DPDP Rules 2025 Decoded: What They Mean for Your Business

Introduction: The Rules Are What Make the Law Real

The Digital Personal Data Protection Act, 2023 is the skeleton. The DPDP Rules 2025, notified by the Ministry of Electronics and Information Technology (MeitY), are the flesh and muscle — the specific, operational requirements that determine what your organisation must actually do to be compliant.

If you have read the Act but not the Rules, you are only half-prepared.

This post decodes every significant provision in the DPDP Rules 2025, explains its practical business implication, and highlights where most organisations currently have gaps.

What Are the DPDP Rules 2025?

Under Section 40 of the DPDP Act, the Central Government is empowered to make rules to carry out the provisions of the Act. The Rules fill in the operational detail that the Act intentionally left to secondary legislation — specific formats, timelines, technical standards, and procedures.

The Rules were notified in early 2025. They are legally binding on all Data Fiduciaries operating under the Act. Rule 1 confirms: if the Act applies to you, the Rules apply to you. No separate applicability test.

Rule 3

Notice — The Operational Detail You Need

Rule 3 operationalises Section 5 of the Act with specific requirements that go beyond the Act's general principles. It has five significant sub-provisions.

3.1 Plain Language Mandate

Notices must be written in clear and plain language — not legalese. A privacy notice full of defined terms, cross-references, and lawyer-drafted qualifications does not satisfy Rule 3.

Your legal team drafts the content for accuracy; your UX/content team must rewrite it for clarity. Both versions matter. The standard is whether a reasonable person with no legal background can understand what they are agreeing to.

3.2 Standalone Format — No Bundling

The notice must be standalone — it cannot be embedded inside Terms and Conditions, End User Licence Agreements, or similar documents. The Rules explicitly prohibit presenting the privacy notice as part of a broader document the user is expected to scroll through.

If your current privacy policy is buried inside your Terms of Service, that is a Rule 3(2) violation. You need a separate, standalone privacy notice accessible at a distinct URL before consent is collected.

3.3 Five Mandatory Elements

Every notice must contain all five of these elements — not some, all:

What personal data is being collected — specific categories, not vague descriptions like "usage data"
The purpose for which data will be processed — specific, named purposes; not "to improve your experience"
The manner in which Data Principals can exercise their rights — a link to the rights portal, contact details, step-by-step process
The manner in which complaints/grievances can be filed — Grievance Officer name, contact details, filing process
The manner in which consent can be withdrawn — not just "you can withdraw consent" but the specific mechanism

Review your current notice against these five elements. Most organisations fail on (3), (4), and (5) — they tell users rights exist but not how to exercise them. "Contact our privacy team" is not a sufficient rights exercise mechanism.

3.4 Language: 22 + English

Notices must be available in English and at least one language from the Eighth Schedule to the Constitution — which lists 22 languages:

The 22 Eighth Schedule Languages

AssameseBengaliBodoDogriGujaratiHindiKannadaKashmiriKonkaniMaithiliMalayalamManipuriMarathiNepaliOdiaPunjabiSanskritSantaliSindhiTamilTeluguUrdu

"Hindi and English" is the minimum — not the standard. For organisations with significant user bases in South India, East India, or specific regional markets, a single Eighth Schedule language may not be sufficient to satisfy the "informed" prong of consent validity. Practically, organisations with national user bases should support multiple languages. The technical implication: your notice must be authored and maintained in multiple languages, with equivalence checks to ensure translated versions contain the same information.

3.5 Existing Data Principals

For personal data collected before the Rules came into effect, notices must be issued "at the first opportunity" when interacting with existing Data Principals.

You cannot grandfather your existing user base. The moment you have your first interaction with an existing customer after the Act applies to you, you must deliver a compliant notice. For digital products, this means your next login, next transaction, or next campaign is the trigger.

Rule 4

Consent Manager — The 7-Year Obligation

Rule 4 defines what it means to operate as a Consent Manager and sets the obligations for maintaining consent artifacts. This is the most technically demanding rule for most organisations.

4.1 Consent Artifacts: The 7-Year Retention Requirement

All consent artifacts must be maintained for a minimum of 7 years from the date of consent, or 7 years from the date of withdrawal — whichever is later.

A "consent artifact" is defined to include:

The identity of the Data Principal
The specific purpose for which consent was given
The version of the notice that was active at the time of consent
The exact timestamp
The channel through which consent was given (portal, API, campaign, etc.)
The mechanism by which consent was confirmed (email OTP, click, API call)

A consent record saying user_id: 123, purpose: marketing, status: granted, date: 2025-06-01 does not satisfy Rule 4. You need the full artifact — including the exact text of what the user was shown at the time of consent. This is what Vishwaas AI calls the consent_text_snapshot.

