DPDP Rules 2025: What you need to know as India activates its full privacy framework

When the Government of India notified the Digital Personal Data Protection (DPDP) Rules, 2025, it closed the loop on a privacy framework nearly seven years in the making. Together with the DPDP Act, 2023, the rules shift India from broad policy intent to operational accountability, marking one of the most significant overhauls in the country’s digital governance architecture since Aadhaar.

This is no longer about drafting a law. It is about transforming how organisations understand, manage and honour personal data. It marks India’s shift into what experts describe as the era of performance-led privacy.

A citizen-first privacy model built on SARAL

The new rules operationalise SARAL — Simple, Accessible, Rational and Actionable — a design philosophy meant to keep the law easy to understand for citizens yet rigorous enough for enterprises. Consent notices must now be standalone and purpose-specific. Individuals can access, correct, update or erase their personal data. They can nominate someone else to exercise these rights. Organisations must respond within 90 days.

Experts believe this pushes India firmly into rights-led data governance. As Jaspreet Singh, Partner and Chief Revenue Officer at Grant Thornton Bharat, put it, “The DPDPA Rules 2025 mark India’s transition from policy intent to operational accountability. Privacy is no longer a principle, it is performance. Compliance under DPDPA is not a checklist, it is a culture of trust every organisation must now institutionalise.”

The shift from passive collection to active stewardship

Among India Inc, the rules are being seen as a pivot from passive data collection to active data stewardship. Sanket Atal, Senior Vice President, Engineering and Country Head, OpenText India, said the shift is structural.

“The DPDP Rules of 2025 represent one of the most consequential shifts in India’s data governance framework. Beyond the headline requirements, the rules formalise three critical obligations for enterprises: verifiable consent, demonstrable accountability, and real-time breach visibility. These expectations move organisations from passive data collection to active data stewardship.”

Sanket Atal, OpenText India

“DPDP moves India from passive data collection to active stewardship. Compliance is now about verifiable consent, real-time breach visibility and demonstrable accountability.”

He adds that the hardest-hit will be enterprises with sprawling data estates. “Legacy applications sitting alongside multi-cloud deployments make traceability difficult. The DPDP Rules now require accurate data maps, consent-verification workflows, retention schedules and alignment with the blacklist-based transfer regime. IT teams will need to strengthen identity governance, automate audit trails and reduce data sprawl to meet breach-reporting and consent standards.”

For India’s BFSI, healthcare, citizen services and e-commerce sectors, this signals a major re-engineering of data flows.

Phased compliance that balances regulation with innovation

Recognising the diversity of India’s digital ecosystem, the government has offered an 18-month phased compliance window. Consent managers have a one-year deadline, while breach reporting and data retention rules will come into force over 18 months.

Vikram Jeet Singh, Partner at BTG Advaya, who has closely tracked the rule-making process, noted, “The final set of rules are broadly in line with the version released earlier in 2025, with more clarity on timelines. Some targeted changes have been introduced, including specific provisions for verifiable parental consent and processing the data of disabled persons. The real proof of the pudding will be in implementation and enforcement. The Data Protection Board now becomes central to operationalising the law.”

This is also where industry readiness becomes critical. The staggered rollout mirrors the global GDPR experience, allowing organisations to modernise data architecture without disrupting operations.

Preparing for an AI-first future

As India accelerates towards an AI-led economy, clarity on data responsibilities becomes a foundational pillar. The DPDP Rules make it explicit that data security, governance and lifecycle management must keep pace with growing AI workloads across distributed cloud environments.

This is echoed by Karan Kirpalani, Chief Product Officer at Neysa.ai. “As India moves deeper into AI-led transformation, clarity on data responsibilities becomes central to building secure and dependable digital systems. The DPDP Rules encourage organisations to align governance with the realities of growing AI workloads and high-density digital interactions.”

