ARTICLE
25 November 2025

DPDP Act Compliance Mandate

MAHESHWARI & CO. Advocates & Legal Consultants

Contributor

MAHESHWARI & CO., a multi-speciality law firm, advises on a variety of practice areas including Corporate & Commercial Law, M&A, IPR, Real Estate, Litigation, Arbitration and more. With expertise across diverse sectors such as Automotive, Healthcare and IT, and emerging fields such as Green Hydrogen and Construction, the firm delivers legal solutions tailored to evolving industry needs.

After two years of anticipation, India has formally brought the Digital Personal Data Protection Act, 2023 ("DPDP Act") into force. With this, the Government has also notified the long-awaited DPDP Rules, 2025, officially setting the compliance machinery in motion. Although implementation has been staggered over an 18-month window, the transition will demand sustained effort across legal, technical and operational teams. Following is a refined overview of the rollout, the key refinements introduced through the Rules, and what businesses must prioritize as they navigate the transition.


1. A Phased Rollout, but a Narrow Compliance Runway

The Government has opted for phased implementation to reduce friction. This first phase sets up the institutional backbone of the new regime.

a. Immediately in Effect from 13 November 2025

The following core provisions became operational on 13 November 2025:

  • The Data Protection Board ("DPB") is officially constituted and will function with its head office in the NCR. Rule 4 of the DPDP Rules, relating to appointment, functioning, meetings and the digital office, has also come into effect, along with the powers to enforce, investigate and penalize, including inquiry powers where Consent Managers breach their obligations under Section 27.
  • The earlier SPDI Rules, 2011 continue to remain in force for 18 more months, ensuring no compliance vacuum.
  • A major shift under the RTI Act – the presence of "personal information" is now a ground to reject disclosure. The earlier exception permitting disclosure in the public interest has been removed.

b. After 12 months, i.e. 13 November 2026

This phase brings Consent Managers into the ecosystem. A Consent Manager can be described as an intermediary that serves as the central interface through which individuals can manage and control their data permissions across multiple organisations.

  • Consent Managers must register with the DPB.
  • They must comply with obligations under the Rules which include neutrality by avoiding conflict of interest, data integrity, audit trails, and grievance handling.
  • The Board may initiate inquiries and impose penalties on consent managers for violations.
  • This effectively introduces an accountability layer between Data Fiduciaries and individuals.

c. After 18 months – 13 May 2027

Under this phase, the full operational load comes into effect, which raises the compliance burden.

  • All Data Fiduciary duties, including purpose limitation, notice requirements, security safeguards and grievance redressal, become legally binding.
  • Data Principal Rights — access, correction, erasure, withdrawal of consent — become fully enforceable.
  • Provisions relating to children's data, cross-border transfers, and data breach notifications, and financial penalties come into effect.
  • The DPB's complaint-handling and adjudication mechanisms also become active.

2. Key Refinements Introduced in the Final DPDP Rules, 2025

a. More Precise Framework for "Verifiable Consent"

The Rules now articulate distinct processes for children and persons with disabilities. These require Data Fiduciaries to authenticate the identity of parents, guardians or authorized representatives. Verification may involve documentation, digital authentication systems or prescribed verification protocols.

This is a stronger, more operationally enforceable standard than earlier drafts, and will require reconfiguration of onboarding journeys across digital services.

b. New Definition of "User Account"

A user account now includes any identifier such as an email, mobile number, username, handle or any credential used to access a platform.

This affects:

  • How breach notifications must be directed;
  • How purpose limitation is interpreted in multi-service platforms;
  • How companies attribute actions within a digital environment.

c. Restrictions on Informing Users About Government Data Requests

Data Fiduciaries are prohibited from notifying individuals when the Government seeks access to their personal data.

This raises practical and contractual challenges:

  • Many platforms currently disclose such requests as part of their transparency commitments.
  • Terms of service may require revision to avoid non-compliance.
  • It sets up a future policy dialogue on transparency versus sovereign requirements.

This is likely to be a focal point of industry engagement in the months ahead.

d. Higher Operational Standards for Notice, Transparency and Retention

The Rules reinforce the DPDP Act's intent of informed and specific consent:

  • Notices must be clear, independent and self-contained — not buried within lengthy policies.
  • Purpose, collection, retention periods and potential disclosures must be explicitly stated.
  • Data Fiduciaries must retain certain logs and records for at least one year, subject to sectoral norms.

This will require companies to enhance the clarity of their notice templates.

e. Security and Breach Response

The Rules adopt a stringent approach:

  • Companies must implement strong technical and organizational safeguards.
  • Breach reporting must be made to the DPB — and, where applicable, to affected individuals within a strict timeline.
  • Platforms must maintain reliable logs to reconstruct breach events and support investigation.

f. Cross-Border Data Transfers

The Rules adopt a balanced approach — not a blanket ban, but certainly a more structured framework. Transfers must comply with prescribed conditions, and the Government retains the power to notify restricted jurisdictions. Companies involved in global processing will need to reassess data flows, localization commitments and contractual protections.

3. Next Steps for Organizations

Even with staged enforcement, companies should treat these 18 months as a transition period. Immediate steps include:

  • Mapping all personal data flows, including historical data,
  • Re-drafting consent mechanisms and notice formats,
  • Reviewing vendor and inter-company contracts,
  • Setting up or restructuring internal governance (including a DPO or authorized representative),
  • Updating retention and deletion workflows,
  • Auditing systems for breach-response readiness and logging practices,
  • Preparing for Consent Manager interfaces.

Conclusion

The DPDP Act and the DPDP Rules, 2025 together establish a clear and enforceable data protection regime in India. Although implementation is phased, the compliance runway is narrow. The Rules introduce more precise consent standards, stricter notice and security requirements, clearer definitions, and tighter controls around government data requests—signaling a shift toward practical, outcome-based regulation.

Over the next 18 months, organisations must treat this as an active transition period. Early action on data mapping, consent redesign, contract revisions, governance upgrades, and breach-readiness will be critical to achieving full compliance by May 2027.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
