The DPDP Rules, 2025: what the November notification actually does — and when
India's first comprehensive data-protection framework is now operational, but in a staged sequence: Consent Manager rules effective November 2026; substantive Significant Data Fiduciary obligations effective May 2027. A practitioner's read on the architecture, the timeline, and the compliance work that has just become urgent for law firms and for the entities they advise.
The Digital Personal Data Protection Act, 2023, was passed by Parliament in August 2023 and notified in the Gazette later that month. For more than two years, the substantive provisions of the Act sat in abeyance — awaiting the rules that would operationalise them. On 13 November 2025, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025. The Gazette publication followed the next day.
The structure of the notification is staged in a way that has not always been clearly understood. The Rules do not all come into force on the date of notification. The framework is sequenced into three tranches, with the result that most of the substantive obligations on data fiduciaries are still some way off — and the practitioner advising in this space needs to be clear about which tranche applies to which obligation, and when.
The three tranches
The notification distinguishes between provisions that come into force immediately, provisions that come into force after twelve months (November 2026), and provisions that come into force after eighteen months (May 2027).
Tranche 1 — Effective on notification (13 November 2025)
A small set of provisions came into force on notification. These principally relate to the institutional framework — the establishment of the Data Protection Board, the appointment of members, the constitution of administrative machinery, and certain procedural rules necessary to operationalise the Board's functioning.
For the bar, the practical relevance of the tranche-1 provisions is the constitution of the appellate and adjudicatory architecture. The Data Protection Board is the first-instance adjudicatory body for DPDP complaints and inquiries; the Telecom Disputes Settlement and Appellate Tribunal is the designated appellate forum. Both must be in operating condition before the substantive obligations take effect — and tranche 1 puts the institutional machinery in place ahead of the operational deadlines.
Tranche 2 — Effective 13 November 2026 (Consent Manager regime)
Rule 4, which governs the registration, obligations, and operational architecture of Consent Managers, takes effect twelve months after notification — that is, on 13 November 2026.
The Consent Manager regime is the operational heart of the DPDP framework. The Act envisions a category of intermediary — the Consent Manager — that stands between the data principal and the data fiduciary, holding the consent record, facilitating consent grants, withdrawals, and audit, and providing data principals with a single interface across multiple fiduciaries.
The Rules attach significant obligations to Consent Managers:
- No subcontracting. Consent Managers cannot delegate their statutory functions to other entities.
- Conflict-of-interest discipline. Consent Managers must avoid conflicts with the data fiduciaries on whose behalf they are operating.
- Seven-year retention. Records of consents, notices, and data-sharing activities must be retained for a minimum of seven years.
- No content access. Consent Managers cannot read the contents of the personal data being shared through them; their role is consent management, not content management.
- Reporting and audit obligations to the Data Protection Board, on a calendar to be specified.
The twelve-month lead time was, by design, intended to permit the technology and operational infrastructure for Consent Managers to be built out. Several technology platforms have publicly indicated that they are preparing to seek registration; some financial-sector regulators have indicated that they are aligning their sectoral frameworks with the Consent Manager architecture.
Tranche 3 — Effective 13 May 2027 (substantive obligations)
The bulk of the substantive obligations on data fiduciaries — including Significant Data Fiduciary obligations — come into force on 13 May 2027, eighteen months after notification. The provisions in this tranche are Rules 3, 5 to 16, 22 and 23.
These provisions cover:
- Rule 3 — Notices to data principals (the standard form, content and timing).
- Rule 5 — Security safeguards required of data fiduciaries (encryption, access controls, incident response).
- Rule 6 — Personal data breach notification (timelines for notification to the Board and to affected data principals).
- Rule 7 — Data erasure obligations on retention period expiry or consent withdrawal.
- Rules 8–9 — Contact information obligations and grievance redressal frameworks.
- Rule 10 — Children's data protections (verifiable parental consent and prohibition on profiling).
- Rules 11–13 — Data principal rights management (access, correction, erasure, nomination).
- Rule 14 — Cross-border data transfer notifications and restrictions.
- Rule 15 — Exemptions and notifications by the Central Government.
- Rule 16 — Significant Data Fiduciary obligations (independent audits, data protection impact assessments, additional reporting).
- Rules 22–23 — Procedural provisions for the Board's functioning under the substantive framework.
The Significant Data Fiduciary classification is the most consequential of these. The Central Government can notify any data fiduciary as a Significant Data Fiduciary, based on factors including the volume and sensitivity of data processed, risk to electoral democracy, security of the State, public order, and the volume of cross-border transfers. Notified Significant Data Fiduciaries face higher obligations — independent audits, data protection impact assessments, the appointment of a Data Protection Officer, and stricter checks on the use of new or sensitive technologies.
What the framework means for practitioners
The compliance work runs to multiple categories of client, and the priorities differ.