Kirpalani adds that strong data foundations are indispensable for successful AI adoption. “Strong data practices are the foundation of every successful AI initiative. The DPDP Rules reinforce the very principles including transparency, control and accountability that our platforms are built to enable.”

Karan Kirpalani, Neysa.ai

“As India scales AI adoption, clarity on data responsibilities becomes critical. Strong governance and secure data environments will define the success of every AI ecosystem.”

This emerging convergence between privacy and AI governance is expected to influence how Indian enterprises architect their next-generation AI systems.

Children’s data protection strengthened with nuance

Protecting minors online has been a global regulatory concern, and India’s Rule 10 introduces clear and verifiable parental consent obligations. However, the rules also recognise practical exceptions for essential sectors.

Vikas Bansal, Partner, IT Risk Advisory and Assurance, BDO India, explains, “Rule 10 establishes a clear obligation for Data Fiduciaries to obtain verifiable parental consent before processing the personal data of children. Accepted methods include digital identity mechanisms such as Digital Locker tokens. Exemptions have been carved out for healthcare, education and safety-related processing where strict consent may hinder essential services.”

Vikas Bansal, BDO India

“Rule 10 sets strict parental-consent obligations but balances them with narrow exemptions for essential services in health, education and child safety.”

These exemptions are narrowly defined to prevent misuse. Only data used strictly for the stated purpose is exempt, ensuring protection without restricting necessary services.

Regulatory continuity with targeted refinements

The DPDP Rules, according to legal experts, preserve the intent of the earlier drafts while tightening definitions and operational clarity. Adult definition, digital locker recognition, and provisions for disabled persons have now been codified. A new ground for processing children’s data for real-time safety has also been added.

“The final Rules are an iteration with targeted changes and amendments on specific matters,” noted Vikram Jeet Singh of BTG Advaya. “Both the DPDPA law and these rules seek to operationalise the mandate of the Puttusamy judgement. India now has a standalone data privacy law. The success will depend on how the Data Protection Board exercises its discretion.”

From legal obligation to trust advantage

Industry leaders believe the rules deliver a deeper message: compliance is no longer about avoiding penalties but about earning trust. Chief executives will now be assessed on the controls they can demonstrate, not on the assurances they offer.

Ashok Hariharan, IDfy

“The real work begins now: translating policy into architecture and intent into impact. DPDP challenges organisations to lead on trust, not merely comply.”

Ashok Hariharan, co-founder and CEO of IDfy, frames it as a defining moment. “The notification of the DPDP Rules marks a pivotal shift. It is about redefining how we honour the trust placed in us by every individual whose personal data we steward. As an industry we must elevate our thinking from ‘Can we comply?’ to ‘How will we lead?’ The real work begins now: translating policy into architecture, ambition into culture, and intent into impact.”

He adds that India has fulfilled its 2018 pledge to guarantee privacy as a constitutional right. IDfy’s launch of PRIVY, India’s first consent governance platform, reflects the growing push for privacy-centric infrastructure.

The road ahead: privacy as a competitive differentiator

The DPDP framework positions India at a critical inflection point. With a fully notified law, structured obligations, a citizen-first design, and a digital Data Protection Board, India is now aligned with global privacy regimes while retaining a distinct identity rooted in accessibility and innovation.

Jaspreet Singh, Grant Thornton Bharat

“Privacy is no longer a principle, it is performance. DPDPA demands a culture of trust that organisations must now institutionalise across the enterprise.”

For India Inc, the advantage will belong to companies that treat privacy as a continuous assurance function, invest in governance infrastructure, and embed accountability across the data lifecycle.

As Jaspreet Singh says, “For India Inc, DPDPA compliance is more than a legal duty, it is a competitive edge in global trust economics.”

Evolution of India’s Data Protection Framework (2017–2025): A Timeline

If implemented effectively, the DPDP Rules could become one of India’s most influential policy frameworks, shaping not only the rights of citizens but the future of India’s digital economy.