BACK TO DPDP RULES INDEX
DPDP Rules 2025 Phase 3 (13 May 2027) ADMINISTRATIVE

Rule 23

Miscellaneous Provisions — Transitional and Supplementary

Practical Note

Rule 23 covers the transitional arrangements for the Rules, including how existing processing relationships (data collected before DPDP comes fully into force) are treated, and the mechanism for the Central Government to issue supplementary notifications and clarifications. Watch for Central Government notifications under Rule 23 that may clarify or adjust requirements across other Rules.

THE STATUTE

Original Text

The Central Government may, by notification, specify such supplementary or consequential provisions as may be necessary to give effect to the provisions of these rules and the Act. Any data processing activity lawfully initiated before the commencement of these rules may continue, subject to compliance with the requirements of the Act and these rules within such period as the Central Government may specify.

Analysis & Details

Rule 23 provides the transitional and miscellaneous framework for the DPDP Rules. KEY PROVISIONS: TRANSITIONAL ARRANGEMENTS: Data processing initiated before DPDP's full commencement (i.e., before 13 May 2027) can continue — subject to being brought into compliance within a period specified by the Central Government. This avoids a 'hard cliff' where all existing data processing relationships instantly become unlawful on 13 May 2027. Businesses must audit existing processing, identify what needs to be brought into compliance (notices, consent, processing agreements), and execute compliance before the specified transition deadline. SUPPLEMENTARY NOTIFICATIONS: The Central Government retains the power to issue supplementary notifications under Rule 23 to address gaps, ambiguities, or unforeseen implementation challenges. This creates a living regulatory framework — Rule 23 is effectively the 'escape valve' for the government to adjust requirements without going through the full parliamentary amendment process. REVIEW MECHANISM: The Rules include a periodic review mechanism — the government is expected to review the Rules' effectiveness and make adjustments based on implementation experience. This is consistent with good regulatory practice and mirrors GDPR Article 97's requirement for periodic Commission review.

GDPR Parallel

Article 99 (GDPR Entry into Force) + Article 97 (Periodic Review)

IT Act Impact

Rule 23's transitional provisions will determine how quickly the IT Act's SPDI Rules 2011 are fully superseded for digital personal data. During the transition period, both frameworks may technically apply to certain categories of processing — businesses in regulated sectors should seek legal advice on the interaction between SPDI Rules and DPDP compliance obligations during the transition.

Common Queries

Rule 23's transitional provision allows existing processing relationships — data collected before 13 May 2027 — to continue, subject to being brought into compliance within a period specified by the Central Government. This means businesses don't need to delete all previously collected data on 13 May 2027, but they must have a compliance plan and bring existing processing into DPDP compliance within the Central Government's specified transition period.
Yes, to a significant extent. The DPDP Act's Rule-making power (Section 38) and Rule 23's supplementary notification power give the Central Government substantial flexibility to adjust requirements through notifications and supplementary rules, which are then tabled before Parliament under Section 39. While Parliament has oversight, the practical flexibility available to the Executive in adjusting the Rules framework is substantial.

Key Rules & Provisions

Existing processing can continue — no 'hard cliff' on 13 May 2027.

Compliance transition deadline to be specified by Central Government.

Supplementary notification power — living regulatory framework.

Periodic review mechanism built into the Rules.