4.2 Consent Artifacts Must Be Produced on Demand

On request from:

The Data Principal themselves (to verify their own consent history)
The Data Protection Board of India (in enforcement proceedings)

Consent artifacts must be produced immediately in a form that is verifiable.

You need a mechanism to retrieve and present specific consent records for any data principal at any time. If your consent data is in an unstructured log file or a shared spreadsheet, you cannot satisfy this requirement. "Give me 3 days to pull that" is not an acceptable response to a DPBI request.

4.3 Consent Propagation Log

Consent Managers must maintain a log of consent propagation — documenting how consent decisions were communicated to every downstream Data Processor, the timestamp of communication, and whether delivery was confirmed.

It is not enough to withdraw consent in your platform. You must document that the withdrawal was communicated to every system that holds or processes data for that individual — your CRM, email marketing platform, analytics tool, HRIS. If propagation fails, you must document the failure and the retry.

Rule 6

Processing Personal Data of Children

Rule 6 adds operational detail to Section 9's protections for children's data.

Verifiable Parental Consent

The Rules reference two mechanisms for verifying parental consent:

DigiLocker — India's digital document locker, linked to Aadhaar
Aadhaar-based OTP verification — for age and identity confirmation

"The parent checked a box saying they are a parent" is not verifiable consent. Your age verification and parental consent flow must use a government-recognised verification method. This is a significant implementation requirement for consumer applications that may be used by minors.

Prohibition on Tracking

Processing that involves tracking children's online behaviour, targeted advertising to children, or other activities "likely to cause detrimental effect" on children is prohibited.

Any consumer-facing product that uses behavioural analytics, retargeting, or personalised advertising must either age-gate these features for users under 18 or disable them entirely if age verification is not feasible.

Rule 7

Significant Data Fiduciaries

Rule 7 operationalises the SDF designation and its consequences. The DPBI may designate organisations as SDFs based on volume of personal data processed, sensitivity of personal data (health, financial, biometric), risk to national security or public order, and potential impact on sovereignty.

Large e-commerce platforms, major BFSI players, large HR/payroll processors, healthcare providers, and telecom companies are the most likely SDF candidates in the first wave of designations.

Requirement	What It Means
Data Protection Officer	Must be based in India; reports to the Board of Directors; single point of contact for DPBI
Independent Data Auditor	External auditor conducts periodic compliance audits; findings presented to the DPO
Data Protection Impact Assessments	Mandatory DPIA before commencing high-risk processing activities
Algorithm Assessment	Periodic assessment of algorithms used in profiling or automated decision-making for fairness and bias
DPIA submission to DPBI on request	DPIA register and individual DPIA reports must be producible for DPBI inspection on demand

If you believe you may be designated as an SDF, begin implementing these structures now — DPO appointment, DPIA process, and auditor engagement take time and should not be initiated after a designation notice arrives.

Rule 8

Breach Notification — 72 Hours Is Not Much Time

Rule 8 operationalises Section 8(6)'s breach notification obligation with specific procedural requirements.

The 72-Hour Clock

From the moment a Data Fiduciary becomes aware of a personal data breach, a 72-hour clock starts for notifying the DPBI. The notification must include:

Nature of the personal data breach
Categories of personal data involved
Estimated number of Data Principals affected
Estimated volume of personal data involved
Likely consequences of the breach
Measures taken or proposed to address the breach and mitigate its effects

Notification to Data Principals

Notification to affected Data Principals must follow "as soon as reasonably practicable" — the Rules do not prescribe a specific deadline beyond DPBI filing, but prompt communication is expected.

Why 72 Hours Disappears Fast

0 – 24 hrs

Incident discovery → internal escalation

12 – 36 hrs

Technical investigation — scope & categories

36 – 44 hrs

Legal review of notification content

44 – 52 hrs

Draft, review, file DPBI notification

52 – 72 hrs

Buffer · confirmation · principal notifications

Without a documented breach response playbook, discovery-to-filing routinely exceeds 72 hours.

Organisations need a documented breach response playbook that compresses discovery-to-notification to well under 48 hours, leaving buffer for the actual filing. Without this, the 72-hour deadline is routinely missed.

Rule 9

Grievance Redressal

Rule 9 requires:

Data Fiduciaries to publish the name and contact details of their Grievance Officer
Grievances to be acknowledged and resolved within 30 days
Responses to be in writing and, if rejected, to state reasons
If the Data Fiduciary fails to resolve within 30 days, the Data Principal may approach the DPBI directly

Many organisations have a "Privacy" inbox monitored weekly. The 30-day response obligation requires a structured DPR queue, not an ad-hoc inbox. The obligation to state reasons for rejection requires a proper decision-making process — not "we reviewed your request and determined it does not apply."

