On 14 November 2025, the Indian Government issued four separate notifications (“Notifications”) under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) relating to the newly issued Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), the phased enforcement timeline for the DPDP Act, the formal establishment of the Data Protection Board of India (“Board”), and the determination of the number of members who will constitute the Board.
The DPDP Rules
The DPDP Rules set out requirements for Data Fiduciaries, Consent Managers and other stakeholders under the DPDP Act, including the following:
- Data Fiduciaries need to publish clear, standalone privacy notices in plain language, listing the items of personal data collected, their processing purposes, direct links for withdrawal of consent and grievance-redressal contact details.
- Consent Managers continue to play a key role under the DPDP framework to assist individuals in exercising their rights and managing consent, with registration requirements and oversight by the Board.
- Further obligations are stipulated with respect to parental consent, which must be obtained for processing data of children and which should be verifiable by reference to reliable details of identity and age of the individual available with the Data Fiduciary, or details of identity and age voluntarily provided by the individual, or through a virtual token mapped to such details which is issued by an authorised entity.
- The DPDP Rules include security and organisational safeguards with respect to encryption, access controls, logging of processing activities and timelines for data-breach reporting.
- Any personal data may be transferred outside India, provided the Data Fiduciary complies with any conditions that the Central Government may prescribe by general or special order regarding making such data available to any foreign State or its controlled persons, entities or agencies.
Commencement and Framework
A phased commencement framework has been adopted for the DPDP Act and the DPDP Rules, providing a structured and predictable transition pathway. As of the date of publication of the Notifications, the Government of India has operationalised the establishment of the Board and other sections that cover miscellaneous provisions such as protection of action taken in good faith, power to make rules and amend certain acts except the Information Technology Act, 2000. On completion of 12 (twelve) months from the date of publication of the relevant Notification, the registration and obligations of Consent Managers with the Board, and the powers of the Board to investigate and penalise Consent Managers for violating their registration conditions, will be enforced. The remaining sections and rules covering detailed compliance obligations and other operative provisions concerning Data Fiduciary obligations and Data Principal rights will come into force 18 (eighteen) months from the date of publication of the relevant Notification.
Board
The Notifications clarify that the Board will consist of 4 (four) members responsible for carrying out its statutory functions under the DPDP Act and the head office of the Board will be situated in the National Capital Region of India.
- The DPDP Rules may be accessed at: https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf
- The Enforcement Timeline for the DPDP Act may be accessed at: https://www.meity.gov.in/static/uploads/2025/11/c56ceae6c383460ca69577428d36828b.pdf
- The Establishment of the Board may be accessed at: https://www.meity.gov.in/static/uploads/2025/11/cc217843dc3bcb37b2b05bcc3b4e031f.pdf
- The Decision Regarding Number of Members in the Board may be accessed at: https://www.meity.gov.in/static/uploads/2025/11/f6c0837972422cf79d890bfe84cc04d6.pdf