DPDP Rules 2025: What Every Indian Business Must Know

Abhi Anand
15 October 2025

Introduction

The Digital Personal Data Protection Act, 2023 laid the legislative foundation for data privacy in India, but the operational specifics were always going to depend on the rules notified under the Act. With the DPDP Rules now published in 2025, Indian businesses finally have the granular detail they need to build compliant systems, processes, and governance structures. These rules translate the Act's broad principles into actionable requirements - specifying everything from consent notice formats and breach notification timelines to the registration process for Consent Managers and the criteria for designating Significant Data Fiduciaries. For businesses that have been waiting for clarity before committing resources, the wait is over. The rules establish concrete obligations with defined timelines, and non-compliance carries the same severe penalties outlined in the parent Act.

Overview of the DPDP Rules 2025

The DPDP Rules 2025 serve as the implementation machinery for the Digital Personal Data Protection Act. They address the practical questions that the Act intentionally left to subordinate legislation. The rules cover eight major areas: consent and notice requirements, rights of Data Principals, obligations of Data Fiduciaries, Significant Data Fiduciary requirements, children's data protections, cross-border data transfer mechanics, the Data Protection Board's procedures, and breach notification protocols. Each area includes specific procedural requirements, timelines, and formats that organisations must follow. The rules also clarify several ambiguities in the parent Act, providing interpretive guidance on terms like 'reasonable security safeguards' and 'as soon as practicable' that had left businesses uncertain about the standard they were being held to.

  • Detailed consent notice formats specifying mandatory disclosures and language requirements
  • Breach notification timelines requiring reporting to the DPBI within 72 hours of becoming aware of a breach
  • Registration and operational requirements for Consent Managers
  • Criteria and process for designation as a Significant Data Fiduciary
  • Specific requirements for verifiable parental consent for processing children's data
  • Procedures for the Data Protection Board to hear complaints and adjudicate disputes

Consent and Notice Requirements Under the Rules

The rules provide significant detail on how consent notices must be structured and presented. Every notice must be available in English and all 22 languages listed in the Eighth Schedule to the Constitution, ensuring accessibility across India's linguistically diverse population. The notice must be presented in a standalone manner - it cannot be embedded within terms of service or bundled with other agreements. Each processing purpose must be listed separately with its own consent mechanism, preventing the practice of collecting blanket consent for multiple unrelated purposes. The rules also specify that the notice must include the contact details of the Data Protection Officer or the designated person responsible for responding to Data Principal queries. For organisations processing data collected before the Act's commencement, the rules provide a transition window to issue retrospective notices, but this window is finite and organisations must plan their outreach carefully to reach all affected Data Principals within the stipulated period.

Breach Notification Timelines and Procedures

One of the most operationally significant aspects of the rules is the establishment of concrete breach notification timelines. Data Fiduciaries must notify the Data Protection Board of India within 72 hours of becoming aware of a personal data breach. The notification must include the nature of the breach, the categories and approximate number of Data Principals affected, the likely consequences, and the measures taken or proposed to address the breach. Simultaneously, affected Data Principals must be notified without undue delay through their registered communication channels. The rules define what constitutes 'becoming aware' - a Data Fiduciary is deemed aware of a breach when any employee, officer, or data processor acting on its behalf has reasonable grounds to believe a breach has occurred. This definition is deliberately broad, preventing organisations from claiming ignorance while their technical teams investigate. Organisations need automated breach detection systems, pre-drafted notification templates, and clear internal escalation procedures to meet these tight timelines.

Significant Data Fiduciary Designation Criteria

The rules spell out the factors the Central Government will consider when designating a Data Fiduciary as a Significant Data Fiduciary (SDF). These criteria include the volume and sensitivity of personal data processed, the risk of harm to Data Principals, potential impact on India's sovereignty and integrity, risk to electoral democracy, security of the state, and public order. The rules also introduce quantitative thresholds - organisations processing personal data beyond specified volume thresholds will be automatically considered for SDF designation. Once designated, SDFs face additional obligations including appointing a Data Protection Officer who is based in India, conducting annual Data Protection Impact Assessments, undergoing periodic independent audits, and ensuring that their data processing algorithms do not pose a risk to Data Principals' rights. The designation process includes a notice period during which the organisation can make representations before the final designation order is issued.