For data fiduciaries (entities processing personal data)
The eighteen-month window before the substantive obligations take effect is shorter than it seems. Building DPDP-compliant data processing, consent capture, retention discipline, breach notification machinery, and data principal rights management takes time. The standard implementation curve for major data-protection compliance projects is twelve to eighteen months — and the work is best started early, not late.
The practical compliance map:
- Inventory of personal data processing. Most entities do not have a full inventory of what personal data they collect, why, how it flows, and how long they retain it. This is the foundational step.
- Consent architecture. Where consent is the lawful basis (the default under the DPDP Act), the architecture for capture, evidence, withdrawal, and audit must be rebuilt.
- Notice content. Notices to data principals must be redrafted to meet the DPDP framework's specific requirements.
- Data principal rights infrastructure. Access, correction, erasure, nomination — each requires a working operational channel.
- Vendor and processor due diligence. Data processors handling personal data on behalf of fiduciaries must be brought under DPDP-compliant contractual frameworks.
- Breach notification machinery. Internal incident-response procedures must be brought into line with the DPDP timing and notification requirements.
- Cross-border transfer compliance. Where data is processed outside India, the cross-border transfer framework must be assessed.
For law firms specifically
Law firms are data fiduciaries in their own right. The privileged-information character of much of what a law firm holds does not exempt the firm from the DPDP framework's structural obligations — though it shapes how those obligations are implemented in practice. The November 2026 / May 2027 timelines apply to law firms as they apply to other entities.
The legal-sector-specific issues:
- Privilege and the data principal's rights. Where a data principal is the client, the rights regime aligns with the privilege framework. Where a data principal is a third party (the opposite side's witness, for example), the rights regime engages — and the firm must be prepared to respond to access, correction, and erasure requests subject to the privilege carve-outs.
- Litigation hold and erasure. The erasure obligations under the DPDP framework must be reconciled with the firm's litigation hold obligations. Data subject to a litigation hold cannot be erased; the framework must accommodate this.
- Cross-border arbitration data. Where the firm handles arbitration matters with foreign parties or foreign seats, the cross-border transfer rules in Rule 14 affect the firm's practice.
For the corporate-sector bar advising on M&A and capital markets
Due diligence on personal data processing is now a standard part of M&A diligence. The DPDP framework adds specific items:
- Significant Data Fiduciary status of the target (or of its subsidiaries) is a diligence item with substantive implications for valuation and integration.
- Cross-border transfer compliance affects the acquirer's ability to consolidate data processing post-acquisition.
- Pending Data Protection Board inquiries or proceedings are disclosure items.
- A representation and warranty as to the absence of material weakness in data protection compliance should be sought from the target.
For capital markets practice, the DPDP framework adds disclosure items to offer documents — particularly for fintech, healthtech and consumer technology issuers.
The penalties framework
The DPDP Act includes penalty provisions that the Rules now make operational. The penalty regime is substantial:
- Up to ₹250 crore for failure to protect personal data from breach.
- Up to ₹200 crore for failure to notify breaches to the Board or affected data principals.
- Up to ₹150 crore for failure to fulfil children's data obligations.
- Up to ₹150 crore for failure of Significant Data Fiduciaries to meet their additional obligations.
- Up to ₹50 crore for breach of other obligations.
These penalties are calibrated to the size of the fiduciary. For a major data fiduciary with substantial India operations, the maximum exposure is significant — and the architecture for managing that exposure requires institutional engagement, not just legal advice.
What the Rules do not address
Three areas remain less developed in the November 2025 notification:
- Sectoral exemptions and notifications under Rule 15. The Central Government's power to notify specific entities or processing activities for exemption is broad, and the practical use of that power will affect compliance work materially.
- The independent-audit framework for Significant Data Fiduciaries under Rule 16. The technical specifications for the audit framework — who can conduct it, what it must cover, how findings are reported — will be the subject of subsequent guidance.
- The cross-border transfer framework under Rule 14. The general framework is in place, but the country-specific notifications and the "trusted geography" framework are still being developed.
The bar should track the supplementary notifications, circulars, and Data Protection Board guidance that will accumulate over 2026 and into 2027. These are likely to be at least as important as the Rules themselves for operational compliance.
The bottom line
The DPDP Rules, 2025, do not impose immediate compliance obligations on most data fiduciaries. They sequence the substantive obligations into two future tranches — November 2026 for the Consent Manager regime, May 2027 for substantive data-fiduciary obligations. But the compliance work that needs to be done before those dates is substantial: inventory, consent architecture, notice redrafting, rights infrastructure, vendor contracts, breach machinery, and — for Significant Data Fiduciaries — audit and impact-assessment frameworks. The eighteen-month window is the runway, not the destination. Practitioners advising in this space should be planning to those dates now.
Verify against the DPDP Act, 2023, the DPDP Rules, 2025, the official MeitY notifications, and Data Protection Board guidance as it accumulates. The framework's operational detail will continue to develop through 2026 and 2027; the present piece reflects the position as at April 2026.