
What the DPDP Act 2025 Rules Actually Mean for Your IT Team

April 15, 2026 · 7 min read · By Riya Desai, CISO

The Digital Personal Data Protection Rules, 2025 are in force. If your organisation processes personal data of Indian residents — and almost every business does — you are a Data Fiduciary with obligations that fall squarely on your IT and security team.

Here's the plain-English version of what you need to do.

Notice and Consent. You must present a clear, plain-language notice to data principals (your users, customers, employees) explaining what data you collect, why, and for how long. Buried 40-page privacy policies don't satisfy this. The notice must be "in clear and plain language" and must precede or accompany data collection.

Consent mechanisms. Consent must be specific, informed, unconditional, and revocable. Pre-ticked boxes don't work. You need a genuine opt-in, and a mechanism for users to withdraw it at any time. Your marketing automation, CRM, and HR systems all need auditing here. Check our own compliant setup in our Privacy Policy as a reference.

Data Principal rights. Users can request access to their data, correction of inaccuracies, erasure (right to be forgotten), and grievance redress. You must respond within the mandated window. This requires a workflow — in your CRM, your HR system, your cloud storage — not just a process document. Under the latest Rules, you must also support nominating a proxy to exercise rights.

Security safeguards. The Rules require "reasonable security safeguards" commensurate with the risk. In practice: encryption at rest and in transit, access controls, regular vulnerability assessments, and incident response procedures. See our security posture checklist in Trust & Compliance to check your enterprise alignment.

Breach notification. A personal data breach must be notified to the Data Protection Board of India (DPBI) and to affected Data Principals "in the prescribed manner." The DPBI enforces a strict 72-hour notification window. Your IR plan must include this.

Significant Data Fiduciaries. If you're designated an SDF (based on volume or sensitivity), you face additional obligations: a Data Protection Impact Assessment (DPIA), a Data Protection Officer (DPO), and annual audits. Watch for the government's SDF notification.

What to do today: 1) Map every personal data flow in your organisation. 2) Review all consent mechanisms. 3) Implement a data subject request (DSR) workflow. 4) Ensure your IR playbook includes DPBI notification. 5) If you don't have a Grievance Officer appointed, do it now — the Rules require one. For expert advice on auditing your data mapping, consult with our compliance engineers.

Riya Desai, CISO
Axiom Infinity leadership team. Expert in enterprise infrastructure, cloud orchestration, cybersecurity, and compliance.
