The government on Friday formally issued the rules under the Digital Personal Data Protection (DPDP) Act, marking the operational rollout of India’s first dedicated law governing digital privacy.
Obligations for data handlers
The notification brings clarity to how companies, government departments and digital service providers must collect, store and handle personal data.
The rules outline detailed obligations for “data fiduciaries” — entities that process personal information — and establish clear rights for individuals, including the ability to give, withdraw or review consent for how their data is used.
Phased implementation timeline
A phased implementation schedule has been set. Core obligations related to consent, purpose-limited data use and grievance handling take effect immediately, while more complex compliance requirements will become mandatory over the next 12 to 18 months. The government has also defined the framework for identifying “significant data fiduciaries,” who will face enhanced responsibilities such as independent audits and impact assessments.
Breach reporting and special protections
The rules include mandatory reporting timelines for data breaches, requiring entities to notify both affected users and the Data Protection Board of India (DPB). Additional safeguards have been specified for processing children’s data and for handling personal information of persons with disabilities, emphasising stricter parental or guardian authorisation.
Cross-border data transfers
The DPDP framework also clarifies how cross-border data transfers will be managed. Overseas transfers will be allowed unless specifically restricted by the government, a more flexible approach than earlier data-localisation proposals.
Industry-wide compliance ahead
With the rules now in force, companies operating in India’s digital economy — from tech platforms and fintech firms to e-commerce players and government digital services — will begin aligning their internal systems and data-governance practices with the new regulatory structure. The operationalisation of the DPDP Act marks an important milestone in India’s efforts to strengthen user trust and bring its privacy standards closer to global benchmarks.