DPDP Rules 2025: What Was Notified and What It Means
For two years after the DPDP Act was passed in August 2023, it existed only on paper — the Act needed subordinate rules to become operational. That changed on 13 November 2025, when the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 via Gazette notification G.S.R. 846(E).
The phased commencement timeline
| Phase | Effective date | What becomes operational |
|---|---|---|
| Phase 1 | 13 November 2025 (immediate) | Data Protection Board of India constituted and operational; complaint mechanisms live |
| Phase 2 | November 2026 (12 months) | Consent Manager framework — registration and obligations of consent managers |
| Phase 3 | 13 May 2027 (18 months) | All remaining substantive obligations: notice, consent, security safeguards, breach notification, data principal rights, retention and erasure |
The date that matters
13 May 2027 is the hard enforcement date. From that day, the Data Protection Board can impose penalties — up to ₹250 crore for failure of security safeguards — on organisations that have not implemented the required measures. The 18-month window is a preparation period, not a grace period after violations.
What the Rules actually specify
- Notice standards: consent notices must be standalone, itemised, and understandable — listing the personal data collected, the purpose, and how to withdraw consent or complain, available in English or any of the languages in the Eighth Schedule of the Constitution.
- Reasonable security safeguards: a baseline including encryption, access control, logging and monitoring, and data backups — with the fiduciary contractually obligated to ensure its processors maintain the same standard.
- Breach intimation: affected individuals must be informed of a breach without delay, and the Data Protection Board must be notified with detailed information within prescribed timelines.
- Retention and erasure: personal data must be erased once its purpose is served; specified large platforms face defined retention windows after which data of inactive users must be deleted.
- Children's data: verifiable parental consent is required before processing the personal data of anyone under 18, with limited exemptions for certain entities such as healthcare and education.
- Consent Managers: registration criteria and obligations for interoperable consent platforms, operational from November 2026.
- Significant Data Fiduciaries: annual Data Protection Impact Assessments, audits, and a Data Protection Officer based in India.
What you should be doing during the transition window
- Map every flow of personal data in your organisation — including documents (PDFs of KYC, tax filings, contracts) that carry personal data, not just databases.
- Rewrite consent notices to the new itemised standard.
- Audit every third-party tool that personal data passes through — each one is a Data Processor requiring a contract and equivalent security safeguards.
- Implement the baseline security measures: encryption at rest and in transit, access logs, and a tested breach-response plan.
- Set retention schedules and build the ability to actually erase data on request.
Shrink your processor list
Every cloud document tool you use is one more processor to audit and contract with. Browser-native tools like EverydayPDF process files locally on your machine — nothing is transmitted, so there is no processor relationship to manage.
Is your PDF tool DPDP-safe?Frequently asked questions
When were the DPDP Rules 2025 notified?+
On 13 November 2025, via Gazette notification G.S.R. 846(E), issued by the Ministry of Electronics and Information Technology (MeitY).
When does the DPDP Act become fully enforceable?+
13 May 2027 — 18 months from notification of the Rules. From that date all substantive obligations (consent, notice, security safeguards, breach notification, data principal rights) are enforceable and the Data Protection Board can impose penalties.
Is the Data Protection Board of India functional now?+
Yes. The provisions establishing the Data Protection Board took effect immediately on 13 November 2025, and its complaint mechanisms are operational. The Board functions as a digital office — filings and hearings are designed to happen online.
What are Consent Managers and when do they start?+
Consent Managers are registered platforms that let individuals give, review and withdraw consent across multiple services from a single interoperable dashboard. The consent-manager provisions take effect 12 months from notification — November 2026.
Do the Rules apply to paper documents?+
The Act covers personal data collected digitally, and data collected offline that is subsequently digitised. The moment a paper form is scanned into a PDF, the personal data in it falls within the DPDP regime — which is why document-handling workflows matter for compliance.
Continue reading
Enforcement timeline
From the 2023 Act to the May 2027 hard deadline — every date, and what to do in each quarter.
Compliance checklist
Twelve concrete steps — from data mapping to breach drills — sized for firms without a compliance department.
Penalties under DPDP
The full fine schedule — from ₹10,000 for individuals to ₹250 crore for security-safeguard failures.
What is the DPDP Act?
India's first comprehensive data protection law, explained in plain English — definitions, scope, rights and duties.
This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.
