DPDP Rules 2025
Where the Act ends, the Rules begin.
DPDPA 2023 sets the principles. The Digital Personal Data Protection Rules 2025 operationalise them — prescribing notice content, breach reporting timelines, Consent Manager registration, DPIA frameworks, and the procedure of the Data Protection Board. Without the Rules, the Act is silent.
Key figures
22 Rules prescribed under the DPDP Rules 2025 (subordinate legislation under the Act)
72 hours: maximum window to notify the Board of a personal data breach (Rule 7)
₹2 crore: minimum net worth for Consent Manager registration (Rule 4)
Rule-making authority: the Central Government, under the DPDPA 2023
The Act sets the principles. The Rules tell you what to actually do.
Read the Act in isolation and most obligations remain abstract. Section 5 says a notice must be given. Rule 3 tells you what the notice must contain. Section 8 says breaches must be notified. Rule 7 tells you the form, content, and 72-hour window.
The DPDP Rules 2025 turn principles into operational requirements. They prescribe what Consent Managers must look like, how DPIAs must be conducted, what reasonable security safeguards entail, and how the Data Protection Board will conduct inquiries.
A compliance programme that has not been re-mapped against the Rules is a compliance programme built on assumptions. The Rules close interpretive gaps that the Act deliberately left open.
The 12 operationally critical Rules
Of the 22 prescribed Rules, twelve directly drive day-to-day compliance operations. For each Rule below, the entry summarises its operational impact and names the section of the Act it operationalises.
Notice by Data Fiduciary to Data Principal
Prescribes the minimum content of the notice required under Section 5 — specific purpose, categories of personal data, manner of withdrawing consent, contact details of grievance officer, and rights exercise mechanism.
Registration and Obligations of Consent Manager
Establishes the framework for Consent Managers under Section 6(8) — ₹2 crore minimum net worth, interoperability requirements, audit obligations, and the duties of Consent Managers in respect of Data Principals and Data Fiduciaries.
Processing for Subsidies, Benefits, Services, and Functions
Operationalises the "certain legitimate uses" ground under Section 7 for processing by the State and its instrumentalities (the Act no longer uses the term "deemed consent"). Specifies the manner of issuing notice and the standards that apply to processing in connection with subsidies, benefits, services, certificates, licences, and permits.
Reasonable Security Safeguards
Mandates technical and organisational measures proportionate to the volume and sensitivity of the data processed: encryption, masking or tokenisation of personal data, access controls, monitoring and logging, preservation of logs for detection and investigation, backups, incident response procedures, periodic audits, and contractual flow-down of these obligations to Data Processors. The Rule is framed as outcomes rather than named algorithms or products, so the Data Fiduciary must choose the controls and be able to justify them.
Intimation of Personal Data Breach
Specifies the breach notification procedure under Section 8(6). A Data Fiduciary must intimate the Board without delay on becoming aware of a breach, and within 72 hours (or such longer period as the Board allows on request) submit the details: nature, extent and timing of the breach, the personal data affected, likely impact, mitigation measures taken, and the identity of the person responsible where known. Affected Data Principals must be informed without delay, in plain language, of what happened and what they can do.
Time Period for Erasure of Personal Data
Operationalises Section 8(7) and Section 8(8). For specified classes of Data Fiduciary, prescribes the period of Data Principal inactivity after which the purpose is deemed no longer served, with advance notice to the Data Principal before erasure. Erasure remains subject to any retention required by law.
Contact Information of Person Responsible
Requires Data Fiduciaries to publish on their website or app the business contact information of the Data Protection Officer or other authorised person responsible for answering queries about processing activities.
Children's Data — Verifiable Consent and Exemptions
Prescribes verifiable parental consent mechanisms, age verification standards, and categories of Data Fiduciaries that may be exempted from specific children’s data obligations based on demonstrated safety standards under Section 9(5).
Significant Data Fiduciary — Additional Obligations
Specifies the manner of conducting Data Protection Impact Assessments and periodic audits required of Significant Data Fiduciaries under Section 10(2). Prescribes report content, frequency, and submission protocols.
Rights of Data Principal — Exercise Mechanism
Operationalises Sections 11–14. Specifies the manner of submission, identity verification, response timelines, and the framework for exercising the rights to access, correction, erasure, nomination, and grievance redressal.
Cross-Border Transfer Restrictions
Establishes the procedure for restricting transfers under Section 16. The Central Government may by notification specify a country or territory outside India to which a Data Fiduciary shall not transfer personal data.
Procedure of the Data Protection Board of India
Lays out procedural rules for the Board — composition, manner of inquiry under Section 28, evidence procedures, hearing protocols, and the framework for issuing directions and imposing penalties under Section 33.
How sequencing affects exposure
The Rules can be implemented in any order, but enforcement risk does not distribute evenly. These priorities reflect what we counsel clients to address first.
Priority 1: Rule 3 (Notice content), Rule 7 (Breach response), Rule 6 (Security safeguards baseline), Rule 9 (DPO contact publishing)
Priority 2: Rule 13 (Rights exercise mechanism), Rule 12 (DPIA framework if SDF), Rule 8 (Erasure timelines)
Priority 3: Rule 4 (Consent Manager onboarding), Rule 10 (Children's data verification), Rule 5 (State entity processing flows where applicable)
Priority 4: Rule 14 (Cross-border transfer monitoring), the Board procedure Rules (inquiry preparedness)
Request a Rules Implementation Briefing
Our practitioners will walk through your operational footprint, identify which of the 22 Rules apply to your operations, and frame an implementation roadmap mapped to enforcement risk.
A senior practitioner will reach out within one working day.