DPDP Rules 2025
Complete Guide
The Digital Personal Data Protection Rules, 2025 were notified by MeitY on November 13, 2025, operationalizing India's landmark data protection framework. This guide provides a comprehensive breakdown of all 23 rules and their compliance requirements.
What Are the DPDP Rules 2025?
The Digital Personal Data Protection Rules, 2025 are implementing regulations issued by the Ministry of Electronics and Information Technology (MeitY) under Section 40 of the Digital Personal Data Protection Act, 2023. Published via Gazette notification G.S.R. 846(E), these rules provide the operational framework for India's data protection regime.
Draft rules were published on January 3, 2025 for public consultation, with the final rules notified on November 13, 2025 after considering stakeholder objections and suggestions.
DPDP Act 2023 vs DPDP Rules 2025
| Aspect | DPDP Act 2023 | DPDP Rules 2025 |
|---|---|---|
| Nature | Parent legislation (44 sections) | Implementing regulations (23 rules) |
| Enacted By | Parliament of India | Central Government (MeitY) |
| Content | Rights, obligations, penalties | Procedures, timelines, formats |
| Amendment | Requires Parliamentary process | Central Government notification |
When Do the DPDP Rules Come Into Effect?
The rules establish a phased implementation schedule, providing organizations with structured timelines for compliance readiness.
Phase 1
Foundation and governance framework
- Short title and commencement (Rule 1)
- Key definitions established (Rule 2)
- Data Protection Board appointments (Rule 17)
- Board procedures and digital office (Rules 19-20)
Phase 2
Consent infrastructure development
- Consent Manager registration opens
- ₹2 crore net worth requirement
- Platform interoperability standards
- First Schedule obligations activate
Phase 3
Full compliance obligations
- Notice and consent requirements (Rule 3)
- Security safeguards mandatory (Rule 6)
- Breach notification protocols (Rule 7)
- Cross-border transfer mechanisms (Rule 15)
All 23 DPDP Rules Explained
A comprehensive breakdown of each rule category, organized by functional area for easy reference and implementation planning.
Foundation
Establishes phased implementation timeline for different rule categories
Defines "techno-legal measures", "user account", and "verifiable consent"
Notice & Consent
Itemized data description, specified purpose, withdrawal mechanism with comparable ease
Board registration, ₹2 crore net worth, interoperable platform, fiduciary duties
State Processing
Processing by State for subsidies, benefits, services, certificates, licences, or permits must follow Second Schedule standards including lawful processing, purpose limitation, data minimization, and security safeguards
Security & Breach
Encryption/tokenization, access controls, logging with 1-year retention, backups
Immediate notification to Data Principals, 72-hour notification to Board with detailed report
48-hour erasure notice, 3-year retention for large platforms per Third Schedule
Children & PWDs
Verifiable parental consent, identity verification via Digital Locker or government-issued details
Lawful guardian verification under RPwD Act 2016 or National Trust Act 1999
Healthcare, education, child safety tracking, transport monitoring per Fourth Schedule
Significant Data Fiduciary
Annual DPIA and audit, algorithmic risk assessment, data localization for specified categories
Rights & Transfers
Rights exercise mechanism, 90-day grievance redressal, nomination facility
Subject to Central Government requirements for foreign state data sharing
Processing for research/archiving/statistics per Second Schedule standards
Data Protection Board
Search-cum-Selection Committee process, ₹4.5L/month Chairperson salary
Meeting quorum (1/3 members), digital office functioning, techno-legal measures
Officers on deputation up to 5 years per Sixth Schedule
Appeals & Information
Digital filing to Appellate Tribunal, UPI/RBI-authorized payment methods
Government power to require information per Seventh Schedule purposes
Key Compliance Numbers
Essential deadlines and thresholds that organizations must know for DPDP compliance.
Platform User Thresholds (Third Schedule)
Platforms exceeding these user thresholds must erase personal data after 3 years of inactivity
The Seven Schedules
The DPDP Rules 2025 include seven schedules containing detailed requirements, conditions, and operational parameters.
Registration conditions (Part A) and operational obligations (Part B)
Standards for State processing under Section 7(b) and research exemption
Erasure timelines for e-commerce (2Cr users), gaming (50L users), social media
Healthcare, education, transport tracking, safety monitoring exemptions
Salaries, allowances, provident fund, travel, medical assistance
Deputation terms, gratuity, leave travel concession
Purposes and authorised persons for government data requests
Official Sources
For authoritative text of the DPDP Rules 2025, always refer to the official Gazette of India notification. The rules were published under notification number G.S.R. 846(E) dated November 13, 2025.
Frequently Asked Questions
What are the DPDP Rules 2025?
The DPDP Rules 2025 are implementing regulations notified by MeitY on November 13, 2025, under Section 40 of the Digital Personal Data Protection Act, 2023. They contain 23 rules and 7 schedules that operationalize the Act's provisions.
When do the DPDP Rules come into force?
The rules come into force in three phases: Rules 1, 2, 17-21 took effect immediately (November 13, 2025); Rule 4 comes into force on November 13, 2026; and Rules 3, 5-16, 22-23 come into force on May 13, 2027.
What is the difference between DPDP Act and DPDP Rules?
The DPDP Act 2023 is the parent legislation enacted by Parliament that establishes rights, obligations, and penalties. The DPDP Rules 2025 are subordinate regulations made by the Central Government that provide operational details, procedures, timelines, and formats.
What are the penalties under DPDP Rules?
Penalties are specified in the DPDP Act Schedule: up to ₹250 crore for security safeguard failures, up to ₹200 crore for breach notification failures, up to ₹200 crore for children's data violations, and up to ₹150 crore for Significant Data Fiduciary non-compliance.
Who is a Significant Data Fiduciary?
A Significant Data Fiduciary is any Data Fiduciary notified by the Central Government based on volume/sensitivity of data processed, risk to Data Principals, impact on sovereignty/security, risk to electoral democracy, and public order considerations.