🇮🇳Digital Personal Data Protection Rules

The Act left a lot of blanks. The Rules fill them in.

The Digital Personal Data Protection Rules 2025 are where the Act's obligations become operational. The Act says you must give notice — the Rules say exactly what that notice must contain. The Act says you must implement security safeguards — the Rules list the minimum seven. The Act says purpose cessation triggers erasure — the Rules specify the inactivity timelines that trigger it.

If the Act is the constitution, the Rules are the legislation. Both are binding. And because the Rules are delegated legislation, the Central Government can amend them without going back to Parliament in the same way. The Rules will change. Probably more than once. Monitoring them is not optional.

What a valid notice actually requires

Rule 3 prescribes the content of every notice given before or with a consent request. It must be self-standing — understandable without reference to any other document. It must include an itemised description of the personal data being collected and a specific description of the goods, services or uses it enables. And it must provide the specific communication link or means through which the Data Principal can withdraw consent, exercise rights under the Act, and make a complaint to the Data Protection Board.

A generic privacy policy does not satisfy this. A vague reference to "contact us" does not satisfy this. The notice must clearly specify the particular means available to the Data Principal for each of these three actions. If your consent flows currently leave any of these means unpublished or unspecified in the notice itself, they are non-compliant on the face of the Rules.

The seven minimum security safeguards

Rule 6 sets out seven minimum security safeguards every Data Fiduciary must implement. These are a floor, not a ceiling. The seven are: encryption, obfuscation, masking or virtual token mapping of personal data; access controls on computer resources; logs and monitoring for detecting unauthorised access; data backups for continuity; one-year minimum retention of logs and personal data; appropriate security provisions in all Data Processor contracts; and overarching technical and organisational measures for sustained observance of the above.

Note that Rule 6(1)(f) — requiring security provisions in Processor contracts — makes the security standards contractually enforceable against your vendors. If your vendor contracts do not currently include these provisions, you are not meeting the minimum. This is one of the most commonly overlooked obligations in the Rules.

The inactivity-based erasure system

The Act says personal data must be erased when the specified purpose is no longer being served. But when exactly is that? Rule 8 and the Third Schedule answer the question for three specific classes of organisation.

E-commerce entities with two crore or more registered users, online gaming intermediaries with fifty lakh or more users, and social media intermediaries with two crore or more users must erase personal data after three years of inactivity — measured from the last time the Data Principal approached the organisation for performance of the specified purpose or exercised her rights. The clock started from the commencement of the Rules, not from when the user last logged in historically.

Critically, Rule 8(2) requires the organisation to notify the Data Principal at least 48 hours before the erasure deadline, giving her a chance to re-engage and reset the clock. And Rule 8(3) requires all Data Fiduciaries — regardless of size or sector — to retain personal data, traffic data and processing logs for a minimum of one year before erasure. Even if a user deletes their account on day one, you must retain the associated data and logs for twelve months.

Verifiable parental consent — the mechanics matter

Rule 10 prescribes how verifiable parental consent must be obtained before processing any child's personal data. You must verify that the individual claiming to be the parent is an identifiable adult. The Rule gives three ways to do this: use reliable identity and age details you already hold for that person; use details voluntarily provided by the individual; or use a virtual token from an authorised entity such as a Digital Locker service provider.

The Rule also establishes exemptions in the Fourth Schedule — clinical establishments, mental health professionals, allied healthcare professionals, educational institutions, and a small set of other classes — subject to strict conditions. These exemptions are narrow and conditional. If you process children's data in a healthcare or education context, read the Fourth Schedule conditions carefully before assuming you qualify.

The annual DPIA and audit cycle for SDFs

Rule 13 operationalises the SDF obligations from the Act. Once designated, an SDF must complete a full Data Protection Impact Assessment and compliance audit within every rolling 12-month period from the date of notification. The person conducting the DPIA and audit must furnish to the Data Protection Board a report containing all significant observations — not just a clean bill of health.

Rule 13(3) requires SDFs to exercise due diligence on algorithmic software they use for hosting, displaying, uploading, modifying, transmitting, storing, updating or sharing personal data, to verify that it does not pose a risk to Data Principal rights. This is not a paper exercise. It requires a structured methodology, documented findings, and remediation of identified risks.

Rights exercise — the published identifiers requirement

Rule 14 requires every Data Fiduciary to prominently publish on its website or app the specific means by which a Data Principal can exercise her rights — and the specific identifiers she will need to do so. An identifier under Rule 14(5) means things like a customer ID, email address, mobile number, enrolment ID or application reference number. Publishing a general contact email and calling it a rights mechanism does not meet this standard.

The 90-day grievance response timeline is also prescribed here. The organisation must implement the technical and organisational measures necessary to actually meet that deadline — not just publish it and hope. If your current helpdesk process cannot guarantee a substantive response within 90 days, that is a gap that Rule 14 requires you to close.