--- title: "Detailed Analysis of the Digital Personal Data Protection Rules, 2025 (hereafter “Rules 2025”), which are the subordinate rules under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) in India" date: 2025-11-14 author: "Abha Shah" url: https://www.indialaw.in/blog/data-privacy/dpdp-rules-2025-explained-compliance-duties-and-key-risks/ --- # Detailed Analysis of the Digital Personal Data Protection Rules, 2025 (hereafter “Rules 2025”), which are the subordinate rules under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) in India Posted On - 14 November, 2025 • By - [Abha Shah](https://www.indialaw.in/people/abha-shah/ "Posts by Abha Shah") [![Digital Personal Data Protection Rules, 2025](https://www.indialaw.in/wp-content/uploads/DPDP-Rules-1920x960.webp)](https://www.indialaw.in/wp-content/uploads/DPDP-Rules-scaled.webp) The Rules 2025 represent a significant step forward in India’s data-protection regime. They build out the high-level DPDP Act in a way that draws on international good practices (consent, breach-notification, minimisation, erasure). ## **Purpose / Key Objectives**: The Rules-2025 are meant to operationalise the DPDP Act that aim to: 1. *Establish* detailed compliance requirements and duties for data fiduciaries – especially on transparency, consent, security, and breach management. 2. *Facilitate* the exercise of individual data rights – i.e. operationalizing user rights of access, correction, and deletion. 3. *Strengthen* safeguards for vulnerable groups – i.e. children and persons with disabilities. 4. *Regulate*and govern cross-border data flows/ data transfers, retention, and supervisory mechanisms. 5. *Align*and support privacy protection with business and governance priorities; keeping innovation-friendly digital ecosystem. ## **Evaluating the Rules: Merits and Concerns** ### **Merits of the Rules:** - These Rules bring clarity supplying more detailed obligations which will help organisations plan compliance. - They align with global best practices through focus on children’s data, retention/erasure norms, and breach notifications - The explicit requirement of “reasonableness” of safeguards promotes risk-based approach rather than rigid checklists. - The transparency/notice obligations bolster individual rights and enable accountability. ### **Areas of Concerns / Gaps** - Significant government discretion and exemptions may impact oversight and independence. - Operationalising obligations like verifiable consent for children or retention/erasure requirements can be challenging, especially for smaller or legacy systems. - Ambiguity in definitions, e.g., “significant data fiduciary” and thresholds for stricter obligations. - Potential compliance burden and operational costs for data-heavy or cross-border businesses, which may affect innovation. - Limited transparency in stakeholder consultations; draft summaries may not reflect full input. ## **Implications of Key Provisions** | **S.No** | **Rule** | **Description** | **Implications** ** ** | | --- | --- | --- | --- | | 1 | Rule 5 – Reasonable Security Safeguards | This Rule mentions data fiduciaries to implement measures such as encryption, obfuscation, masking or the use of virtual tokens, access controls (logs, monitoring), data backups, detection of unauthorized access, contractual and security safeguards.   | Businesses will need to audit/upgrade their data-security infrastructure. Smaller firms may struggle with costs or sophistication. | | 2 | Rules 7 – Data Breach Notification | This Rule mentions data fiduciaries to intimate the Data Protection Board “without delay” on becoming aware of a personal data breach specifying the nature, extent, timing, location of breach; circumstances and reasons leading to the breach, consequences, mitigation and remedial measures.   | Strong operational/incident-response requirements. Data-fiduciaries must have policies, detection capabilities. | | 3 | Rule 8 – Limitation on Retention / Erasure Obligation | This Rule mentions data fiduciaries like e-commerce, social media intermediaries and online gaming portals with large user-base; must erase personal data after 3 years of data collection. | Firms need strong data-lifecycle/record-management mechanisms. May impose challenges for business models reliant on long-term data retention for analytics, profiling, etc.   | | 4 | Rules 10 / 11- Consent & Children / Persons with Disabilities | This Rule mentions processing of personal data of vulnerable groups i.e. children and persons with disability – This requires “verifiable consent” of parent/guardian. | Platforms (especially social media, apps aimed at minors) must redesign flows for age-verification, parental/guardian consent. May introduce friction or exclusion risk for minors/guardians.   | | 5 | Rule 13 – Additional Obligations of Significant Data Fiduciary | This Rules mentions about annual independent audits, Mandatory Data Protection Impact Assessments, stronger governance and stricter record-keeping: | SDFs face **higher accountability and oversight** compared to ordinary data fiduciaries.Compliance cost for audits and impact assessments.; which require significant investment in governance, technology, and specialised staff.   | | 6 | Rule 15 – Transfer of personal data outside the territory of India | This Rule mentions that cross-border transfers will be allowed subject to prescribed restrictions. | Multinational businesses will need to monitor regulatory developments on which countries are permitted, what safeguards needed, possibility of localisation obligations. | ## **Practical Impact on Various Stakeholder Segments** - Individuals / Data Principals: Better rights (access/erasure), clearer notices, mandatory breach notifications. But they must be aware of rights and vigilant. - Private Sector / Businesses: Need to map data-flows, inventory personal data, ensure retention/erasure policies, implement security safeguards, update notices and consent flows, prepare for breach-notification mechanisms, audit cross-border flows. - Start-ups / SMEs: Greater compliance burden may hit smaller players harder. They may need to budget for compliance (legal, tech, operations). - Multinationals / SaaS / Platforms: Must watch thresholds/classifications (e.g., if you become a “significant data fiduciary”), address localisation/cross-border transfer risk, align global flows with Indian obligations. - Government / Regulators: Need to strengthen oversight infrastructure (e.g., the Data Protection Board), ensure clarity, transparency in rule-making, handle exemptions carefully to avoid undermining trust. **Comparative Angliss between the Digital Personal Data Protection Rules, 2025 (India) and the EU General Data Protection Regulation (GDPR).** ![](https://www.indialaw.in/wp-content/uploads/image-e1763118998490.png) ![](https://www.indialaw.in/wp-content/uploads/image-2-e1763119273952.png) ## **Conclusion:** While the Rules 2025 aims for the DPDP Act to be at par with international good practices consent, breach-notification, minimisation, erasure) ***however,*** its success will depend heavily on clarity in definitions, realistic operationalisation timelines, the strength of oversight institutions, and how well business practicality is balanced with rights-protection. If implemented well, they could elevate India’s data-protection landscape in the digital economy era. If not, there’s a risk of regulatory burden, ambiguity, and erosion of trust. [Download PDF](https://www.indialaw.in/blog/data-privacy/dpdp-rules-2025-explained-compliance-duties-and-key-risks//pdf/) [Data Protection and Privacy](https://www.indialaw.in/expertise/technology-law/data-protection-and-privacy/) --- # IndiaLaw LLP — Offices & Contact Details --- ## General Contact | | | |---|---| | **Website** | https://www.indialaw.in | | **Primary email** | contact@indialaw.in | | **Primary phone** | +91 836-9995919 | | **Contact form** | https://www.indialaw.in/connect/ | | **Careers (separate channel)** | https://www.indialaw.in/careers/ | --- ## All Offices (9 locations across 8 cities) ### 1. Mumbai — Registered Office & Head Office (Apeejay Chambers) | | | |---|---| | **Address** | Apeejay Chambers, Ground Floor, Wallace Street, Fort, Mumbai – 400 001 | | **Phone** | [022-6924-7400](tel:02269247400) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/mumbai/ | | **Practice focus** | Litigation · Arbitration · Insolvency & Bankruptcy · Corporate · Banking · Real Estate · IP | | **Notes** | The HQ. 5 partners based here. Handles PAN-India litigation, arbitration, corporate, banking, IP and real estate practice. Largest team across all offices. | ### 2. Mumbai — Non-Litigation Office (Excelsior, Fort) | | | |---|---| | **Address** | 4th Floor, New