On November 13, 2025, the Indian government published its final Digital Personal Data Protection Rules, 2025 (Rules). The substantive portions of these rules will come into force 18 months from their date of publication.

You may remember that India had passed the Digital Personal Data Protection Act, 2023 (DPDPA), more than two years ago. The law’s implementation had been on hold pending the formulation of the rules to be issued under it. These rules have now been finalized and notified.   

You can access the final version of the rules here  

What the final rules say: The final rules spell out how the substantive provisions of the DPDPA are to be implemented. They include additional guidance on matters such as the constituent elements of a Privacy Notice, mechanism and timelines for reporting personal data breaches, and data retention periods based on the nature of the entity (e.g., social media intermediaries, e-commerce entities, etc.). They also contain some administrative elements relating to the establishment of India’s data regulator, the Data Protection Board. 

What this means for businesses collecting data: With the rules now in force, the stakes for data compliance are raised significantly. The DPDPA prescribes steep monetary penalties (up to INR 250 crore per breach in some cases) for non-compliance with its provisions. Organizations will need to revisit their operations and determine the gaps that need addressing. This includes reviewing how privacy notices are drafted, how data principals’ consent and withdrawal processes are operationalized, breach reporting mechanisms, retention practices, data principals’ exercise of their rights, and grievance redressal procedures. 

What this means for “processors” of data: Entities that are operating in support of data fiduciaries (i.e., data collectors) will also need to align their practices for conformity with the DPDPA. These processors can expect specific contractual clauses in their agreements with data fiduciaries, mandating compliance with DPDPA norms, breach-reporting measures, and data-retention requirements. While most obligations under the DPDPA will fall on the data fiduciary, a data processor may also be called upon to show compliance in certain instances.  

What happens next: The privacy rules will be implemented in a phased manner. Rules that pertain to “consent managers” come into force one year from publication, and some administrative portions of these rules come into force immediately. Provisions impacting security safeguards, breach intimations, verifiable consent, etc., come into force 18 months from the date of publication.

Click here to read the original, full client alert by Vikram Jeet Singh of Ally Law member firm BTG Advaya.