Statutory Archive

DPDP Rules
2025.

Rules Enriched

Metadata

Notification

13 November 2025

Max Penalty

₹250 Crore

Implementation.

Phase 1 - 13 November 2025Administrative — DPBI constitution, appointments, digital office establishment

Phase 2 - 13 November 2026Consent Manager registration framework opens

Phase 3 - 13 May 2027Full compliance obligations — notice, consent, security, breach notification, retention, rights, SDF obligations, exemptions

Rule Index

Rule

Compliance Roadmap

Monitor DPBI establishment and member appointments

Ongoing from 13 Nov 2025

Track DPBI Chairperson and member appointments. DPBI will begin issuing guidelines, standards, and specifications that will define compliance requirements across all Rules.

Conduct data mapping audit

Q1 2026 (recommended)

Map all personal data flows: what data is collected, from whom, for what purpose, where stored, who has access, how long retained, which third parties receive it. This audit is the foundation for all subsequent DPDP compliance work.

Assess SDF designation risk

Q1 2026

Assess whether your organisation is likely to be designated as a Significant Data Fiduciary based on data volume, sensitivity, and systemic importance. SDFs face additional obligations (India-based DPO, independent auditor, DPIA). Begin DPO talent planning if SDF designation is likely.

Monitor negative list notifications

Ongoing

Watch for Central Government notifications specifying countries on the cross-border transfer 'negative list'. Begin mapping all jurisdictions to which Indian user data is transferred — have contingency plans ready for business-critical transfers to potentially listed countries.

Penalty Schedule

Failure to take security safeguards to prevent data breach

Rule 7 • Section 33(1) read with Section 8(5)

₹250 crore per instance

Failure to notify Data Protection Board of personal data breach

Rule 7(2)(a) • Section 33(2) read with Section 8(6)

₹200 crore per instance

Failure to notify Data Principals of breach

Rule 7(2)(b) • Section 33(3) read with Section 8(6)

₹200 crore per instance

Processing children's data without verifiable parental consent

Rule 6 • Section 33(4) read with Section 9

₹200 crore per instance

DPDP Rules 2025.

Metadata

Implementation.

Rule Index

Short Title and Commencement

Definitions

Notice

Registration and Obligations of Consent Managers

Purposes for Which Personal Data May Be Processed Without Consent

Processing of Personal Data of Children and Persons with Disabilities

Security Safeguards and Breach Notification

Restriction on Transfer of Personal Data Outside India

Retention Limits and Erasure of Personal Data

Additional Obligations of Significant Data Fiduciaries

Mechanism for Exercise of Rights by Data Principals

Erasure of Personal Data from User Accounts

Data Protection Board — Complaint, Inquiry, and Appeal Procedures

Data Protection Board of India — Constitution, Appointments, and Procedures

Exemptions — Procedures and Safeguards

Miscellaneous Provisions — Transitional and Supplementary

Compliance Roadmap

Monitor DPBI establishment and member appointments

Conduct data mapping audit

Assess SDF designation risk

Monitor negative list notifications

Penalty Schedule

Failure to take security safeguards to prevent data breach

Failure to notify Data Protection Board of personal data breach

Failure to notify Data Principals of breach

Processing children's data without verifiable parental consent

DPDP Rules
2025.