
India has officially operationalized the Digital Personal Data Protection Act, marking a major shift for every organization handling personal data in the country by introducing India-specific compliance mechanisms around consent, breach notification, governance, and rights fulfillment. Companies now need to begin structured readiness work to avoid bottlenecks, penalties, and governance gaps.
In November 2025, the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025, ending a long wait since the passage of the DPDPA in 2023.
The rules clarify operational obligations around consent, notice, data retention, parental verification, significant data fiduciary responsibilities, and dispute mediation mechanisms, and bring the DPDPA into force through a phased implementation model:
- Effective immediately: Establishment and functioning of the Data Protection Board (DPB).
- Effective in 12 months: Registration and operational requirements for Consent Managers.
- Effective in 18 months: Full enforcement of all remaining obligations, including notices, breach notifications, children’s data safeguards, governance duties, and rights fulfilment.
As India’s privacy regime shifts from policy to enforcement, organizations should focus on building audit-ready visibility into their data: what is collected, where it resides, how it flows, who accesses it, and when it should be deleted. A one-size-fits-all compliance model will not hold up under the DPDPA’s consent-first, rights-driven framework.
Expert Analysis
India's Digital Personal Data Protection Act 2023 and Rules 2025 aren't just compliance requirements - they're your catalyst for building a data-resilient organization that customers trust and regulators respect.
Start with what truly matters: knowing your data. Launch a comprehensive data mapping initiative that reveals the complete journey of personal information through your organization. Discover where data originates, how it flows between departments, where it resides, who accesses it, and when it should retire. Map your third-party relationships and cross-border data movements.
This clarity transforms compliance from burden into competitive advantage. You'll make smarter security investments, respond confidently to data subject requests, and demonstrate transparency that builds customer loyalty. Organizations that master their data landscape don't just avoid penalties - they unlock operational efficiency and innovation. Embrace this as your strategic advantage. Assign champions, empower teams, and build your data intelligence foundation today. The organizations that act now will lead tomorrow's resilient and trusted digital economy.
Sujit Christy - Founder/President | Circulo de CISO
For practical guidance on strengthening your privacy foundations (data mapping, consent readiness, retention hygiene, breach governance, and audit preparedness), explore Exterro’s Privacy Program Assessment Checklist, a comprehensive self-evaluation resource for building a defensible privacy program.