DPDP Rules 2025 Phase 1 (In force — 13 November 2025) ADMINISTRATIVE

Rule 1

Short Title and Commencement

Practical Note

Rule 1 is purely administrative — it names the Rules and triggers the phased commencement. No direct business compliance obligation arises from Rule 1 itself.

THE STATUTE

Original Text

(1) These rules may be called the Digital Personal Data Protection Rules, 2025. (2) They shall come into force on such date as the Central Government may, by notification, appoint; and different dates may be appointed for different provisions of these rules.

Analysis & Details

Rule 1 names the subordinate legislation and establishes the phased commencement mechanism. The Central Government has used this power to stagger implementation across three phases: Phase 1 (13 November 2025) covers the administrative and board-constitution provisions; Phase 2 (13 November 2026) activates the Consent Manager registration framework; and Phase 3 (13 May 2027) brings into force the full substantive compliance obligations — notice, consent architecture, security safeguards, breach notification, data retention, and rights mechanisms. This phased approach follows international best practice — the GDPR had a 2-year implementation runway after enactment in 2016 before enforcement began in May 2018. The DPDP's 18-month Phase 3 timeline (November 2025 to May 2027) is shorter, placing significant pressure on large Data Fiduciaries to begin compliance preparation immediately.

GDPR Parallel

N/A

IT Act Impact

Rule 1's commencement date is also the trigger for the DPDP Act Section 44(1) repeal of Section 43A of the IT Act and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — meaning the SPDI Rules 2011 cease to apply as DPDP obligations go live.

Common Queries

The DPDP Rules 2025 were notified on 13 November 2025 and come into force in three phases. Phase 1 (administrative and DPBI provisions) is effective from 13 November 2025. Phase 2 (Consent Manager registration) is effective from 13 November 2026. Phase 3 (full compliance obligations including consent notices, security safeguards, breach notification, and rights mechanisms) is effective from 13 May 2027.

13 May 2027 — 18 months from the Rules notification date. From this date, all substantive obligations under the DPDP Act and Rules become enforceable: privacy notices, consent architecture, security safeguards, breach notification, data retention policies, children's data protections, and data subject rights mechanisms must all be fully operational.

Key Rules & Provisions

Rules formally named as 'Digital Personal Data Protection Rules, 2025'.

Three-phase commencement: Phase 1 (Nov 2025), Phase 2 (Nov 2026), Phase 3 (May 2027).

Full compliance obligations (Rules 3, 5–16, 22–23) only mandatory from 13 May 2027.

Penalty Exposure

N/A (Administrative)

N/A

Cross-References

DPDP Act §1Short Title, Extent and Commencement of the Act DPDP Act §38Power to Make Rules Rule 17Establishment of DPBI