DPDP Rules 2025

The rules that switched India's data protection law from paper to practice, notified 14 November 2025
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

DPDP Rules 2025: The Day the Law Became Real

The DPDP Rules 2025 were notified on 14 November 2025 through G.S.R. 843(E). They contain 23 rules and 7 schedules, and their notification is the moment the DPDP Act 2023 went from "a law on paper" to a fully operational compliance regime.

If the Act is the "what", the Rules are the "how": how consent notices must look, how a Consent Manager works, what "reasonable security safeguards" actually means, how fast you must report a breach, and how long you can keep data. Since 14 November 2025, the Data Protection Board of India has been active and the ₹250 crore per-violation penalty framework is live.

What the 23 Rules Cover

The main areas of the DPDP Rules 2025, in plain business language.

Privacy Notice

Notices must be plain-language and standalone (not buried in T&Cs), with an itemized data list, purposes, rights, grievance contact, in English plus any of the 22 scheduled Indian languages.

Consent Manager

A registered intermediary platform to give, manage, review, and withdraw consent. Must be India-incorporated with a net worth of at least ₹2 crore, and keep records for 7 years. Registration becomes mandatory in November 2026.

Security Safeguards (Rule 6)

Encryption at rest and in transit, masking, role-based access with least privilege, MFA, tamper-resistant logs kept at least 1 year, backups, a breach playbook, and vendor agreements.

Breach Intimation

Every breach is reportable, no risk threshold. Notify affected users without delay, plus a detailed report to the Board within 72 hours. See our breach reporting guide.

Retention & Erasure

Delete data when the purpose is served or consent is withdrawn. Large platforms face a 3-year retention/erasure rule and a 48-hour notice before erasure; logs stay at least 1 year.

Children, SDFs & Cross-Border

Verifiable parental consent for under-18s with no ad-targeting at minors; extra duties for Significant Data Fiduciaries (DPO, audits, DPIAs); and a blacklist model for cross-border transfers.

What Changed for Businesses on 14 November 2025

  • Penalties went live: the ₹250 Cr per-violation framework is legally active, not theoretical
  • The regulator exists: the Data Protection Board of India is operational and taking complaints
  • Compliance has a spec: "reasonable security" now has a concrete definition in Rule 6
  • Deadlines started counting: consent rules mandatory on 13 November 2026, full enforcement on 13 May 2027
  • Notices need a rewrite: generic privacy policies don't meet the itemized, multi-language format
  • Vendors need contracts: you stay legally responsible for every processor that touches your data

The Rules Are Live. The Deadlines Are Fixed.

Consent rules become mandatory on 13 November 2026, full enforcement begins on 13 May 2027, and setup takes 2-6 months. Waiting is the expensive option.

Book Your Free DPDP Audit

Want the Complete DPDP Picture?

The Rules are one piece. Our main guide covers the Act, deadlines, penalties, the full checklist, and how we get you compliant.

Learn Everything About DPDP Compliance

DPDP Rules 2025: Frequently Asked Questions

When were the DPDP Rules 2025 notified?

On 14 November 2025, via G.S.R. 843(E). The notification of the 23 rules and 7 schedules made the DPDP Act fully operational, with the Data Protection Board active and the ₹250 Cr penalty framework live.

23 Rules. One Simple First Step.

Our free audit maps your current setup against the DPDP Rules 2025 and hands you a prioritized fix roadmap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.