
DPDP Rules 2025

Ashwani Paliwal
November 14, 2025

The Government has finally notified the Digital Personal Data Protection Rules, 2025 under Section 40 of the Digital Personal Data Protection Act, 2023.

I spent time going through the Gazette in detail so you do not have to. Here is a practical breakdown of what actually changes for businesses in India. When something is “in force” under a Gazette notification, it means the obligations or institutional mechanisms under that Rule can legally operate from that day.

1. What has just gone live

The notification does three important things:

  • Formally brings into effect the Digital Personal Data Protection Rules, 2025
  • Immediately enforces only a small set of rules
  • Schedules the rest of the heavy compliance obligations over the next 18 months

(The DPDP Act itself was enacted in August 2023. These Rules determine when different parts of the Act start applying.)

Effective from the date of publication (13 November 2025):

  • Rule 1 – short title and commencement
  • Rule 2 – key definitions used in the Rules (Act, user account, techno-legal measures, verifiable consent)
  • Rules 17 to 21 – everything related to the Data Protection Board of India

This covers:

  • How the Chairperson and Members are selected
  • Their salary and service conditions
  • How Board meetings are run and how its orders are authenticated
  • The Board functioning as a fully digital office and hiring its staff

This matters because enforcement of the DPDP Act is not possible without a functioning Data Protection Board. With these Rules, the institutional machinery is now live.

2. What is coming next and when

The compliance obligations that most companies care about will take effect in phases:

After 1 year

  • Rule 4, linked to certain State processing and standards for public bodies

After 18 months

  • Rules 3, 5 to 16, 22 and 23

These will specify:

  • How notices to individuals must look and what they must contain
  • Security safeguards and breach notification obligations
  • Extra obligations for Significant Data Fiduciaries (DPIA, audits, etc.)
  • Rules for processing children’s data and data of persons with disabilities
  • Rules on cross-border transfers, research exemptions, and appeals to the Appellate Tribunal
  • The Government’s power to call for information from Data Fiduciaries and intermediaries

The Act itself sets the foundation for cross-border data transfers; the Rules define the operational timing.

So we now have a clear runway: roughly 18 months for businesses to get DPDP-ready.

3. Who needs to care

The DPDP Act applies to almost every organization that touches digital personal data in India:

  • Startups and tech product companies
  • MSMEs and SMBs managing customer or employee records
  • Large enterprises and conglomerates
  • SaaS providers and cloud platforms
  • Government agencies and public sector entities

There is a special high-risk category called Significant Data Fiduciary, which will have extra obligations like regular audits and data protection impact assessments. But even “normal” Data Fiduciaries cannot ignore the Act.

4. What happens if you get this wrong

The Act’s Schedule gives the Data Protection Board power to impose very high financial penalties:

  • Up to ₹250 crore for failing to maintain reasonable security safeguards
  • Up to ₹200 crore for not reporting a personal data breach or mishandling children’s data
  • Up to ₹150 crore for breach of Significant Data Fiduciary obligations
  • Up to ₹50 crore for other violations of the Act or Rules
  • Up to ₹10,000 for misuse of rights by individuals

The Board will look at the nature and duration of the breach, type of data, recurrence and mitigation efforts before deciding the actual penalty.

This is not an “only big tech will be fined” law. Any organization that mishandles personal data at scale can be in scope.

5. How does DPDP compare globally?

A short view based on other regimes like GDPR and CCPA:

  • Teeth – Strong. Penalties are comparable in deterrence to global laws.
  • Complexity – Lower. The Act is shorter and easier to read than GDPR, which is good for MSMEs.
  • Individual rights – Narrower. Fewer explicit rights than GDPR, but core ideas like access, correction and erasure are present.
  • Government role – More controversial. The State has wider exemptions and stronger control over the regulator than what you see in EU-style models.

Overall, DPDP is a serious data protection law with strong enforcement, written in simpler language, but with some trade-offs around government power and scope of individual rights.

6. What should MSMEs, SMBs and enterprises do now

Treat the next 12 to 18 months as a focused transformation window, not a grace period to ignore the law.

Get a real handle on:

  • What personal data you collect and where it lives
  • How long you keep it and whether you really need all of it
  • Basic security hygiene – access control, patching, backup, logging and incident response
  • Your breach notification playbook and who will talk to the Board when something goes wrong

If you are building or running products for Indian users, this is the right time to align your architecture, contracts and processes to DPDP instead of bolting it on later.

We finally have clarity on India’s data protection journey. The next 18 months will separate organizations that take privacy seriously from those that treat compliance as a checkbox.

If you are a founder, CISO or product leader and want to discuss how DPDP impacts your business, happy to chat.
