Home » DPDP Act 2023 & DPDP Rules 2025 — A Practical, Human-Friendly Guide for Organisations

DPDP Act 2023 & DPDP Rules 2025 - A Practical Guide for Organizations

Introduction to DPDP Act 2023 & DPDP Rules 2025

India’s privacy law is finally complete.
The Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 together create a modern privacy framework that every organisation working with personal data must now put into practice.

The shift is simple, but significant:

You must explain clearly what data you collect and why.
You must erase personal data once the purpose ends.
You must enable people to access, correct and erase their data.
You must notify individuals and the Board quickly when things go wrong.

This guide breaks the Act and Rules down into practical terms—without legal jargon—so teams can understand what is changing and what needs to be implemented.

It reflects the latest text from the Act and the Rules (7 Schedules) exactly as notified.

Why the DPDP Act Matters

India is now one of the world’s largest digital markets. With millions of users generating data through apps, payments, health records, travel, and customer interactions, the earlier “trust-based” model simply wasn’t enough.

DPDPA In 8 Buckets

The DPDP Act introduces:

Clear rights for individuals
Clear duties for organisations
A dedicated Data Protection Board (DPB) for enforcement
Structured timelines for compliance
A rules engine for practical implementation

Most importantly, the law adopts a modern, predictable approach—one that expects organisations to be transparent, respectful, and responsible in how they handle personal data.

Want Your Teams to Become DPDP-Ready?

We run India’s most practical DPDP Training Programmes — including a 1-Day Masterclass and a 2-Day Advanced Bootcamp with real templates, SOPs, breach simulations, notice-rewriting workshops, and DSAR labs.

Ideal for: HR, Legal, IT, Security, Product, Ops, Marketing & Privacy Teams.

Explore DPDP Training Programmes

The Architecture of India’s Privacy Framework

(Act + Rules + 7 Schedules)

A) The Act
Defines the principles: rights, duties, legal grounds, penalties, exemptions, Board processes.

B) The Rules (23 Rules) and Seven Schedules
Operational elements: notices, consent, breach timelines, retention, children, SDFs, cross-border, log-retention.

Schedule I — Consent Manager
Schedule II — processing of personal data by State and its instrumentalities and research & development
Schedule III — Notified category – ecommerce, online gaming and social media intermediary – retention and pre deletion notice
Schedule IV — Exceptions for children and persons with disability (PWD) (e.g., real-time safety use cases)
Schedule V — Terms and conditions of service of Chairperson and other Members
Schedule VI — Terms and conditions of appointment and service of officers and employees of Board
Schedule VII — Processing by state and its instrumentalities

Together, these components form India’s complete privacy regime.

Applicability- Who must comply

The DPDP Act applies to:

Any personal data processed digitally in India
Personal data that starts offline but becomes digital
Processing outside India if tied to offering goods/services to people in India

DPDP does not apply to:

Personal data used for purely personal or domestic purposes
Offline-only data never digitised
Data that is self-published by the individual or legally required to be published

This is broad enough to cover almost every modern organisation.

Core Definitions — Get the Roles Right

These four terms determine obligations:

Data Principal

The individual to whom the data belongs (includes parents of children + lawful guardians of persons with disabilities).

Data Fiduciary (DF)

The organisation that decides why and how personal data is processed.

Data Processor (DP)

A service provider processing personal data on behalf of the DF.

Significant Data Fiduciary (SDF)

Large or high-impact organisations designated by Government based on:

volume
sensitivity
AI/ML usage
national interest
risk of harm

SDFs have stricter duties (DPO, audits, DPIA, algorithmic due-diligence).

Need Hands-On Help Implementing the DPDP Act?

Pricoris provides end-to-end DPDP compliance consulting:
Notice + consent redesign
Retention & erasure workflows
DSAR handling
Legitimate Use register
Security safeguards
Processor contracts
Breach governance
PIMS (ISO 27701:2025) upgrade
GDPR → DPDP alignment

Explore DPDP Consulting

Legal Grounds for Processing

(Consent + Legitimate Use)

Consent

Must be:

free
specific
informed
unambiguous
unconditional
based on clear affirmative action

Bundled or vague consent is invalid.

Legitimate Uses

The Act lists specific legitimate-use grounds, including:

voluntary data provided for a particular purpose
compliance with law
emergencies
employment-related purposes
fraud prevention
judicial orders

DPDP does not recognise GDPR-style “Legitimate Interest”.

It uses a strict, closed-list Legitimate Use category instead.

