Summarization of DPDP Rules 2025
The Digital Personal Data Protection (DPDPA) Rules provide the practical framework for implementing India's data protection law by clearly defining how personal data must be collected, processed, stored, and protected. They outline key requirements around consent, privacy notices, security safeguards, data breach reporting, user rights, data retention, and cross-border transfers, along with phased timelines for compliance. Together, these Rules help organizations understand what actions are required and when, enabling responsible, transparent, and secure handling of personal data across India's digital ecosystem.
A comprehensive overview of all DPDP rules, their mandates, and implementation timelines to help your organization stay compliant
| Rule No. | Category / Theme | What the Rule Mandates | Commences From |
|---|---|---|---|
| Rule 1 | Short title & commencement | Establishes the name of the Rules and sets a phased timeline: Rule 4 commences in 12 months; Rules 3, 5–16, 22, and 23 commence in 18 months. | Nov 2025 |
| Rule 2 | Definitions | Defines key terms used in the Rules, such as "user account," "techno-legal measures," and "verifiable consent". | Nov 2025 |
| Rule 3 | Notice Requirements | Mandates that the privacy notice must be independent, in clear language, itemize data collected, specify purposes, and provide links for withdrawal and grievances. | May 2027 |
| Rule 4 | Consent Managers | Sets registration conditions (Part A, Schedule 1) and operational obligations (Part B, Schedule 1) for Consent Managers to enable users to manage consent. | Nov 2026 |
| Rule 5 | State Processing (Subsidies/Benefits) | Mandates that processing by the State for issuing subsidies, licenses, or certificates must follow the standards in the Second Schedule. | May 2027 |
| Rule 6 | Security Safeguards | Mandates technical measures (encryption, access control), log retention for a minimum of one year, and contracts with processors to ensure security. | May 2027 |
| Rule 7 | Personal Data Breach Intimation | Mandates notifying Data Principals (with contact details) without delay and the Data Protection Board within 72 hours of becoming aware of a breach. | May 2027 |
| Rule 8 | Data Retention & Erasure | Mandates erasure of data (unless legally required) based on timelines in the Third Schedule (e.g., 3 years for social media) and requires notifying users 48 hours before deletion. | May 2027 |
| Rule 9 | Contact Information | Requires publishing the contact details of the DPO or a representative to answer user queries on the website/app and in every response to a user request. | May 2027 |
| Rule 10 | Child Data (Verifiable Consent) | Mandates verifying that the parent is an adult using reliable ID details or virtual tokens before processing a child's data. | May 2027 |
| Rule 11 | Persons with Disabilities | Mandates due diligence to verify that a guardian has been appointed by a court or designated authority before obtaining consent for persons with disabilities. | May 2027 |
| Rule 12 | Exemptions (Children) | Exempts specific classes of Fiduciaries (e.g., schools, healthcare) from the ban on tracking children if processing is for purposes listed in the Fourth Schedule (e.g., safety, education). | May 2027 |
| Rule 13 | Significant Data Fiduciary (SDF) | Mandates SDFs to conduct a DPIA and independent audit every 12 months, and verify that algorithms do not pose a risk to user rights. | May 2027 |
| Rule 14 | Rights of Data Principals | Mandates publishing the means/identifiers to exercise rights, responding to grievances within 90 days, and providing a mechanism for nomination. | May 2027 |
| Rule 15 | Cross-Border Transfer | Allows data transfer outside India subject to restrictions or requirements specified by the Central Government via general or special orders. | May 2027 |
| Rule 16 | Research & Statistics Exemption | Exempts processing for research, archiving, or statistics from the Act, provided it follows the standards in the Second Schedule. | May 2027 |
| Rule 22 | Appeals | Mandates that appeals to the Appellate Tribunal must be filed digitally and accompanied by fees similar to those under the Telecom Regulatory Authority of India Act. | May 2027 |
| Rule 23 | Information Requests | Mandates Fiduciaries/Intermediaries to furnish information to the Central Government for purposes listed in the Seventh Schedule (e.g., national security, SDF assessment). | May 2027 |

Note: Rules 17 to 21 are for the DPBI and do not apply to Data Principals or Data Fiduciaries.