On 21 March 2025, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025 vide G.S.R. 846(E) in the Gazette of India. These 22 Rules operationalise the Digital Personal Data Protection Act, 2023 (DPDPA) across 44 Sections and 1 Schedule. For foreign companies with India operations — whether through subsidiaries, joint ventures, GCCs, or SaaS deployments — these Rules convert abstract statutory obligations into concrete operational deadlines, technical specifications, and documentation requirements. This article maps each critical Rule to the operational action it demands from a foreign entity's India compliance function.
G.S.R. 846(E): What the Gazette Notification Contains
The notification published under G.S.R. 846(E) contains 22 Rules exercising powers under Section 40 of DPDPA read with Sections 5, 6, 8, 9, 10, 11, 13, 16, 17, 22, 24, 28, 30, 31, 36, and 37. The Rules were notified on 21 March 2025 with enforcement commencing 13 May 2027, providing a 26-month runway for implementation. For foreign operations, the critical architecture spans: consent infrastructure (Rules 3-4), processor governance (Rule 6), breach mechanics (Rule 7), grievance redressal (Rule 8), children's data (Rules 10-12), Significant Data Fiduciary obligations (Rule 13), and cross-border transfers (Rules 14-15).
Key Points
- 22 Rules notified 21 March 2025
- Enforcement date: 13 May 2027
- 26-month implementation runway
- Exercises powers under 16 DPDPA Sections
Rules 3-4: Consent Architecture — The Technical Mandate
Rule 3 prescribes the form and content of notice under Section 5 — it must be in clear, plain language, available in English and all 22 scheduled languages upon request. For foreign operations running centralised consent platforms (OneTrust, TrustArc, Cookiebot), this means India-specific consent flows cannot simply mirror GDPR templates. Rule 4 operationalises Consent Managers under Section 2(g) — registered intermediaries who manage consent on behalf of Data Principals. A foreign entity using a Consent Manager must verify its registration with the Data Protection Board. The consent record must capture: timestamp, notice version, language presented, mechanism used, and withdrawability confirmation.
Key Points
- 22 scheduled language support required on request
- Consent Manager registration verification mandatory
- Consent records must include timestamp + notice version
- GDPR consent templates are not DPDPA-compliant
Rule 6: Processor Contracts — What Your India Vendors Must Agree To
Rule 6 operationalises Section 8(2) — the Data Fiduciary's effectively non-delegable responsibility over processors. Every vendor processing personal data on behalf of a foreign entity's India operations must have a written contract specifying: processing scope, security safeguards, sub-processor controls, deletion obligations on termination, breach notification chain, and audit rights. The Rule does not permit incorporation by reference to a global DPA — the contract must address DPDPA-specific obligations independently. This has direct implications for outsourced HR (ADP, Workday), cloud infrastructure (AWS, Azure, GCP), and SaaS vendors (Salesforce, ServiceNow) servicing India operations.
Key Points
- Written contract mandatory — oral agreements insufficient
- Sub-processor controls required under Section 8(2)
- Global DPA does not substitute DPDPA-specific terms
- Deletion obligation on contract termination
Rule 7: Breach Notification — The Parallel Reporting Regime
Rule 7 prescribes the form and manner of breach notification under Section 8(6). The Data Fiduciary must notify both the Data Protection Board and affected Data Principals "without unreasonable delay." For foreign operations, this creates a parallel reporting obligation alongside CERT-In's 6-hour cyber incident reporting requirement under its Directions of 2022. The notification must contain: nature of the breach, categories and approximate number of Data Principals affected, likely consequences, and measures taken. A foreign entity's global incident response playbook must be augmented with India-specific notification templates, escalation trees, and Board communication protocols.
Key Points
- Dual notification: Board + Data Principals
- Parallel obligation with CERT-In 6-hour reporting
- Notification must specify affected categories and numbers
- India-specific incident response playbook required
Rules 10-12: Children's Data — Verification and Prohibitions
Rule 10 mandates verifiable parental or guardian consent for processing data of individuals under 18 years. Rule 11 prohibits tracking, behavioural monitoring, and targeted advertising directed at children. Rule 12 provides specific exemptions for prescribed categories of Data Fiduciaries. For foreign operations running consumer-facing platforms (e-commerce, gaming, ed-tech, social media), this requires: age-gate implementation at the India entry point, parental consent collection infrastructure, complete suppression of behavioural ad targeting for minor users, and separate data retention policies for children's data. The age threshold of 18 (versus GDPR's 16 or COPPA's 13) catches many foreign platforms that have calibrated their systems to lower thresholds.
Key Points
- Age threshold: 18 years (higher than GDPR/COPPA)
- Verifiable parental consent — not just checkbox
- Complete ban on behavioural targeting for children
- Rule 12 exemptions for prescribed categories only
Rule 13: Significant Data Fiduciary — The Enhanced Compliance Tier
Rule 13 operationalises Section 10 — the enhanced obligations for entities notified as Significant Data Fiduciaries (SDFs). An SDF must appoint a Data Protection Officer resident in India, conduct periodic Data Protection Impact Assessments (DPIAs), undertake independent audits, and publish algorithmic assessment results where automated decision-making significantly affects Data Principals. For a foreign entity's India subsidiary that processes large volumes of personal data, SDF notification is a realistic possibility. The compliance cost differential between a standard Data Fiduciary and an SDF is substantial — DPO appointment, DPIA infrastructure, audit cycles, and Board reporting create an ongoing operational overhead that must be budgeted in the India compliance plan.
Key Points
- DPO must be India-resident
- Periodic DPIA mandatory for SDFs
- Independent audit requirement
- Algorithmic assessment for automated decisions
Rules 14-15: Cross-Border Transfers — The Negative List Approach
The DPDPA adopts a permissive-with-exception model for cross-border data transfers under Section 16. Data may flow to any jurisdiction except those on the Central Government's restricted list (the "negative list"). As of this writing, the negative list has not been notified, meaning transfers to all jurisdictions remain permissible. However, sectoral regulators impose independent localisation requirements: RBI mandates domestic storage of payment system data; IRDAI requires insurance data within India; SEBI has specific data governance requirements. A foreign entity's data architecture must account for both the DPDPA framework and sectoral overlays — a transfer compliant under DPDPA may still violate RBI's circular on storage of payment data.
Key Points
- Permissive model — transfers allowed unless restricted
- Negative list not yet notified (as of June 2026)
- RBI, IRDAI, SEBI impose independent localisation
- Sectoral compliance required alongside DPDPA
Key Takeaways
- Map each of the 22 Rules to your India entity's current processing activities within the 26-month runway
- Audit existing consent platforms (OneTrust, TrustArc) against Rule 3 language and format requirements
- Renegotiate all India vendor contracts to include DPDPA-specific Rule 6 terms — global DPAs are insufficient
- Build India-specific breach notification playbooks addressing both Rule 7 and CERT-In parallel obligations
- Implement age-gate and parental consent infrastructure calibrated to the 18-year threshold under Rule 10
- Assess SDF notification risk under Rule 13 and budget for DPO, DPIA, and audit infrastructure if applicable
- Layer sectoral data localisation requirements (RBI, IRDAI, SEBI) over DPDPA's cross-border framework
