EverydayPDF Logo
DPDP Act 2023 · India

DPDP Rules 2025: What Was Notified and What It Means

Updated July 5, 2026·8 min read·EverydayPDF Research

For two years after the DPDP Act was passed in August 2023, it existed only on paper — the Act needed subordinate rules to become operational. That changed on 13 November 2025, when the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 via Gazette notification G.S.R. 846(E).

The phased commencement timeline

DPDP Rules 2025 — commencement phases
PhaseEffective dateWhat becomes operational
Phase 113 November 2025 (immediate)Data Protection Board of India constituted and operational; complaint mechanisms live
Phase 2November 2026 (12 months)Consent Manager framework — registration and obligations of consent managers
Phase 313 May 2027 (18 months)All remaining substantive obligations: notice, consent, security safeguards, breach notification, data principal rights, retention and erasure

The date that matters

13 May 2027 is the hard enforcement date. From that day, the Data Protection Board can impose penalties — up to ₹250 crore for failure of security safeguards — on organisations that have not implemented the required measures. The 18-month window is a preparation period, not a grace period after violations.

What the Rules actually specify

  • Notice standards: consent notices must be standalone, itemised, and understandable — listing the personal data collected, the purpose, and how to withdraw consent or complain, available in English or any of the languages in the Eighth Schedule of the Constitution.
  • Reasonable security safeguards: a baseline including encryption, access control, logging and monitoring, and data backups — with the fiduciary contractually obligated to ensure its processors maintain the same standard.
  • Breach intimation: affected individuals must be informed of a breach without delay, and the Data Protection Board must be notified with detailed information within prescribed timelines.
  • Retention and erasure: personal data must be erased once its purpose is served; specified large platforms face defined retention windows after which data of inactive users must be deleted.
  • Children's data: verifiable parental consent is required before processing the personal data of anyone under 18, with limited exemptions for certain entities such as healthcare and education.
  • Consent Managers: registration criteria and obligations for interoperable consent platforms, operational from November 2026.
  • Significant Data Fiduciaries: annual Data Protection Impact Assessments, audits, and a Data Protection Officer based in India.

What you should be doing during the transition window

  1. Map every flow of personal data in your organisation — including documents (PDFs of KYC, tax filings, contracts) that carry personal data, not just databases.
  2. Rewrite consent notices to the new itemised standard.
  3. Audit every third-party tool that personal data passes through — each one is a Data Processor requiring a contract and equivalent security safeguards.
  4. Implement the baseline security measures: encryption at rest and in transit, access logs, and a tested breach-response plan.
  5. Set retention schedules and build the ability to actually erase data on request.

Shrink your processor list

Every cloud document tool you use is one more processor to audit and contract with. Browser-native tools like EverydayPDF process files locally on your machine — nothing is transmitted, so there is no processor relationship to manage.

Is your PDF tool DPDP-safe?

Frequently asked questions

When were the DPDP Rules 2025 notified?+

On 13 November 2025, via Gazette notification G.S.R. 846(E), issued by the Ministry of Electronics and Information Technology (MeitY).

When does the DPDP Act become fully enforceable?+

13 May 2027 — 18 months from notification of the Rules. From that date all substantive obligations (consent, notice, security safeguards, breach notification, data principal rights) are enforceable and the Data Protection Board can impose penalties.

Is the Data Protection Board of India functional now?+

Yes. The provisions establishing the Data Protection Board took effect immediately on 13 November 2025, and its complaint mechanisms are operational. The Board functions as a digital office — filings and hearings are designed to happen online.

What are Consent Managers and when do they start?+

Consent Managers are registered platforms that let individuals give, review and withdraw consent across multiple services from a single interoperable dashboard. The consent-manager provisions take effect 12 months from notification — November 2026.

Do the Rules apply to paper documents?+

The Act covers personal data collected digitally, and data collected offline that is subsequently digitised. The moment a paper form is scanned into a PDF, the personal data in it falls within the DPDP regime — which is why document-handling workflows matter for compliance.

Continue reading

This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.