The Rules That Operationalise the Act
The Digital Personal Data Protection Rules 2025 were notified by the Ministry of Electronics and Information Technology on 13 November 2025. They translate the DPDP Act 2023’s framework obligations into operational requirements — prescribing formats, timelines, processes, and specific procedures that enterprises must implement.
If the Act defines what must be done, the Rules define how it must be done.
Key Provisions That Enterprises Must Act On Immediately
1. Breach Notification — 72-Hour Requirement
The Rules prescribe a specific format and timeline for data breach notification. When a breach occurs:
Within 72 hours of becoming aware:
- Notify the Data Protection Board using the prescribed format
- The notification must include: nature of breach, data categories affected, approximate number of data principals affected, likely consequences, measures taken or proposed
After 72 hours (ongoing):
- Notify affected data principals in a form they can understand
- If the number of affected data principals is large, notification may be made through a public notice
What this means for enterprises: You must have a breach response procedure that begins within hours of detection, not days. The 72-hour window starts from the time the enterprise becomes aware — not when it completes its internal investigation.
2. Notice Requirements
Before or at the point of collecting personal data, the notice must contain in clear and plain language:
- The personal data proposed to be collected
- The purpose for which it will be processed
- How data principals can exercise their rights
- How they can make a complaint to the Board
- Contact details for the grievance officer
The Rules specify that the notice must be available in English and may also be provided in any of the 22 Scheduled languages. For enterprises serving rural or non-English-speaking customers, this creates an operational obligation to maintain multi-language notice infrastructure.
3. Consent Manager Framework
The Rules establish a Consent Manager registration process with the Data Protection Board. Enterprises that process data through Consent Managers must:
- Integrate with registered Consent Managers for consent recording
- Maintain verifiable consent artefacts for every processing activity
- Be able to produce consent evidence on demand for Board investigations
Alternatively, enterprises maintaining equivalent consent record systems internally must implement the same level of auditability.
4. SDF Obligations Timeline
For entities designated as Significant Data Fiduciaries:
- Annual DPIA must be completed and submitted to the Board
- Data audit by an independent auditor must be completed annually
- DPO appointment must be completed and registered
- Algorithmic impact assessments must be carried out for automated processing systems
5. Children’s Data Processing
The Rules operationalise the Act’s children’s data provisions:
- Verifiable parental consent must be obtained before processing any child’s personal data
- “Verifiable” means the method must reliably confirm the consent-giver is the parent/guardian
- No targeted advertising or profiling of children
- No processing that could harm a child’s well-being
Compliance Timeline
| Obligation | Timeline |
|---|---|
| Notice format compliance | Immediate on notification (Nov 2025) |
| Breach notification procedure | Immediate |
| Consent mechanism review | Immediate |
| SDF designation assessment | Q1 2026 (MeitY designation process) |
| Annual DPIA programme (SDFs) | Before May 2027 compliance deadline |
| Consent Manager integration | Before May 2027 |
| Annual audit completion (SDFs) | Before May 2027 |
Assess your compliance against DPDP Rules 2025
The CreativeCyber DPDP Assurance Platform includes DPDP Rules 2025 as a mapped control pack — run a gap assessment, generate evidence, and produce audit-ready reports.