India’s new Digital Personal Data Protection Rules, 2025: A Detailed Reading
The final DPDP Rules are detailed, comprising 23 rules and seven schedules, and cover a wide range of topics, including consent notices, data breach protocols, and the powers of the new Data Protection Board. Here’s our breakdown.
Harsh Gour
Published on: 15 November 2025, 11:56 am

ON NOVEMBER 13, 2025, the Government of India notified the Digital Personal Data Protection Rules, 2025 (‘DPDP Rules’), under the enacted Digital Personal Data Protection Act, 2023 (‘the Act’). This long-awaited step comes two years after the Act’s passage and marks a landmark moment in India’s digital privacy regime. The Rules translate the Act’s broad mandates into concrete procedures for businesses, government agencies, and data principals (individuals). They arrive at a crucial moment, as India’s digital economy and services increasingly depend on personal data, and under the shadow of landmark privacy jurisprudence. The Supreme Court’s K.S. Puttaswamy (Retd.) vs Union of India (2017) judgment recognised privacy and informational self-determination as fundamental rights. In that spirit, the DPDP framework seeks a balance between individual autonomy and legitimate public and commercial uses of data. The Rules will determine how effectively that balance is struck in practice.
The final DPDP Rules are detailed, comprising 23 rules and seven schedules, and cover a wide range of topics, including consent notices, data breach protocols, and the powers of the new Data Protection Board. They build on a draft published on January 3, 2025 (which drew extensive comments) and reflect some public input: the Gazette makes clear that “objections and suggestions” on the draft were “considered” before finalisation.
Framework and Commencement
The Rules come into force in phases. By design, Rules 1, 2 and 17-21 take effect immediately upon notification; Rule 4 (consent manager registration) kicks in after one year; and the remaining provisions (notably Rules 3, 5-16, and 22-23) apply after an 18-month transition. In other words, basic structures (like the Board’s constitution, definitions, and a mandate for digital processes) start now, while most fiduciary obligations are deferred to mid-2027. This staggered timeline gives organisations time to adapt, but also means that legal safeguards for data principals roll out gradually.
Rule 1 formally names the regime: “These rules may be called the Digital Personal Data Protection Rules, 2025.” Rule 2 provides a glossary (e.g. defining “techno-legal measures” and “user account”), but largely the Act’s definitions prevail. Notably, “verifiable consent” is defined by reference to the later rules. With these preliminaries in place, the substantive obligations take effect, beginning with notice and consent protocols.