India's DPDPA implementing regulations come into force

21 November 2025
Natalya Thotahewage
Counsel

The Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), have now been notified and the same has been passed qua the Digital Personal Data Protection Act (DPDP Act), 2023.

Changes 

The DPDP Rules introduce a three-phase compliance framework, and the DPDP Rules are important for all data-processing entities to be aware of the timelines and corresponding obligations. A brief overview is set out below::

Phase 1 (effective immediately, i.e., from 14th November 2025)

  • Rules relating to the constitution, appointment, procedures, digital functioning, and service conditions of the Data Protection Board have come into force with immediate effect.

  • While these Rules do not impose direct compliance obligations on organisations, they operationalise the Board and activate the enforcement mechanism under the Act.

Phase 2 (effective 12 months from the date of the notification, i.e., 14th November 2026)

This phase brings into effect Rule 4, relating to Consent Managers, who may mediate consent flows between Data Principals and Data Fiduciaries.

Eligibility requirements for registration as a Consent Manager include:

  • Company incorporated in India.

  • Adequate technical, operational, and financial capacity.

  • Financial stability and sound management.

  • Minimum net worth of INR 2 crore.

  • Adequate business volume and financial prospects.

  • “Fit and proper” directors, KMPs, and senior management.

  • Independent certification confirming that the interoperable consent-management platform complies with Board standards..

Key obligations of a registered Consent Manager include:

  • Enabling consent flow between Data Principals and Data Fiduciaries.

  • Ensuring that shared data is not accessible or readable by the Consent Manager.

  • Maintaining detailed records of all consents, notices, and data-sharing instances.

  • Providing access to consent records and retaining them for the prescribed period.

  • Maintaining a dedicated website or application.

  • Not subcontracting statutory obligations.

  • Taking reasonable security measures to prevent data breaches.

  • Acting in a fiduciary capacity towards Data Principals.

  • Implementing conflict-of-interest safeguards.

  • Maintaining effective audit and compliance mechanisms.

Phase 3 (effective 18 months from the date of the notification, i.e., 14th May 2027)

The remaining operational rules will come into force at this stage. These include provisions relating to:

  • Privacy notices and consent requirements;

  • Rights of Data Principals;

  • Security safeguards and breach notifications;

  • Retention and deletion obligations;

  • Processing of children’s data;

  • Obligations of Significant Data Fiduciaries;

  • Cross-border data transfers; and

  • Applicable exemptions.

This phase represents the primary compliance milestone for organisations.