The government on Friday formally notified the long-awaited Digital Personal Data Protection (DPDP) Rules, kicking off a staggered rollout of India’s new privacy regime. While several provisions come into effect immediately, others will be phased in over 12 and 18 months to give industry time to transition.
A key feature is the creation of a four-member Data Protection Board of India, which will oversee compliance, adjudicate breaches, and issue orders. The rules mandate strict breach reporting timelines: all data fiduciaries must inform the Board within 72 hours of any personal data breach, while affected users must be alerted "without undue delay."
The government has retained powers to call for information from any platform handling Indian users’ data for sovereignty, security or public order considerations. In certain sensitive cases, the Centre may also restrict fiduciaries from immediately disclosing a breach to users if such disclosure risks further harm.
"The DPDP rules emphasise establishing a Data Protection Board, which serves as a key regulatory body. The rules also provide guidance to businesses on data breach reporting requirements, verifiable parental consent, the operational framework of a consent manager, compliance requirements, criteria for classifying a significant data fiduciary, and prescriptive security safeguards for protecting personal data," said Mayuran Palanisamy, Partner, Deloitte India.
Children’s data protection has been tightened substantially. Platforms must obtain verifiable parental consent, and are barred from tracking, profiling or serving targeted advertisements to minors. Government entities receive limited exemptions for specific notified functions, but not a blanket immunity.
Fiduciaries will now be required to delete the personal data of inactive users after three years, unless a longer retention period is mandated under law. They must also retain, for one year, logs covering consent, disclosures, processing activities and consent-withdrawal actions.
The rules introduce a regulated framework for consent managers, who must register with the government and comply with conflict-of-interest safeguards, security audits and grievance-redress timelines. Cross-border data transfers are allowed by default, except to countries that the government may explicitly place on a restricted list.
The notification also defines the three pillars of the regime:
Data Fiduciary: entities and platforms that collect or process personal data.
Data Principal: the individual user whose data is being processed.
Consent Manager: an authorised, neutral intermediary that enables users to manage permissions across platforms.
The rules further classify Significant Data Fiduciaries: large platforms such as telecom operators, social media companies, e-commerce marketplaces and gaming firms, which will face tighter obligations including annual audits, algorithmic transparency and independent Data Protection Officers.
"The real work begins now: translating policy into architecture, ambition into culture, and intent into impact. With the launch of the DPDP Act, the government has redeemed its pledge, not in half measure, but wholly and substantially, to guarantee privacy as a constitutional right for the people of Bharat, which it made in 2018," said Ashok Hariharan, co-founder & CEO, IDfy.