The Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules 2025 on 15 March 2026, bringing into force the subordinate legislation that gives operational effect to the Digital Personal Data Protection Act 2023. Businesses that collect, process, or store personal data of Indian residents now have a 12-month window — until 15 March 2027 — to achieve full statutory compliance. The notification removes the prolonged uncertainty that followed the parent Act's passage in August 2023 and sets non-negotiable timelines that companies cannot defer.
What the Rules Introduce
The Rules establish the operational architecture for three core obligations. First, the consent management framework requires Data Fiduciaries to obtain free, specific, informed, unconditional, and unambiguous consent before processing personal data. Consent must be recorded and retrievable. Data Principals have the right to withdraw consent at any time, and withdrawal must be as easy as giving it — companies must redesign consent flows that bury withdrawal options in multi-step menus.
Second, Significant Data Fiduciaries (SDFs) — entities to be designated by MeitY based on volume of data processed, sensitivity of data, risk to national security, and impact on electoral democracy — face an elevated compliance tier. SDFs must appoint a Data Protection Officer based in India, conduct annual Data Protection Impact Assessments, and submit to periodic audits by a DPDP Board-empanelled auditor. Any entity processing personal data of more than 10 million Data Principals, or any entity processing sensitive data categories at scale, should begin preparing for SDF designation now rather than waiting for formal notification.
Third, cross-border data transfer restrictions are now operative. Transfer of personal data outside India is permitted only to countries or territories notified by the Central Government as offering adequate protection. The list of approved jurisdictions has not yet been published, creating an immediate compliance gap for multinationals that route Indian customer data through global data centres. Until the whitelist is published, businesses should map their data flows and assess whether existing standard contractual clause frameworks or intra-group data transfer agreements require renegotiation.
Notice and Transparency Requirements
Rule 3 mandates that Data Fiduciaries provide a notice to Data Principals at the time of collecting personal data, or — for data already held — within a period specified in the Rules. Notices must be in plain language, itemise the categories of data collected, explain the purpose of processing for each category, and describe the rights available to the Data Principal. Notices that use legal boilerplate or that bundle consent with terms of service are non-compliant. Companies will need to conduct a complete review of their privacy notices, cookie banners, app permission screens, and employee data collection forms.
Rights of Data Principals
The Rules operationalise five rights: the right to access information about the personal data being processed, the right to correction and erasure, the right to grievance redressal, the right to nominate another individual to exercise these rights in the event of the Data Principal's death or incapacity, and the right to withdraw consent. Data Fiduciaries must establish a functional grievance mechanism with a designated Grievance Officer, acknowledging complaints within 48 hours and resolving them within 30 days. For Delhi NCR businesses, this means assigning internal ownership to a senior compliance or legal officer immediately.
Penalties Under the Parent Act
The DPDP Act 2023 prescribes penalties of up to Rs 250 crore per instance of failure to implement reasonable security safeguards, and up to Rs 200 crore for failure to notify a personal data breach to the Data Protection Board and to the affected Data Principals within the prescribed period. Penalties are not capped on an aggregate annual basis: each breach of duty is a separate contravention, so a single incident that exposes both a safeguards failure and a late notification can attract both penalties. Companies that have not yet invested in data security infrastructure face the highest exposure.
Sectoral Overlap and Existing Frameworks
Entities regulated by SEBI, RBI, IRDAI, or TRAI must reconcile the DPDP Rules with existing sectoral data protection requirements. Where the DPDP Rules impose stricter obligations, the stricter standard applies. Healthcare entities processing health data — a sensitive personal data category — face dual compliance under DPDP and the National Digital Health Mission framework. Financial institutions already subject to RBI's Master Direction on IT Governance will need to map those requirements against the new DPDP obligations to identify gaps.
Action Items for Delhi NCR Businesses
- Conduct a full personal data inventory and data flow mapping exercise across all business units by June 2026.
- Appoint a Grievance Officer and publish contact details on your website and in all notices.
- Audit and redraft all privacy notices, consent forms, and cookie banners for compliance with Rule 3.
- Map all cross-border data transfers and identify jurisdictional risk pending MeitY's approved country list.
- Assess whether your data volumes and categories are likely to trigger SDF designation and begin DPIA preparation.
- Review vendor and processor contracts to ensure sub-processing obligations and data return/deletion clauses meet DPDP standards.
- Establish an incident response and breach notification protocol that can detect, contain, and document a personal data breach and notify both the Data Protection Board and the affected Data Principals within the prescribed timelines.