The Digital Personal Data Protection Regime

The Digital Personal Data Protection Act, 2023 (the "Act") and the Digital Personal Data Protection Rules, 2025 (the "Rules") together establish the statutory framework for personal data protection in India. The Rules were notified in the Official Gazette on 13th November 2025. While certain provisions have come into immediate effect, the core compliance obligations will take effect over a phased 12 to 18 month period ("Phase I"). Specifically: Rules 1, 2 and 17-21 are effective upon publication; Rule 4 (pertaining to the registration of Consent Managers) comes into force 12 months from the date of publication, i.e., on 13th November 2026 ("Phase II"); and Rules 3, 5-16, 22 and 23 will take effect 18 months from publication, i.e., on 13th May 2027 ("Phase III").
Definitions (Applicable from Phase I)
a) "Appellate Tribunal" means the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which hears appeals against decisions of the Data Protection Board.
b) "Data Principal" means the individual to whom the personal data relates and includes the parent or lawful guardian of a child, and the lawful guardian of a person with disability acting on their behalf.
c) "Data Fiduciary" means any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.
d) "Significant Data Fiduciaries"/ "SDF" means a Data Fiduciary or class of Data Fiduciaries notified by the Central Government based on factors such as: (i) Volume and sensitivity of personal data processed, (ii) Risk to the rights of Data Principals, (iii) Impact on India's sovereignty or electoral democracy, (iv) Use of public-facing profiling systems, (v) Potential systemic risks, (vi) Other factors the Government may consider relevant. Once notified, SDFs are subject to additional obligations (DPIA, audits, appointing a DPO, etc.).
e) "Consent Manager" means a person registered with the Data Protection Board who enables Data Principals to give, manage, review, or withdraw consent in an accessible, transparent, and interoperable manner, and acts as a single point of contact.
f) "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary.
g) "Data Protection Officer"/ "DPO" means an individual appointed by the Significant Data Fiduciary, who shall: (i) represent the Significant Data Fiduciary under the provisions of this Act; (ii) be based in India; (iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and (iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act.
h) "Personal Data" is defined as any data about an individual who is identifiable by or in relation to such data, whereas "Digital Personal Data" is defined as personal data in digital form.
Phase I - Effective Immediately (13th November 2025)
Rules Effective: Rules 1, 2, 17-21
Objective: Operationalise Data Protection Board/appeals processes and internal staffing/governance structures.
1. Digital-First Data Protection Board (DPB)
(a) Digital Board Functioning: (i) The Board functions as a fully digital office. (ii) Inquiries should be completed within 6 (six) months, extendable in 3 (three) month increments.
2. Appeals Before Telecom Disputes Settlement and Appellate Tribunal (TDSAT)
(a) Appeals must be filed before the TDSAT within sixty (60) days of receiving the DPB order. (b) The TDSAT should endeavor to dispose of appeals within 6 (six) months. (c) The entire appellate process is digital, with fee payments enabled via UPI or other authorized modes.
Phase II - Effective From 13th November 2026
Rules Effective: Rule 4
Objective: Operationalize Consent Managers ecosystem
1. Consent Managers (Registration & Governance)
(a) Consent Managers must be formally registered with the DPB. (b) They operate under governance, security, assurance, and interoperability obligations. (c) They serve as a unified interface for Data Principals to give, manage, or withdraw consent.
2. Consent Manager Standards & Interoperability
(a) The DPB will publish certification standards, technical requirements, and interoperability guidelines. (b) Organisations must ensure systems can seamlessly integrate with registered Consent Managers.
3. Mandatory Notice Content And Consent Experience
Preparation Begins in Phase II (although Rule 3 becomes enforceable only in Phase III, organizations must begin redesigning now): Data Fiduciaries must provide a standalone, easily understandable notice that ultimately includes: (a) Categories of personal data collected. (b) Purpose(s) of processing. (c) Simple withdrawal mechanism. (d) Direct link to lodge complaints with the DPB.
4. Things To Watch Closely
(a) Cross-Border Transfer Conditions: Keep an eye out for Government notifications under Rule 15, which will specify the exact requirements and any jurisdiction-specific restrictions for transferring personal data outside India. These orders will determine which destinations or foreign State-controlled entities may face limitations.
