November 17, 2025

The Ministry of Electronics and Information Technology (“MEIT”), vide notification dated November 13, 2025, has brought into force key provisions of the Digital Personal Data Protection Act, 2023 ("DPDP Act"). Alongside this notification, the MEIT has also notified the Digital Personal Data Protection Rules, 2025 (“2025 Rules”), which provide the operational framework for implementing the DPDP Act's provisions, including notice requirements, data retention timelines, breach notification protocols, and obligations for significant data fiduciaries. These notifications mark a significant milestone in India's data protection regime, with the DPDP Act's implementation following a carefully structured, phased approach that gives immediate effect to institutional provisions while granting organisations eighteen months to prepare for substantive compliance requirements.
What is the DPDP Act?
The DPDP Act is India's primary data protection legislation, enacted to regulate the processing of personal data of individuals and establish a rights-based framework for data privacy. The DPDP Act imposes obligations on "Data Fiduciaries" (entities that determine the purpose and means of processing personal data), "Data Processors" (entities that process personal data on behalf of Data Fiduciaries), and grants rights to "Data Principals" (individuals whose personal data is being processed).
The Three-Phase Implementation
With immediate effect from November 13, 2025, the provisions establishing the Data Protection Board of India (“Board”) are now operational. The Central Government has notified the establishment of the Board. The Board is empowered to conduct inquiries, adjudicate complaints filed by individuals against organisations, and impose monetary penalties of up to ₹250 crore depending on the nature and severity of violations. Alongside the Board's establishment, the Central Government's rule-making powers and foundational definitions are now operational.
Two specific provisions will come into force one year from the notification date, in November 2026, relating to the registration of Consent Managers and prescription of penalties for breach of their obligations. Consent Managers are entities that will provide a platform for Data Principals to manage consent for processing personal data.
The core compliance provisions of the DPDP Act, comprising the rights of individuals and the duties of organisations, will come into force in May 2027, eighteen months from the notification date. Organisations processing personal data will be required either to obtain free, specific, informed, unconditional, and unambiguous consent through clear affirmative action, or to use personal data only for certain legitimate purposes specified in the DPDP Act, and to provide clear notices detailing the specified purpose of processing, the nature of the data collected, and the manner of exercising rights. Organisations will be required to implement reasonable security safeguards such as encryption, masking, access controls, logging and monitoring for the detection of unauthorised access, and retention of logs for a minimum of one year. In the event of a personal data breach, Data Fiduciaries must immediately notify affected Data Principals in plain language, explaining the nature of the breach, its consequences, and the mitigation measures taken, and must separately inform the Board without delay, with detailed breach reports submitted within 72 hours (unless the Board allows a longer period). The 2025 Rules also establish data retention obligations requiring large e-commerce entities, online gaming intermediaries, and social media platforms to erase personal data after three years of user inactivity, while mandating that all Data Fiduciaries retain personal data, along with associated data and logs, for a minimum of one year from the date of processing, erase it after this period, and notify Data Principals 48 hours before erasure.
Importantly, Section 43A of the Information Technology Act, 2000 (“IT Act”) and the Sensitive Personal Data or Information Rules, 2011 issued thereunder will continue to remain in force until the substantive provisions of the DPDP Act take effect. Sub-section (2) of Section 44 of the DPDP Act, which omits Section 43A of the IT Act, comes into force only after eighteen months, ensuring continuity of data protection obligations during the transition period.
Additional Obligations for Significant Data Fiduciaries
The DPDP Act introduces a category of "Significant Data Fiduciaries" who will be notified by the Central Government based on several factors, including the volume of data processed, risks to the rights of Data Principals, and impact on sovereignty and security. These entities face enhanced obligations, including conducting annual Data Protection Impact Assessments, undergoing audits, and ensuring that specified categories of personal data are not transferred outside India. The provisions relating to Significant Data Fiduciaries will also come into force in May 2027.
What This Means for Organisations
Organisations must commence comprehensive data mapping exercises immediately to identify personal data processing activities, redesign consent mechanisms to ensure compliance with statutory requirements, update privacy notices, and revise vendor contracts to incorporate data protection safeguards. Technical and organisational security measures must be implemented well before the compliance deadline. Organisations processing children's data must prioritise age-verification and verifiable parental consent systems ahead of the eighteen-month deadline.