DPDP Rules 2025: What the Rules Actually Say, What They Defer, and What Is Still Missing

Krishna Chandra

MARCH 2026

India’s Digital Personal Data Protection Act, 2023 set the principles. The DPDP Rules 2025 set the procedures.
When MeitY notified the Digital Personal Data Protection Rules, 2025 on November 13, 2025, it converted the Act’s broad obligations into concrete, operational requirements: exactly how a privacy notice must be written, which security controls are mandatory, what breach notifications must contain, when data must be deleted, and what it actually takes to verify a child’s age online.
If you have already read our overview of the DPDP Act 2023 (which covers the full penalty framework, Data Fiduciary obligations, and Data Principal rights in detail), this post picks up where that one ends. The focus here is entirely on what the Rules add: the ‘how’ behind the Act’s ‘what’.

1. What the DPDP Rules 2025 Are and How They Were Made

The Digital Personal Data Protection Rules 2025 are subordinate legislation made by the Central Government under Section 40 of the DPDP Act 2023. Section 40 empowers the government to make rules on a list of specified matters, covering everything from the form and manner of consent notices to the qualifications of data auditors. The Rules were notified in the Official Gazette on November 13, 2025, following public consultation on the draft Rules released in January 2025.


As subordinate legislation, the Rules sit below the Act in the legal hierarchy. They cannot override the Act. Where the Act is ambiguous, the Rules provide clarification; where the Act is clear, the Rules cannot narrow or expand its requirements beyond what the Act authorises. This matters when you encounter a tension between what a Rule says and what the Act says: the Act prevails.


The Rules are also not the complete picture. The DPDP Act empowers the government to issue notifications and orders on a range of matters separately from the Rules and several critical elements of the compliance framework depend on those notifications rather than the Rules themselves. The Rules tell you what the framework looks like in its current state. The notifications fill in what is still missing.

2. The Rules at a Glance: What Each One Covers

The DPDP Rules 2025 contain thirteen Rules plus a Schedule. The following is a plain-language orientation to each Rule: what it addresses and where to find the operational detail in this cluster.

Rule 1: Title and Commencement

Rule 1 establishes the formal title (the Digital Personal Data Protection Rules, 2025) and the commencement date. The Rules do not all come into force simultaneously. Rule 1 specifies which provisions came into force on the date of notification and which come into force on dates to be separately notified. This staged commencement means that some obligations under the Rules are already operative while others are not yet live. The commencement status of each Rule is the first thing any compliance team should verify before building against it.

Rule 2: Definitions

Rule 2 defines terms used in the Rules that are not defined in the Act itself, or that require elaboration beyond the Act’s definitions. Key definitions include the Data Protection Manager (the SDF-specific role), the Consent Manager’s operational parameters, and the technical specification of what constitutes a valid consent record. These definitions are not merely academic; they determine how broadly or narrowly obligations apply. An organisation building its consent architecture needs to understand Rule 2’s definition of a valid consent record before designing the record format.

Rule 3: Notice

Rule 3 operationalises the Act’s Section 5 notice requirement. It specifies what a consent notice must contain, the level of granularity required in describing data categories and purposes, the language requirements (English or Eighth Schedule languages), and the form in which notice must be provided. Rule 3 is one of the most operationally detailed Rules in the document and has direct implications for privacy policy architecture, app onboarding flows, and website data collection practices. The DPDP Consent guide covers Rule 3 in full depth.

Rule 4: Consent

Rule 4 adds operational mechanics to the Act’s Section 6 consent standard. It addresses how consent must be sought (separately for each purpose, no pre-ticked checkboxes, no bundling with terms acceptance), how it must be recorded (timestamp, notice version, mechanism and purpose, all logged per Data Principal), and how the withdrawal mechanism must function (accessible at the same level as the original consent, not buried). Rule 4 is where the Act’s five-element consent standard (free, specific, informed, unconditional, unambiguous) gets its operational teeth.
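As an added illustration (not text or code from the Rules, and not any vendor’s implementation), the following Python sketch shows one way to keep a consent record with the elements listed above: an append-only ledger in which every grant and withdrawal is logged per Data Principal and per purpose with its timestamp, notice version and mechanism, hash-chained so that an auditor can detect later edits, reordering or deletion. The mechanism names, field names and sample identifiers are assumptions chosen for the example. The ledger refuses any mechanism that is not a clear affirmative action (so a pre-ticked box cannot produce a record), and a withdrawal must reference an existing grant.

```python
"""Append-only, hash-chained consent ledger.

Added illustration, not code from the DPDP Rules or any vendor. Field names
(principal_id, notice_version, mechanism, ...) are assumptions that mirror the
record elements listed for Rule 4.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Mechanisms that count as a clear affirmative action (assumed names). Pre-ticked
# boxes and consent bundled into terms acceptance are deliberately not in this set.
AFFIRMATIVE_MECHANISMS = {"unticked_checkbox", "explicit_consent_button", "consent_manager_api"}
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class ConsentEntry:
    principal_id: str
    purpose: str
    action: str          # "granted" or "withdrawn"
    notice_version: str  # version of the notice shown when consent was taken
    mechanism: str
    timestamp: str       # ISO-8601, UTC
    prev_hash: str       # hash of the previous entry (chain link)
    entry_hash: str      # SHA-256 over every field except this one


def _hash_body(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def _utc(ts: Optional[str]) -> datetime:
    """Parse an ISO-8601 timestamp (default: now) and normalise it to UTC."""
    dt = datetime.fromisoformat(ts) if ts else datetime.now(timezone.utc)
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a timezone offset")
    return dt.astimezone(timezone.utc)


class ConsentLedger:
    def __init__(self) -> None:
        self._entries: list[ConsentEntry] = []

    def _last(self, principal_id: str, purpose: str) -> Optional[ConsentEntry]:
        for e in reversed(self._entries):
            if e.principal_id == principal_id and e.purpose == purpose:
                return e
        return None

    def _append(self, principal_id, purpose, action, notice_version, mechanism, ts) -> ConsentEntry:
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        body = {"principal_id": principal_id, "purpose": purpose, "action": action,
                "notice_version": notice_version, "mechanism": mechanism,
                "timestamp": _utc(ts).isoformat(), "prev_hash": prev_hash}
        entry = ConsentEntry(**body, entry_hash=_hash_body(body))
        self._entries.append(entry)
        return entry

    def grant(self, principal_id, purpose, notice_version, mechanism, ts=None) -> ConsentEntry:
        """Record consent for ONE purpose; a grant for another purpose implies nothing here."""
        if mechanism not in AFFIRMATIVE_MECHANISMS:
            raise ValueError(f"{mechanism!r} is not a clear affirmative action")
        return self._append(principal_id, purpose, "granted", notice_version, mechanism, ts)

    def withdraw(self, principal_id, purpose, mechanism, ts=None) -> ConsentEntry:
        """Record withdrawal against the notice version the consent was given under."""
        last = self._last(principal_id, purpose)
        if last is None or last.action != "granted":
            raise ValueError("no active consent to withdraw")
        return self._append(principal_id, purpose, "withdrawn", last.notice_version, mechanism, ts)

    def is_consented(self, principal_id, purpose, at=None) -> bool:
        """Replay the log up to `at`: the latest action decides, per principal and per purpose."""
        cutoff = _utc(at)
        state = False
        for e in self._entries:
            if (e.principal_id, e.purpose) == (principal_id, purpose) and _utc(e.timestamp) <= cutoff:
                state = e.action == "granted"
        return state

    def export(self) -> list[dict]:
        """Plain-dict copy of the log, e.g. for an auditor or a Consent Manager."""
        return [dict(e.__dict__) for e in self._entries]


def verify_export(entries: list[dict]) -> bool:
    """Recompute the chain; any edited, dropped or reordered entry breaks it."""
    prev = GENESIS_HASH
    for raw in entries:
        body = {k: v for k, v in raw.items() if k != "entry_hash"}
        if raw.get("prev_hash") != prev or _hash_body(body) != raw.get("entry_hash"):
            return False
        prev = raw["entry_hash"]
    return True


if __name__ == "__main__":
    # Constructed sample flow: one grant, one withdrawal, then a state query and a chain check.
    ledger = ConsentLedger()
    ledger.grant("dp-1001", "order_fulfilment", "notice-v3", "unticked_checkbox", "2026-03-01T09:00:00+00:00")
    ledger.withdraw("dp-1001", "order_fulfilment", "explicit_consent_button", "2026-03-05T09:00:00+00:00")
    print(ledger.is_consented("dp-1001", "order_fulfilment", "2026-03-06T00:00:00+00:00"),
          verify_export(ledger.export()))
```

The point of `is_consented` taking an `at` argument is that the log answers the audit question Rule 4 raises ("was this Data Principal consented to this purpose at the moment the processing happened?"), not just the current state; because the log is append-only, that answer cannot be reconstructed later if it was not written at the time.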

Rule 5: Consent Managers

Rule 5 establishes the Consent Manager framework: the registration requirements, eligibility criteria, technical standards, and ongoing obligations for entities seeking to operate as registered Consent Managers. It specifies the minimum net worth, the interoperability technical standards that Consent Manager systems must meet, and the governance requirements for the entities operating them. The Data Protection Board is the registration authority. The November 2026 deadline for Consent Manager integration is driven by this Rule. The Consent Manager DPDP guide covers Rule 5 in full depth.

Rule 6: Security Safeguards

Rule 6 translates the Act’s general security obligation into specific technical requirements. It requires Data Fiduciaries to implement encryption of personal data in transit and at rest, access controls based on the need-to-know principle, authentication controls including multi-factor authentication, monitoring and logging of personal data access, regular security vulnerability assessments, and documented incident response procedures. Rule 6 is the technical security baseline: the minimum that every Data Fiduciary must meet, with SDFs facing additional audit scrutiny of their Rule 6 implementation.

Rule 7: Breach Notification

Rule 7 operationalises the Act’s breach notification obligation. It specifies what constitutes a notifiable breach, what the notification to the Data Protection Board must contain, the 72-hour window from discovery to notification, the requirement to notify affected Data Principals as soon as possible with no minimum threshold, and the format and content of both Board notification and Data Principal notification. Rule 7 has no risk threshold: every personal data breach triggers it. The DPDP Breach Notification guide covers Rule 7 in full depth.

Rule 8: Retention and Erasure

Rule 8 operationalises the Act’s data minimization principle for retention. It requires Data Fiduciaries to define retention periods for each category of personal data, delete personal data when the purpose for which it was collected has been served and no legal retention obligation applies, and implement automated erasure mechanisms rather than relying on manual deletion requests. Rule 8 closes the gap between data minimization as a principle and data minimization as an operational practice. The DPDP Data Minimization guide covers Rule 8 in full depth.
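The following Python example, added here and not taken from the Rules or from any product, shows what ‘automated erasure’ looks like as code: a retention schedule keyed by data category and purpose, an erasure job that deletes a record only once its purpose has been served, the grace period has elapsed, and no legal retention period or litigation hold applies, and a receipt that evidences the erasure without retaining the data. The categories, periods (including the eight-year figure), record layout and sample records are constructed assumptions for the example, not values from the Rules.

```python
"""Purpose-bound retention schedule with automated erasure.

Added illustration; not from the Rules text or any vendor. Categories, periods
and the record layout are assumptions for the example.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class RetentionPolicy:
    category: str
    purpose: str
    keep_after_purpose_days: int   # grace period once the purpose has been served
    legal_retention_days: int = 0  # statutory minimum counted from collection (assumed figures)


@dataclass
class Record:
    record_id: str
    category: str
    purpose: str
    collected_at: str                        # ISO-8601 with offset
    purpose_served_at: Optional[str] = None  # None: purpose still live, never eligible
    litigation_hold: bool = False
    payload: Optional[dict] = None           # the personal data itself


@dataclass(frozen=True)
class ErasureReceipt:
    record_id: str
    category: str
    erased_at: str
    payload_digest: str   # evidences what was erased without retaining it
    reason: str


def _utc(ts: str) -> datetime:
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a timezone offset")
    return dt.astimezone(timezone.utc)


def erasure_decision(rec: Record, policy: RetentionPolicy, now: datetime) -> tuple[bool, str]:
    """Decide whether a record is due for erasure at `now`, and why or why not."""
    if rec.litigation_hold:
        return False, "litigation hold"
    if rec.purpose_served_at is None:
        return False, "purpose still live"
    eligible_at = _utc(rec.purpose_served_at) + timedelta(days=policy.keep_after_purpose_days)
    statutory_until = _utc(rec.collected_at) + timedelta(days=policy.legal_retention_days)
    if now < eligible_at:
        return False, f"retained until {eligible_at.date()}"
    if now < statutory_until:
        return False, f"legal retention until {statutory_until.date()}"
    return True, "purpose served and no legal retention applies"


def run_erasure(records, policies, now_iso):
    """Apply the schedule. Returns (surviving records, receipts, reason per record_id)."""
    now = _utc(now_iso)
    by_key = {(p.category, p.purpose): p for p in policies}
    kept: list[Record] = []
    receipts: list[ErasureReceipt] = []
    reasons: dict[str, str] = {}
    for rec in records:
        policy = by_key.get((rec.category, rec.purpose))
        if policy is None:
            # A period is expected for every category; an uncovered category is a schedule bug,
            # so fail loudly rather than silently keeping the data.
            raise ValueError(f"no retention policy for {rec.category}/{rec.purpose}")
        due, reason = erasure_decision(rec, policy, now)
        reasons[rec.record_id] = reason
        if not due:
            kept.append(rec)
            continue
        digest = hashlib.sha256(json.dumps(rec.payload, sort_keys=True).encode("utf-8")).hexdigest()
        rec.payload = None   # drop the personal data; only the receipt remains
        receipts.append(ErasureReceipt(rec.record_id, rec.category, now.isoformat(), digest, reason))
    return kept, receipts, reasons


def sample_records() -> list[Record]:
    """Constructed sample data for the example (not real records)."""
    return [
        Record("R1", "delivery_address", "order_fulfilment", "2026-01-02T10:00:00+00:00",
               "2026-01-10T10:00:00+00:00", payload={"line1": "12 MG Road", "pin": "560001"}),
        Record("R2", "delivery_address", "order_fulfilment", "2026-02-20T10:00:00+00:00",
               "2026-03-01T10:00:00+00:00", payload={"line1": "5 Park St", "pin": "700016"}),
        Record("R3", "delivery_address", "order_fulfilment", "2026-03-10T10:00:00+00:00",
               None, payload={"line1": "7 Marine Dr", "pin": "400020"}),
        Record("R4", "invoice", "tax_records", "2025-04-01T10:00:00+00:00",
               "2025-04-02T10:00:00+00:00", payload={"invoice_no": "INV-0001", "amount": 1200}),
        Record("R5", "delivery_address", "order_fulfilment", "2025-12-01T10:00:00+00:00",
               "2026-01-01T10:00:00+00:00", litigation_hold=True, payload={"line1": "9 Anna Salai"}),
    ]


# Assumed schedule: addresses go 30 days after the order is complete; invoices are kept
# eight years from collection under an (assumed) separate legal obligation.
SAMPLE_POLICIES = [
    RetentionPolicy("delivery_address", "order_fulfilment", keep_after_purpose_days=30),
    RetentionPolicy("invoice", "tax_records", keep_after_purpose_days=0, legal_retention_days=8 * 365),
]

if __name__ == "__main__":
    kept, receipts, reasons = run_erasure(sample_records(), SAMPLE_POLICIES, "2026-03-15T00:00:00+00:00")
    for r in receipts:
        print("erased", r.record_id, r.payload_digest[:12], r.reason)
    for r in kept:
        print("kept  ", r.record_id, reasons[r.record_id])
```

Two design choices matter here. The job keys the schedule on purpose as well as category, because the same category (a delivery address) collected for two purposes can have two different end points; and a record whose category has no policy raises instead of being quietly kept, which is the failure mode that turns a documented retention schedule into one that exists only on paper.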

Rule 9: Grievance Redressal

Rule 9 requires every Data Fiduciary to appoint a Grievance Officer, publish the officer’s contact details, and implement a grievance procedure with defined response timelines. The Grievance Officer must acknowledge a complaint within a specified period and provide a reasoned response within 30 days. If a Data Principal is not satisfied with the response, they can escalate to the Data Protection Board. Rule 9 is the most direct interface between Data Principals and Data Fiduciaries; a functioning grievance procedure is the first line of defence against Board complaint volume, because every unresolved grievance that escalates to the Board is a complaint your procedure failed to handle.

Rule 10: Processing of Children’s Data

Rule 10 adds operational requirements to Section 9 of the Act, which prohibits processing children’s data without verifiable parental consent and prohibits tracking or behavioural monitoring of children under 18. Rule 10 specifies what ‘verifiable’ means in practice: the Data Fiduciary must have a mechanism that actually verifies the consenting parent is an adult, not merely a checkbox declaration. This is technically demanding: the Rule requires real age verification infrastructure, not an ‘I confirm I am 18 or over’ self-declaration. The Rule also specifies the prohibition on targeted advertising to children with enough clarity to make non-compliance unambiguous.

Rule 11: Obligations of Data Processors

Rule 11 specifies the contractual requirements for the relationship between Data Fiduciaries and Data Processors. Every Data Processor must operate under a written contract that specifies the processing purpose, the categories of data, the security measures the Processor must implement, the Processor’s obligation to notify the Fiduciary of breaches, the prohibition on sub-processing without Fiduciary consent, and the deletion or return of data at the end of the processing relationship. Rule 11 is why a vendor governance programme is not optional under DPDP: every SaaS tool, cloud provider, and analytics vendor that processes your personal data needs a Rule 11-compliant agreement.

Rules 12 and 13: SDF DPIA and Data Audit

Rules 12 and 13 apply exclusively to Significant Data Fiduciaries. Rule 12 requires SDFs to conduct periodic Data Protection Impact Assessments covering their processing activities. Rule 13 requires SDFs to have their processing activities audited periodically by an independent data auditor. Both Rules create ongoing obligations rather than one-time compliance events. The Significant Data Fiduciary guide covers both Rules in full depth.

3. What the Rules Deliberately Do Not Resolve

This is the section most compliance guides skip. Understanding what the Rules leave open is as important as understanding what they specify, because building a compliance programme against a gap is building on sand.

Sensitive Personal Data Categories: Still Pending

The DPDP Act provides for the Central Government to notify specific categories of personal data as ‘sensitive personal data’ attracting heightened obligations. The Rules 2025 do not specify these categories. They are pending a separate government notification. Until that notification arrives, there is no official DPDP sensitive personal data designation.

The practical implication: organisations cannot definitively identify which of their data attracts heightened obligations under the sensitive personal data framework, because that framework is not yet complete. The working approach is to treat the categories that were sensitive personal data under the SPDI Rules 2011 (health data, financial data, biometric data, credentials, sexual orientation) as likely sensitive personal data under DPDP, because these categories are the most likely to be included when the notification arrives. But this is prudent anticipation, not compliance against a live requirement.

Significant Data Fiduciary Designation: Still Pending

The Rules establish the SDF obligation framework comprehensively: DPIAs, audits, DPM appointment, algorithmic transparency. What they do not do is designate any entity as an SDF. That designation comes through a separate Central Government notification under Section 10(1). Until that notification lands, no organisation is formally an SDF, and the SDF-specific obligations are not yet operative for any specific entity.

As discussed in the Significant Data Fiduciary guide, the monitoring responsibility is yours. When the designation notification arrives, it may take effect immediately or with a short transition period. Organisations in the plausible SDF universe (large banks, payment platforms, telecom operators, major consumer internet companies) should be building SDF compliance infrastructure now.

Cross-Border Transfer Whitelist and Blacklist: Still Pending

Section 16 of the DPDP Act gives the Central Government the power to restrict transfers of personal data to specified countries (a blacklist) or to approve transfers to specified countries (a whitelist). The Rules 2025 operationalise the transfer mechanism, specifying how transfers must be documented and what contractual protections apply. But the actual list of restricted and approved countries is a separate government notification that has not been published.

Until the notification arrives, there is no country-specific transfer restriction under the DPDP Act. This means that transfers from India to any destination are not currently blocked by DPDP, regardless of the destination country. This will change when the notification is published. Organisations with significant cross-border data flows should model their exposure against plausible whitelist and blacklist scenarios and build the documentation infrastructure to comply quickly when the notification lands.

Consent Manager Technical Standards: Still Pending

Rule 5 requires Consent Managers to comply with technical interoperability standards published by the Data Protection Board. Those standards have not yet been published. The Consent Manager registration framework is in place, but the technical specification that Data Fiduciaries need to build their integrations against is still pending. The November 2026 Consent Manager integration deadline creates urgency, but it is difficult to complete an integration whose technical specification has not yet been published. Monitor the Board’s publications closely and plan for a compressed integration window once the standards arrive.

Data Auditor Qualification Criteria: Still Pending

Rule 13 requires data audits to be conducted by independent data auditors, but does not specify qualifications, certification requirements, or a recognised list of qualified auditors. The government may publish auditor qualification criteria through a subsequent notification. Until then, SDFs selecting data auditors are working without a formal qualification framework, which means they need to apply their own rigour to auditor selection. Independence, genuine data protection expertise, and technical audit capability are the criteria to apply.

4. What Is Live and Buildable Right Now

Despite the gaps, a substantial portion of the DPDP compliance programme can and should be built now against the Rules as they stand. Waiting for all pending notifications before starting is not a strategy; it is a guarantee of non-compliance when the remaining notifications land with short transition periods.

The obligations that are live and fully specified include the security safeguards of Rule 6, the breach notification procedure of Rule 7, the grievance officer and grievance procedure of Rule 9, the data retention and deletion framework of Rule 8, the processor contract requirements of Rule 11, and the children’s data verifiable consent requirement of Rule 10. These are not waiting on any further notification. They are operational obligations now.

The consent architecture under Rules 3 and 4 is also substantially buildable. The five-element consent standard, the per-purpose specificity requirement, the notice format requirements, and the consent record logging obligations are all specified. The one element that remains pending (the Consent Manager technical standards) affects the final Consent Manager integration but does not block the consent architecture redesign that needs to happen independently of the integration.

The Rule 11 vendor governance programme is fully buildable. Every processor contract that touches personal data needs a Rule 11-compliant DPA. That exercise does not depend on any pending notification; the contract requirements are specified now.

5. DPDP Rules 2025 vs. SPDI Rules 2011: The Transition in Practice

For organisations that have been complying with the SPDI Rules 2011 (India’s pre-DPDP data protection framework under Section 43A of the IT Act), the DPDP Rules 2025 represent a significant upgrade in both scope and specificity. The DPDP vs. IT Act guide covers the legal transition in detail. What matters for compliance teams is the practical delta.

Obligation area: Privacy notice
SPDI Rules 2011: Publish a privacy policy on your website. General categories of data and purposes.
DPDP Rules 2025: Rule 3. Active notice before consent is sought. Itemise every data category by name and every purpose separately. Language requirements. No website-policy-only compliance.

Obligation area: Consent
SPDI Rules 2011: Obtain knowledge and consent of the data provider before collecting sensitive personal data.
DPDP Rules 2025: Rule 4. Five-element standard. Separate per purpose. Logged with timestamp. Withdrawal mechanism at the same ease level. Unconditional: no service denial for consent refusal.

Obligation area: Security practices
SPDI Rules 2011: Implement reasonable security practices. ISO 27001 referenced as benchmark.
DPDP Rules 2025: Rule 6. Specific technical requirements (encryption in transit and at rest, access controls, MFA, logging, vulnerability assessments, incident response procedures). More prescriptive than a standards reference.

Obligation area: Grievance officer
SPDI Rules 2011: Appoint a Grievance Officer and publish contact details.
DPDP Rules 2025: Rule 9. Appoint Grievance Officer, publish contact details, acknowledge complaints within a specified period, respond with reasons within 30 days, escalation path to the Board.

Obligation area: Breach notification
SPDI Rules 2011: No breach notification obligation under SPDI Rules.
DPDP Rules 2025: Rule 7. All breaches, no threshold, 72 hours to the Board, Data Principal notification as soon as possible.

Obligation area: Data retention
SPDI Rules 2011: Do not retain information beyond the purpose for which it was collected.
DPDP Rules 2025: Rule 8. Define retention periods, implement automated deletion, document the retention schedule, make erasure verifiable.

Obligation area: Processor governance
SPDI Rules 2011: Transferee must provide equivalent protection. No contract format specified.
DPDP Rules 2025: Rule 11. Written contract with specified provisions (purpose, security measures, breach notification by processor to fiduciary, sub-processing restrictions, deletion at end of engagement).

Obligation area: Children’s data
SPDI Rules 2011: No specific children’s data protections in SPDI Rules.
DPDP Rules 2025: Rule 10. Verifiable parental consent required for under-18s. Prohibition on tracking and behavioural monitoring. Prohibition on targeted advertising. Real age verification, not self-declaration.

6. How to Use the Rules in Your Compliance Programme

The DPDP Rules 2025 are a technical document. Reading them cover to cover is less useful than reading them rule by rule, linked to the specific workstream they affect. Here is the practical mapping.

If you are building your consent architecture, your primary references are Rules 3 and 4, supplemented by the Consent guide in this cluster for the operational detail. The consent record format required by Rule 2’s definitions and the notice content required by Rule 3 are the two specifications to build against first.

If you are building your security programme, Rule 6 is your minimum specification. Every control it requires (encryption, access controls, MFA, logging, vulnerability assessment, incident response) should be verified as implemented and documented. The Rule 6 requirements are also what your independent data auditor will check if you are designated as an SDF, so the documentation standard matters as much as the implementation.

If you are managing a vendor ecosystem, Rule 11 is the template for every processor agreement. Work through your vendor list and identify every processor that handles personal data. Each needs a Rule 11-compliant DPA. This is a volume exercise for large organisations; the Implementation guide’s workstream 4 on processor contracts covers how to prioritise and sequence it.

If you are preparing for SDF designation, Rules 12 and 13 define what you need to build. Start with the data inventory that a meaningful DPIA requires, then build the DPIA programme, then identify and brief an independent data auditor. The Significant Data Fiduciary guide covers the full build sequence.

If you are in financial services, healthcare, or telecom, cross-reference the Rules against your sector regulator’s requirements as set out in the Financial Services guide. The Rules represent the DPDP floor; sector requirements may set a higher bar in some areas.

FAQs

When were the DPDP Rules 2025 notified, and are they all in force?

The Digital Personal Data Protection Rules 2025 were notified in the Official Gazette on November 13, 2025 under Section 40 of the DPDP Act 2023. Not all provisions came into force simultaneously: Rule 1 specifies a staged commencement, with some provisions operative from the notification date and others coming into force on dates to be separately notified. Before building your compliance programme against any specific Rule, verify its commencement status from the current Gazette notification. The Rules are a live document in the sense that the government can notify further provisions into force at any time.

Do the DPDP Rules 2025 specify what counts as sensitive personal data?

No. The Rules 2025 do not specify sensitive personal data categories. That is the responsibility of a separate Central Government notification under the Act. Until that notification is published, there is no official DPDP sensitive personal data designation. The practical working approach is to treat the categories that were sensitive personal data under the SPDI Rules 2011 (health, financial, biometric, credentials, sexual orientation) as likely sensitive personal data under DPDP and apply heightened treatment accordingly. When the government notification is published, verify whether your working assumption matches the official categories and adjust as needed.

What does ‘verifiable’ parental consent under Rule 10 require in practice?

Rule 10 requires Data Fiduciaries to implement a mechanism for ‘verifiable’ parental consent before processing personal data of children under 18. Verifiable means the Data Fiduciary must actually verify that the consenting person is an adult; a checkbox declaration by the user is not sufficient. The Rule does not mandate a single verification method, which gives organisations flexibility in implementation. Approaches that fit this requirement include digital identity verification using Aadhaar or DigiLocker to confirm the consenting adult’s age, payment-based age inference (on the assumption that payment accounts are held by adults), or third-party age verification services. The key requirement is that the verification method actually works: it must be designed to catch under-age users attempting to self-certify as adults, not merely to satisfy a formal compliance checkbox.

If I comply with the DPDP Rules 2025, am I also compliant with the DPDP Act?

Mostly, but not completely. The Rules operationalise the Act’s requirements in the areas they cover: consent, security, breach notification, grievance, retention, processor governance, children’s data, and SDF-specific obligations. A Data Fiduciary that fully implements the Rules is substantially compliant with the Act. However, the Act contains provisions that the Rules do not fully operationalise, particularly in areas where the detail is deferred to government notifications that have not yet been published. The sensitive personal data obligations, the SDF obligations for as-yet-undesignated entities, and the cross-border transfer restrictions are all Act-level obligations whose operational detail is still pending. Compliance with the Rules as currently published is necessary but not sufficient for complete DPDP Act compliance.

Are the DPDP Rules 2025 the same as the draft rules released in January 2025?

No. The draft rules published for public consultation in January 2025 were significantly revised before the final Rules 2025 were notified in November 2025. The consultation process generated substantial feedback from industry, civil society, and data protection practitioners, and several provisions of the draft rules were modified in response. If your organisation’s DPDP compliance programme was built against the draft rules rather than the final Rules 2025, it needs to be reviewed against the final text. Key areas that changed between draft and final include the Consent Manager framework, the security safeguards specification, and the grievance procedure requirements. Always build against the notified final Rules, not the draft.

Building Against the Rules That Are Live Today

The pending notifications are genuinely uncertain in timing. The obligations in the Rules 2025 are not. Security safeguards, breach detection and notification, consent architecture, processor governance, grievance procedures, children’s data verification: these are live requirements with no pending notification between you and compliance.

The organisations that will handle the pending notifications well are the ones that have already built the technical foundation, because when a sensitive personal data notification arrives, or an SDF designation notification lands, the response time is short and the compliance infrastructure either exists or it does not.

  • Data discovery built against the current Rules: Rule 6’s security requirements and Rule 8’s retention requirements both depend on knowing what personal data you hold and where. Matters.AI’s discovery runs continuously; when the sensitive personal data notification arrives, your inventory is already complete and you are classifying against it immediately, not starting the discovery exercise.
  • Security controls verified against Rule 6: Rule 6’s specific requirements (encryption, MFA, access controls, logging) are verifiable technical controls, not policy statements. Continuous monitoring confirms they are implemented across your full estate, not just on the systems your team remembers to check.
  • Breach detection for Rule 7’s 72-hour window: Rule 7 starts the clock at discovery. The faster you detect, the more of the 72 hours you have left for assessment and notification. Anomaly detection and data movement monitoring compress the detection window to hours, not days.
  • Consent record logging for Rule 4: Rule 4’s consent record requirements (timestamp, notice version, mechanism, purpose, per Data Principal) are technical requirements that must be implemented in the consent flow itself. A retrospective consent record reconstruction is not possible. Build it correctly the first time.