Excelsior Theatre Pvt. Ltd., Amrit Keshav Nayak Marg, Fort, Mumbai – 400 001 | | **Phone** | [022-697-40500](tel:022-697-40500) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/mumbai/ | | **Practice focus** | Non-litigation only — consultations, negotiations, transactional work | | **Notes** | Opened 2024. Litigation and arbitration remain at the Apeejay Chambers head office. | ### 3. Delhi | | | |---|---| | **Address** | Flat No. 1107 & 1108, Prakashdeep Building, Tolstoy Marg, Connaught Place, New Delhi – 110 001 | | **Phone** | (general line: +91 836-9995919) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/delhi/ | | **Practice focus** | Litigation · Arbitration · Insolvency & Bankruptcy · Corporate · Banking · Real Estate | | **Notes** | 3 partners based here. Located near the Supreme Court of India, Delhi High Court and other appellate bodies. | ### 4. Kolkata | | | |---|---| | **Address** | Centre Point Building, Room No. 214, 2nd Floor, Premises No. 21, Hemanta Basu Sarani, Opp. Great Eastern Hotel, P.S. Hare Street, Kolkata – 700 001, West Bengal | | **Phone** | [+91 33 4813 1001](tel:+913348131001) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/kolkata/ | | **Practice focus** | Insolvency & Bankruptcy · Commercial & Civil Litigation · Arbitration · Banking Litigation · Real Estate · Labour & Employment · Consumer | | **Notes** | Advises banks, NBFCs, MSMEs and corporates on transactions and dispute resolution. Works in close coordination with the Mumbai HO. | ### 5. Chennai | | | |---|---| | **Address** | GF-A, 19 Casa Major Road, Egmore, Chennai – 600 008 | | **Phone** | (general line: +91 836-9995919) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/chennai/ | | **Practice focus** | Litigation · Insolvency & Bankruptcy · Real Estate | | **Notes** | Full-fledged office with experienced legal team. Supported by Mumbai HO. | ### 6. Bengaluru (Bangalore) | | | |---|---| | **Address** | INDIALAW LLP, No. 7 Chinnaswamy Mudaliar Road, Shivaji Nagar, Bangalore – 560 051 | | **Phone** | [080-4167-2444](tel:08041672444) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/bengaluru/ | | **Practice focus** | Litigation · Insolvency & Bankruptcy · Real Estate · Family Laws · Labour | | **Notes** | Located near Bangalore High Court. Handles corporate, commercial, banking and matrimonial disputes. | ### 7. Hyderabad | | | |---|---| | **Address** | 403, 4th Floor, Sanatana Ecstasy Building, beside Tanishq Show Room, Himayathnagar, Hyderabad – 500 029, Telangana | | **Phone** | [040-6666-5166](tel:04066665166) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/hyderabad/ | | **Practice focus** | Litigation · Banking · Insolvency & Bankruptcy · Real Estate | | **Notes** | Particularly well known for complex banking matters and real estate transactions. | ### 8. Cochin (Kochi) | | | |---|---| | **Address** | Second Floor, Pulikkal Building, K.K. Padmanabhan Road, Ernakulam North – 682 018, Kerala | | **Phone** | [0484-3583961](tel:04843583961) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/cochin/ | | **Practice focus** | Litigation · Insolvency & Bankruptcy · Real Estate | | **Notes** | Commercial disputes, property litigation, financial-claim arbitrations and real estate transactions. | ### 9. Noida (NCR) | | | |---|---| | **Address** | No. 16 & 17, Silver Offices, 17th Floor, Wave One, Sector 18, Noida – 201 301 | | **Phone** | (general line: +91 836-9995919) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/noida/ | | **Practice focus** | Aviation · Insurance · Mergers & Acquisitions · Corporate | | **Office head** | **Mr. Dinesh Gupta** (joined August 2025 to lead and expand the corporate practice) | | **Notes** | Newest office. Sector-focused on highly regulated industries serving NCR-based clients. | --- ## Quick-Dial Phone List | Office | Phone | |---|---| | Mumbai HO (Apeejay) | 022-6924-7400 | | Mumbai Excelsior | 022-697-40500 | | Kolkata | +91 33 4813 1001 | | Bengaluru | 080-4167-2444 | | Hyderabad | 040-6666-5166 | | Cochin | 0484-3583961 | | **General / Marketing line** | **+91 836-9995919** | Delhi, Chennai and Noida route through the general number. --- ## Social Channels - LinkedIn: https://www.linkedin.com/company/indialaw - X / Twitter: https://twitter.com/Indialawmumbai - Facebook: https://www.facebook.com/indialawllp/ - Instagram: https://www.instagram.com/indialawllp ---