shift promotes a culture of ethical data handling. Companies that demonstrate transparency and reliable security safeguards will build stronger consumer trust, turning strict DPDP compliance into a powerful competitive differentiator in the digital marketplace.
For consumers and citizens: Enhanced control and transparency
The framework's core intent is to empower the data principal, giving individuals unprecedented control and clarity over their digital personal data. This empowerment is overdue. The PwC survey also indicated that nearly 70% of Indian consumers are unaware that they can withdraw consent, and over 70% do not know that children’s data carries additional protections, highlighting the gap the DPDP Rules aim to close.
- Actionable rights: Citizens now have the non-negotiable right to access their data, request its correction (to which the Data Fiduciary must respond within 90 days), and demand erasure when the stated purpose of processing is fulfilled.
- Transparency and trust: The requirement for standalone, plain-language notices and the introduction of the independent Consent Manager system remove ambiguity from data usage. This clarity fosters greater confidence in digital services, addressing long-standing public anxiety about opaque data collection practices.
For government and public bodies: Balancing privacy and transparency
The Rules have significant implications for public authorities, particularly in relation to existing transparency laws.
- Dual obligations: Public authorities are also considered Data Fiduciaries and must adhere to all obligations, including implementing security safeguards and providing grievance redressal channels.
- RTI and privacy: The most critical implication is the amendment of Section 8(1)(j) of the Right to Information (RTI) Act. This amendment effectively removes the "larger public interest" override for disclosing personal data held by public authorities. This legislative change necessitates careful navigation to balance the fundamental Right to Privacy with the public's right to information, a core challenge for democratic data governance in India.
Next steps: An action plan for DPDP readiness
The transition to full DPDP compliance requires decisive, action-oriented preparation. The phased timeline offers a strategic window for both Data Fiduciaries and data principals to align their operations and expectations with the new regime.
For organizations: The compliance roadmap
Organizations must move quickly to implement systemic and technological solutions to ensure accountability and meet the strict timelines.
- Audit current data flows: The first critical step is conducting a comprehensive data inventory and mapping exercise. Identify every system, vendor, and workflow that collects, stores, or processes India-linked digital personal data. This clarity is essential for defining the purpose and ensuring data minimization.
- Update privacy notices and consent mechanisms: Immediately redesign user interfaces and onboarding flows. Privacy notices must be standalone, clear, and detail the specific, itemised purpose of processing. Consent must be captured using clear affirmative action and must be easily withdrawable.
- Prepare for consent manager frameworks: While full registration is due later, Data Fiduciaries must ensure their systems are technically prepared to integrate with interoperable platforms run by registered Consent Managers, ready to accept and honour consent requests from these third parties.
- Build rapid breach response playbooks: Given the stringent 72-hour breach notification mandate, implement automated detection and internal escalation tools. Create clear incident response teams, conduct tabletop exercises, and establish communication templates for notifying the Board and data principals without delay.
- Establish or enhance governance structures: Formally designate a privacy point of contact (or a Data Protection Officer for SDFs). Define data retention and erasure policies, ensuring data is securely deleted once its purpose is served, and maintain logs for the mandatory one-year period.
For consumers and citizens: Exercising your data rights
The DPDP framework places control directly in the hands of the individual. Citizens must understand and actively use their rights to drive compliance.
- Understanding consent and how to manage it: Always read the standalone notice before giving consent. Use the designated mechanisms (often through a website link or app setting) to easily withdraw consent if the purpose changes or the service is no longer used.
- How to exercise data rights: If you need to access, correct, or request the erasure of your data, use the readily published grievance redressal channels on the Data Fiduciary's website or app. Be aware that the DF has a maximum of 90 days to respond to your request. If the DF fails to respond, you can escalate the matter through the online complaint mechanism of the Digital Data Protection Board.
- The right to nominate: Consider formally nominating an individual to act on your behalf, which is crucial for ensuring continuity in managing your data in case of incapacity.
How Scrut helps you operationalize DPDP compliance
DPDPA compliance is not about one-time documentation. It is about building repeatable, defensible processes. Scrut helps you translate DPDP Rules 2025 into day-to-day execution by automating data mapping, evidence collection, access controls, vendor risk workflows, and policy management from a single platform. With 100+ integrations and continuous runtime security, you can track compliance posture, respond to data principal requests, and stay audit-ready as rules evolve. Instead of stitching together spreadsheets and tools, you get a clear, centralized view of your DPDP compliance status.
Want to see how this works in practice? Explore how Scrut can help you build and maintain DPDP compliance without manual overhead. Book a demo now.
FAQs
1. What data is covered by the DPDP Act and Rules?
The DPDP Act, 2023, and the Rules cover the processing of digital personal data: any information that identifies an individual, whether collected online or collected offline and subsequently digitised. They apply regardless of where the company is located, provided the processing is in connection with offering goods or services in India.
2. Who is covered under the DPDP Rules, 2025?
The Rules cover all Data Fiduciaries (entities determining the purpose and means of processing) and Data Processors that handle the digital personal data of individuals in India. This includes all businesses (large and small, domestic or foreign) and government bodies if their processing involves India-based data principals. Processing done for personal or domestic purposes is excluded.
3. Is our old privacy policy and consent system still valid?
No. The Rules mandate that consent requests must be accompanied or preceded by a standalone, clear, and plain language notice detailing the specific data collected and the precise purpose of processing. Generic policies or pre-ticked boxes are no longer acceptable under the requirement for unambiguous consent.
4. When must a company appoint a Data Protection Officer (DPO)?
A DPO is not mandatory for all Data Fiduciaries. The requirement applies only to entities that the government designates as Significant Data Fiduciaries based on the volume and sensitivity of the data they process. SDFs must also conduct mandatory annual DPIAs and independent compliance audits.
5. What is the immediate requirement if a personal data breach occurs?
A Data Fiduciary has a dual notification obligation: they must notify the affected Data Principals without delay and provide a detailed report to the Data Protection Board (DPB) within 72 hours of becoming aware of the breach. This necessitates a mature, automated incident response plan.
6. Can my personal data be transferred outside India?
Yes. The Rules permit cross-border data transfer to any country or territory, except for any country that the Central Government explicitly restricts via notification (adopting a "negative list" approach).
7. What control do I have over my data once consent is given?
You have the right to withdraw consent at any time, which must be as easy as giving it. You can request a summary of your data, seek correction of inaccuracies, and request erasure if the data's original purpose is no longer being served. The Data Fiduciary must address these requests within a maximum of 90 days.