DPDP Act Rules
The DPDP Act received the Presidential Assent in October 2023, marking a significant step towards enforcement.
The union government of India published the draft "DPDP Act Rules" in January 2025; these are known as the Draft Rules.
Final rules are to be notified by the month of July 2025.
If the DPDP Act is passed, what is the need for separate rules?
Quoting from the bare Act (the DPDP Act, 2023)
"The provisions contained in this Act will be enforced on such dates as notified by the Union Government of India, and different dates may be notified for different provisions of the Act."
In other words, although the Act is technically a law now, it will only be fully enforceable once the union government issues specific notifications or rules detailing how and when each provision will take effect. The Act also allows the government to notify different dates for the enforcement of different sections.
DPDP Act Rules, 2025
Rule 3
Consent Notice
3(a) The notice for consent should be drafted and presented separately and should not be combined with any other notice (e.g. terms and conditions, terms of use, etc.).
3(b) The consent notice should be drafted in simple language and should include the categories of personal data collected and the purpose of collecting that personal data.
3(c) The consent notice should also include the URL/email address through which the data principal can withdraw consent and exercise data principal rights.
Key Takeaways from Rule 3
The notice for consent refers to the privacy policy of the website/application.
The rule requires the privacy policy of the website to:
1. Be a separate document; the contents of the privacy policy cannot be combined with any other consent sought by the business. For example, if the business website/app requires users to agree to the ‘terms of use’ or ‘terms and conditions’, the privacy policy contents cannot be merged into those terms.
2. Be written in plain and simple language, without excessive technical or legal jargon, so that it can be understood by a layperson, and be provided in a language easily understood by the user.
3. Provide users with a URL/email address where they can withdraw consent (for example, where a delete-data request can be sent), as well as the details of the Data Protection Board, where users can raise grievances about consent management (the Data Protection Board is yet to be formed).
Rule 6
Security Safeguards
6(1)(a) Encryption of personal data at rest as well as personal data in transit.
6(1)(b) Access control mechanisms, including RBAC with the Principle of Least Privilege, along with other measures such as multi-factor authentication.
6(1)(c) Logging and monitoring of security incidents and events to detect and investigate unauthorized access to personal data.
6(1)(d) Measures for protecting the confidentiality, integrity and availability of personal data.
6(1)(e) Retention of system access logs, application logs and error logs, along with the audit trail, for at least 1 year.
6(1)(f) Data Processing Agreements should be executed between the business processing personal data and its vendors (those who have access to the personal data).
6(1)(g) Organizational measures to delegate security responsibilities to an experienced data privacy professional, or even to create a Data Privacy Office staffed by internal employees trained on the principles of data privacy. Clearly define the roles and responsibilities of personnel involved in DPDP Act compliance.
Rule 7
Personal Data Breach
The definition of “personal data breach” from the DPDP Act: any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data.
7(1) In the event of a personal data breach, as defined in the Act, the organization (Data Fiduciary) should notify the persons whose personal data was breached. The communication to individuals will contain details such as what personal data has been compromised, the likely consequences and risks to the individual arising from the breach, any recommendations to the individual for mitigating those risks, and contact details for further queries.
DPDP Act Rules - FAQs
What are DPDP Act Rules?
While the DPDP Act lays the foundational framework for personal data protection in India, it does not include all the operational details needed for enforcement. The missing pieces of this puzzle are expected to be filled in by the DPDP Act Rules. The initial rules were drafted and released for public feedback in January 2025. Final rules are likely to be notified by the end of 2025.
What is the purpose of DPDP Act rules?
The DPDP Act rules will serve as guidelines to clarify certain provisions of the Act. The rules also provide clarity on how the law will be implemented in practice. Some examples of what the DPDP Act Rules will likely include are:
Contact details of the Data Protection Board (DPB)
Breach notification timelines
What is the importance of DPDP Act rules?
Think of the DPDP Act as a skeleton that lays out the broad principles surrounding data privacy protection. The DPDP Rules, on the other hand, will serve as the flesh and blood, clarifying these principles to ensure proper execution. Without these rules, the Act would remain incomplete and unenforceable.
The rules will play a crucial role in the operationalization of the Act and avoid ambiguity in the interpretation of personal data protection law in India. The rules will provide clarity on several key matters, including:
Operational procedures: How organizations must handle requests from individuals exercising their data rights, such as the right to access, correct, or delete their data.
Categorization of data fiduciaries: Which organizations would be considered 'significant data fiduciaries' and the basis for such classification (e.g. volume of personal data, sensitivity of that data, risks to individuals, risks to national security, etc.).
Who is responsible for creating these rules?
The Indian government, through the Ministry of Electronics and Information Technology (MeitY), has published draft rules and is in the process of notifying the final rules with feedback from industry and civil society. The finalization of the rules will be a crucial step towards making India’s data protection framework fully functional.
DPDP act rules - Key compliance areas
Breach Notification Process
A key area that businesses will need to focus on is the breach notification requirements. The rules are expected to outline how quickly businesses must inform the Data Protection Board (DPB) and affected individuals in the event of a data breach. This will be crucial for organizations to stay compliant and mitigate risks associated with data leaks.
Data Processing Agreements
Since the DPDP Act applies to any organization processing personal data, it will be important for businesses to understand the specific obligations of their data processors (third parties handling data on behalf of the organization). The rules may outline what should be included in Data Processing Agreements (DPAs) to ensure compliance.
Cross-Border Data Transfers
As India’s data protection landscape takes shape, cross-border data transfers will become a vital area for compliance. The rules are expected to clarify how data can be transferred outside India and under what circumstances, ensuring businesses adhere to international standards while protecting individuals' data. Rival nations and adversaries such as China, Pakistan, Turkey and Azerbaijan are likely to be on the list of blacklisted countries for personal data transfers.
Data Protection Board (DPB)
The DPDP Rules are expected to outline the process for individuals to file complaints with the Data Protection Board (DPB) regarding violations of their data privacy rights. This will provide a clear, accessible route for redressal and strengthen the enforcement of the law.
What should you do while awaiting final DPDP Act rules?
Bellwether recommends that organizations start preparing for DPDP Act compliance by focusing on the core principles outlined in the Act.
Some actionable steps include:
Data Flow Map
Identify the points at which personal data is first collected and the systems used to process it. A visual map can go a long way.
Document which pieces of personal data are processed and the rationale for collecting each piece of personal data.
Define how long you intend to keep the personal data collected from individuals, taking into account other statutory record-keeping requirements.