(b) SDF Designation & Potential In-India Processing Mandates: The criteria for identifying Significant Data Fiduciaries, along with any sectors or data categories that may require in-India processing or traffic-data restrictions, will be issued based on recommendations of a Government-appointed committee. Monitoring notifications under Rule 13(4) will be crucial for early readiness.
Phase III - Effective From 13th May 2027
Rules Effective: Rules 3, 5-16, 22, 23
Objective: Full operational compliance with the DPDP regime
1. Redesign Notices And Consent Flows
Rewrite notices to meet Rule 3 requirements: (a) Clear, standalone notices with specific data-purpose mapping. (b) A dedicated URL/app link for consent withdrawal, rights requests, and complaints to the Board. (c) Withdrawal must be as simple as giving consent. (d) A direct link for Data Principals to lodge complaints with the Data Protection Board.
2. Data Fiduciaries and Data Processors
All entities that determine the purpose and means of processing personal data and the processors acting on their behalf must comply with the full suite of obligations including detailed notice requirements, security safeguards, breach reporting, data retention rules, parental/guardian consent for children, rights enablement, and cross-border transfer restrictions.
3. Breach Notification Framework & Timelines
In the event of a personal data breach: (a) Affected Data Principals must be notified without delay. (b) The Board must be initially informed without undue delay. (c) A detailed breach report must be filed within 72 hours, covering the cause, scope, mitigation measures, remedial steps, and findings.
4. Baseline Security Standards & Minimum Retention Rules
The Rules codify what constitutes "reasonable security safeguards," including: (a) Encryption, obfuscation, masking, and use of virtual tokens. (b) Access controls, monitoring, logging, backups, and contractual security clauses. (c) Additionally: (i) Logs and personal data must be retained for at least one year to support breach detection, remediation, and continuity in adverse conditions. (ii) A separate minimum one-year retention of personal data, traffic data and processing logs applies for public-interest purposes listed in the Seventh Schedule, after which erasure is mandatory unless another law requires longer retention.
5. High-Impact Digital Sectors With Specific Retention Timelines
Certain large platforms face explicit timelines for when a "purpose is deemed to be served," including: (a) E-commerce platforms with 2 crore or more users. (b) Online gaming intermediaries with 50 lakh or more users. (c) Social media intermediaries with 2 crore or more users.
6. Time-To-Erasure And Mandatory 48-Hour Pre-Deletion Notice
For defined large-scale platforms, if a Data Principal neither engages for the specified purpose nor exercises data rights for 3 (three) years, the purpose is deemed no longer served. Before erasure, the Data Fiduciary must provide a minimum 48-hour advance notice to the Data Principal.
7. Children's Data And Persons With Disability ("PWD")
(a) The Rules detail what qualifies as "Verifiable consent" from: (i) A parent (for their child's data), or (ii) A lawful guardian (for a PWD). Accepted verification methods include identity/age checks and the use of authorised entities or Digital Locker-issued tokens.
(b) Exemptions from Verifiable Parental Consent and Restrictions on Child Data Processing: In certain limited circumstances, Data Fiduciaries may be exempted from: (i) the obligation to obtain verifiable parental consent; and (ii) the prohibition on tracking, behavioural monitoring, or targeted advertising directed at children.
(c) Further, these exemptions apply only to specified classes of Data Fiduciaries and only for specified purposes, as detailed below: (i) For clinical establishments, mental health establishments, or healthcare professionals: Processing must be strictly limited to the provision of health services to the child, to the extent necessary for protecting the child's health. (ii) For allied healthcare professionals: Processing must be limited to supporting the implementation of any healthcare treatment or referral plan recommended by such professionals, and only to the extent necessary for protecting the child's health. (iii) For educational institutions: Processing may involve tracking or behavioural monitoring only for educational activities or for ensuring the safety and protection of enrolled children. (iv) For individuals responsible for infants/children in a creche or day-care centre: Processing must be restricted to tracking or monitoring children solely in the interest of their safety while in the care of such creche, centre, or institution. (v) For Data Fiduciaries engaged for transport of children by educational institutions, creches, or childcare centres: Processing must be restricted to location tracking of children during transportation to and from the institution/centre, strictly for ensuring their safety.
