Transforming data privacy: DPDP Act, 2023 and DPDP Rules, 2025

Key operational expectations for Data Fiduciaries

The Rules outline clear expectations for how Data Fiduciaries must manage notices, consent, retention, breach reporting, security safeguards and the processing of personal data relating to children and persons with disabilities.
 

Notice and consent

Fiduciaries must publish a notice in plain, itemized language specifying:

• What personal data is collected
• Why it is collected
• How Data Principals can exercise rights or submit complaints
• A communication link or any other means to contact the fiduciary

Consent must be free, specific, informed, unconditional and based on clear affirmative action.
 

Data retention and erasure

• Purpose-specific retention timelines must be defined.
• Individuals must be notified at least 48 hours before erasure.
• Special classes of data fiduciaries (e.g., e-commerce platforms with 2 crore users, social media intermediaries, gaming platforms) must delete personal data within three years of last interaction.

Personal data breach response

• Immediate intimation of the breach to Data Principals and the Board
• Mandatory detailed breach report to the Board within 72 hours
• Actionable steps to mitigate harm

Processing of children’s data

The Rules outline specific safeguards for processing children’s personal data. Organizations must:

• Obtain verifiable parental consent
• Verify the identity and age of the parent or guardian
• Refrain from behavioral monitoring and targeted advertising directed at children

Certain categories such as healthcare professionals, educational institutions and child transport providers are exempt from some parental consent requirements due to the nature of their services.
 

Significant Data Fiduciary (SDFs) obligations

Significant Data Fiduciaries must adopt enhanced governance and oversight measures. These include:

• Appointing a Data Protection Officer (DPO)
• Conducting annual Data Protection Impact Assessments (DPIAs)
• Undergoing annual independent audits
• Undertaking algorithmic transparency and fairness assessments
• Ensuring enhanced due diligence for technical measures

Preparing for compliance: The 18-month journey

Organizations are expected to follow a phased approach to align with the Act and the Rules. This involves both foundational and advanced activities across data discovery, governance, security and process modernization.
 

0-6 months: Assessment and planning

During this phase, organizations typically focus on understanding their current privacy posture and identifying personal data touchpoints. Key activities include:

• Assessing existing policies, processes and documentation
• Conducting data discovery and mapping
• Documenting processing activities and data flows

6-12 months: Implementation of core controls

Once the assessment is complete, organizations must focus on implementing the core requirements of the Rules. This includes:

• Updating privacy notices and consent mechanisms
• Strengthening baseline security safeguards (encryption, access controls, log retention)
• Establishing breach response procedures
• Defining and documenting retention schedules

12-18 months: Monitoring, automation and advanced compliance

As organizations approach full compliance, they will need to establish ongoing processes that support sustainability. These include:

• Conducting DPIAs and independent audits (for SDFs)
• Reviewing third-party contracts and governance mechanisms
• Implementing privacy-enabling technologies (PETs)
• Establishing periodic monitoring programs