Rule 10

Data Principal Rights — Operational Framework

Rule 10 provides the operational framework for how rights requests must be handled.

Response Timelines

Right	Response Deadline
Access (§11)	90 days
Correction / Erasure (§12)	90 days
Grievance (§13)	30 days
Nomination (§14)	As requested

Identity Verification

Before fulfilling a rights request — especially erasure — the Data Fiduciary must verify the identity of the requester. The Rules support:

Email OTP verification
DigiLocker / Aadhaar-based identity verification

You cannot fulfil an erasure request from an unverified email. But verification must not be so burdensome that it effectively prevents Data Principals from exercising their rights. A 10-step verification process for a simple access request may itself be a violation.

Erasure Propagation

For erasure requests, Data Fiduciaries must communicate the erasure instruction to all Data Processors holding data for the relevant individual. Processors must confirm completion.

If your user's data is in Salesforce, your ESP, your data warehouse, your HR system, and your CDN — you must orchestrate erasure across all five systems and document completion of each. Manual coordination across five systems is error-prone and time-consuming. Automated erasure job orchestration is the only scalable approach.

Compliance Gap Summary: Where Most Organisations Stand Today

Based on the Rules analysis above, here is a summary of the most common compliance gaps:

Area	Rule	Most Common Gap
Notice format	Rule 3	Bundled into T&Cs; English only; missing rights mechanism
Consent artifacts	Rule 4	No text snapshot; no 7-year retention; no on-demand production
Consent propagation	Rule 4	No log of downstream system notification or delivery confirmation
Children's data	Rule 6	No verifiable age / parental consent mechanism
SDF preparation	Rule 7	No DPO, no DPIA process, no audit relationship in place
Breach notification	Rule 8	No documented playbook; no 72-hour notification process
Grievance response	Rule 9	Ad-hoc inbox; no 30-day SLA tracking or written response process
Rights request SLA	Rule 10	No self-service portal; manual tracking; no erasure orchestration

How Vishwaas AI Maps to Each Rule

Every gap in the table above corresponds to a Vishwaas AI module purpose-built to close it:

Rule	Vishwaas AI Coverage
Rule 3 — Notice	Privacy Notice module: TipTap editor, standalone delivery, 22 languages, version control, acknowledgement tracking
Rule 4 — Consent artifacts	Non-repudiable consent ledger: SHA-256 hash chain, RSA signature, RFC 3161 TSA token, 7-year retention, on-demand export
Rule 4 — Propagation log	Consent Propagation module: HMAC-signed webhook delivery, delivery log, retry queue, propagation monitor
Rule 6 — Children	Minor flag, guardian linkage, DigiLocker / Aadhaar verification method support
Rule 7 — SDF / DPIA	DPIA module: questionnaire, risk heatmap, DPO approval gate, DPIA register export
Rule 8 — Breach notification	Breach Incident Management: 72-hour clock, DPBI notification panel, principal alert dispatch, immutable timeline
Rule 9 — Grievance	DPR module: grievance type, 30-day SLA, Grievance Officer assignment, written response, audit trail
Rule 10 — Rights	DPR module: self-service portal, 90-day SLA, identity verification, cross-system erasure job orchestration

Conclusion: The Rules Close the Gaps the Act Left Open

The DPDP Rules 2025 transform the Act's principles into specific, auditable obligations. The organisations that will emerge compliance-ready are those that read the Rules carefully, map them to their current processes, identify the gaps, and build or procure the infrastructure to close those gaps — before the DPBI is fully operational.

The question is not whether to comply — it is whether you are ready to prove it.

Resources

→ Download the DPDP Act Compliance Readiness Checklist — 30-item self-assessment

→ Read the Full DPDP Act Compliance Mapping — section-by-section feature map

→ Schedule a Vishwaas AI Demo

This blog post is for informational purposes only and does not constitute legal advice. Engage qualified legal counsel for specific regulatory guidance. © 2026 Cross Identity / IdentityPlus Pvt. Ltd. All rights reserved.

About Vishwaas AI

India's privacy and consent management platform purpose-built for DPDP Act compliance with a module for every rule: notice delivery in 22 languages, non-repudiable consent ledger, automated breach notification, rights request management, DPIA workflows, and vendor governance.

Schedule a Demo Compliance Checklist →

Thought Leadership · 18 min

The Complete Guide to India's DPDP Act, 2023

Every provision explained — the definitive reference.

Thought Leadership · 10 min

Why Consent Non-Repudiation Matters

Lessons from eight years of GDPR enforcement.