8. Operationalise Rights Handling, DPO Transparency & Grievances Closure
(a) Publish DPO or key business contact details (in case of SDFs). (b) Provide clear channels to exercise rights and nominate authorised representatives. (c) Ensure grievances are resolved within a maximum of 90 (ninety) days. (d) Implement supporting technical and organisational measures for timely and secure rights handling.
9. Strengthen Breach Preparedness & Response Mechanism
Update incident response to meet Rule 7, which requires: (a) Templates for immediate notices to affected Data Principals. (b) Templates for initial Board intimation "without delay." (c) A process to submit the mandatory 72-hour detailed report, covering cause, scope, mitigation, and findings. (d) Logging, monitoring, forensic and investigation workflows that support these submissions.
10. Significant Data Fiduciaries
Once notified, SDFs will shoulder enhanced compliance duties, including annual DPIAs and independent audits, algorithmic risk assessments, and potential restrictions on transferring personal and traffic data for categories specified by the Government.
11. Upgrade Security Controls And Processor Contracts
Implement and audit baseline safeguards, including: (a) Encryption, masking, obfuscation, and virtual tokenisation for personal data. (b) Robust access controls, monitoring and log maintenance. (c) Redundant backups for data availability and integrity. (d) Processor agreements must be amended to include mandatory safeguard obligations under Rule 6(f).
12. Rights Enablement And Grievance Timelines
Data Fiduciary must: (a) Publish clear channels for Data Principals to exercise their rights. (b) Respond to grievances within a maximum of 90 (ninety) days. (c) Permit Data Principals to nominate individuals to act on their behalf. (d) Include the DPO or relevant business contact in all rights-related responses.
13. Cross-Border Personal Data Transfers
Cross-border transfers are broadly permitted, subject to future conditions the Central Government may notify for transfers to: (a) A foreign State, or (b) Any entity under the control of such State.
14. Government Access And Confidentiality Requirements
The Government may call for information for specified sovereign, legal, or security purposes. Where disclosure could prejudice sovereignty or security, the Government may direct that such requests be kept confidential.
15. Conduct Comprehensive Data Inventory, Flow Mapping & Retention Planning
Catalogue all Personal Data categories, purposes, processors/sub-processors, storage locations, and transfer flows. (a) Implement the minimum one-year retention for personal data and logs required for breach detection and continuity (Rule 6(e)). (b) Apply the Seventh Schedule minimum 1 (one) year retention for public-interest purposes; delete thereafter unless another law requires longer retention. (c) If you are a large e-commerce platform, gaming intermediary, or social media intermediary (meeting the thresholds), configure: (i) Purpose deemed served at 3 (three) years, and (ii) Mandatory 48-hour pre-erasure notifications, with exceptions for account access and authentication tokens. (d) Prepare to technically interface with Consent Managers; their formal registration and compliance obligations become effective after one year.
16. Build Complaint Framework For Children And PWD
Set up mechanisms for: (a) Verifying parental identity for children's data. (b) Adult/guardian verification using reliable identity/age information or authorised tokens (including Digital Locker tokens). (c) Due diligence to confirm lawful guardianship for PWDs, consistent with applicable guardianship laws and authorities.
17. Prepare For SDF Classification (if applicable)
If likely to be notified as an SDF, begin preparation now: (a) Schedule annual DPIAs and independent audits. (b) Implement processes to submit significant findings to the Board. (c) Perform algorithmic and technical risk assessments to ensure no adverse impact on Data Principal rights. (d) Prepare for possible restrictions on data processing or data flows for categories that the Government may later specify.
18. Risks To Manage
a) Regulatory Exposure & Enforcement Action: The DPB can initiate fully digital inquiries aiming to conclude within six months and issue binding directions. Any lapses in notice requirements, breach notifications, security measures, retention compliance, or rights-handling timelines will be visible, recorded, and enforceable under the Rules, increasing the likelihood of penalties.
b) Operational Disruption & Infrastructure Strain: The mandatory 1 (one) year logging and data retention obligations, coupled with the three-year "purpose deemed served" rule for large platforms, will require significant updates to data lifecycle management systems, archival tools, deletion workflows, and storage planning.
c) Third-Party / Vendor Liability: Non-compliant processors become a direct liability. Rule 6 requires Data Fiduciaries to embed specific security and safeguard obligations into all processor contracts. Weak vendor governance, insufficient due diligence, or missing contractual protections can expose your organisation to enforcement and penalties.
d) High-Risk Processing Of Children's & PWD Data: Inadequate verification of parents or lawful guardians can invalidate consent, leading to violations under Rules 10 and 11. Organisations must implement auditable, reliable identity and age-verification controls, including Digital Locker-based tokens where available.
