Insight into Digital Personal Data Protection Rules 2025

  • Insights

Categories

Read the article on LinkedIn
Share

With the Digital Personal Data Protection Act 2023, now supported by the DPDP Rules 2025, organisations should begin aligning their governance, privacy operations and security protocols with the structured compliance timeline set out under the Rules.

The Rules reflect a SARAL approach (Simple, Accessible, Rational and Actionable) as highlighted in the framework, ensuring clarity in obligations and accessibility for all stakeholders.

Immediately on Notification

All provisions relating to oversight, inquiry and enforcement by the Data Protection Board are now effective.

1 Year After Publication

Consent Managers must register with the Data Protection Board and comply with defined eligibility and interoperability standards.

18 Months After Publication

Key compliance obligations become operational. Organisations must ensure:

  • Clear, independent privacy notices with itemised data details and an easy consent withdrawal mechanism (as illustrated under Notice Requirements).
  • Published channels for individuals to exercise access, correction and grievance rights.
  • Robust security safeguards including encryption, monitoring and continuity controls, together with retention of processing logs for at least one year (as reflected in the Security Safeguards and Retention sections).
  • Timely breach notifications to affected users and the Data Protection Board following the structured process outlined in the Rules.
  • Transparent publication of the DPO or authorised representative’s contact details.
  • Advance notice before data erasure and adherence to the statutory minimum retention period.
  • ⁠Verifiable parental consent for processing child data and confirmation of lawful guardian consent for persons with disabilities.
  • Additional obligations for Significant Data Fiduciaries including annual DPIA, independent audit and potential data localisation requirements.
  • Government directions that may restrict cross border transfers of personal data.
  • Intimation to individuals when their data is processed for State subsidies, benefits, licences or permits.
  • Flexibility for research and statistical processing when compliant with prescribed standards.

Sarvaank Associates continues to assist clients in interpreting the Act, mapping obligations to internal processes and building practical, implementable data protection frameworks suited to their sector and scale.

Categories

Related Posts

Monthly Newsletter | Sarvaank

Here is our Monthly Newsletter for period from 01 November 2025 to 30 November 2025. In this issue, we explore

SEBI: Revised Regulatory Framework for Angel Funds

SEBI’s revised framework for Angel Funds, effective September 2025, mandates raising capital solely from Accredited Investors, with a minimum of

FDI in Defence Sector

This presentation provides an in-depth overview of the evolution and liberalisation of Foreign Direct Investment (FDI) in India’s defence sector,

Locations

  • Delhi Office:
    Office No. 8, First Floor, Atmaram Mansion (Scindia House), Connaught Place, New Delhi 110 001
  • Bengaluru Office:
    WeWork Embassy Golf Links, Cinnabar Hills Off Intermediate Ring Road, Domlur Stage Bengaluru, Karnataka 560071

Contact Info

Linkedin-in Twitter

Practice Areas

Useful Links

Designed & Developed by LexBlurb. Powered By QD Communications

Semi Reverse Logo with Tagline (2)

Disclaimer

Sarvaank Associates provides a host of services including business advisory, secretarial retainership and legal retainership for which we engage several qualified professional including lawyers. Therefore, as per the rules of Bar Council of India, we are not permitted to solicit work and advertise. By clicking on the “I Agree” below, the user acknowledges the following:

  1. The user wishes to gain more information about Sarvaank Associates, its practice areas and its attorneys and other professionals for his/her own information and use;
  2. There has been no advertisement, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
  3. The user wishes to gain more information about us for his/her own information and use;
  4. The information about us is provided to the user only on his/her specific request and any information obtained or materials downloaded from this website is completely at the user’s volition and any transmission, receipt or use of this site would not create any lawyer-client relationship.
  5. None of the information contained on the website is in the nature of a legal opinion or otherwise amounts to any legal advice.

The information provided under this website is solely available at your request for informational purposes only, should not be interpreted as soliciting or advertisement. We are not liable for any consequence of any action taken by the user relying on material/ information provided under this website. In cases where the user has any legal issues, he/she in all cases must seek independent legal advice.


I AGREE
I DISAGREE