New Delhi: The Ministry of Electronics and Information Technology has notified the long-awaited rules under the Digital Personal Data Protection (DPDP) Act, introducing a staggered compliance timeline of up to 18 months for companies, government bodies and other entities that collect and process personal data.
Under the new framework, large data fiduciaries will be required to store specific categories of personal data within India, marking a significant step toward strengthening domestic data security. At the same time, the rules allow the transfer of personal data outside India, subject to additional conditions the Centre may prescribe in the future.
The rollout is structured in phases. Provisions relating to the establishment and appointment of the Chairperson and members of the Data Protection Board come into force immediately. Rules governing the registration and functioning of Consent Managers will take effect after 12 months, while the core compliance obligations, including consent notices, data processing norms and operational procedures, will become applicable after 18 months.
Under the compliance framework, data-collecting entities must issue clear, plain-language notices specifying what personal data is being collected and for what purpose. They must also provide a dedicated link enabling users to withdraw consent at any time.
Individuals or organisations seeking to act as Consent Managers can apply for registration with the Data Protection Board and will be bound by defined operational responsibilities.
On data breaches, the rules introduce stringent reporting requirements. Users must be informed without delay about any breach affecting their personal data, including details of the incident, potential consequences and recommended safety steps. A detailed breach report covering the cause, impact and mitigation measures must be submitted to the Data Protection Board within 72 hours.
The DPDP rules also stipulate that if a user remains inactive, the entity must erase the stored personal data after issuing a notice 48 hours in advance.
For processing children’s data, entities must obtain verifiable parental consent. Exemptions are allowed only when the data relates to healthcare establishments, educational institutions or childcare facilities.
Data fiduciaries must also conduct a Data Protection Impact Assessment and a compliance audit and ensure that their algorithmic systems do not jeopardise user rights. They must additionally prevent the overseas transfer of personal data categories that the government may expressly restrict.
Notably, the DPDP rules do not apply to personal data processed for research or statistical purposes, a move seen as enabling AI development and related research activities in the country.
For reasons of national security, the government may seek personal data from any intermediary or entity and may prohibit them from informing users about such requests.
Aruna Sharma, Retired Secretary in Central Government and Practitioner Development Economist, told APAC Media that it is a long-awaited, welcome move which is “adhering to and compliance to protect the huge digital database as part of governance and business”.
“A reasonable timeframe will enable entities to gear up their systems and come on board. Some aspects of access to data by authorised agencies will need more caution and fine-tuning to ensure privacy norms,” she added.
Goldie Dhama, Partner – Deloitte, stated: “The phased coming into force provisions, with Rules 1, 2 and 17 to 21 effective on the date of publication in the Official Gazette, Rule 4 commencing one year from that date, and the broader obligations under Rules 3, 5 to 16, 22 and 23 activating eighteen months thereafter, provide enterprises with a realistic and sequenced implementation horizon. This deliberate temporal staging enables organisations to undertake impact assessments, restructure data flows, recalibrate vendor governance and align audit frameworks in a coherent and legally robust manner. For industry, the Rules do not merely create a compliance expectation; they inaugurate a transition period within which boards, compliance functions and technology teams must converge to embed demonstrable data stewardship into operational and process-centric practices.”
Arun Prabhu, Partner & Co-Head, Digital +, TMT, Cyril Amarchand Mangaldas, highlighted: “The Final Rules remain largely unchanged from the draft rules. While greater clarity on certain matters, such as consent and transfers, which were hoped for in several stakeholder submissions, has not come through, the final rules have been very helpful in that they provide a clear 18-month runway for implementation, thereby allowing organisations to commence compliance in earnest.”
Sujit Patel, CEO & MD, SCS Tech India Pvt Ltd, stated: “The notification of the final DPDP Rules and their phased rollout marks an important milestone in India’s digital journey. For the IT and ITES industry, it provides long-awaited clarity on compliance, user consent, and breach-response expectations, while still giving room for innovation to thrive.”
“The focus on transparent data practices, responsible consent management for children and vulnerable users, and clear timelines for reporting breaches brings India closer to global data governance standards. More importantly, it helps strengthen the trust that our customers and partners expect from us. We see this as a timely and forward-looking move that gives every stakeholder a clear path to improve privacy, strengthen accountability, and support sustainable growth across the sector,” he further added.