19. Illustrations
a) If SDF is an NBFC
A large NBFC processes personal and financial data of 3 crore customers, including KYC, income proofs, bank statements, credit histories, behavioural data sources, and repayment data. Given its large user base, sensitive financial data and use of algorithmic decision-making, the Government notifies it as an SDF.
Compliance requirements: (i) It must appoint a DPO who reports to top management. (ii) It must conduct an annual DPIA to check whether its loan algorithms are fair and safe. (iii) It must undergo independent audits every year. (iv) It must review all AI models to ensure no bias in loan approvals. (v) It must have strict controls for retention (minimum 12-month log retention), deletion, and security. (vi) If the Government restricts sending certain financial data abroad, the NBFC must process it only in India. (vii) If a data breach happens, it must notify customers immediately and file a Board report within 72 hours.
b) If SDF is a Hospitality Company
A large hotel chain has 4 crore loyalty members and collects guest passports, payment info, CCTV, room preferences, travel history and uses algorithms for pricing. The Government identifies it as an SDF.
Compliance requirements: (i) It must appoint a DPO to handle guest data issues and compliance. (ii) It must conduct a DPIA every year to check whether pricing, recommendations and CCTV use are fair and safe. (iii) It must undergo independent audits every year. (iv) It must handle children's data carefully when families check in (parent verification). (v) It must keep logs and guest data securely for at least 1 (one) year, and delete them when the purpose ends. (vi) If the Government restricts foreign processing, the hotel must keep certain guest data inside India. (vii) If a data breach happens (such as a passport leak), it must inform guests immediately and notify the Board promptly.
Penalties
Upon completing an inquiry and providing the concerned person an opportunity of being heard, the Data Protection Board may impose monetary penalties for any breach of the provisions of the Act, or the Rules. The penalty framework is tiered based on the nature and severity of non-compliance, as follows:
Failure to Implement Reasonable Security Safeguards: Critical security lapses such as failing to adopt reasonable technical and organisational measures to prevent personal data breaches may attract penalties of up to INR 2,50,00,00,000 (Indian Rupees Two Hundred and Fifty Crore).
Failure to Notify Data Breaches: Non-compliance with the obligation to notify the Data Protection Board and affected Data Principals of a personal data breach may result in penalties of up to INR 2,00,00,00,000 (Indian Rupees Two Hundred Crore). Similar penalties apply to violations relating to the processing of children's personal data.
Non-Compliance by an SDF: Failure by an SDF to fulfil enhanced obligations such as conducting audits, undertaking DPIAs, or adhering to additional safeguards may lead to penalties up to INR 1,50,00,00,000 (Indian Rupees One Hundred and Fifty Crore).
General Non-Compliance: Breaches not falling within the above categories may attract penalties up to INR 50,00,00,000 (Indian Rupees Fifty Crore).
Minor Breaches by Data Principals: Lesser infractions, such as breaches of duties imposed on Data Principals under the Act, may result in penalties as low as INR 10,000 (Indian Rupees Ten Thousand).
Breach of a Voluntary Undertaking: Where a Data Fiduciary violates a voluntary undertaking previously given to the Board, the penalty may extend up to the same maximum amount applicable to the underlying breach for which the undertaking was issued.
Conclusion
The coming 18 (eighteen) months must be treated as a strategic build-and-implement window. Organizations/entities should use this period to harden their data governance foundations by finalizing compliant notice and consent flows, strengthening incident response and breach management, upgrading security controls and logging, implementing robust verification for children and PWD processing, and operationalizing retention, erasure, rights-handling, and vendor management frameworks. Early action will ensure readiness, reduce disruption, and position your organization to confidently meet full compliance when the Rules take effect.