DPDP Rules 2025 are notified — the compliance clock has started
India's Digital Personal Data Protection Rules, 2025 were notified on 14 November 2025, putting the 2023 Act into motion. The core obligations are phased in over 18 months, with the hard deadline for most businesses on 14 May 2027.
What changed
On 14 November 2025, the Ministry of Electronics & Information Technology (MeitY) notified the Digital Personal Data Protection (DPDP) Rules, 2025. This is the step everyone was waiting for: the DPDP Act, 2023 had been passed but was largely dormant until the Rules gave it operational detail.
Enforcement is phased over 18 months from notification, so nothing substantive is enforced overnight — but the timeline to get ready is now fixed.
Why it matters
If your business collects personal data from people in India — names, emails, phone numbers, payment details, anything that identifies a person — the DPDP framework now applies to you. The Rules cover how you take consent, what notice you must give, how people exercise their rights, and the security you must maintain.
What this means for you
You have a real, dated runway. The biggest mistake is treating "phased over 18 months" as "ignore until 2027." Mapping your data and fixing consent flows takes time — start now.
What to do now
SprintMap where you hold personal data and who you share it with, then plan your consent, privacy-notice and data-deletion flows well before 14 May 2027.
- you collect customer personal data
- you run a website or app with sign-ups
- you hold data on customers or employees
Press Information Bureau (MeitY) · DPDP Rules, 2025 (notified 14 Nov 2025)
Don't just read it — find out where you stand.
A free scan shows what your live site is exposing today. When you're ready to be audit-ready, our Compliance Sprint gets you DPDPA-ready in 30 days.
General information, not legal advice. Verify against the cited primary source and confirm specifics with a qualified advisor before acting.