The Digital Personal Data Protection Act 2023 (DPDPA) is India's comprehensive data protection law that governs how organizations collect, process, store, and transfer personal data of Indian citizens. It was notified on August 11, 2023, with the DPDP Rules 2025 published on November 13, 2025, and full enforcement beginning May 13, 2027.

When does DPDPA 2023 come into full force?

DPDPA 2023 comes into full force on May 13, 2027, which is 18 months after the notification of DPDP Rules 2025 on November 13, 2025. Consent Manager registration must be completed within 12 months (by November 2026).

What are the penalties under DPDPA 2023?

DPDPA 2023 prescribes penalties up to ₹250 crore for the most severe violations including failure to implement reasonable security safeguards leading to data breaches. Lesser penalties apply for other violations such as failure to notify breaches (up to ₹200 crore) or non-compliance with data principal rights (up to ₹50 crore).

What is a Significant Data Fiduciary under DPDPA?

A Significant Data Fiduciary (SDF) is a Data Fiduciary notified by the Central Government based on factors like volume and sensitivity of personal data processed, risk to data principal rights, potential impact on sovereignty and integrity of India, and risk to electoral democracy. SDFs have additional obligations including appointing a Data Protection Officer and conducting Data Protection Impact Assessments.

What are Data Principal rights under DPDPA 2023?

Under DPDPA 2023, Data Principals have the right to: access information about their personal data being processed, request correction and erasure of data, grievance redressal, nominate another person to exercise rights in case of death or incapacity, and withdraw consent at any time with the same ease as giving consent.

How does DPDPA handle cross-border data transfers?

DPDPA 2023 adopts a blacklist approach for cross-border data transfers. Personal data can be transferred to any country except those specifically restricted by the Central Government through notification. This is different from GDPR's adequacy-based whitelist approach.

How much is DPDPA penalty?

DPDPA penalties range from ₹10,000 to ₹250 crore depending on the violation. The maximum penalty of ₹250 crore applies to failure to implement reasonable security safeguards resulting in data breaches. Failure to notify breaches can attract up to ₹200 crore, while non-compliance with data principal rights can result in penalties up to ₹50 crore.

What is 72 hour breach notification under DPDPA?

Under DPDPA 2023 and DPDP Rules 2025, Data Fiduciaries must provide a detailed breach report to the Data Protection Board within 72 hours of becoming aware of a personal data breach. The initial intimation must be given without unreasonable delay. The 72-hour report must include breach details, affected data principals, and remedial measures taken.

Is DPDPA applicable to foreign companies?

Yes, DPDPA 2023 has extraterritorial applicability. It applies to processing of personal data outside India if such processing is in connection with offering goods or services to Data Principals in India. Foreign companies processing Indian citizens' data must comply with DPDPA requirements.

How to become a Consent Manager under DPDPA?

To become a registered Consent Manager under DPDPA, you must apply to the Data Protection Board of India. Requirements include: being incorporated in India, having adequate technical and organizational capacity, maintaining an accessible and interoperable platform, and meeting prescribed capital and infrastructure requirements. Registration deadline is 12 months from DPDP Rules notification (by November 2026).

What is verifiable parental consent under DPDPA?

Verifiable parental consent under DPDPA means obtaining consent from a parent or lawful guardian before processing personal data of children (persons below 18 years). The verification mechanism must reasonably ensure that the person giving consent is the child's parent or guardian. Processing children's data without verifiable parental consent is prohibited.

What documents are needed for DPDPA compliance?

Key documents for DPDPA compliance include: Privacy Notice, Consent Records, Data Processing Register, Data Protection Impact Assessments (for SDFs), Breach Response Plan, Data Principal Rights Procedures, Vendor/Data Processor Agreements, Cross-border Transfer Assessments, Training Records, and Audit Reports. SDFs must also maintain DPO appointment documentation.

DPDP Rules 2025: What the November Notification Means for Your Organisation

The Notification and Its Significance

On 13th November 2025, the Ministry of Electronics and Information Technology (MeitY) published the Digital Personal Data Protection Rules, 2025 ("DPDP Rules" or "the Rules") in the Official Gazette, marking a pivotal moment in India data protection regulatory landscape. The Rules operationalise the Digital Personal Data Protection Act, 2023, providing the detailed procedural framework that organisations require for practical compliance.

The notification date of 13th November 2025 is of particular significance as it triggers the commencement of statutory timelines. All organisations processing personal data of individuals in India must achieve full compliance within 18 months of this date, establishing 13th May 2027 as the definitive enforcement deadline.

Implementation Timeline

Critical Dates

Rules Notification13th November 2025
Consent Manager Registration DeadlineNovember 2026 (12 months)
Full Compliance Deadline13th May 2027 (18 months)

The phased timeline acknowledges the operational complexity of achieving compliance. Consent Managers, being specialised intermediaries, are granted 12 months to complete registration, allowing organisations to integrate their services into consent management frameworks before the full compliance deadline.

Key Provisions of the Rules

Rule 4: Notice Requirements

Rule 4 prescribes the content and manner of providing notice to Data Principals. The notice must be provided at the time of or before collection of personal data, containing a clear itemised description of personal data to be collected and the specific purposes for processing.

Rule 5: Consent Manager Framework

Rule 5 establishes the regulatory framework for Consent Managers. Eligibility criteria include incorporation in India, minimum net worth requirements, technical infrastructure capable of ensuring interoperability, and absence of conflict of interest. Registration applications must be submitted to the Data Protection Board within 12 months of the Rules notification.

Rule 6: Data Principal Rights Response

Rule 6 specifies the procedure for responding to Data Principal requests for access, correction, and erasure. Data Fiduciaries must acknowledge receipt and provide substantive response within prescribed timelines, with clear grounds stated for any refusal.

Rule 7: Breach Notification

Rule 7 prescribes the two stage breach notification process. Upon becoming aware of a personal data breach, the Data Fiduciary must provide initial intimation to the Data Protection Board. A detailed report must follow within 72 hours, containing breach description, categories of affected Data Principals, likely consequences, and remedial measures undertaken.

Significant Data Fiduciary Requirements

Rules 12 and 13 impose enhanced obligations upon Significant Data Fiduciaries. These include:

Appointment of a Data Protection Officer who is resident in India and possesses appropriate professional competence
Appointment of an independent Data Auditor to conduct annual compliance audits
Conduct of Data Protection Impact Assessments before undertaking processing that poses significant risk to Data Principals
Submission of annual compliance reports to the Board

Practical Steps for Compliance

Organisations should commence the following activities during the transitional period:

Conduct comprehensive data mapping to identify all personal data processing activities
Review and update privacy notices to meet Rule 4 requirements
Implement or enhance consent management systems compliant with Section 6 of the Act
Establish Data Principal rights response procedures meeting Rule 6 timelines
Develop breach response protocols aligned with Rule 7 requirements
Assess whether organisation may be notified as a Significant Data Fiduciary
Engage with registered Consent Managers for consent management outsourcing where appropriate

Conclusion

The DPDP Rules 2025 provide the operational detail necessary for organisations to achieve compliance with DPDPA 2023. The 18 month transitional period, whilst appearing substantial, requires immediate action given the breadth of organisational changes required. Compliance officers should treat 13th May 2027 not as a target date but as a hard deadline, with internal milestones established to ensure progressive compliance throughout the transitional period.