The Union Government has officially notified the Digital Personal Data Protection Rules 2025, completing a major step in giving effect to India’s new data protection framework. The notification was issued on November 13, 2025, several months after the draft rules were released for public consultation earlier this year.
The final rules introduce a phased enforcement schedule. Provisions relating to key definitions and the establishment of the Data Protection Board of India come into force immediately. Requirements governing consent managers will apply from November 2026, while the core compliance obligations for data fiduciaries, including notice standards, data security protocols, record keeping and grievance handling, will be enforced from May 2027.
One of the major structural changes from the draft is the separation of rules concerning children and persons with disabilities. The draft had combined the two under a single chapter, but the final version places them in distinct provisions. Data concerning children will continue to require parental consent, while a separate rule now addresses situations in which persons with disabilities are unable to make legally binding decisions even with assistance. The substance of both requirements remains consistent with the draft.
The rules dealing with national security related information requests have been reorganised into a dedicated clause. Under this provision, when disclosure of a request risks affecting the sovereignty, integrity or security of India, data handlers must refrain from informing the individual involved unless specifically authorised. Although the structure has changed, the scope of governmental authority remains largely aligned with what the draft originally proposed.
Breach reporting requirements continue unchanged. Data fiduciaries must notify the Data Protection Board within seventy two hours of a breach and must also inform affected individuals. A significant addition in the final rules is a mandatory one year retention period. All fiduciaries must retain personal data, logs, traffic data and related records for at least one year, even if the purpose for which the data was collected has been fulfilled. This widens the earlier requirement, which applied only to specific logs.
Most other elements of the draft have been retained. These include the obligation to erase personal data once the processing purpose is complete, subject to statutory exceptions; the need for robust security safeguards such as encryption and audit trails; the permissive approach to cross border data transfers unless restricted by the Central Government; the responsibilities placed on significant data fiduciaries; and the overall framework governing the functioning of the Data Protection Board.
The notification of the 2025 Rules marks the transition from the drafting stage to the operational phase of India’s new data protection regime, setting precise timelines for compliance and clarifying the mechanisms through which the Act will be enforced.
The post Centre notifies digital personal data protection rules 2025 appeared first on India Legal.