The Government of India has operationalized the Digital Personal Data Protection Act, 2023 (“Act”), through the notification of the Digital Personal Data Protection Rules, 2025 (“Rules”) on November 13, 2025. Together, the Act and the Rules constitute India’s first privacy legislation that confers new rights on citizens, such as the right to revoke consent for the processing of personal data, the right to correct and erase personal data, and the right to redressal of grievances relating to the misuse of personal data. In this Article, we aim to provide a comprehensive breakdown of the newly notified Rules and explain their implementation.

The Rules lay out a pragmatic, phased implementation schedule that gives institutions time to build governance capacity before full-scale compliance begins. Nonetheless, this period does not lessen the gravity of the forthcoming obligations, and a timely start to compliance preparations will be determinative in preventing future lapses.

THREE PHASED IMPLEMENTATION

The Rules and the provisions of the Act are to be implemented in three phases: the initial phase is effective immediately, the second phase commences twelve (12) months after notification, and the final phase commences eighteen (18) months after notification.

  • It is important to note that the first phase, which is now in effect, is focused entirely on the establishment of the Data Protection Board (“Board”), the State’s adjudicatory machinery under the Act. This initial phase establishes the Board’s structure, its composition, its authority, and the appointment processes for its chairperson, members, officers, and staff.
  • The next phase begins in November 2026, when the provisions relating to the registration of Consent Managers come into force.
  • Finally, the 18-month timeline, ending in May 2027, is the final and most crucial phase, activating all remaining provisions of the Act, including the obligations relating to reasonable security safeguards, privacy notices, breach reporting, data erasure, and verifiable parental consent.

  1. CLICKWRAP TO CONSCIOUS CONSENT:

One of the key requirements under Rule 3 mandates that data privacy notices be “presented and be understandable independently of any other information”, signalling the end of ‘clickwrap’ prompts in which crucial terms are buried within lengthy privacy policies that Data Principals accept wholesale through a single “I Accept” checkbox.

Notices must instead use clear and plain language, with itemized descriptions of the personal data to be processed and the specific purpose linked to specific goods or services, and must explicitly address the mechanisms by which Data Principals may withdraw consent, exercise their rights, or file complaints with the Board. This itemized requirement forces businesses to abandon vague justifications such as “improving our services”. It operates to the benefit of Data Principals and triggers substantial implementation work for Fiduciaries, spanning legal redrafting, UI/UX redesign, and the development or modernisation of consent management mechanisms.

  2. MANDATORY SAFEGUARDS AND THE 72-HOUR BREACH REPORTING CLOCK:

By mandating “reasonable security safeguards”, Rule 6 transforms internal IT security measures from a voluntary best practice into a binding legal requirement. In particular, all Data Fiduciaries must implement, at a minimum, appropriate data security measures such as encryption, obfuscation, masking, or the use of virtual tokens, while also taking measures to effectively control access to the physical computer resources. Data Fiduciaries are required to retain access logs for a period of one year, which will necessitate corresponding investments in storage infrastructure and audit capabilities.

Rule 7 operationalizes the most high-pressure obligation with a detailed, two-part breach reporting mechanism: (a) notifying the affected Data Principals and (b) notifying the Board. In the event of a personal data breach, Fiduciaries must notify the affected Data Principals without delay, in clear language, outlining the consequences and the mitigation steps. Simultaneously, a report must be filed with the Board, and this reporting is itself divided into two steps.

An initial breach intimation must be sent without delay, followed by a detailed report within 72 hours of becoming aware of the breach. This detailed report requires a comprehensive breakdown of the events, the root causes, and any findings regarding the perpetrators of the breach. This creates a dual-clock scenario in which legal and technical teams must meet this reporting standard while simultaneously complying with the existing 6-hour CERT-In mandate, so that the same incident has to be reported through two separate disclosures.

  3. VERIFIABLE CONSENT FOR VULNERABLE PRINCIPALS:

Rule 10 clarifies the mechanism for obtaining “verifiable parental consent”. It requires that, before collecting or processing the personal data of a child, the Data Fiduciary must ensure that the parent approves such collection and processing on the basis of reliable verification of the child’s identity and age. Reliable identity details may be retrieved from data already held by the Data Fiduciary, or may be voluntarily provided through virtual tokens such as the Aadhaar Virtual ID and authenticated via digital locker services such as DigiLocker. This establishes a de facto technical standard for parental verification tied directly into the India Stack ecosystem. While innovative, this presents significant integration challenges, particularly for non-Indian entities that must build entirely new workflows to accommodate these authentication requirements. These conditions are, however, subject to certain legitimate exemptions under Rule 12 and the Fourth Schedule to the Rules. Similar obligations apply to the data of persons with disability under Rule 11, where the Data Fiduciary must verify guardianship status, which requires the ingestion and verification of legal guardianship documents.

  4. SIGNIFICANT DATA FIDUCIARIES, ALGORITHMS, AND THE SUNSET CLAUSE:

Rule 13 sets a higher burden for Significant Data Fiduciaries (“SDFs”). Going beyond Data Protection Impact Assessments (“DPIAs”), cross-border transfer restrictions, and independent audits, the Rules also add the requirement to verify that any “algorithmic software” employed by SDFs does not pose risks to user rights. This effectively introduces a continual algorithmic audit, forcing SDFs to scrutinize artificial intelligence and automated decision-making systems for possible bias or harm to Data Principals. The rights of Data Principals to access, correct, erase, and nominate add a further layer of complexity to these systems: SDFs must now ensure that the algorithmic systems they employ can also operationally support the exercise of those rights.

Rule 14 also operationalizes the right to grievance redressal by mandating that Fiduciaries establish an accessible 90-day grievance redressal system, which must be exhausted before a complaint may be escalated to the Board. This encourages companies to resolve most issues internally, thereby preventing the Board from being burdened with simple or frivolous complaints at the first instance. Further, Rule 8 provides for data retention limits, mandating that data must be erased once its purpose is deemed served.

CONCLUSION

With a hard deadline of May 2027 set, the notification of the Rules signals a reset for India’s digital economy and for the prevailing business logic that taught companies to capture as much data as possible, even for undefined future use. The DPDP regime fundamentally inverts that model, replacing indefinite data hoarding with a system based on purpose limitation and mandatory erasure. While the 18-month implementation window may appear generous, it practically offers little cushion for businesses that have not already begun reorienting their data handling practices. The operational overhaul, from re-engineering user interfaces to integrating India Stack mechanisms, demands both institutional unlearning and substantial new infrastructure. Businesses may now have to dismantle legacy systems built on implicit consent and rebuild them around the strict architecture of privacy-by-design, a transition that requires more than just IT upgrades. With the Rules relying on qualitative thresholds such as ‘reasonable security safeguards’ and ‘demonstrable consent’, compliance under this new regime ultimately demands both robust engineering and strategic legal guidance that can navigate ambiguities and ensure that technical implementations withstand regulatory scrutiny.