The Digital Personal Data Protection (DPDP) Rules, 2025, operationalise the DPDP Act, 2023, and establish how organisations must collect, store, process, and safeguard personal data in India. However, these obligations do not take effect all at once. The Rules adopt a staggered commencement structure that phases in different compliance requirements over 18 months. Under this structure, Rules 1, 2, and 17 to 21, which deal largely with definitions, Board procedures, and miscellaneous provisions, take effect immediately upon publication in the Official Gazette on November 13, 2025.

Meanwhile, Rule 4, which creates and regulates Consent Managers, will come into force one year after publication, giving the ecosystem time to develop interoperable platforms and allowing the Board to build its registration and oversight processes.

Crucially, the core obligations that organisations must comply with, those governing Data Fiduciaries (DFs) and Significant Data Fiduciaries (SDFs), fall under Rules 3 and 5 to 16, as well as Rules 22 and 23.

These provisions cover notice requirements, breach reporting, data retention, children’s data, security safeguards, DPIAs, audits, and government information requests. According to the commencement clause, this entire set of obligations will come into force 18 months after publication. Once active, they will fundamentally reshape how companies handle personal data across sectors.

Transparency, Notices, And Retention

The Rules require DFs to publish a notice before collecting personal data. The notice must present an itemised description of the categories of personal data and the specified purpose(s) of processing, and it must provide the communication link for accessing the DF’s website or app. In addition, the notice must identify how a Data Principal can withdraw consent and exercise their rights; withdrawal must be as easy as giving consent.

Furthermore, the Rules require DFs and Consent Managers to publish grievance-redressal arrangements on their website or app and to implement technical and organisational measures to ensure those mechanisms respond within a reasonable period, not exceeding 90 days.

Separately, the Rules set out specific retention periods for certain classes of entities in the Third Schedule. For example, the Schedule permits specified e-commerce platforms, online-gaming intermediaries, and social-media intermediaries that meet the stated user thresholds to retain certain personal data for three years from the last user interaction or from the Rules’ commencement, where applicable.

Where data becomes due for erasure under the Third Schedule, the DF must inform the Data Principal at least 48 hours before erasure, unless the Data Principal prevents erasure by logging into their account or otherwise initiating contact with the DF. Outside these Schedule provisions, the Rules require retention only for the period necessary for the specified purpose or as required by law.



Last Update: March 11, 2026