Govt Notifies DPDP Rules; Staggered Rollout Begins, Data Protection Board To Be Set Up
A key feature is the creation of a four-member Data Protection Board of India, which will oversee compliance, adjudicate breaches, and issue orders

The government on Friday formally notified the long-awaited Digital Personal Data Protection (DPDP) Rules, kicking off a staggered rollout of India’s new privacy regime. While several provisions come into effect immediately, others will be phased in over 12 and 18 months to give industry time to transition.
A key feature is the creation of a four-member Data Protection Board of India, which will oversee compliance, adjudicate breaches, and issue orders. The rules mandate strict breach reporting timelines: all data fiduciaries must inform the Board within 72 hours of any personal data breach, while affected users must be alerted "without undue delay."
The government has retained powers to call for information from any platform handling Indian users’ data for sovereignty, security or public order considerations. In certain sensitive cases, the Centre may also restrict fiduciaries from immediately disclosing a breach to users if such disclosure risks further harm.
Children’s data protection has been tightened substantially. Platforms must obtain verifiable parental consent, and are barred from tracking, profiling or serving targeted advertisements to minors. Government entities receive limited exemptions for specific notified functions, but not a blanket immunity.
Fiduciaries will now be required to delete the personal data of inactive users after three years, unless a longer retention period is mandated under law. They must also maintain one-year data logs covering consent, disclosures, processing activities and withdrawal actions.
The rules introduce a regulated framework for consent managers, who must mandatorily register with the government and comply with conflict-of-interest safeguards, security audits and grievance-redress timelines. Cross-border data transfers are allowed by default, except to countries that the government may explicitly place on a restricted list.
The notification also defines the three pillars of the regime:
Data Fiduciary: entities and platforms that collect or process personal data.
Data Principal: the individual user whose data is being processed.
Consent Manager: an authorised, neutral intermediary that enables users to manage permissions across platforms.
The rules further classify Significant Data Fiduciaries (large platforms such as telecom operators, social media companies, e-commerce marketplaces and gaming firms), which will face tighter obligations including annual audits, algorithmic transparency and independent Data Protection Officers.
