Centre notifies Digital Personal Data Protection Rules, 2025: How different are they from the draft Rules?

The Central government has notified the Digital Personal Data Protection Rules, 2025 through the official gazette on November 13, 2025, several months after the draft rules were first released on January 3, 2025 for stakeholder comments..A notable change is the clarification of when different sections of the rules come into effect:Immediate effect: Provisions related to definitions (Rules 1 & 2) and the structure and procedures of the Data Protection Board (Rules 17 to 21) took effect upon the Gazette's publication on November 13, 2025.1-year deferral: Rule 4, covering the registration and obligations of consent managers, will come into force 1 year after the publication date (November 2026).Eighteen-month deferral: The main compliance burden, including core rules on notice, data security, erasure and appeal procedures (Rules 3, 5 to 16, 22, and 23), is set to begin eighteen months after publication (May 2027)..In the draft rules, the standards for verifying parental consent for children and the verification of lawful guardians for certain persons with disabilities were contained in a single provision (Draft Rule 10). The final rules separate these into two independent rules:Rule 10 now deals exclusively with children, retaining the same illustrations and standards for verifiable parental consent as in the draft.Rule 11 has been carved out as a standalone rule for persons with disabilities who cannot take legally binding decisions even with adequate support, repeating the draft language verbatim..The structure of the rule governing government requests for information has been adjusted for clarity:The confidentiality clause concerning national security, which was grouped with the government’s power to call for information in Draft Rule 22(1), has been moved.The final Rule 23(2) now stands separately, explicitly mandating that where disclosure of furnished information is likely to prejudice the sovereignty and integrity of India or security of the State, the data fiduciary or intermediary must not disclose this fact to the data principal or any other person, except with the prior written permission of the authorised person. This formal separation does not alter the substance of the government's power..The draft contained a complete breach notification regime, requiring data fiduciaries to notify affected individuals without delay and report breaches to the Data Protection Board within 72 hours. These requirements appear word-for-word in the final rules (Rule 7). However, the final notification creates an entirely new obligation that did not exist in the draft and fundamentally reshapes how breaches must be handled thereafter.In the draft, the only 1-year retention requirement was located in Rule 6(e) under security safeguards and applied solely to logs and personal data needed for detecting and investigating unauthorised access. It was not tied to all processing events, all traffic data, or all categories of personal data.The final rules introduce Rule 8(3), which expands the retention duty dramatically. A data fiduciary must now retain all personal data, all traffic data and all logs generated during any processing activity for at least 1 year from the date of such processing. This retention is mandatory for the oversight and investigation purposes listed in the Seventh Schedule and applies even after the primary purpose of processing is fulfilled, even if the user deletes their account. This requirement did not appear anywhere in the draft rules and represents a significant policy shift, creating a direct link between breach investigation and compulsory retention of all processing records for 1 year..Apart from Rule 8(3), the remainder of the regulatory framework is carried forward unchanged:Retention and deletion: Personal data must be erased once the purpose of processing is complete unless legal retention is required and a 48 hour pre-deletion notice must be issued. Entities specified in the Third Schedule must erase personal data after 3 years of user inactivity while retaining logs and records for at least 1 year.Security safeguards: The notified rules reproduce without substantive change the draft’s requirements for encryption, masking or tokenisation, access controls, monitoring for unauthorised access, audit logging, backup arrangements and continuity measures.Consent managers: The framework and detailed obligations for consent managers, including the minimum net worth of ₹2 crore and the requirement to ensure personal data routed through their platform is not readable by them, are identical to the draft.Cross-border transfers: Rule 15 retains the same legal principle that personal data may be transferred outside India unless the Central government imposes specific conditions or restrictions.Significant data fiduciaries & Data Protection Board (DPB): Obligations for significant data fiduciaries (for example, annual data protection impact assessments and audits) and the administrative rules for the DPB remain verbatim from the draft..[Read DPDP Rules].Follow Bar and Bench channel on WhatsAppDownload the Bar and Bench Mobile app for instant access to the latest legal news.