  • Volume of personal data processed annually as a quantitative threshold
  • Sensitivity and nature of personal data - health, financial, biometric, or children's data increases the likelihood of designation
  • Risk to Data Principals based on the nature of processing activities
  • Impact on sovereignty, security, and public order
  • A notice-and-hearing process before final designation

Children's Data Protection Provisions

The rules introduce detailed requirements for processing children's personal data, reflecting the heightened protections the Act provides for minors. Verifiable parental consent must be obtained before processing any personal data of a child below the age of 18. The rules specify acceptable methods for verifying parental identity and consent, including digital verification through DigiLocker, video-based verification, and other methods approved by the DPBI. Data Fiduciaries are expressly prohibited from undertaking tracking, behavioural monitoring, or targeted advertising directed at children. The rules also restrict the processing of children's data that could cause detrimental effects to the child's well-being. Importantly, the rules provide limited exemptions for educational institutions and healthcare providers processing children's data in the normal course of their functions, recognising that blanket restrictions would impede essential services. Organisations operating platforms or services used by children must implement age-gating mechanisms and robust consent collection flows to comply with these provisions.

Data Protection Board: Structure and Procedures

The rules detail the composition, appointment process, and operational procedures of the Data Protection Board of India. The DPBI will function as a digital-first adjudicatory body, with complaints, hearings, and orders handled primarily through an online platform. The Board will consist of a Chairperson and members appointed by the Central Government, with qualifications and experience requirements specified in the rules. The complaint adjudication process follows a structured timeline - the Board must issue a preliminary response within 30 days of receiving a complaint, and final orders should be issued within a reasonable period. The rules also establish the Board's powers to conduct inquiries, summon witnesses, examine evidence, and impose penalties. Appeals against DPBI orders can be made to the Telecom Disputes Settlement Appellate Tribunal (TDSAT). This digital-first approach to enforcement is intended to make the process accessible and efficient, but organisations should be prepared for a potentially high volume of complaints as Data Principals become aware of their rights.

Compliance Timelines and Transition Periods

The rules establish a phased implementation timeline that gives organisations a defined period to achieve compliance. Different provisions come into force at different dates, allowing businesses to prioritise their compliance efforts. The consent and notice requirements have the shortest transition period, reflecting their foundational importance. SDF obligations have a slightly longer runway, acknowledging the complexity of establishing the required governance structures. Cross-border transfer restrictions will take effect once the negative country list is notified. Organisations should map each requirement to its effective date and build a compliance roadmap that ensures they meet each deadline. Waiting until the last moment is inadvisable - the technical and organisational changes required for compliance typically take three to six months for mid-sized organisations and longer for large enterprises with complex data ecosystems.

  • Consent and notice provisions: earliest compliance deadline, typically within 6-12 months of notification
  • Breach notification procedures: effective alongside consent provisions
  • SDF additional obligations: 12-18 months from notification for designated entities
  • Consent Manager registration: registration process opens within 6 months
  • Cross-border transfer restrictions: effective upon notification of the restricted country list
  • Data Protection Board complaint procedures: operational upon the Board's formal constitution

How Kraver.ai Helps You Comply with the DPDP Rules 2025

Kraver.ai's platform has been updated to align with every requirement specified in the DPDP Rules 2025. Our multilingual consent notice generator produces compliant notices in all 22 scheduled languages, formatted to meet the standalone presentation requirements. Automated breach detection and notification workflows ensure you meet the 72-hour reporting timeline with pre-formatted notifications to both the DPBI and affected Data Principals. For organisations designated or likely to be designated as Significant Data Fiduciaries, Kraver.ai provides end-to-end DPIA management, audit scheduling, and DPO dashboards. Our compliance timeline tracker maps your organisation's obligations against the phased implementation dates, providing a clear view of what needs to be done and by when. With Kraver.ai, the complexity of the DPDP Rules 2025 becomes a structured, manageable compliance programme.
