

The DPDP Rules 2025 were notified on 14 November 2025 through G.S.R. 843(E). They contain 23 rules and 7 schedules, and their notification is the moment the DPDP Act 2023 went from "a law on paper" to a fully operational compliance regime.
If the Act is the "what", the Rules are the "how": how consent notices must look, how a Consent Manager works, what "reasonable security safeguards" actually means, how fast you must report a breach, and how long you can keep data. Since 14 November 2025, the Data Protection Board of India has been active and the ₹250 crore per-violation penalty framework is live.
The main areas of the DPDP Rules 2025, in plain business language.
Notices must be plain-language and standalone (not buried in T&Cs), with an itemized data list, purposes, rights, grievance contact, in English plus any of the 22 scheduled Indian languages.
A registered intermediary platform to give, manage, review, and withdraw consent. Must be India-incorporated with a net worth of at least ₹2 crore, and keep records for 7 years. Registration becomes mandatory in November 2026.
Encryption at rest and in transit, masking, role-based access with least privilege, MFA, tamper-resistant logs kept at least 1 year, backups, a breach playbook, and vendor agreements.
Every breach is reportable, no risk threshold. Notify affected users without delay, plus a detailed report to the Board within 72 hours. See our breach reporting guide.
Delete data when the purpose is served or consent is withdrawn. Large platforms face a 3-year retention/erasure rule and a 48-hour notice before erasure; logs stay at least 1 year.
Verifiable parental consent for under-18s with no ad-targeting at minors; extra duties for Significant Data Fiduciaries (DPO, audits, DPIAs); and a blacklist model for cross-border transfers.
Consent rules become mandatory on 13 November 2026, full enforcement begins on 13 May 2027, and setup takes 2-6 months. Waiting is the expensive option.
Book Your Free DPDP AuditThe Rules are one piece. Our main guide covers the Act, deadlines, penalties, the full checklist, and how we get you compliant.
Learn Everything About DPDP ComplianceOn 14 November 2025, via G.S.R. 843(E). The notification of the 23 rules and 7 schedules made the DPDP Act fully operational, with the Data Protection Board active and the ₹250 Cr penalty framework live.
Privacy notice format, Consent Manager registration and duties, security safeguards, breach intimation, retention and erasure, children's data and parental consent, Significant Data Fiduciary duties, and cross-border transfer conditions.
Compliance became a live legal obligation: working consent flows, plain-language multi-language notices, encryption and access controls, 72-hour breach reporting, retention schedules, and vendor contracts. The penalty framework already applies.
Encryption at rest and in transit, masking, role-based access control with least privilege, MFA, tamper-resistant logs kept at least one year, backups, a breach response playbook, and data protection agreements with vendors. Failing here carries the top ₹250 Cr penalty tier.
Our free audit maps your current setup against the DPDP Rules 2025 and hands you a prioritized fix roadmap.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.