Notices — The Foundation of Lawful Processing

Notices (Rule 3 + Schedule Requirements)

A valid privacy notice must clearly explain:

Identity / contact details of the Data Fiduciary
What personal data is collected (itemised list)
Purpose of processing
Rights of the Data Principal
Grievance officer details
Language (English or any Eighth Schedule language)
Change notifications
Mechanism to withdraw consent

UI/UX matters.

Notice must be simple, accessible, and easy to understand.

Download Free DPDP Templates & SOPs

Our DPDP Toolkit includes ready-to-use:
DSAR Register
Breach Register
Notice Template
Consent SOP
Legitimate Use SOP
Children’s Data SOP
Data Protection Agreement
Exemption cheat sheet
Perfect for teams starting DPDP implementation.

Download the DPDP Toolkit

Consent Managers — Optional for Data Fiduciaries

Consent Managers form a separate category of registered entities, with obligations under the First Schedule.

Data Fiduciaries may choose to use a Consent Manager but are not mandated to do so.

Consent Managers must:

provide dashboards
maintain logs for 7 years
support APIs
offer secure, tamper-proof consent records
meet Indian incorporation + governance + financial criteria

Only Consent Managers must register under Rule 4.

Duties of Data Fiduciaries (DFs)

Data Fiduciaries must:

maintain reasonable security safeguards
ensure accuracy (when relevant)
publish contact details
allow withdrawal of consent
provide grievance redressal
implement retention + erasure as per Act & Rules
manage processors through contracts
notify breaches
build internal governance for rights, notices, retention

These duties form the backbone of compliance.

Retention & Erasure — Where Most Organizations Struggle

Default Rule (Act + Rule 6)

Erase data when:

purpose is complete
consent is withdrawn
retention period ends

Logs: minimum 1 year.

Third Schedule — Three-year inactivity rule

Applies to sectors like:

large e-commerce
OTT / gaming
social media platforms

They must:

delete data after 3 years of inactivity
provide 48-hour pre-erasure notice

Seventh Schedule — One-year mandatory retention

Applies to specific sovereign/statutory categories only.

These details must flow into every organisation’s retention policy.

Breach Notification — India’s Strongest Obligation

Breach Notification Duties

Data Fiduciaries must notify:

Data Principals — immediately
Data Protection Board — immediately, followed by a detailed report within 72 hours

Large platforms must maintain logs for 3 years (Schedule VI).

Children & Persons With Disabilities (PWD)

(Section 10 + Schedule IV)

Strictest provisions:

verifiable parental consent
no tracking, profiling, targeted ads
processing must not harm well-being
exceptions exist for real-time safety functions
guardian verification for PWD as per RPwD Act / National Trust Act

Significant Data Fiduciaries (SDF)

SDFs must implement:

Data Protection Officer (reporting to Board)
independent annual privacy audits
DPIA
enhanced algorithmic accountability
localisation if notified

DPDP Readiness Scorecard (Free Tool)

A 9-dimension assessment to benchmark your compliance maturity. Helps identify gaps across notices, consent, rights, breach governance, vendor ecosystem, retention, and technical controls.

Download the DPDP Readiness Scorecard (PDF/Excel)

Rights of Individuals

Every Data Principal has rights to:

access
correction
completion
updating
erasure
grievance redressal
nomination (post-death)

DFs must respond within 90 days.

Cross-Border Data Transfers

(Schedule V)

DPDP follows a blacklist model:

Transfers are allowed unless a country is specifically restricted.
Financial, health and telecom sectoral localisation rules remain unchanged.

Exemptions

Limited exemptions exist for:

sovereignty & security
public order
courts
preventive/detection functions
research & statistical uses
startups (if notified)

Even with exemptions, Second Schedule principles still apply.

Penalties

Penalties & Appeals

Up to ₹250 crore for security failures.

DPB will follow digital-first proceedings.

Appeals go to TDSAT.

Compliance Timelines

Immediate — 13 November 2025

DPB setup

Complaints and inquiries can begin

Organisations must show “good-faith readiness”

12–13 Months — By 13 November 2026

Consent Manager ecosystem becomes active

Registration + dashboards + APIs + log-retention

18 Months — By 13 May 2027

Full DF compliance kicks in:

notices

consent

legitimate use

rights + 90-day SLA

breach notification

retention + erasure

children/PWD rules

cross-border allocation

SDF duties

Early Readiness Advisory

IT Minister Ashwini Vaishnaw has confirmed that timelines may be shortened and urged companies to adapt GDPR/PIMS frameworks now, not later.

Download the DPDP 2025 Whitepaper

A concise, senior-leadership-ready whitepaper analysing:

Act + Rules + 7 Schedules

Practical obligations

Sectoral impact

SDF requirements

Retention logic

Governance & audit expectations

Download DPDP Whitepaper