DPDP Rules 2025 — Implementation Guide for Data Fiduciaries

Published May 20, 2026 · 16 min read · AxVeil Compliance

From Act 2023 to Rules 2025 — what actually changed

India's Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023 but sat largely dormant for eighteen months while the Ministry of Electronics and Information Technology (MeitY) drafted the operating Rules. On 3 January 2025 MeitY released the Draft DPDP Rules for public consultation, and through 2026 the Rules are being notified in tranches — Data Protection Board constitution and consent manager registration first, followed by Significant Data Fiduciary (SDF) notifications, breach reporting machinery, and sectoral carve-outs. If you read our earlier DPDP Act 2023 compliance checklist, this guide is the operational follow-on: the Act told you what to do, the Rules tell you how.

The headline shifts between Act and Rules: enforcement is no longer hypothetical, the Data Protection Board (DPB) has a published procedure for complaints and inquiries, breach reporting has a concrete 72-hour timeline to the Board (per the draft Rules), Consent Managers are a registered class of intermediary, children's consent has prescribed verification mechanisms, and cross-border transfers run on a negative-list model whose list is currently empty. The penalty bands in the Schedule to the Act, up to INR 250 crore for failure to take reasonable security safeguards, are unchanged.

Key provisions you must operationalise

  • Consent Manager registration (Section 6 of the Act, operationalised in the Rules). Consent Managers are a new class of registered intermediary that act on behalf of Data Principals to give, manage, review and withdraw consent. The Rules prescribe minimum net worth, fit-and-proper criteria for directors, interoperability standards (Account Aggregator-style consent artefacts), and an obligation to be neutral — a Consent Manager cannot be a sister concern of a Data Fiduciary it serves. Fiduciaries do not need to register, but they must be able to plug into registered Consent Managers when a Principal chooses to route consent through one.
  • SDF notification machinery. The Rules describe how the Central Government will notify Significant Data Fiduciaries — gazette notification naming the class or specific entity, with the additional obligations under Section 10(2) (DPO, Data Auditor, DPIA, additional measures) attaching from the notified date.
  • Breach notification — 72 hours. Per the draft Rules, the Fiduciary must inform affected Principals "without delay" and submit a detailed report to the DPB within 72 hours of becoming aware of the breach, covering the nature of the breach, categories of data, number of Principals affected, possible consequences, and remediation. Extensions are permitted with written justification.
  • Children's data (Section 9). The Rules prescribe verifiable parental consent mechanisms — DigiLocker credentials, Aadhaar-mediated parental consent, or via registered Consent Managers. Behavioural tracking and targeted advertising directed at children remain prohibited; penalty up to INR 200 crore.
  • Cross-border via negative list (Section 16). Transfers are permitted to every jurisdiction except those the Central Government notifies on a negative list. The list is empty as of this writing, but a jurisdiction can be added at any time by notification, and sector regulators (notably RBI's 2018 payment system data localisation circular) continue to impose stricter localisation regardless.
  • Exemptions for SMEs and startups. Section 17(3) of the Act and the draft Rules contemplate class-based exemptions from Sections 5, 8(3), 8(7) and 11 for notified classes of Fiduciary, including startups. The exemption is not automatic and does not cover security safeguards (Section 8(5)), breach notification (Section 8(6)), or children's data (Section 9).

Significant Data Fiduciary — what triggers it

Section 10(1) of the Act gives the Central Government wide discretion to notify any Fiduciary as "Significant". The Rules clarify the assessment criteria the government will use:

  • Volume of personal data processed. The expected threshold is in millions of Data Principals annually — fintech apps with 5M+ active users, e-commerce above a published GMV/user threshold, and large social platforms will all clear it.
  • Sensitivity of data. Processing biometric, financial, health, or location data at scale weighs heavily. A hospital chain processing 500k patient records is more likely to be SDF-notified than a B2B SaaS processing 5M business email addresses.
  • Risk to the sovereignty and integrity of India / electoral democracy / public order. This is the catch-all for social media platforms, news aggregators, messaging platforms, and ad-tech networks where amplification dynamics can affect public discourse.
  • Risk to the rights of Data Principals. Profiling, automated decision-making that affects loan, insurance or employment outcomes, and behavioural advertising are the classic high-risk operations in international DPIA literature, and the draft Rules' SDF assessment guidance mirrors them.

If you operate in BFSI — particularly payment aggregators, NBFCs, and consumer credit bureaus — assume SDF notification is a matter of when, not if. Read our BFSI sector compliance brief for the overlap with RBI's expectations. HealthTech operators should review the HealthTech India compliance page for sensitive-data handling under DPDP plus the Clinical Establishments Act and HIS guidelines.

DPO and Data Auditor — roles distinguished

Under Section 10(2) an SDF must appoint a Data Protection Officer (DPO) and engage an independent Data Auditor. The Rules clarify both roles:

  • DPO — internal, India-resident, board-answerable. The DPO is the Fiduciary's own employee or officer (not an outsourced role), based in India, and reports to the board of directors or equivalent governing body. The DPO is the named contact for Data Principal grievances and for the DPB. Penalty for not appointing one where required: the SDF-obligations band under the Schedule.
  • Data Auditor — external, independent, periodic. The Data Auditor evaluates the Fiduciary's compliance with the Act and Rules, including DPIA outcomes, consent flows, breach playbooks, sub-processor contracts, and data retention. Per the draft Rules, the audit cadence is at least annual; the Auditor reports to the board and may be required to share findings with the DPB.
  • DPIA — by design, periodic, and before every new high-risk operation. A Data Protection Impact Assessment is mandatory for SDFs before any new product, processing operation, or material change to an existing operation that could affect Principal rights. The Rules prescribe a minimum DPIA template covering necessity and proportionality, risk identification, mitigation, residual risk, and sign-off.

10-step implementation roadmap (90 days)

Treat DPDP Rules 2025 readiness as a 13-week programme owned jointly by Engineering, Legal/Privacy, and Security. Below is the sprint-by-sprint plan our compliance engineers use with mid-market Indian Fiduciaries; SDF-candidates should plan for 120 days because of the auditor and DPIA work.

  1. Week 1-2 — Data inventory and classification. Catalogue every system that touches personal data of a Data Principal in India. Tag at column level — identifier, contact, financial, biometric, health, location, behavioural. Tools: DataHub, Amundsen, OpenMetadata, or a hand-rolled spreadsheet if you are under 50 systems.
  2. Week 2-3 — Lawful basis mapping. For every processing operation, map it to either consent (Section 6, given against a Section 5 notice) or one of the legitimate uses enumerated in Section 7. Those are the only lawful grounds under Section 4; anything that fits neither is unlawful, so stop it, move it onto a Section 7 use it genuinely fits, or obtain consent.
  3. Week 3-5 — Consent UX rebuild. Implement notice in English plus the Eighth Schedule language of the Principal's choice, granular per-purpose toggles, withdrawal as easy as giving, and version-stamped consent records that tie each grant to the notice version the Principal actually saw. Add a Consent Manager integration interface even if you do not plan to onboard one immediately; the API surface is what the Rules require you to expose.
  4. Week 4-6 — Data Principal rights endpoints. Build dedicated, authenticated endpoints for access (Section 11), correction and erasure (Section 12), grievance (Section 13) and nomination (Section 14). Each must respond within the Rules' stipulated window (30 days indicated in the draft).
  5. Week 5-7 — Breach detection and response. SIEM alerts on bulk PII export, anomalous database queries, IAM changes, cloud bucket policy modifications. Document the 72-hour DPB notification flow and the 6-hour CERT-In flow together — see our CERT-In 6-hour reporting guide for the upstream incident timeline.
  6. Week 6-8 — Sub-processor and vendor flow-downs. Every Data Processor contract must mirror your Section 8 obligations. Refresh vendor risk reviews. Inventory cross-border processors against the (currently empty) negative list and flag any sector-specific localisation overlap.
  7. Week 7-9 — Reasonable security safeguards. ISO 27001-aligned controls, AES-256 at rest, TLS 1.2+ in transit, field-level encryption for Aadhaar / PAN / payment / health data, MFA on admin access, segregation of duties, immutable audit logs. Commission an independent VAPT as evidence — see our compliance and VAPT services.
  8. Week 8-10 — Children's data gates (if applicable). Parental consent verification via DigiLocker, Aadhaar-mediated flow, or Consent Manager. Behavioural tracking off for users under 18. Age-gating UX that does not itself collect more child data than needed.
  9. Week 10-12 — DPIA + SDF preparation (if in the candidate pool). Run a DPIA on your two highest-risk processing operations. Identify and onboard your DPO. Shortlist external Data Auditors and budget an annual engagement.
  10. Week 12-13 — Tabletop, training, and board sign-off. Run a breach tabletop using the template below. Train customer-facing staff on grievance handling. Brief the board, get sign-off on residual risk, file the DPO appointment with the DPB (if SDF).
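The consent ledger that steps 2 and 3 above describe, written out as an added example in Python (this is not code from the original page or from AxVeil). Every processing call passes a purpose and a lawful basis; consent-based purposes are checked against an append-only record in which each grant is stamped with the notice version and language the Principal was shown, and withdrawal is a single call. The event fields, the Section 7 use labels and the policy that a notice version change requires re-consent are this example's own assumptions.

```python
"""Consent ledger behind steps 2 and 3 of the roadmap.

Every processing call passes a (purpose, lawful basis) pair. Consent-based
purposes are checked against an append-only record in which each grant is
stamped with the notice version and language the Principal actually saw;
withdrawal is a single call. Added example, not code from the original page:
the event fields, the Section 7 use labels and the "re-consent when the notice
version changes" policy are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

# Shorthand labels (assumed, not statutory text) for Section 7 legitimate uses
# that do not need consent. Extend to match your own lawful-basis register.
SECTION_7_USES = {
    "voluntarily_provided", "legal_obligation", "court_order",
    "medical_emergency", "public_health", "employment",
}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str          # one specified purpose from the notice, e.g. "fraud_detection"
    action: str           # "grant" or "withdraw"
    notice_version: str   # version of the Section 5 notice the Principal was shown
    notice_lang: str      # language it was read in (English or an Eighth Schedule language)
    at: datetime
    channel: str          # "first_party" or "consent_manager:<registration id>"


class ConsentLedger:
    """Append-only: state is derived by replaying events, never by overwriting,
    so the record itself is the audit trail for the Board or a Data Auditor."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, principal_id: str, purposes: Iterable[str], notice_version: str,
              notice_lang: str, at: datetime, channel: str = "first_party") -> None:
        # One event per purpose: granular toggles, no bundled "Accept All".
        for purpose in purposes:
            self._events.append(ConsentEvent(principal_id, purpose, "grant",
                                             notice_version, notice_lang, at, channel))

    def withdraw(self, principal_id: str, at: datetime,
                 purposes: Optional[Iterable[str]] = None,
                 channel: str = "first_party") -> list[str]:
        # Withdrawal is one call and needs no justification; purposes=None
        # withdraws everything currently granted. Returns what was withdrawn so
        # the caller can fan the withdrawal out to Data Processors.
        targets = list(purposes) if purposes is not None else self.granted_purposes(principal_id)
        for purpose in targets:
            last = self._latest(principal_id, purpose)
            self._events.append(ConsentEvent(principal_id, purpose, "withdraw",
                                             last.notice_version if last else "",
                                             last.notice_lang if last else "", at, channel))
        return targets

    def _latest(self, principal_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.principal_id == principal_id and ev.purpose == purpose:
                return ev
        return None

    def granted_purposes(self, principal_id: str) -> list[str]:
        purposes = {ev.purpose for ev in self._events if ev.principal_id == principal_id}
        granted = []
        for purpose in purposes:
            last = self._latest(principal_id, purpose)
            if last is not None and last.action == "grant":
                granted.append(purpose)
        return sorted(granted)

    def has_consent(self, principal_id: str, purpose: str, current_notice_version: str) -> bool:
        last = self._latest(principal_id, purpose)
        # Conservative policy (assumption): a grant recorded against a superseded
        # notice version is not consent for the current notice; re-consent is needed.
        return (last is not None and last.action == "grant"
                and last.notice_version == current_notice_version)

    def history(self, principal_id: str) -> list[ConsentEvent]:
        return [ev for ev in self._events if ev.principal_id == principal_id]


def may_process(ledger: ConsentLedger, principal_id: str, purpose: str,
                basis: str, current_notice_version: str) -> bool:
    """Gate for every processing operation. The Act knows two kinds of ground:
    consent, or an enumerated Section 7 use. Anything else, such as a GDPR-style
    "legitimate_interest" carried over from an EU template, is rejected outright."""
    if basis == "consent":
        return ledger.has_consent(principal_id, purpose, current_notice_version)
    if basis in SECTION_7_USES:
        return True
    raise ValueError(f"{basis!r} is not a lawful basis under the DPDP Act")


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = datetime(2026, 5, 1, 10, 0, tzinfo=timezone.utc)
    ledger.grant("p-001", ["transactional_alerts", "fraud_detection"], "v1", "hi", t0)
    ledger.withdraw("p-001", t0.replace(hour=12), ["transactional_alerts"],
                    channel="consent_manager:CM-01")
    print(ledger.granted_purposes("p-001"))                                   # ['fraud_detection']
    print(may_process(ledger, "p-001", "fraud_detection", "consent", "v1"))   # True
    print(may_process(ledger, "p-001", "fraud_detection", "consent", "v2"))   # False
```

The point of the `channel` field is the Consent Manager plug-in the Rules require: a withdrawal routed through a registered Consent Manager lands in the same ledger as a first-party one, and the history for a Principal is the artefact you hand to the Data Auditor or the Board. Re-publishing the notice bumps the version and, under the conservative policy here, silently switches every consent-based purpose off until the Principal re-consents, which is the behaviour you want when the purposes themselves have changed.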

Template — DPDP-compliant consent notice

Notice under Section 5 of the Digital Personal Data Protection Act, 2023

You may read this notice in: [English] [हिंदी] [বাংলা] [தமிழ்] [తెలుగు] ...
                              [+17 more Eighth Schedule languages, 22 in total]

1. Identity of Data Fiduciary
   Example Pvt Ltd, CIN U72200KA2018PTC123456
   Registered office: <address>
   Contact for queries: Ms. <name>, DPO, dpo@example.in, +91-XXXXX-XXXXX

2. Personal data we will collect
   [ ] Name                    - to identify you
   [ ] Email                   - to send service messages
   [ ] Mobile                  - for OTP login & support
   [ ] Location (city)         - to localise content
   [ ] Payment data            - to process your transactions (RBI tokenised)

3. Specified purposes
   - Provide the [Product] service
   - Send transactional alerts
   - Detect and prevent fraud
   - Comply with applicable law

4. Your rights (Sections 11-14)
   - Access the data we hold about you
   - Correct, complete, update or erase your data
   - Lodge a grievance with our DPO
   - Nominate another individual to exercise rights in case of incapacity

5. Withdrawal of consent
   One-click withdrawal at: account.example.in/privacy/withdraw
   Or via a registered Consent Manager of your choice.

6. Cross-border processing
   Your data is processed within India. Backups are stored in India.
   No transfers to any jurisdiction on the negative list under Section 16.

7. Grievance redressal
   1st level: dpo@example.in (response within 30 days)
   2nd level: Data Protection Board of India — https://dpbi.gov.in

I have read and understood the above notice and CONSENT to the collection
and processing of my personal data for the specified purposes.

   [ AGREE & CONTINUE ]   [ DECLINE ]

Template — DPB breach notification (72-hour report)

To:   The Data Protection Board of India (online portal submission)
From: Example Pvt Ltd, CIN U72200KA2018PTC123456
      DPO: Ms. <name>, dpo@example.in

Section 1 — Incident identification
  Incident ID:           INC-2026-0042
  Discovered at:         2026-05-18T14:30:00+05:30
  Occurred between:      2026-05-16T22:00 — 2026-05-18T14:00 (IST)
  This 72-hour report submitted at: 2026-05-21T13:45:00+05:30
  Earlier Principal notification sent at: 2026-05-18T18:00:00+05:30

Section 2 — Nature of the breach
  Unauthorised access to user table via SQL injection in legacy
  reporting endpoint. Attacker exfiltrated ~17,840 rows.

Section 3 — Categories of personal data and Principals affected
  Categories: name, email, mobile, hashed_password (bcrypt cost 12)
  Sensitive categories: none
  Principals affected: 17,840 (all in India)
  Children affected:     0 (service restricted to Principals aged 18 or over at sign-up; Section 9 not engaged)

Section 4 — Possible consequences for Principals
  - Phishing / smishing using leaked email + mobile
  - Credential stuffing against reused passwords on other services

Section 5 — Containment, remediation, mitigation
  - Vulnerable endpoint removed within 30 minutes of detection
  - WAF rule deployed, database query patterns under review
  - All affected Principals: password reset enforced
  - 24-month complimentary identity-monitoring offered

Section 6 — CERT-In cross-reference
  CERT-In reference: CERT-In-2026-05-XXXXX (submitted within 6 hours
  per CERT-In Directions of 28 April 2022)

Section 7 — Board liaison
  DPO available 24/7 at the above contact for follow-up queries.
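The detection side of step 5 of the roadmap, run against the incident the template above describes, as an added example in Python (not code from the original page or from AxVeil). It reads audit-log lines, counts rows returned to each caller from PII-tagged tables over a sliding window, opens an alert when a caller crosses a bulk threshold, keeps the running row total the 72-hour report needs, and derives the two reporting clocks from the moment of discovery. The JSON log line shape is a constructed one (your database or gateway will emit something different), the PII tags stand in for the step-1 inventory, and the 1,000-row threshold and 10-minute window are assumptions to tune per system.

```python
"""Step 5 of the roadmap, against the incident in the 72-hour template: detect a
bulk export from a PII-tagged table, attribute it to an endpoint, and derive the
CERT-In and DPB reporting deadlines from the moment of discovery.

Added example, not code from the original page. The audit-log line format is a
constructed JSON shape, PII_TABLES stands in for the step-1 inventory tags, and
BULK_ROWS / WINDOW are assumptions to tune per system.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Column-level tags from the step-1 data inventory (assumed).
PII_TABLES = {"users": ["name", "email", "mobile", "hashed_password"]}
BULK_ROWS = 1_000             # rows returned to one caller within WINDOW
WINDOW = timedelta(minutes=10)

# Constructed audit log: normal profile reads, a non-PII analytics batch, and the
# legacy reporting endpoint pulling the whole users table in five pages.
SAMPLE_LOG = """\
{"ts":"2026-05-16T21:58:10+05:30","app_user":"api","endpoint":"/api/profile","table":"users","rows":1}
{"ts":"2026-05-16T21:59:02+05:30","app_user":"api","endpoint":"/api/profile","table":"users","rows":1}
{"ts":"2026-05-16T22:00:00+05:30","app_user":"reports","endpoint":"/reports/legacy","table":"users","rows":3560}
{"ts":"2026-05-16T22:01:30+05:30","app_user":"etl","endpoint":"batch","table":"orders","rows":50000}
{"ts":"2026-05-16T22:02:00+05:30","app_user":"reports","endpoint":"/reports/legacy","table":"users","rows":3560}
{"ts":"2026-05-16T22:04:00+05:30","app_user":"reports","endpoint":"/reports/legacy","table":"users","rows":3560}
{"ts":"2026-05-16T22:06:00+05:30","app_user":"reports","endpoint":"/reports/legacy","table":"users","rows":3560}
{"ts":"2026-05-16T22:08:00+05:30","app_user":"reports","endpoint":"/reports/legacy","table":"users","rows":3600}
{"ts":"2026-05-16T22:09:00+05:30","app_user":"api","endpoint":"/api/profile","table":"users","rows":1}
"""


def parse_line(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])   # offset-aware, keeps +05:30
    return rec


def detect_bulk_export(lines, threshold: int = BULK_ROWS, window: timedelta = WINDOW) -> list[dict]:
    """Sliding-window row count per (app_user, endpoint, table). Once a caller
    crosses `threshold` inside `window`, an alert opens and absorbs that caller's
    further rows until it goes quiet for `window`, so the alert carries the
    running total and time span the 72-hour report needs."""
    recent = defaultdict(deque)   # key -> deque of (ts, rows) still inside the window
    open_alerts: dict = {}        # key -> alert still accumulating
    alerts: list[dict] = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["table"] not in PII_TABLES:
            continue              # bulk reads of non-personal data are not a DPDP event
        key = (rec["app_user"], rec["endpoint"], rec["table"])
        ts, rows = rec["ts"], rec["rows"]
        alert = open_alerts.get(key)
        if alert is not None and ts - alert["last_seen"] <= window:
            alert["rows_total"] += rows
            alert["last_seen"] = ts
            continue
        q = recent[key]
        q.append((ts, rows))
        while q and ts - q[0][0] > window:
            q.popleft()
        total = sum(r for _, r in q)
        if total >= threshold:
            alert = {"app_user": key[0], "endpoint": key[1], "table": key[2],
                     "first_seen": q[0][0], "last_seen": ts, "rows_total": total,
                     "categories": PII_TABLES[key[2]]}
            alerts.append(alert)
            open_alerts[key] = alert
            q.clear()
    return alerts


def reporting_deadlines(discovered_at: datetime) -> dict:
    """Both clocks start when the Fiduciary becomes aware: CERT-In within 6 hours
    (28 April 2022 Directions) and the DPB report within 72 hours (draft Rules).
    Affected Principals are told "without delay", so no deadline is computed."""
    return {"cert_in": discovered_at + timedelta(hours=6),
            "dpb": discovered_at + timedelta(hours=72)}


if __name__ == "__main__":
    for a in detect_bulk_export(SAMPLE_LOG.splitlines()):
        print(a["endpoint"], a["rows_total"], a["first_seen"].isoformat(), a["last_seen"].isoformat())
    print(reporting_deadlines(datetime.fromisoformat("2026-05-18T14:30:00+05:30")))
```

On the constructed log the only alert is the legacy reporting endpoint, with 17,840 rows over eight minutes and the four affected categories, which is exactly what Sections 2 and 3 of the template need; the 50,000-row `orders` batch is ignored because the table carries no PII tag. Wire the alert to the on-call rota rather than a dashboard: the CERT-In clock is six hours from awareness, and "awareness" is argued from the first alert timestamp, not from when someone read it.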

Interplay with RBI, SEBI, IRDAI and CERT-In

DPDP is a baseline. Sector regulators continue to impose stricter obligations on regulated entities, and where they conflict, the stricter one wins.

  • RBI. The 2018 Payment System Data Localisation circular requires storage-in-India for payment data, with foreign processing allowed only transiently. The IT Framework Directions (2023) prescribe security baselines for banks and NBFCs. DPDP does not relax either.
  • SEBI. The Cyber Security and Cyber Resilience Framework (CSCRF) for SEBI-regulated entities continues to apply; its incident reporting, VAPT cadence, and SOC obligations overlay DPDP's general breach duty.
  • IRDAI. The Information and Cyber Security Guidelines for the insurance sector prescribe role-based access, encryption, and incident reporting that often exceed DPDP's general language. Insurers should treat IRDAI as the binding floor and DPDP as the privacy-rights layer.
  • CERT-In. The 28 April 2022 Directions require reporting of 20 categories of cyber incidents within 6 hours. DPDP's 72-hour report to the DPB runs in parallel, alongside the Principal-facing "without delay" notification. Maintain a consistent narrative across all three; see our CERT-In 6-hour deep dive.

Common pitfalls we see in real implementations

  • Treating DPDP like GDPR with a search-and-replace. The Act has no "legitimate interest" basis. EU consent templates ported wholesale to India often rely on legitimate interest for marketing or analytics; that basis does not exist under DPDP, and the Board will treat such processing as consent-less.
  • Generic support aliases as DPO contact. The Rules expect a named, India-based DPO for SDFs and a named grievance officer for all Fiduciaries. support@ satisfies neither.
  • Backups outside the erasure pipeline. The right to erasure is undermined if a restore from last night's backup quietly brings a deleted Principal's record back. Backups can stay for legal retention, but they must be excluded from restoration paths or scrubbed on cycle, and the erasure ledger must be checked on every restore.
  • Consent bundling and dark patterns. Pre-checked boxes, an "Accept All" with no granular alternative, and cookie walls that make consent the price of the service are all disallowed. The draft Rules cross-reference the Central Consumer Protection Authority's (CCPA) 2023 Guidelines for Prevention and Regulation of Dark Patterns.
  • Forgetting employee data. Section 7 allows employment-related processing without consent, but the data is still personal data: security safeguards, breach notification and retention limits all apply. HRMS and ATS systems are in scope.
  • Assuming "we host in AWS Mumbai" solves localisation. AWS Mumbai is in India, but cross-region replication, support access from outside India, and metadata may still cross borders. Audit your provider's data flow diagrams against Section 16 and any sectoral localisation.
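The backup pitfall above, handled in code as an added example in Python (not code from the original page or from AxVeil): a Section 12 erasure is recorded as a tombstone in an erasure ledger, every restore is filtered against that ledger whatever the age of the snapshot, and every backup rotation scrubs the tombstoned records out of the copy itself so a restore that bypasses the filter cannot bring them back. The record and snapshot shapes, the sample data and the retention window are this example's own assumptions.

```python
"""Erasure ledger applied to backups, for the "backups outside the erasure
pipeline" pitfall: a Section 12 erasure is recorded as a tombstone, every
restore filters against it, and every backup rotation scrubs it into the copy
itself. Added example, not code from the original page; the record and snapshot
shapes, the sample data and the retention window are assumptions.
"""
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)   # assumed legal retention for the backup itself


class ErasureLedger:
    """principal_id -> when erasure took effect. Append-only, and never pruned
    while any backup that could still contain that Principal exists."""

    def __init__(self) -> None:
        self._tombstones: dict[str, datetime] = {}

    def erase(self, principal_id: str, at: datetime) -> None:
        self._tombstones.setdefault(principal_id, at)   # first erasure wins

    def is_erased(self, principal_id: str) -> bool:
        return principal_id in self._tombstones

    def erased_after(self, when: datetime) -> set[str]:
        return {p for p, t in self._tombstones.items() if t > when}


def restore(snapshot: dict, ledger: ErasureLedger) -> tuple[list[dict], dict]:
    """Restore path: every record whose Principal has a tombstone is dropped,
    whatever the snapshot's age. The report also names the dangerous set, i.e.
    Principals erased after the snapshot was taken and therefore present in it."""
    kept, dropped = [], []
    for rec in snapshot["records"]:
        (dropped if ledger.is_erased(rec["principal_id"]) else kept).append(rec)
    in_snapshot = {r["principal_id"] for r in snapshot["records"]}
    report = {
        "snapshot_at": snapshot["taken_at"],
        "restored": len(kept),
        "dropped": sorted(r["principal_id"] for r in dropped),
        "erased_after_snapshot": sorted(ledger.erased_after(snapshot["taken_at"]) & in_snapshot),
    }
    return kept, report


def scrub_on_cycle(snapshot: dict, ledger: ErasureLedger, now: datetime) -> dict:
    """Rotation path: purge tombstoned records from the copy itself so that an
    operator bypassing restore() cannot bring them back, and empty the snapshot
    entirely once its own retention period has run out."""
    expired = now - snapshot["taken_at"] > RETENTION
    records = [] if expired else [r for r in snapshot["records"]
                                   if not ledger.is_erased(r["principal_id"])]
    return {"taken_at": snapshot["taken_at"], "records": records, "expired": expired}


def sample_snapshot() -> dict:
    """Constructed backup of the users table, taken before p-002 asked for erasure."""
    return {
        "taken_at": datetime(2026, 5, 10, 2, 0, tzinfo=timezone.utc),
        "records": [
            {"principal_id": "p-001", "email": "a@example.in", "mobile": "+91-XXXXX-00001"},
            {"principal_id": "p-002", "email": "b@example.in", "mobile": "+91-XXXXX-00002"},
            {"principal_id": "p-003", "email": "c@example.in", "mobile": "+91-XXXXX-00003"},
        ],
    }


if __name__ == "__main__":
    ledger = ErasureLedger()
    ledger.erase("p-002", datetime(2026, 5, 12, 9, 30, tzinfo=timezone.utc))   # after the snapshot
    kept, report = restore(sample_snapshot(), ledger)
    print(report["restored"], report["dropped"], report["erased_after_snapshot"])   # 2 ['p-002'] ['p-002']
```

The `erased_after_snapshot` entry in the report is the one to alert on: it lists the Principals whose erasure post-dates the snapshot, which is precisely the population an unfiltered restore would resurrect. Because the ledger is keyed on the Principal rather than on a row, it also covers the case where the same person appears in several tables or in a processor's copy.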

Enforcement landscape — DPB and the penalty bands

The Data Protection Board of India (DPB) is the adjudicatory body constituted under Section 18 of the Act. Its procedure under the Rules:

  • Initiation. Complaint from a Data Principal (after grievance escalation), reference from a sector regulator, suo motu cognisance based on media or breach reports, or DPB-initiated inquiry on a class of Fiduciaries.
  • Inquiry. Written submissions, document production, and hearings. The DPB has powers akin to a civil court for summons and discovery.
  • Voluntary undertaking. A Fiduciary can offer a binding remediation undertaking; if accepted, the DPB closes the inquiry without monetary penalty.
  • Order and appeal. DPB orders are appealable to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days.

The penalty Schedule (unchanged from the Act):

Contravention                                                        Maximum penalty (INR)
------------------------------------------------------------------   ------------------------------
Failure to take reasonable security safeguards (Section 8(5))        250 crore
Failure to notify the Board and affected Principals of a breach      200 crore
Breach of additional obligations in relation to children             200 crore
Breach of additional obligations of a Significant Data Fiduciary     150 crore
Breach of Data Principal duties under Section 15 (e.g. false or      10,000
  frivolous complaints)
Breach of any term of a voluntary undertaking accepted by the Board  up to the penalty applicable to
                                                                     the underlying contravention
Any other contravention of the Act or the Rules                      50 crore

Three signals from the early enforcement posture worth absorbing: (a) the DPB has signalled it will prioritise breach-notification failures and consent-validity inquiries in the first 12 months; (b) voluntary undertakings are being accepted where remediation is concrete and time-bound; (c) penalties are calibrated to scale of harm and revenue, not just maximum bands — small fiduciaries will not automatically see the 250-crore headline.

Frequently asked questions

1. When did the DPDP Rules 2025 come into force?

The Act was notified on 11 August 2023; the Draft Rules were released on 3 January 2025 for consultation; final Rules are being notified in tranches through 2026. The Board, consent manager registration window, and breach reporting machinery are already live. Treat current obligations as in-force.

2. What is the breach notification timeline?

"Without delay" to affected Principals on becoming aware, and within 72 hours to the DPB with a fuller report (per draft Rules). Extension possible with written justification. CERT-In's separate 6-hour clock runs in parallel.

3. Who is a Significant Data Fiduciary?

Any Fiduciary the Central Government notifies under Section 10(1) based on volume, sensitivity, sovereignty and democracy risk. First-wave candidates are large telecom, payment aggregators, top-tier e-commerce, major social platforms, and consumer credit bureaus.

4. Are SMEs exempt?

Partially and only by class-based notification. Security, breach notification, and children's data duties apply universally — only Sections 5, 8(3), 8(7) and 11 are candidates for exemption per the draft.

5. How does DPDP interact with RBI / SEBI / IRDAI?

DPDP is a baseline floor; sectoral rules apply on top and the stricter obligation prevails. Payment data localisation, CSCRF, and IRDAI cyber guidelines all remain binding alongside DPDP.

What to do this quarter

If you have not already started, the 90-day plan above is your roadmap. If you have, treat the next 90 days as the consolidation cycle: harden the consent UX, run a real breach tabletop, get your DPO appointed and your auditor shortlisted, file the residual-risk memo with your board. The Board will not accept "we are still building it" as a defence once inquiry letters start landing, and the penalty bands are calibrated to be material at any reasonable annual revenue. Read our underlying DPDP Act 2023 checklist for the statute-level obligations this Rules guide operationalises, and our compliance services page if you need an execution partner for the engineering work.

Need DPDP Rules 2025 implementation support?

AxVeil's compliance engineers run 90-day DPDP readiness sprints — consent UX, rights endpoints, breach playbooks, DPIA, and the "reasonable security safeguards" VAPT evidence the Board expects.

Talk to a compliance engineer →