DPDP Rules 2025: Complete Compliance Guide for Data Fiduciaries
The DPDP Rules cover consent, breach notification, safeguards for personal data, and more. Find out what applies to your business and when each obligation takes effect.
Abeer Sehrawat • Jun 3, 2026

This guide will take you through everything you need to know about your obligations under the Digital Personal Data Protection Rules, which were notified on November 14, 2025 and set the compliance framework for any business that processes personal data of individuals in India.
What are the DPDP Rules 2025?
In 2024 alone, breaches at Star Health exposed 31 million people's medical records, BSNL leaked millions of subscriber details, and boAt saw data from 7.5 million customers go up for sale on the dark web. India had no dedicated data protection law to hold anyone accountable. The DPDP Rules 2025 change that. They exist for one reason: to give individuals meaningful control over their personal data.
When does the DPDP Act come into force?

What is live now: the core definitions and the Act's legal framework, the Data Protection Board's constitution, the penalty provisions, and the fundamental obligation to implement reasonable security safeguards under Section 8(5).
November 2026: The Consent Manager registration framework under Rule 4 becomes operative. If you plan to use a Consent Manager to manage Data Principal consent, this is the relevant date.
May 2027: The substantive compliance obligations come into full force. This includes the detailed notice requirements under Rule 3, the technical security safeguards under Rule 6, breach notification timelines under Rule 7, data erasure timelines under Rule 8, grievance redressal timelines under Rule 14, and the SDF-specific obligations under Rule 13.
What are the penalties under the DPDP Rules?
The penalties are steep and most businesses do not yet know what triggers them. Here is what you are risking:

This guide covers each obligation so you know exactly what to do before the May 2027 deadline.
Who does the DPDP Act apply to?
The DPDP Act applies to any person processing digital personal data within India, and also to processing outside India if it is in connection with offering goods or services to individuals in India. A foreign company with no Indian office but Indian customers is within scope.
The Act does not apply to personal data processed for personal or domestic purposes, or to data that has been made publicly available by the individual themselves or by someone legally required to make it public.
What are the roles under the DPDP Rules: Data Fiduciaries, Data Processors and other special categories?

The DPDP Rules give different parties different obligations. Understanding what role you fall into will allow you to accurately scope your obligations and meet them.
Data Fiduciary
If you are the party determining the purpose of collecting data and means of processing it, then you are the Data Fiduciary. In the eyes of the law, the full duty of ensuring the security of an individual's data sits with you.
Data Processor
If you are processing personal data on behalf of a Fiduciary, under a contract, and only for the purposes they specify, you are a Data Processor. You are not directly penalised under the Act, but the Fiduciary is liable for what you do, and you will be signing a Data Processing Agreement (DPA) with the Fiduciary.
Data Principal
A Data Principal is the individual whose personal data is being collected and processed. That is your customers, your users, your employees. They are not a party to the processing; they are the subject of it. The Act gives Data Principals a set of rights over their data, and your obligations as a Data Fiduciary are built around your ability to honour those rights.
Significant Data Fiduciary
Significant Data Fiduciaries are designated by the Central Government based on the volume and sensitivity of data they process. They face extra obligations including a Data Protection Officer, an independent auditor, and periodic impact assessments. No one has been designated yet, but large platforms should assess their exposure now.
Special rules for children's data
Children under 18 are not a separate role, but processing their data triggers a distinct set of rules. You must obtain verifiable consent from a parent or lawful guardian — the child's own consent is not sufficient. Tracking a child's behaviour, monitoring them online, and directing targeted advertising at them are prohibited outright, regardless of any consent obtained.
What counts as personal data under the DPDP Rules?
Anything that can identify a person counts as personal data under the DPDP Act. That includes the obvious ones like name, phone number and email, but also photos, medical records, purchase history, location data and browsing behaviour.
If the data can point back to a real person, it is personal data.
What counts as data processing under the DPDP Rules?
Under the DPDP Rules, processing covers almost everything you do with personal data. Collecting it, storing it, using it, sharing it with third parties, and deleting it all count. So does analysing it, combining it with other data, or simply holding it on a server. If your systems are touching personal data in any automated way, that is processing.
What are the rights of a Data Principal?

The DPDP Act calls the individuals whose data you collect "Data Principals." That is your customers, your users, your employees. The Act gives them a set of rights over their personal data, and your compliance programme should be built around your ability to honour those rights when someone exercises them. Failing to do so is precisely what the Data Protection Board is empowered to act on.
Right to Access
A Data Principal can ask you what personal data you hold about them, why you are processing it, and who else you have shared it with. You must provide a clear summary.
Right to Erasure
A Data Principal can ask you to erase their personal data. You must comply unless you are required by law to retain it or it is still needed for the purpose it was collected for.
Right to Withdraw Consent
A Data Principal can withdraw their consent at any time. Withdrawing must be as easy as giving consent in the first place. Processing based on that consent must stop, though it does not affect anything you did before the withdrawal.
Right to Nominate
A Data Principal can nominate someone to exercise their rights on their behalf in the event of their death or incapacity. You must have a mechanism to handle such nominations.
Right to Correct
A Data Principal can ask you to correct inaccurate, incomplete or outdated personal data you hold about them. You are required to make those corrections.
What are a Data Fiduciary's obligations under the DPDP Rules?
Being a Data Fiduciary comes with a core set of obligations that apply to every business, regardless of size or sector. Notice, consent, built-in security and data erasure capabilities — here is what each one actually requires of you.
Notice
Before you collect any personal data, you need to tell the individual what you are collecting, why, and how they can withdraw consent or raise a complaint. The notice must be in plain language and available in any of India's 22 scheduled languages on request.
What the notice must contain
Your notice must cover three things: each item of personal data being collected and why, how the individual can exercise their rights including withdrawing consent, and how they can raise a complaint with the Data Protection Board. A vague "to improve your experience" does not meet the standard.
Purpose limitation
You can only use personal data for the exact purposes stated in your notice. Consent to one purpose does not extend to anything that was not specifically described. If you want to use the data differently, you need a fresh notice and fresh consent.
Data minimisation
Only collect personal data that is actually necessary for the purpose you stated. The Act ties what you can collect directly to what you said you would use it for. Collecting more than you need puts you in violation from the moment you gather it.
Consent
Consent must be free, specific, informed, unconditional and unambiguous. Pre-ticked boxes and bundled consent do not qualify. The person must take a clear affirmative action to give consent, and withdrawing it must be just as easy.
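The notice, purpose-limitation and consent requirements above translate into a small set of rules a consent store has to enforce: a purpose can only be consented to if the notice described it, each purpose is recorded separately rather than bundled, a pre-selected control is not an affirmative action, withdrawal is a single step, and every event is kept so you can later prove notice was given and consent obtained. The ledger below is an added example written for this guide, not code from the page or from any vendor; the purpose ids, notice version and the evidence strings are constructed.

```python
"""Consent ledger: purpose-specific, affirmative, withdrawable, provable.
Added example for this guide; not the page's or any vendor's code."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str          # "given" or "withdrawn"
    notice_version: str  # which notice text the person saw
    evidence: str        # how the affirmative action was captured
    at: str              # ISO-8601 UTC timestamp


class ConsentLedger:
    def __init__(self, notice_purposes: dict[str, str], notice_version: str):
        # notice_purposes: purpose id -> plain-language description that appears in the notice
        self.notice_purposes = notice_purposes
        self.notice_version = notice_version
        self.events: list[ConsentEvent] = []

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def give(self, principal_id: str, purpose: str, evidence: str, preselected: bool = False) -> None:
        """Record consent for ONE purpose. One call per purpose, so bundled consent
        cannot be recorded; a pre-selected control is rejected outright."""
        if preselected:
            raise ValueError("pre-ticked default is not a clear affirmative action")
        if purpose not in self.notice_purposes:
            raise ValueError(f"purpose {purpose!r} was not described in the notice")
        self.events.append(ConsentEvent(principal_id, purpose, "given",
                                        self.notice_version, evidence, self._now()))

    def withdraw(self, principal_id: str, purpose: str) -> None:
        """Withdrawal is a single call with no extra hurdles: as easy as giving."""
        self.events.append(ConsentEvent(principal_id, purpose, "withdrawn",
                                        self.notice_version, "self-service", self._now()))

    def is_permitted(self, principal_id: str, purpose: str) -> bool:
        """The latest event for this principal/purpose decides; nothing else implies consent."""
        state = False
        for e in self.events:
            if e.principal_id == principal_id and e.purpose == purpose:
                state = e.action == "given"
        return state

    def proof(self, principal_id: str) -> list[dict]:
        """The record you would produce to show notice given and consent obtained."""
        return [asdict(e) for e in self.events if e.principal_id == principal_id]


def run_scenario() -> dict:
    # Constructed notice: two purposes, one notice version.
    ledger = ConsentLedger({"order_fulfilment": "to deliver the order you placed",
                            "marketing": "to send you offers by email"},
                           notice_version="2027-05-v1")
    out = {}
    ledger.give("dp-1", "order_fulfilment", evidence="checkbox ticked on form v3")
    out["fulfilment_ok"] = ledger.is_permitted("dp-1", "order_fulfilment")  # True
    out["marketing_ok"] = ledger.is_permitted("dp-1", "marketing")          # False: never given
    try:
        ledger.give("dp-1", "analytics", evidence="checkbox")  # not in the notice
        out["undisclosed_rejected"] = False
    except ValueError:
        out["undisclosed_rejected"] = True
    try:
        ledger.give("dp-1", "marketing", evidence="default on", preselected=True)
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True
    ledger.withdraw("dp-1", "order_fulfilment")
    out["after_withdrawal"] = ledger.is_permitted("dp-1", "order_fulfilment")  # False
    out["events_kept"] = len(ledger.proof("dp-1"))  # 2: the grant and the withdrawal both stay on record
    return out
```

The withdrawal does not delete the earlier grant; it appends a second event, so processing done before the withdrawal remains accounted for while any new `is_permitted` check fails from that point on.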
Security Safeguards
You must implement reasonable security safeguards to protect the personal data you hold. The Act specifically requires that your technical safeguards be proportionate to the sensitivity of the data and the risk it carries.
If you are using AI tools in your workflows, traditional security controls may not be enough. Prompt-level data leakage is a real and underappreciated risk, and most off-the-shelf controls were not built with AI in mind. A dedicated control layer for AI is worth building in now. We cover what this means for DPDP compliance in our guide to DPDP compliance for AI use. You can also explore how Mavs helps with DPDP compliance.
Data protection
Personal data must be protected through technical controls like encryption and masking. These are not optional hygiene measures. Failing to have them in place is what triggers the highest penalty under the Act.
Data Backup
You must maintain backups so that personal data remains accessible and processing can continue if your primary systems go down.
Logs
Processing logs and associated traffic data must be retained for at least one year. These logs must be preserved even after the underlying personal data has been erased.
Access limitation
Access to personal data must be controlled and monitored. Only those who need it for the stated purpose should have it, and you should be able to see who accessed what and when.
Retention timeline
You cannot hold personal data indefinitely. Once the purpose for which it was collected is no longer being served, you must erase it. For large platforms in e-commerce, gaming and social media, the Rules specify a three-year inactivity period after which data must be deleted. For everyone else, the trigger is purpose expiry.
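The logging, access-limitation and retention requirements above fit together in one data path: every read is checked against the purpose the reader's role is allowed to serve and is logged either way, erasure removes the record but never the log entry, a retention job erases on purpose expiry (and, for a large platform, on three years of inactivity), and a separate log-pruning job only drops entries older than a year. The store below is an added example written for this guide, not code from the page; the role names, timestamps and sample records are constructed, and treating the one-year and three-year periods as 365 and 1095 calendar days is an assumption.

```python
"""Personal-data store with purpose-scoped access, access logging, erasure that
keeps its logs, and a retention sweep. Added example; not the page's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LOG_RETENTION = timedelta(days=365)          # logs kept for at least one year
INACTIVITY_LIMIT = timedelta(days=3 * 365)   # three-year inactivity trigger (assumed: calendar days)


@dataclass
class Record:
    principal_id: str
    data: dict
    purpose: str           # the purpose stated in the notice
    purpose_active: bool   # False once that purpose has been served
    last_activity: datetime


@dataclass(frozen=True)
class LogEntry:
    at: datetime
    actor: str
    principal_id: str
    action: str            # "read", "denied" or "erase"
    detail: str


class PersonalDataStore:
    def __init__(self, role_purposes: dict[str, set[str]]):
        # role -> purposes that role may access data for (need-to-know)
        self.role_purposes = role_purposes
        self.records: dict[str, Record] = {}
        self.logs: list[LogEntry] = []

    def _log(self, at, actor, pid, action, detail=""):
        self.logs.append(LogEntry(at, actor, pid, action, detail))

    def put(self, rec: Record) -> None:
        self.records[rec.principal_id] = rec

    def read(self, actor: str, role: str, pid: str, now: datetime) -> dict:
        rec = self.records[pid]
        if rec.purpose not in self.role_purposes.get(role, set()):
            self._log(now, actor, pid, "denied", f"role={role}")   # failed attempts are logged too
            raise PermissionError(f"role {role!r} has no purpose covering {pid}")
        self._log(now, actor, pid, "read", ",".join(sorted(rec.data)))  # who, what, when
        return dict(rec.data)

    def erase(self, actor: str, pid: str, now: datetime, reason: str) -> None:
        del self.records[pid]                        # the personal data goes
        self._log(now, actor, pid, "erase", reason)  # the log entry stays

    def retention_sweep(self, now: datetime, large_platform: bool) -> list[str]:
        erased = []
        for pid, rec in list(self.records.items()):
            if not rec.purpose_active:
                self.erase("retention-job", pid, now, "purpose served")
                erased.append(pid)
            elif large_platform and now - rec.last_activity > INACTIVITY_LIMIT:
                self.erase("retention-job", pid, now, "3-year inactivity")
                erased.append(pid)
        return erased

    def prune_logs(self, now: datetime) -> int:
        keep = [e for e in self.logs if now - e.at < LOG_RETENTION]
        removed = len(self.logs) - len(keep)
        self.logs = keep
        return removed


def run_scenario() -> dict:
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    store = PersonalDataStore({"support": {"order_fulfilment"}, "marketing": {"campaigns"}})
    store.put(Record("p1", {"name": "A. Sample", "phone": "+91-0000000000"}, "order_fulfilment", True, t0))
    store.put(Record("p2", {"email": "b@example.invalid"}, "order_fulfilment", False, t0))
    out = {}
    out["read"] = store.read("alice", "support", "p1", t0)
    try:
        store.read("bob", "marketing", "p1", t0)   # marketing has no purpose covering p1
        out["denied"] = False
    except PermissionError:
        out["denied"] = True
    out["sweep_day1"] = store.retention_sweep(t0 + timedelta(days=1), large_platform=True)  # ["p2"]
    out["logs_after_erase"] = len(store.logs)                                                # 3
    out["pruned_day200"] = store.prune_logs(t0 + timedelta(days=200))                        # 0
    out["pruned_day400"] = store.prune_logs(t0 + timedelta(days=400))                        # 3
    later = t0 + timedelta(days=3 * 365 + 1)
    out["sweep_y3_small"] = store.retention_sweep(later, large_platform=False)              # []
    out["sweep_y3_large"] = store.retention_sweep(later, large_platform=True)               # ["p1"]
    out["remaining"] = sorted(store.records)                                                 # []
    return out
```

The two jobs are deliberately separate: the retention sweep touches records and the log pruner touches logs, so erasing a person's data can never shorten the life of the log entries that show who accessed it.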
Data breach obligations
If a personal data breach occurs, you have two simultaneous obligations. You must notify affected individuals without delay, telling them what happened, what data was involved, and what steps they can take to protect themselves. You must also notify the Data Protection Board, with an initial report without delay and a detailed report within 72 hours. Failing to notify is a separate violation from the breach itself and carries a penalty of up to Rs. 200 crore.
Data residency
Unlike GDPR, the DPDP Act does not require a legal transfer mechanism or adequacy decision before sending personal data abroad. Transfers are permitted by default, and can only be restricted if the Central Government issues a specific notification. No such restrictions have been notified as of this guide, but this is an area worth monitoring. Your standard obligations around notice, consent and security safeguards apply regardless of where the data is sent.
What are the additional obligations of a Significant Data Fiduciary?
If the Central Government designates you as a Significant Data Fiduciary, you take on a further set of obligations on top of the standard ones. These are designed for organisations that process data at a scale or sensitivity level where a failure would have widespread impact. No designations have been made yet, but large social media platforms, large healthcare companies and BFSI firms should be preparing now, not waiting for the notification.
Records of Processing Activities (RoPA)
Significant Data Fiduciaries must maintain a Record of Processing Activities, documenting what personal data they hold, why they hold it, who they share it with, and how long they retain it. This is your audit trail and the first thing the Data Protection Board will ask for.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment must be conducted once every twelve months from the date you are designated as an SDF. It requires you to assess the risks your data processing activities pose to individuals, document what you are doing to address those risks, and have the findings reported to the Data Protection Board. It is also triggered whenever you make significant changes to how you process data.
Third-party audit
An independent Data Auditor must be appointed to audit your compliance once every twelve months. The auditor assesses whether your data processing practices actually meet your stated obligations under the Act, and their significant findings are reported to the Data Protection Board.
Algorithmic due diligence
If you use algorithms to make decisions about individuals, you must assess and document the risks those algorithms pose to Data Principals. This is particularly relevant for AI-driven credit scoring, content recommendation, hiring tools and similar systems.
FAQs
What should I do about personal data I collected before the DPDP Act?
Section 5(2) covers this. If you collected personal data before the Act came into force and already have consent, send a notice to those individuals as soon as reasonably practicable — explaining what you hold, why you're processing it, and how they can withdraw consent or raise a grievance. Processing can continue until they withdraw. If you never had valid consent, obtain it before 13 May 2027.
Does verbal consent count under the DPDP Rules?
No. Section 6(1) requires a clear affirmative action — free, specific, informed, unconditional and unambiguous. Section 6(10) puts the burden of proof on you to demonstrate that valid notice was given and consent obtained. Verbal consent leaves you nothing to prove that. Re-obtain consent in a documented form before 13 May 2027.
Are Data Fiduciaries responsible for what their Data Processors do?
Yes. Section 8(2) requires you to engage Data Processors only under a valid contract, and Section 8(1) makes you responsible for compliance regardless of any third-party agreement. If your processor mishandles data, you face the penalty. Ensure vendor contracts include clear data protection obligations, and choose processors you can rely on.
What counts as a legitimate use of personal data for research under the DPDP Act?
Section 17(2)(b) exempts research, archiving or statistical processing from the entire Act, provided two conditions are met: the processing must not be used to make a decision specific to an individual Data Principal, and it must follow the standards in the Second Schedule to the Rules. If both conditions are met, you do not need consent. The moment your research is used to make a decision about a specific person, the exemption falls away.
If an ethics committee approved my data request before, do I still need consent from a Data Principal?
If you're relying on consent under Section 6, prior ethics approval does not substitute for it; you still need valid consent from each Data Principal. If your processing qualifies under Section 7's legitimate uses or the research exemption in Section 17(2)(b), consent may not be required at all. Which applies depends on your legal basis.
What happens to DPDP obligations when two organisations process data jointly?
The question is who determines the purpose and means of processing. If both parties jointly decide, both are Data Fiduciaries under Section 2(i). Unlike GDPR, the Act has no formal joint controller concept, but the obligation sits with whoever is calling the shots. In a joint venture, document clearly in your agreement who is making those decisions.
What are the legitimate uses of personal data without consent under the DPDP Act?
Section 7 lists nine situations where consent is not required — including voluntary disclosure for a clear purpose, processing required by law, and processing for employment purposes. In all cases, legitimate use only removes the consent requirement; every other obligation under the Act still applies.
Does the DPDP Act apply to small businesses and startups?
Yes. The Act applies regardless of business size. Section 17(3) allows the Government to exempt certain classes of Fiduciaries — including startups — from specific obligations, but that notification hasn't been issued. Until it is, startups carry the same obligations as any other Data Fiduciary.
What is the difference between the DPDP Act and GDPR?
Both laws share common principles but differ on key points. GDPR has six legal bases for processing; the DPDP Act has two — consent and the defined legitimate uses under Section 7. GDPR applies a risk-based approach to most obligations; the DPDP Act sets a uniform standard, with additional obligations only for designated SDFs. GDPR has a formal joint controller concept; the DPDP Act does not. Both give individuals rights including access, correction, erasure and withdrawal of consent.