The DPDP Act 2023 established the framework. The DPDP Rules 2025, notified on November 13, 2025 (G.S.R. 846(E)), fill in the operational details — the specific procedures, timelines, and mechanisms that businesses must follow. Rules 5-23 take effect on May 13, 2027. Here's what they actually say.
Structure of the Rules
The DPDP Rules 2025 contain Rules 1-23. Rules 1-4 cover preliminary matters (definitions, commencement). Rules 5-23 contain the substantive compliance obligations that take effect in May 2027. The government can issue additional rules and amendments before then.
Rule 5 — Notice to Data Principals
Rule 5 operationalises Section 5 of the Act. Key requirements:
- Notice must be given before or at the time of collection — not after
- Must be in clear, plain language — not legal text
- Must specifically identify: the personal data being collected, the purpose, and any Data Processors involved
- Must be available in any Eighth Schedule language on request
- For businesses using a Consent Manager, the Manager handles the notice delivery
Rule 6 — Processing Conditions
Rule 6 details when processing without consent is permitted (the "legitimate uses" provision). This is important because it defines when businesses can process data without explicit consent — a very narrow set of circumstances:
- Performance of a function by the State (government functions)
- Compliance with a law or court order
- Medical emergency or disaster response
- Employment-related processing
- Certain research, archiving, or statistical purposes
Note what's absent: no broad "legitimate interests" provision like GDPR. For commercial processing, consent is the only valid basis.
Rule 7 — Consent Managers
The Rules establish the framework for Consent Managers — registered entities through which individuals can manage consent across multiple Fiduciaries. For businesses, this means:
- You can use a registered Consent Manager to collect and manage consent on your behalf
- The government maintains a register of approved Consent Managers
- A Consent Manager must have a minimum net worth (to be specified) and follow specific operational requirements
EasyDP is designed to operate as a compliant consent management interface for businesses, not as a regulated Consent Manager (which serves individuals across multiple Fiduciaries).
Rule 8 — Security Safeguards
Rule 8 operationalises the "reasonable security safeguards" requirement. It specifies that the measures must be appropriate to the nature and volume of personal data held. The Rule also requires that any security breach be reported to the DPB.
Rule 9 — Breach Notification
This is one of the most important Rules for operational compliance:
- Notification to the DPB within 72 hours of becoming aware of a breach
- Notification must include: nature of breach, categories of data affected, approximate number of people affected, consequences, and remedial steps
- Notification to affected Data Principals in "such form and manner as specified" — expected to be via the contact information held by the Fiduciary
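As an added example (not part of the original page or of any product it mentions), a small Python tracker that applies the Rule 9 elements as summarised above: it computes the 72-hour DPB deadline from the awareness timestamp and will not mark a notification ready until every required element is present. The field names and the sample incident are constructed for this example, not the DPB's form.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Rule 9 as summarised on this page: notify the DPB within 72 hours of becoming
# aware of a breach, stating the nature of the breach, the categories of data
# affected, the approximate number of people affected, the consequences and the
# remedial steps. The key names below are an assumption for this example.
DPB_NOTIFICATION_WINDOW = timedelta(hours=72)
REQUIRED_FIELDS = ("nature", "data_categories", "approx_affected",
                   "consequences", "remedial_steps")


@dataclass
class BreachNotification:
    aware_at: datetime                 # when the Fiduciary became aware (tz-aware)
    content: dict = field(default_factory=dict)

    def deadline(self) -> datetime:
        """Latest time the DPB notification may be sent under the 72-hour rule."""
        return self.aware_at + DPB_NOTIFICATION_WINDOW

    def missing_fields(self) -> list:
        """Required elements that are absent or empty; 0 affected still counts as given."""
        return [f for f in REQUIRED_FIELDS if self.content.get(f) in (None, "", [])]

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now).total_seconds() / 3600

    def status(self, now: datetime) -> str:
        """'incomplete' until every element is present, then 'ready' or 'overdue'."""
        if self.missing_fields():
            return "incomplete"
        return "overdue" if now > self.deadline() else "ready"


# Constructed sample incident: awareness at 09:00 UTC on 1 June 2027.
SAMPLE_AWARE_AT = datetime(2027, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_NOTIFICATION = BreachNotification(
    aware_at=SAMPLE_AWARE_AT,
    content={
        "nature": "credential stuffing against customer login",
        "data_categories": ["name", "email", "phone"],
        "approx_affected": 1200,
        "consequences": "account takeover risk; no payment data exposed",
        "remedial_steps": "forced password reset; rate limiting on login",
    },
)

if __name__ == "__main__":
    now = SAMPLE_AWARE_AT + timedelta(hours=20)
    print(SAMPLE_NOTIFICATION.status(now), SAMPLE_NOTIFICATION.deadline().isoformat(),
          f"{SAMPLE_NOTIFICATION.hours_remaining(now):.0f}h left")
```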
Rule 10 — Children's Data
Rule 10 is the most operationally demanding rule for many businesses:
- Verifiable parental consent before processing data of anyone under 18
- Verification must establish that the parent/guardian is themselves an adult
- DigiLocker is the specified mechanism for age verification
- Prohibition on tracking children's behaviour or targeting advertising at them
- Prohibition on processing data that "is likely to cause detrimental effect on the well-being of a child"
Rules 11-14 — Data Principal Rights
These Rules operationalise the rights of Data Principals:
- Rule 11: Process for access requests — the Fiduciary must provide the requested information within a specified period
- Rule 12: Process for correction and erasure — including the obligation to notify Data Processors of erasure
- Rule 13: Grievance redressal — businesses must provide a clear grievance mechanism and respond within a specified timeline
- Rule 14: Nomination — the process for a Data Principal to nominate another person to exercise rights on their behalf
Rules 15-18 — Data Protection Board
These Rules establish the operational procedures of the Data Protection Board — how it receives complaints, conducts inquiries, and imposes penalties. For businesses, the key takeaway is: the DPB has teeth. It can subpoena documents, conduct investigations, and impose penalties without necessarily requiring the affected customer to appear.
Rules 19-23 — Significant Data Fiduciaries
Rules 19-23 cover the additional obligations for entities designated as Significant Data Fiduciaries. Most SMBs will not be designated as SDFs initially, but businesses should monitor the government's notifications, as additional categories may be added over time.
What to Focus On Before May 2027
For most businesses, the most operationally significant rules are 5 (notice), 8 (security), 9 (breach notification), 10 (children), and 12 (erasure). Building compliant systems for these five will address the vast majority of your compliance risk. Start now — 18 months is not as long as it sounds when you're building from scratch.